Attack Methodology Frameworks
Not sure you’re ready?
Take the ~3-minute readiness diagnostic and see where you stand.
A seasoned detective investigating a bank heist rarely begins with the empty vault. Instead, they examine the blueprints the thieves studied, the stolen van they drove, the specific thermal lance they used to breach the safe, and the burner phones they carried. Security Operations Center (SOC) analysts face the exact same multidimensional puzzle when dissecting a network intrusion, yet the digital artifacts are often scattered across thousands of logs, firewall alerts, and endpoint telemetry. Without a conceptual scaffold, an analyst is just looking at isolated anomalies—a suspicious DNS request here, an unexpected PowerShell execution there.
Attack methodology frameworks transform these disjointed technical indicators into a coherent narrative of adversary behavior. By applying structured models to security events, defenders can anticipate an attacker’s next move, attribute the intrusion to specific threat actors, and systematically dismantle an ongoing attack campaign before critical data is lost. For the modern incident responder, these frameworks are the fundamental laws of motion governing the chaotic universe of cyberspace.
To defend a network, we must understand how it is conquered. Derived from military targeting doctrine, The Cyber Kill Chain framework was developed by Lockheed Martin to model exactly how a threat actor achieves their objectives.
The core tenet of the Lockheed Martin Cyber Kill Chain describes a linear sequence of phases an adversary goes through to execute a cyberattack. It is a rigid, step-by-step lifecycle. Why does this linearity matter to a SOC analyst? Because it introduces a profound tactical advantage for the defender: breaking the Lockheed Martin Cyber Kill Chain at any single phase successfully stops the progression of the cyberattack. The adversary must succeed at every step; the defender only needs to succeed once to sever the chain.

The Lockheed Martin Cyber Kill Chain consists of exactly seven distinct phases:
-
Reconnaissance: The first phase of the Lockheed Martin Cyber Kill Chain is Reconnaissance. Long before an alert triggers in your SIEM, the Reconnaissance phase involves the attacker gathering information about the target organization before launching an attack. This might involve scraping LinkedIn for employee emails, port scanning public-facing assets, or querying DNS records.
-
Weaponization: The second phase of the Lockheed Martin Cyber Kill Chain is Weaponization. Here, the attacker stays entirely on their own systems. The Weaponization phase involves coupling a malicious payload with an exploit to create a deliverable threat. Think of this as putting a deadly warhead (a remote access trojan) onto a missile (a macro-enabled PDF).
-
Delivery: The third phase of the Lockheed Martin Cyber Kill Chain is Delivery. The Delivery phase involves transmitting the weaponized payload to the target environment. For a SOC analyst, this is often the first visible touchpoint—a spear-phishing email hitting a spam filter, or a user clicking a malicious link.
-
Exploitation: The fourth phase of the Lockheed Martin Cyber Kill Chain is Exploitation. Once delivered, the payload must detonate. The Exploitation phase occurs when the weaponized code is triggered to exploit a target vulnerability. This is the moment a buffer overflow executes or an unsuspecting user enables macros, granting the payload execution rights.

A buffer overflow is a classic software vulnerability exploited during phase four of the Kill Chain, allowing an attacker to overwrite memory boundaries and execute weaponized code. Source: Buffer overflow basicexample by Self, CC BY-SA 2.0. -
Installation: The fifth phase of the Lockheed Martin Cyber Kill Chain is Installation. An exploit is fleeting; an attacker wants to stay. The Installation phase involves placing malware or a backdoor on the victim system to maintain persistence. EDR alerts regarding unauthorized registry modifications or scheduled task creations are classic indicators here.
-
Command and Control (C2): The sixth phase of the Lockheed Martin Cyber Kill Chain is Command and Control. The Command and Control phase establishes a communication channel between the compromised system and the attacker. The infected machine "phones home" for instructions. If your firewall blocks outbound traffic to a known malicious IP, you have successfully broken the chain at phase six.
-
Actions on Objectives: The seventh phase of the Lockheed Martin Cyber Kill Chain is Actions on Objectives. This is the grim finale. The Actions on Objectives phase occurs when the attacker achieves their ultimate goal, whether that is exfiltrating intellectual property, deploying ransomware, or destroying infrastructure.
Analyst Application: When you receive a phishing alert, you are looking at Delivery. Your immediate goal is to verify if Exploitation and Installation occurred. If you quarantine the host before it initiates Command and Control, the adversary cannot proceed to Actions on Objectives.
While the Kill Chain gives us a timeline, it lacks the context needed to track who is attacking us and what infrastructure they are leveraging across multiple campaigns. To solve this, the intelligence community relies on the Diamond Model.
The Diamond Model of Intrusion Analysis represents a security incident as a relationship between four core features. Imagine a diamond-shaped graph where each vertex is a critical element of an attack. The four core features of the Diamond Model of Intrusion Analysis are Adversary, Infrastructure, Capability, and Victim.
- Adversary (Top Vertex): The Adversary feature in the Diamond Model refers to the entity directing the cyberattack. This could be a state-sponsored APT (Advanced Persistent Threat) or a financially motivated cybercriminal syndicate.
- Victim (Bottom Vertex): The Victim feature in the Diamond Model refers to the target of the adversary. This could be an individual user, a specific server, or an entire corporate enterprise.
- Capability (Left Vertex): The Capability feature in the Diamond Model describes the tools and techniques used by the adversary. This includes custom malware, zero-day exploits, or stolen credentials.
- Infrastructure (Right Vertex): The Infrastructure feature in the Diamond Model describes the physical or logical communication structures used to deliver capabilities. This includes leased virtual private servers (VPS), compromised botnets, or registered domain names.
The power of the Diamond Model lies in its connecting edges. It elegantly maps how in the Diamond Model of Intrusion Analysis, the Adversary uses Infrastructure to communicate with the Victim. Simultaneously, on the other side of the diamond, the Adversary develops or uses Capabilities to exploit the Victim.
Adding Context with Meta-Features
A single diamond represents a single event. To make these events actionable, the Diamond Model of Intrusion Analysis includes six meta-features to provide additional context to a security event.
The six meta-features of the Diamond Model of Intrusion Analysis are Timestamp, Phase, Result, Direction, Methodology, and Resources.
- Timestamp: When the event occurred.
- Phase: Which stage of an attack lifecycle (often mapping back to the Kill Chain) the event represents.
- Result: Whether the adversary's action succeeded or failed.
- Direction: The flow of the attack (e.g., Victim-to-Infrastructure for C2 callbacks).
- Methodology: The general classification of the event (e.g., Spearphishing).
- Resources: The external dependencies the adversary needed (e.g., funding, zero-day research).
Weaving the Threads
Attackers rarely succeed in a single, isolated action. Activity threads in the Diamond Model link multiple related events together to map an entire attack campaign. By graphing a series of diamonds, analysts can trace how an adversary moves horizontally across an environment. Because of this powerful relational graphing, the Diamond Model of Intrusion Analysis is frequently used by threat intelligence analysts to attribute attacks to specific threat actors. If a SOC notices the same bespoke Capability communicating over the exact same Infrastructure seen in a prior attack, they can confidently attribute the new intrusion to the same Adversary.
The Kill Chain is linear and theoretical; the Diamond Model is relational. But what if a SOC analyst needs to know exactly how an adversary dumps credentials in a Windows environment? We must turn to empirical data.
MITRE ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge.
Unlike abstract models, MITRE ATT&CK is a globally accessible knowledge base of adversary behaviors based on real-world observations. It is the definitive periodic table of cyberattacks. Instead of relying on what attackers might do, ATT&CK documents what attackers have actually done in the wild.
The MITRE ATT&CK framework categorizes adversary behaviors into Tactics, Techniques, and Sub-techniques.
| Classification | Definition | Example |
|---|---|---|
| Tactics | In the MITRE ATT&CK framework, Tactics represent the technical goal or reason behind an adversary's action. It is the "Why." | Privilege Escalation (The attacker wants higher-level permissions). |
| Techniques | In the MITRE ATT&CK framework, Techniques represent the specific method an adversary uses to achieve a tactical goal. It is the "How." | Abuse Elevation Control Mechanism (The attacker is bypassing UAC). |
| Sub-techniques | In the MITRE ATT&CK framework, Sub-techniques provide a more specific description of adversary behavior than standard Techniques. | Bypass User Account Control (The granular action taken). |

Unlike the rigid progression of the Kill Chain, the MITRE ATT&CK framework organizes attack behaviors in a non-linear matrix format. An attacker might jump directly to "Defense Evasion" without traditional "Execution," or bounce between "Lateral Movement" and "Credential Access" recursively. Nature is non-linear, and so is a human adversary operating within a network.
For the modern enterprise, the MITRE ATT&CK Enterprise matrix focuses on operating systems like Windows, macOS, Linux, and cloud environments.
Operationalizing ATT&CK in the SOC
How does an incident responder actually use this massive matrix?
First, the MITRE ATT&CK framework maps specific named threat actor groups to the techniques historically used by those groups. If threat intelligence warns that the group APT29 is targeting your sector, an analyst can pull up the ATT&CK profile for APT29 and instantly see every Tactic and Technique they are known to employ.

Second, it drives proactive defense. Security teams use the MITRE ATT&CK framework to map defensive controls against known adversary behaviors. By overlaying their SIEM rules, EDR deployments, and network sensors onto the ATT&CK matrix, they generate a "heatmap" of their detection capabilities.
Consequently, the MITRE ATT&CK framework is used to identify gaps in an organization's security posture by analyzing unmitigated attack techniques. If your heatmap shows complete coverage for Initial Access but zero coverage for Lateral Movement, you have found a critical blind spot that requires new detection engineering.
While ATT&CK excels at mapping enterprise operating systems, a vast percentage of initial compromises (the Delivery and Exploitation phases of the Kill Chain) occur through web-facing applications. To systematically understand and test these specific vectors, defenders turn to OWASP.
OWASP stands for Open Web Application Security Project. It is a global non-profit organization dedicated to improving software security.
At the heart of their methodology is the OWASP Web Security Testing Guide, which provides a comprehensive framework for testing web application security. This is not a generalized incident response model, but a highly specific, highly technical blueprint for discovering vulnerabilities like SQL Injection, Cross-Site Scripting (XSS), and Broken Access Control before an adversary can weaponize them.

To stop the kill chain at phase zero, organizations must build defensible software. The OWASP Web Security Testing Guide outlines processes for integrating security testing throughout the software development lifecycle (SDLC). By pushing security "left" into the coding phase, vulnerabilities are eradicated before they ever reach a production server.

When software is deployed, the OWASP Web Security Testing Guide helps penetration testers standardize the process of identifying web application vulnerabilities. Instead of ad-hoc hacking, testers follow OWASP's rigorous checklists to ensure every potential parameter, cookie, and API endpoint is mathematically verified against known flaws.
For the SOC analyst operating the defenses, this guide is equally vital. Security analysts use the OWASP Web Security Testing Guide to verify the effectiveness of web application firewalls (WAFs) and input validation controls. If a WAF alert fires for a directory traversal attack, the analyst relies on OWASP methodology to parse the malicious payload, understand exactly what the attacker was attempting to read, and validate that the backend application correctly neutralized the malicious input.
The Unified Defender
No single framework answers every question. An elite cybersecurity analyst uses them in concert. When an alert fires, you validate the payload using OWASP principles. You immediately recognize this as the Delivery phase of the Lockheed Martin Cyber Kill Chain. To ensure you understand the full scope of the breach, you map the adversary's exact Techniques against the MITRE ATT&CK matrix. Finally, you take the Capabilities and Infrastructure observed, graph them on the Diamond Model, and attribute the attack to a specific adversary.
Through these frameworks, the chaotic noise of thousands of daily alerts is synthesized into a clear, actionable, and ultimately stoppable adversary methodology.