Salesforce Security: Leveraging the Power of the Cyber Kill Chain and MITRE Att&ck Framework


In today's digital world, security is a top priority for businesses and individuals alike.

The threat landscape is constantly evolving and creating new challenges for defenders, which makes it more important than ever to have a comprehensive security strategy in place that can adapt to each new threat.

When it comes to protecting your Salesforce environment, it's crucial to have a well-thought-out strategy that can help you identify and mitigate threats as quickly as possible. The Cyber Kill Chain and the MITRE Att&ck framework are two excellent tools that can help you do just that. In this post, we'll explain what these frameworks are and how they can be used in conjunction with each other to better protect your Salesforce environment. Let's dive in!

Understanding the Cyber Kill Chain

The Cyber Kill Chain is a framework that was developed by Lockheed Martin in 2011 to outline the stages of a cyberattack and provide a roadmap for understanding and preventing such attacks. The framework consists of seven stages that an attacker goes through to successfully complete an attack: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives.

The Cyber Kill Chain is valuable for organizations because it helps them understand how attackers operate and where they might be vulnerable. By breaking down an attack into its individual stages, organizations can take proactive steps to prevent or disrupt the attack at each stage.

Exploring the MITRE Att&ck Framework

The MITRE Att&ck Framework is a knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations of cyber attacks. The framework was developed by the MITRE Corporation, a non-profit organization that operates federally funded research and development centers (FFRDCs) in the United States.

The MITRE Att&ck Framework is organized into several matrices, each of which represents a specific platform or domain. For example, there are matrices for Windows, Linux, macOS, mobile devices, Office 365 and SaaS. Within each matrix, there are several tactics that an attacker might use. In the case of SaaS, they are outlined as follows:


  1. Initial access
  2. Execution
  3. Persistence
  4. Privilege escalation
  5. Defense evasion
  6. Credential access
  7. Discovery
  8. Lateral movement
  9. Collection
  10. Impact


Each of these tactics has a list of cloud-based techniques, with the procedures attackers use and a list of mitigations. This is the biggest advantage of the framework: it is comprehensive and up to date. This can be crucial for organizations that are working to improve their security posture, as it allows them to see all of the possible vectors that an attacker could use to infiltrate their environment.

The Cyber Kill Chain vs. The MITRE Att&ck Framework

Though some people may see the Cyber Kill Chain and MITRE Att&ck Framework as competing models, they should be viewed more as complementary to each other. By combining aspects from both frameworks, organizations can gain a better understanding of the full scope of their security posture and where they need to focus their efforts.

For instance, while the Cyber Kill Chain is perimeter- and malware-focused, the MITRE Att&ck framework covers attack vectors that occur behind the organizational perimeter. The Unified Kill Chain, a model that combines and extends both frameworks, recognizes the role of users in social engineering attacks, models the importance of choke points in attacks, sheds light on the overall objectives of threat actors and covers the compromise of integrity and availability. Its steps are as follows:


  1. Reconnaissance
  2. Resource development
  3. Delivery
  4. Social engineering
  5. Exploitation
  6. Persistence
  7. Defense evasion
  8. Command and control
  9. Pivoting
  10. Discovery
  11. Privilege escalation
  12. Execution
  13. Credential access
  14. Lateral movement
  15. Collection
  16. Exfiltration
  17. Impact
  18. Objectives


The inclusion of social engineering in the Unified Kill Chain is an important development. While neither the Cyber Kill Chain nor the MITRE Att&ck framework addresses it specifically, including social engineering brings non-technical factors into consideration, which can help companies better understand the objectives of threat actors.

This model provides valuable insights into the tactics that attackers use in advanced cyber attacks and the order in which they occur. The Unified Kill Chain's phases can be used to describe their behavior in individual cyber-attacks or the tactical modus operandi of a specific attacker. By putting the phases in the right order, organizations can gain a better insight into the threat landscape and develop a defense strategy accordingly.
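As an added example (not code from the original post or from any product), the Python below uses the two lists given in this article to show which Unified Kill Chain phases a set of detections leaves unobserved, and at which phase of an attack path the first alert would fire. The detection rule names and the sample attack path are constructed, hypothetical values.

```python
# Unified Kill Chain phases, in the order the article lists them.
UKC_PHASES = [
    "Reconnaissance", "Resource development", "Delivery", "Social engineering",
    "Exploitation", "Persistence", "Defense evasion", "Command and control",
    "Pivoting", "Discovery", "Privilege escalation", "Execution",
    "Credential access", "Lateral movement", "Collection", "Exfiltration",
    "Impact", "Objectives",
]
# SaaS matrix tactics as the article lists them.
SAAS_TACTICS = {
    "Initial access", "Execution", "Persistence", "Privilege escalation",
    "Defense evasion", "Credential access", "Discovery", "Lateral movement",
    "Collection", "Impact",
}
# Constructed sample: hypothetical detection rules and the phases each observes.
DETECTIONS = {
    "login_from_new_country": ["Credential access"],
    "connected_app_authorized": ["Persistence"],
    "permission_set_changed": ["Privilege escalation"],
    "bulk_report_export": ["Collection", "Exfiltration"],
}

def coverage(detections):
    """Map every phase to the sorted rule names that observe it."""
    cov = {phase: [] for phase in UKC_PHASES}
    for rule, phases in detections.items():
        for phase in phases:
            if phase not in cov:
                raise ValueError(f"{rule}: unknown phase {phase!r}")
            cov[phase].append(rule)
    return {p: sorted(r) for p, r in cov.items()}

def gaps(detections):
    """Phases with no detection at all, in kill-chain order."""
    return [p for p, rules in coverage(detections).items() if not rules]

def phases_outside_saas_matrix():
    """Unified Kill Chain phases with no same-named tactic in the SaaS list."""
    return [p for p in UKC_PHASES if p not in SAAS_TACTICS]

def first_detection_point(attack_path, detections):
    """Return (first covered phase or None, phases passed unobserved before it)."""
    cov = coverage(detections)
    for i, phase in enumerate(attack_path):
        if cov[phase]:
            return phase, list(attack_path[:i])
    return None, list(attack_path)

if __name__ == "__main__":
    print(first_detection_point(["Social engineering", "Credential access"], DETECTIONS))
```

Running `gaps` against a real rule inventory gives a phase-ordered list of blind spots, and `first_detection_point` shows how far along a given path an intrusion would get before the first alert.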
