Security Frameworks Comparison

Kill Chain → ATT&CK → D3FEND

How to Use This Cheat Sheet

For incident analysis, read horizontally: start with a **Kill Chain** stage, map it to the specific **ATT&CK** techniques listed beside it, and then identify the corresponding **D3FEND** countermeasures in the same row.

Cyber Kill Chain

1. Reconnaissance

- Research and identify targets
- Harvest email addresses, social media
- Scan for vulnerabilities

2. Weaponization

- Create malicious payload
- Package exploit with backdoor
- Prepare delivery mechanism

3. Delivery

- Transmit weapon to target
- Email attachments, websites, USB
- Drive-by downloads

4. Exploitation

- Trigger vulnerability
- Execute malicious code
- Gain initial foothold

5. Installation

- Install persistent backdoor
- Establish access mechanism
- Maintain presence

6. Command & Control

- Establish C2 channel
- Remote control of compromised system
- Receive commands from attacker

7. Actions on Objectives

- Data exfiltration
- Data destruction
- Encryption (ransomware)

MITRE ATT&CK

Reconnaissance

- Active Scanning (T1595)
- Gather Victim Identity Information (T1589)
- Search Open Websites/Domains (T1593)

Resource Development

- Acquire Infrastructure (T1583)
- Develop Capabilities (T1587)
- Obtain Capabilities (T1588)

Initial Access

- Phishing (T1566)
- Drive-by Compromise (T1189)
- Exploit Public-Facing Application (T1190)

Execution

- PowerShell (T1059.001)
- Command and Scripting Interpreter (T1059)
- User Execution (T1204)

Persistence

- Registry Run Keys / Startup Folder (T1547.001)
- Scheduled Task/Job (T1053)
- Create Account (T1136)

Command & Control

- Application Layer Protocol: Web Protocols (T1071)
- Encrypted Channel (T1573)
- DNS (T1071.004)

Exfiltration

- Exfiltration Over C2 Channel (T1041)
- Exfiltration Over Web Service (T1567)
- Automated Exfiltration (T1020)

MITRE D3FEND

Harden

- Security Awareness Training
- Attack Surface Reduction
- Network Segmentation
- Patch Management

Detect

- Email Analysis (DKIM, DMARC)
- File Analysis (Sandboxing)
- Network Traffic Analysis
- Process Analysis (EDR)

Isolate

- Application Isolation (VMs)
- Browser Sandboxing
- Email Sandboxing
- Network Isolation

Control Access

- Application Whitelisting
- Multi-Factor Authentication
- Credential Access Protection
- Execution Prevention

Monitor

- System Call Analysis
- Script Execution Logging
- Registry Monitoring
- File Integrity Monitoring

Filter/Block

- DNS Filtering
- Web Proxy/Filtering
- Firewall Rules
- URL Analysis

Prevent

- Data Loss Prevention (DLP)
- Egress Traffic Filtering
- Cloud Access Security Broker
- Encrypted Channel Analysis

💡 Pro Tip for Incident Responders

When you identify a **Kill Chain** stage, look across the row to see common **ATT&CK** techniques. Then, look at the corresponding **D3FEND** column to find relevant countermeasures. This helps you move from detection to action.
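The row-wise walk described above (ATT&CK technique → Kill Chain stage → D3FEND countermeasures), as an added Python example that is not part of the original cheat sheet. It encodes the page's three columns row by row as shown here (the row alignment is this page's layout, not an official MITRE mapping), validates technique IDs, and lets an unlisted sub-technique such as `T1059.003` fall back to the row of its parent `T1059`.

```python
import re
# Row-aligned view of the cheat sheet, constructed from the page's three columns:
# (Kill Chain stage, ATT&CK tactic, its technique IDs, D3FEND category, its countermeasures)
ROWS = [
    ("Reconnaissance", "Reconnaissance", {"T1595", "T1589", "T1593"}, "Harden",
     ("Security Awareness Training", "Attack Surface Reduction",
      "Network Segmentation", "Patch Management")),
    ("Weaponization", "Resource Development", {"T1583", "T1587", "T1588"}, "Detect",
     ("Email Analysis (DKIM, DMARC)", "File Analysis (Sandboxing)",
      "Network Traffic Analysis", "Process Analysis (EDR)")),
    ("Delivery", "Initial Access", {"T1566", "T1189", "T1190"}, "Isolate",
     ("Application Isolation (VMs)", "Browser Sandboxing",
      "Email Sandboxing", "Network Isolation")),
    ("Exploitation", "Execution", {"T1059.001", "T1059", "T1204"}, "Control Access",
     ("Application Whitelisting", "Multi-Factor Authentication",
      "Credential Access Protection", "Execution Prevention")),
    ("Installation", "Persistence", {"T1547.001", "T1053", "T1136"}, "Monitor",
     ("System Call Analysis", "Script Execution Logging",
      "Registry Monitoring", "File Integrity Monitoring")),
    ("Command & Control", "Command & Control", {"T1071", "T1573", "T1071.004"},
     "Filter/Block", ("DNS Filtering", "Web Proxy/Filtering",
                      "Firewall Rules", "URL Analysis")),
    ("Actions on Objectives", "Exfiltration", {"T1041", "T1567", "T1020"}, "Prevent",
     ("Data Loss Prevention (DLP)", "Egress Traffic Filtering",
      "Cloud Access Security Broker", "Encrypted Channel Analysis")),
]
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")  # Txxxx or Txxxx.yyy

def lookup(technique_id):
    """Sheet row for an ATT&CK technique ID, or None if unlisted; an unlisted
    sub-technique falls back to the row of its parent technique."""
    tid = technique_id.strip().upper()
    if not TECHNIQUE_ID.match(tid):
        raise ValueError(f"not an ATT&CK technique ID: {technique_id!r}")
    for cand in (tid, tid.split(".")[0]):       # exact ID first, then parent
        for stage, tactic, ids, category, measures in ROWS:
            if cand in ids:
                return stage, tactic, category, measures
    return None

def triage(technique_ids):
    """Group observed IDs by Kill Chain stage, in chain order, with that row's D3FEND data."""
    by_stage = {}
    for tid in technique_ids:
        hit = lookup(tid)
        if hit:                                 # skip IDs the sheet does not cover
            entry = by_stage.setdefault(hit[0], {"techniques": [], "d3fend": hit[2],
                                                 "countermeasures": list(hit[3])})
            entry["techniques"].append(tid.strip().upper())
    return [(row[0], by_stage[row[0]]) for row in ROWS if row[0] in by_stage]
```

Feeding `triage()` the technique IDs tagged on an alert returns the affected stages in kill-chain order, each paired with the countermeasure list to act on.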