3 ‘Must Know’ Cybersecurity Frameworks They Won’t Teach In Your Intro Classes

Introductory cybersecurity courses tend to cover similar basics. They provide you with a solid foundation to demonstrate that you’re trainable for your first cybersecurity job. If you really want to stand out during the hiring process, learn about cybersecurity frameworks. Though they’re not beginners’ knowledge, these frameworks are a constant reference point as organizations plan and execute their cybersecurity operations.

Cyber Kill Chain

Like so many aspects of cybersecurity, the Cyber Kill Chain has its roots in the military. Lockheed-Martin developed the Cyber Kill Chain framework—based on the US Air Force’s F2T2EA Kill-Chain concept—to defend computer networks in 2011.

The Cyber Kill Chain consists of phases (i.e., links in the chain), which an attacker needs to successfully complete during a cyberattack. If a defender can stop the attacker during any of these phases, she can prevent the cyberattack from being successful.

The Cyber Kill Chain phases consist of:

  1. Reconnaissance

  2. Weaponization

  3. Delivery

  4. Exploitation

  5. Installation

  6. Command & Control (C2)

  7. Actions on Objective

Other organizations have developed variations of intrusion kill chains, but cybersecurity professionals generally refer to Lockheed-Martin’s Cyber Kill Chain.

Rick Howard—CSO at CyberWire and former CSO at Palo Alto Networks—does an excellent primer of the Cyber Kill Chain. I highly recommend the Cybersecurity First Principles: Intrusion kill chains episode of his CSO Perspectives podcast. Rick provides a great walkthrough of the framework with useful analogies to illustrate the kill chain.

NIST Incident Response Life Cycle

Cyberattacks happen. Organizations, regardless of size, will need an incident response plan to counter them. That’s where the NIST Incident Response Life Cycle comes in. Many people will be unfamiliar with the National Institute of Standards and Technology (or NIST). It’s a slightly obscure organization in the US Department of Commerce, but NIST publishes industry guidelines for technology you use every day, like WiFi and Bluetooth.

NIST provides a framework for responding to security incidents in its special publication Computer Security Incident Handling Guide. Despite the modest sounding name, most organizations’ incident response programs—no matter how simple or complex—build upon this document.

Every cybersecurity professional should have at least a basic understanding of incident response. I would recommend actually reading the NIST publication. (It’s only 50 pages of text.) The phases of the NIST Incident Response Life Cycle are:

  1. Preparation

  2. Detection and Analysis

  3. Containment, Eradication, and Recovery

  4. Post-Incident Activity

Of course, there is plenty more to learn about incident response, if you want to pursue that cybersecurity discipline. The ability to speak intelligently about incident response in industry terms will allow you to stand out.

MITRE ATT&CK Framework

The MITRE Corporation’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) Framework is a more advanced topic. Many cybersecurity professionals don’t know much about MITRE ATT&CK, beyond the knowledge that it exists.

Ever heard the term “threat actor TTPs” (i.e., Tactics, Techniques, and Procedures)? The ATT&CK Framework provides those first two Ts in TTP.

As MITRE states on its website: “MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.”

The ATT&CK Framework documents over 200 threat actor techniques categorized into 11 tactics.

The MITRE ATT&CK Framework is an expansive topic. A lot of organizations are trying to figure out how to incorporate ATT&CK into their cybersecurity operations. A good starting point to get a foundational understanding is Cybrary’s MITRE ATT&CK Defender (MAD) ATT&CK Fundamentals Badge Training. Cybrary developed this free online course in coordination with MITRE Engenuity as part of the recent launch of their MITRE ATT&CK Defender (MAD) certifications.

Familiarize yourself with these frameworks and you’ll stand out from the competition as you interview for your first cybersecurity job. You will likely use these frameworks during the course of your new cybersecurity career anyway. Best to learn about them early.