The threat landscape is constantly evolving and creating new challenges for defenders to keep up with — making it even more important than ever before to have a comprehensive security strategy in place that’s adaptable to each new threat.
When it comes to protecting your Salesforce environment, it’s crucial to have a well-thought-out strategy that can help you identify and mitigate threats as quickly as possible. The Cyber Kill Chain and the MITRE Att&ck framework are two excellent tools that can help you do just that. In this post, we’ll explain what these frameworks are and how they can be used in conjunction with each other to better protect your Salesforce environment. Let’s dive in!
Understanding the Cyber Kill Chain
The Cyber Kill Chain is a framework that was developed by Lockheed Martin in 2011 to outline the stages of a cyberattack and provide a roadmap for understanding and preventing such attacks. The framework consists of seven stages that an attacker goes through to successfully complete an attack: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives.
The Cyber Kill Chain is valuable for organizations because it helps them understand how attackers operate and where they might be vulnerable. By breaking down an attack into its individual stages, organizations can take proactive steps to prevent or disrupt the attack at each stage.
Exploring the MITRE Att&ck Framework
The MITRE Att&ck Framework is a knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations of cyber attacks. The framework was developed by the MITRE Corporation, a non-profit organization that operates federally funded research and development centers (FFRDCs) in the United States.
The MITRE Att&ck Framework is organized into several matrices, each of which represents a specific platform or domain. For example, here are matrices for Windows, Linux, macOS, mobile devices, Office 365 and SaaS. Within each matrix, there are several tactics that an attacker might use. In the case of SaaS, it’s outlined as follows:
- Initial access
- Execution
- Persistence
- Privilege escalation
- Defense evation
- Credential access
- Discovery
- Lateral movement
- Collection
- Impact
Each of these has a list of cloud-based techniques with its processes and a list of mitigations. It’s the biggest advantage of this framework — it’s comprehensive and up-to-date. This can be crucial for organizations that are working to improve their security posture as it allows them to see all of the possible vectors that an attacker could use to infiltrate their environment.
The Cyber Kill Chain vs. The MITRE Att&ck Framework
Though some people may see the Cyber Kill Chain and MITRE Att&ck Framework as competing models, they should be viewed more as complementary to each other. By combining aspects from both frameworks, organizations can gain a better understanding of the full scope of their security posture and where they need to focus their efforts.
For instance, while the Cyber Kill Chain is perimeter and malware-focused, the MITRE Att&ck framework covers attack vectors that occur behind the organizational perimeter. The Unified Kill Chain recognizes the role of users in social engineering attacks, models the importance of choke points in attacks, sheds light on the overall objectives of threat actors and covers the compromise of integrity and availability. The steps are as follows:
- Reconnaissance
- Resource development
- Delivery
- Social engineering
- Exploitation
- Persistence
- Defense evation
- Command and control
- Pivoting
- Discovery
- Privilege escalation
- Execution
- Credential access
- Lateral movement
- Collection
- Exfiltration
- Impact
- Objectives
The inclusion of social engineering in the Unified Kill Chain is an important development. While neither the Cyber Kill Chain nor the MITRE Att&ck framework addresses it specifically, social engineering reveals the additional consideration of non-technical factors that can help companies to better understand the objective of threat actors.
This model provides valuable insights into the tactics that attackers use in advanced cyber attacks and the order in which they occur. The Unified Kill Chain’s phases can be used to describe their behavior in individual cyber-attacks or the tactical modus operandi of a specific attacker. By putting the phases in the right order, organizations can gain a better insight into the threat landscape and develop a defense strategy accordingly.
BOOK A DEMO
Secure your Salesforce today
Tailored for high compliance sectors, our certified solution safeguards Salesforce clouds for global enterprises, including finance, healthcare, and the public sector.
Fill the form and get:
Free 15-day trial
Personalized Salesforce security risk assessment report
Demo and a solution consultation
Support from our experts with setup and configurations