Cyber Defence Frameworks
A Cyber Defence Framework (CDF) provides structured guidelines and methodologies to protect digital assets from cyber threats. Key components include identifying assets, implementing security controls, detecting threats, responding to incidents, and recovering from attacks. Important concepts discussed include the Pyramid of Pain, Cyber Kill Chain, Unified Kill Chain, and the Diamond Model for analyzing threats. The article highlights their role in enhancing security posture and incident response. Affected: digital assets, networks, critical infrastructure, organizations

Key points:

  • Cyber Defence Frameworks (CDF) assist in securing digital assets against cyber threats.
  • The framework comprises guidelines for identification, protection, detection, response, and recovery.
  • The Pyramid of Pain illustrates the difficulty of detecting various types of Indicators of Compromise (IOCs).
  • The Cyber Kill Chain outlines seven stages of a cyberattack, from reconnaissance to objectives completion.
  • The Unified Kill Chain expands on the Cyber Kill Chain by incorporating MITRE ATT&CK tactics and real-world attack methodologies.
  • The Diamond Model helps analyze and track attacks by connecting adversary tactics, capabilities, infrastructure, and victims.
  • MITRE ATT&CK Framework maps real-world adversary behavior, providing standardized techniques for enhanced detection.

MITRE Techniques:

  • T1566 – Phishing: Attackers craft emails with malicious links or attachments to gain initial access.
  • T1059 – Command and Scripting Interpreter: Use of PowerShell to execute malicious scripts.
  • T1003 – Credential Dumping: Use of Mimikatz to extract password hashes from memory.
  • T1021.001 – Remote Desktop Protocol (RDP): Used for lateral movement within the network.
  • T1486 – Data Encrypted for Impact: Encrypting files and demanding a ransom.

A Cyber Defence Framework (CDF) is a structured approach to securing digital assets, networks, and systems from cyber threats. It provides guidelines, best practices, and methodologies to prevent, detect, respond to, and recover from cyberattacks. These frameworks are designed to help organizations establish a robust security posture by aligning security controls with business objectives and regulatory requirements.

🔹 Key Components of a Cyber Defence Framework

  1. Identify — Understanding critical assets, vulnerabilities, and threats.
  2. Protect — Implementing security controls, encryption, and access controls.
  3. Detect — Monitoring networks and systems for potential threats.
  4. Respond — Incident response planning and threat mitigation.
  5. Recover — Business continuity and disaster recovery measures.

Some of the commonly used cyber defence frameworks are:

🔺 Pyramid of Pain

The Pyramid of Pain is a cybersecurity model created by David J. Bianco that illustrates the impact and difficulty of detecting and responding to different types of Indicators of Compromise (IOCs) in a Security Operations Center (SOC). It helps SOC analysts and threat hunters understand how adversaries react when defenders disrupt their operations.

🔺 Pyramid of Pain — Structure & Explanation

The pyramid is divided into six levels, starting from the easiest (bottom) to the hardest (top) in terms of detection and impact on adversaries.

1️⃣ Hash Values (Least Painful for Attackers)

  • Definition: Unique identifiers (MD5, SHA1, SHA256) of specific malicious files.
  • Example: 44d88612fea8a8f36de82e1278abb02f (MD5 hash of EICAR test file).
  • Defender’s Impact: Low — Attackers can easily modify files to generate a new hash (e.g., repacking malware).

2️⃣ IP Addresses

  • Definition: IPs used by attackers for C2 (Command & Control), phishing, or exploitation.
  • Example: 192.168.1.1 (example malicious IP).
  • Defender’s Impact: Low — Attackers can switch to new IPs using VPNs, proxies, or botnets.

3️⃣ Domain Names

  • Definition: Malicious domains used for phishing, C2, or malware hosting.
  • Example: malicious-site[.]com.
  • Defender’s Impact: Moderate — Attackers can register new domains but with some cost and effort.

4️⃣ Network/Host Artifacts

  • Definition: Patterns of attacker behavior such as registry modifications, dropped files, or specific URLs used in attacks.
  • Example: A registry change in Windows that disables Defender (HKLM\Software\Policies\Microsoft\Windows Defender).
  • Defender’s Impact: Moderate to High — Attackers must alter techniques or tools to evade detection.

5️⃣ Tools

  • Definition: Software and frameworks used by attackers (e.g., Mimikatz, Cobalt Strike).
  • Example: mimikatz.exe used for credential dumping.
  • Defender’s Impact: High — Attackers must develop or find alternative tools, which is time-consuming.

6️⃣ Tactics, Techniques & Procedures (TTPs) (Most Painful for Attackers)

  • Definition: The overall strategy and methods used by attackers (mapped to MITRE ATT&CK).
  • Example: T1059 — Command and Scripting Interpreter (using PowerShell for execution).
  • Defender’s Impact: Very High — Changing tactics requires significant time, skill, and planning for attackers.

🔥 Why Does the Pyramid of Pain Matter in a SOC?

  • Prioritizes Threat Intelligence: Helps SOC teams focus on higher-impact indicators.
  • Disrupts Attackers’ Operations: Moving from hash-based detections to TTP-based defenses forces adversaries to rethink strategies.
  • Enhances Threat Hunting: SOC analysts can build detections for behavior-based threats rather than static IOCs.
  • Supports MITRE ATT&CK Framework: Aligns with adversary tactics to improve Blue Team effectiveness.

💡 How to Apply in a SOC?

✅ SIEM Rules: Detect TTP-based behavior rather than relying on simple IOCs.
✅ Threat Hunting: Search for anomalies in logs that indicate attacker behaviors.
✅ SOAR Automation: Automate blocking of known tools and domains.
✅ Purple Teaming: Test and improve defenses against real adversary tactics.
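As an added illustration (not code from the original article) of why TTP-level detections outlast IOC-level ones, the Python below applies one detection per pyramid level to a constructed endpoint event, reusing the indicators quoted in the text; the event fields and the encoded-PowerShell rule for T1059 are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Pyramid levels ordered from least to most painful for the adversary.
LEVELS = ["hash", "ip", "domain", "artifact", "tool", "ttp"]

# Indicator lists reuse the examples given in the text; nothing here is a live IoC.
KNOWN_HASHES = {"44d88612fea8a8f36de82e1278abb02f"}   # EICAR test file MD5
KNOWN_IPS = {"192.168.1.1"}
KNOWN_DOMAINS = {"malicious-site.com"}
DEFENDER_POLICY_KEY = r"hklm\software\policies\microsoft\windows defender"
KNOWN_TOOLS = {"mimikatz.exe"}
# Behavioural (TTP-level) rule for T1059: PowerShell launched with an encoded command.
ENCODED_PS = re.compile(r"powershell.*\s-(e|enc|encodedcommand)\b", re.I)

@dataclass
class Event:
    """A constructed endpoint/network event with the fields the rules look at."""
    process: str = ""
    cmdline: str = ""
    md5: str = ""
    dest_ip: str = ""
    dest_domain: str = ""
    registry_key: str = ""

def classify(ev: Event) -> List[str]:
    """Return every pyramid level at which the event matches a detection."""
    hits = []
    if ev.md5.lower() in KNOWN_HASHES:
        hits.append("hash")
    if ev.dest_ip in KNOWN_IPS:
        hits.append("ip")
    if ev.dest_domain.lower() in KNOWN_DOMAINS:
        hits.append("domain")
    if ev.registry_key.lower().startswith(DEFENDER_POLICY_KEY):
        hits.append("artifact")
    if ev.process.lower() in KNOWN_TOOLS:
        hits.append("tool")
    if ENCODED_PS.search(ev.cmdline):
        hits.append("ttp")
    return hits

def highest_level(ev: Event) -> Optional[str]:
    """The most painful level the event is caught at, or None if it is missed."""
    hits = classify(ev)
    return max(hits, key=LEVELS.index) if hits else None

# Constructed pair: the same tradecraft before and after the attacker rehashes the
# binary, renames the tool and moves to fresh infrastructure.
ORIGINAL = Event(process="mimikatz.exe", md5="44d88612fea8a8f36de82e1278abb02f",
                 cmdline="powershell -nop -w hidden -enc SQBFAFgA",
                 dest_domain="malicious-site.com")
EVOLVED = Event(process="svc_update.exe", md5="d41d8cd98f00b204e9800998ecf8427e",
                cmdline="powershell -nop -w hidden -EncodedCommand SQBFAFgA",
                dest_domain="cdn-updates.example")

if __name__ == "__main__":
    for name, ev in (("original", ORIGINAL), ("evolved", EVOLVED)):
        print(f"{name}: matched {classify(ev)} -> highest level {highest_level(ev)}")
```

Only the TTP rule survives the attacker's cheap changes, which is the pyramid's point: the hash, domain and tool-name rules all go quiet on the evolved event.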

🔥 Cyber Kill Chain

The Cyber Kill Chain is a seven-step framework developed by Lockheed Martin to describe the stages of a cyberattack. It helps SOC analysts, incident responders, and threat hunters identify and stop attacks at different phases.

Understanding the Cyber Kill Chain allows Blue Teams to implement preventive controls and detect attackers earlier in the attack lifecycle.

🔗 Cyber Kill Chain — The 7 Stages

1️⃣ Reconnaissance (Pre-Attack Phase)

  • What Happens? Attackers gather information about the target (domains, employees, network, open ports, etc.).
  • Common Techniques:
    • Open-source intelligence (OSINT)
    • Phishing reconnaissance
    • Social engineering
    • Scanning using Nmap, Shodan, Maltego, Recon-ng
  • SOC Detection & Mitigation:
    ✅ Monitor for unusual recon traffic (e.g., high-volume scanning)
    ✅ Use threat intelligence to block known reconnaissance tools
    ✅ Train employees against social engineering attacks

2️⃣ Weaponization

  • What Happens? Attackers craft exploits, malware, or payloads based on the gathered intel.
  • Common Techniques:
    • Creating malicious documents (e.g., macro-based Word files)
    • Exploit kits (e.g., Metasploit, Cobalt Strike, Empire)
    • Building trojans & backdoors
  • SOC Detection & Mitigation:
    ✅ Use sandboxing to analyze unknown files
    ✅ Deploy endpoint protection (EDR/XDR) to detect payloads
    ✅ Implement email security to scan for weaponized attachments

3️⃣ Delivery

  • What Happens? Attackers deliver the malicious payload to the victim.
  • Common Techniques:
    • Phishing emails with malicious links/attachments
    • Drive-by downloads
    • Watering hole attacks (compromising trusted sites)
    • USB-based attacks
  • SOC Detection & Mitigation:
    ✅ SIEM rules to monitor email attachments & malicious domains
    ✅ Block known malicious IPs, domains, and hashes using threat intelligence
    ✅ Train users on email security & phishing awareness

4️⃣ Exploitation

  • What Happens? The attacker executes the exploit on the target system.
  • Common Techniques:
    • Exploiting unpatched software vulnerabilities (Zero-days, CVEs)
    • Remote Code Execution (RCE)
    • Privilege escalation attacks
  • SOC Detection & Mitigation:
    ✅ Patch vulnerabilities using Vulnerability Management
    ✅ Use Application Whitelisting to block unauthorized scripts
    ✅ Monitor PowerShell, Bash, and command-line execution for suspicious activity

5️⃣ Installation

  • What Happens? Attackers install malware/backdoors for persistence.
  • Common Techniques:
    • Dropping trojans & rootkits
    • Modifying registry for persistence
    • Creating scheduled tasks
  • SOC Detection & Mitigation:
    ✅ EDR/XDR solutions to detect persistence mechanisms
    ✅ SIEM alerts for suspicious registry & process modifications
    ✅ Monitor autorun & startup entries for malicious executables

6️⃣ Command & Control (C2)

  • What Happens? The attacker establishes a communication channel to control the compromised system.
  • Common Techniques:
    • Using C2 frameworks (Cobalt Strike, Empire, Metasploit)
    • DNS Tunneling & Encrypted C2
    • HTTP/S & custom protocols for exfiltration
  • SOC Detection & Mitigation:
    ✅ Network Traffic Analysis (NTA) to detect abnormal C2 traffic
    ✅ Use Threat Intelligence to block known C2 domains & IPs
    ✅ Implement DNS filtering & behavioral analysis

7️⃣ Actions on Objectives (Exfiltration, Impact, or Lateral Movement)

  • What Happens? Attackers steal data, encrypt files (ransomware), or move laterally across networks.
  • Common Techniques:
    • Data Exfiltration via FTP, HTTP, or Cloud Services
    • Ransomware Encryption
    • Lateral Movement using RDP, SMB, Mimikatz
  • SOC Detection & Mitigation:
    ✅ DLP (Data Loss Prevention) policies to prevent unauthorized transfers
    ✅ Monitor PowerShell, RDP, SMB, and Kerberos abuse
    ✅ SIEM detections for large outbound data transfers

🛡️ How a SOC Uses the Cyber Kill Chain

1️⃣ Threat Hunting — Find attacker behavior at different stages.
2️⃣ Incident Response (IR) — Contain threats before they reach objectives.
3️⃣ SIEM & SOAR — Automate alerts & remediation for faster response.
4️⃣ Threat Intelligence — Block known indicators before they cause damage.
5️⃣ Red Team vs. Blue Team (Purple Teaming) — Test & improve defenses.

🔥 Unified Kill Chain — A Complete Attack Lifecycle Model

The Unified Kill Chain (UKC) expands on Lockheed Martin’s Cyber Kill Chain by incorporating MITRE ATT&CK tactics and real-world APT attack methodologies. It provides a more comprehensive view of modern cyberattacks, making it highly useful for SOC analysts, threat hunters, and incident responders.

📌 Why UKC over Cyber Kill Chain?

  • The Cyber Kill Chain is linear, focusing on perimeter defense.
  • The Unified Kill Chain is non-linear, covering persistent threats, lateral movement, and defense evasion.
  • UKC combines Cyber Kill Chain, MITRE ATT&CK, and other threat models into a unified framework.

🔗 Unified Kill Chain — The 18 Attack Phases

The Unified Kill Chain categorizes attacks into three high-level objectives:

1️⃣ Initial Foothold (1–7) — Gaining Access
2️⃣ Network Propagation (8–14) — Lateral Movement & Control
3️⃣ Action on Objectives (15–18) — Achieving Attacker Goals

🔥 1️⃣ Initial Foothold (Attack Begins)

The attacker gains initial access through phishing, exploiting vulnerabilities, or compromised credentials.

Phase | Description | Common Attacks
1. Reconnaissance | Gathering intelligence on the target | OSINT, Google Dorking, Shodan, WHOIS
2. Initial Compromise | Gaining access to target systems | Phishing, Exploit kits, Drive-by downloads
3. Establish Foothold | Deploying malware, web shells, or backdoors | Remote access trojans (RATs), C2 implants
4. Escalate Privileges | Gaining higher-level access | Privilege escalation exploits, stolen credentials
5. Defense Evasion | Avoiding detection by security tools | Obfuscation, rootkits, disabling logs
6. Credential Access | Stealing valid credentials | Keylogging, dumping hashes (Mimikatz), brute force
7. Discovery | Scanning internal networks for targets | Nmap, BloodHound, ping sweeps

🔥 2️⃣ Network Propagation (Spreading Across Systems)

The attacker moves laterally within the environment and expands control.

Phase | Description | Common Attacks
8. Lateral Movement | Expanding control across the network | Pass-the-Hash, RDP, PsExec, SMB exploitation
9. Persistence | Ensuring continued access after reboots | Scheduled tasks, registry keys, DLL hijacking
10. Internal Reconnaissance | Mapping internal assets & privileges | AD enumeration, LDAP queries
11. Pivoting | Using compromised systems to attack others | SSH tunneling, SOCKS proxies
12. Privilege Escalation (Domain Level) | Becoming a domain admin or high-privileged user | Kerberoasting, Golden Ticket, SID history injection
13. Credential Theft | Dumping more credentials from compromised systems | LSASS dumping, NTDS.dit extraction
14. Maintain Control | Keeping access to the environment long-term | Alternate backdoors, redundant access

🔥 3️⃣ Actions on Objectives (Final Attack Goals)

The attacker executes their final mission: data theft, destruction, or system takeover.

Phase | Description | Common Attacks
15. Data Collection | Gathering sensitive information | Database queries, file exfiltration
16. Data Exfiltration | Stealing or transferring stolen data | Cloud uploads, encrypted transfers
17. Impact & Disruption | Destroying, modifying, or encrypting data | Ransomware, Wiper malware
18. Attack Success | Achieving the final objective | Financial theft, espionage, system takeover

🛡️ SOC & Blue Team Strategy Against UKC Attacks

🔹 1. Early Detection (Prevent Initial Foothold)

✅ Use SIEM alerts for phishing, scanning, and brute force attacks.
✅ Implement Multi-Factor Authentication (MFA) to block credential-based attacks.
✅ Deploy Endpoint Detection & Response (EDR/XDR) for malware detection.

🔹 2. Prevent Lateral Movement

✅ Monitor Active Directory logs for unusual access attempts.
✅ Detect PowerShell, PsExec, and RDP abuse in logs & network traffic.
✅ Use micro-segmentation & least privilege to limit attacker movement.

🔹 3. Stop Data Theft & Ransomware

✅ Implement Data Loss Prevention (DLP) to stop exfiltration.
✅ Monitor anomalous file transfers to cloud services or external storage.
✅ Backup & Encrypt critical data to prevent destruction.

📌 Unified Kill Chain vs. Other Models

Framework | Focus | Pros | Cons
Cyber Kill Chain | Perimeter security & attack lifecycle | Good for early-stage attacks | Lacks internal attack details
MITRE ATT&CK | Specific TTPs used by attackers | Most detailed for real-world APTs | Complex & requires mapping
Unified Kill Chain | Complete attack lifecycle from start to finish | Covers all phases of modern attacks | Requires deep monitoring & correlation

🔹 Diamond Model

The Diamond Model of Intrusion Analysis is a cyber threat intelligence (CTI) framework used to analyze and track cyberattacks. It helps SOC analysts, threat hunters, and incident responders understand adversary tactics, techniques, and procedures (TTPs) and connect different attack components into a structured format.

📌 Why is the Diamond Model Important?

  • Maps attacker behaviors to cybersecurity events.
  • Connects multiple intrusions from the same attacker.
  • Helps in threat hunting and proactive defense.
  • Useful for incident response and forensic analysis.

🔷 The Four Core Elements of the Diamond Model

Every cyberattack involves four key components:

1️⃣ Adversary (Who?)

The threat actor or group responsible for the attack.
🛠️ Examples: APT29 (Cozy Bear), Lazarus Group, Ransomware gangs.

2️⃣ Capability (How?)

The tools, malware, or exploits used by the adversary.
🛠️ Examples:

  • Malware — Emotet, Cobalt Strike, Mimikatz
  • Exploits — CVE-2023-23397 (Outlook Zero-Day)
  • Tactics — Phishing, Supply Chain Attacks

3️⃣ Infrastructure (Where?)

The command and control (C2) servers, IP addresses, or phishing domains used to carry out the attack.
🛠️ Examples:

  • C2 Servers — malicious-server.com, 192.168.1.10
  • Botnets — TrickBot, QakBot
  • Compromised Infrastructure — Hacked websites, cloud services

4️⃣ Victim (Target?)

The individual, organization, or system being attacked.
🛠️ Examples:

  • Government agencies
  • Financial institutions
  • Critical infrastructure (Energy, Healthcare, etc.)

🔗 Relationships: Each element is linked, allowing SOC analysts to correlate multiple attack incidents and track threat actors more efficiently.

🔥 Real-World Example: APT Attack Using Diamond Model

🎯 Case Study: SolarWinds Attack (APT29)

Diamond Model Element | Example from SolarWinds Attack
Adversary | APT29 (Cozy Bear — Russian state-sponsored group)
Capability | SUNBURST malware, supply chain attack
Infrastructure | Compromised SolarWinds Orion software updates, C2 domains like avsvmcloud.com
Victim | U.S. government agencies, tech companies, cybersecurity firms

🔍 Diamond Model for Threat Hunting

SOC analysts can use the Diamond Model to hunt for threats based on different elements:
✔ Hunting based on Infrastructure: Search SIEM logs for malicious IPs/domains linked to known attacks.
✔ Hunting based on Capability: Look for malware YARA rules, MITRE ATT&CK TTPs in EDR/SIEM.
✔ Hunting based on Adversary: Track APT groups and their evolving techniques.
✔ Hunting based on Victim Profile: Predict potential targets based on industry trends.

🛡️ SOC & Blue Team Strategy with Diamond Model

✅ Use Threat Intelligence Feeds to track adversaries and their infrastructure.
✅ Map attack patterns in SIEM using MITRE ATT&CK and correlate logs.
✅ Block known malicious infrastructure (IPs, Domains, Hashes) in firewalls & EDR.
✅ Analyze attack campaigns by linking multiple intrusion events.
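An added example, not part of the original article, of the "linking multiple intrusion events" step above: constructed intrusion events carrying the four Diamond vertices are grouped into activity threads by pivoting on shared capability or infrastructure, and an adversary already attributed to one event becomes a lead for the others in its thread. Only avsvmcloud.com comes from the text's SolarWinds example; every other value is a placeholder.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class DiamondEvent:
    """One intrusion event described by the four Diamond Model vertices."""
    event_id: str
    adversary: str       # "unknown" when attribution has not been made yet
    capability: str      # malware family, tool or exploit
    infrastructure: str  # C2 domain or IP address
    victim: str

# Constructed sample events. Only avsvmcloud.com is taken from the SolarWinds
# example in the text; the other values are placeholders.
EVENTS = [
    DiamondEvent("E1", "unknown", "SUNBURST", "avsvmcloud.com", "gov-agency-a"),
    DiamondEvent("E2", "APT29", "SUNBURST", "c2-alpha.example", "tech-vendor-b"),
    DiamondEvent("E3", "unknown", "Cobalt Strike", "c2-alpha.example", "security-firm-c"),
    DiamondEvent("E4", "unknown", "Emotet", "198.51.100.7", "bank-d"),
    DiamondEvent("E5", "unknown", "QakBot", "198.51.100.7", "bank-e"),
]

def _find(parent: Dict[str, str], x: str) -> str:
    """Union-find root lookup with path compression."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x

def link_events(events: List[DiamondEvent],
                pivots=("capability", "infrastructure")) -> List[List[str]]:
    """Group events into activity threads: two events join the same thread when
    they share a value on any pivot vertex, transitively (E1-E2 via capability
    and E2-E3 via infrastructure put all three in one thread)."""
    parent = {e.event_id: e.event_id for e in events}
    first_seen: Dict[tuple, str] = {}
    for e in events:
        for vertex in pivots:
            key = (vertex, getattr(e, vertex).lower())
            if key in first_seen:
                parent[_find(parent, e.event_id)] = _find(parent, first_seen[key])
            else:
                first_seen[key] = e.event_id
    threads = defaultdict(list)
    for e in events:
        threads[_find(parent, e.event_id)].append(e.event_id)
    return sorted(sorted(t) for t in threads.values())

def propose_attribution(events: List[DiamondEvent]) -> Dict[str, List[str]]:
    """Per event, the adversaries already attributed anywhere in its thread;
    this is a lead for the analyst to confirm, not an automatic verdict."""
    by_id = {e.event_id: e for e in events}
    result = {}
    for thread in link_events(events):
        known = sorted({by_id[i].adversary for i in thread
                        if by_id[i].adversary != "unknown"})
        for i in thread:
            result[i] = known or ["unattributed"]
    return result

if __name__ == "__main__":
    for thread in link_events(EVENTS):
        print("thread:", thread)
    print(propose_attribution(EVENTS))
```

Restricting the pivots (for example to infrastructure only) shows how much of the linkage depends on each vertex, which is useful when one edge, such as a shared commodity tool, is too weak to pivot on alone.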

🔹 MITRE ATT&CK Framework

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a comprehensive framework that maps out real-world adversary behavior in cyberattacks. It is widely used in SOC (Security Operations Center), threat hunting, incident response, and red teaming.

📌 Why is MITRE ATT&CK Important?
✅ Standardizes attack techniques for SOC & threat intelligence teams.
✅ Helps in detection engineering, threat hunting, and incident response.
✅ Maps adversary behavior from initial access to data exfiltration.
✅ Enhances SIEM and EDR detection rules using TTPs (Tactics, Techniques, and Procedures).

🛠️ MITRE ATT&CK Core Components

MITRE ATT&CK is structured into:
1️⃣ Tactics (The “Why”) — High-level goals of an adversary.
2️⃣ Techniques (The “How”) — Methods used to achieve the goal.
3️⃣ Procedures (The “What”) — Real-world implementation of a technique.

🔹 1️⃣ Tactics — The “Why” of an Attack

Tactics define the attacker’s objective at each stage of an intrusion.

  • Reconnaissance 🕵️ — Gathering information (OSINT, scanning).
  • Initial Access 🔑 — Gaining entry (phishing, exploits).
  • Execution 🏴 — Running malicious code (PowerShell, macros).
  • Persistence ⏳ — Maintaining access (backdoors, scheduled tasks).
  • Privilege Escalation 🔼 — Gaining higher privileges (exploits, credentials).
  • Defense Evasion 🛡️ — Bypassing security (obfuscation, disabling AV).
  • Credential Access 🔐 — Stealing passwords (keylogging, dumping hashes).
  • Discovery 🔍 — Identifying systems and data (network scans, AD enumeration).
  • Lateral Movement 🔄 — Expanding access (RDP, Pass-the-Hash).
  • Collection 📥 — Gathering target data (screenshot capture, file theft).
  • Exfiltration 🚀 — Sending data outside (C2 channels, email exfiltration).
  • Impact 💥 — Destroying or altering systems (ransomware, wiper malware).

🔹 2️⃣ Techniques & Sub-Techniques — The “How” of an Attack

Techniques describe how an adversary achieves a specific tactic.
Example:

  • Tactic: Initial Access
  • Technique: Phishing (T1566)
  • Sub-Technique: Spearphishing Attachment (T1566.001)
  • Sub-Technique: Spearphishing Link (T1566.002)

Each Technique has:
✔ Detection Suggestions (SIEM queries, logs).
✔ Mitigation Strategies (EDR rules, hardening).
✔ Examples of Use (real-world APT cases).

🔹 3️⃣ Procedures — The “What” of an Attack

Procedures show real-world implementations of a technique by different adversaries.

Example:

  • Technique: Credential Dumping (T1003)
  • Procedure: Mimikatz is used to extract NTLM hashes from LSASS.

📌 MITRE ATT&CK Matrices

MITRE ATT&CK provides different matrices for specific environments:

🔷 1. Enterprise ATT&CK

  • Focuses on Windows, Linux, macOS, Cloud, Containers, and SaaS.
  • Used for SOC monitoring, SIEM detection, and threat hunting.

🔷 2. Mobile ATT&CK

  • Covers Android & iOS attack techniques (e.g., mobile malware, MITM).

🔷 3. ICS ATT&CK

  • Focuses on Industrial Control Systems (SCADA, PLC, IoT threats).

🚀 MITRE ATT&CK in Action: APT Case Study

🔴 Case: Conti Ransomware Attack

MITRE ATT&CK Technique | Real-World Example
Initial Access (T1566.001) | Phishing email with malicious document
Execution (T1204.002) | User opens a weaponized Excel macro
Privilege Escalation (T1055) | Uses Process Injection to evade detection
Credential Access (T1003) | Steals credentials via Mimikatz
Lateral Movement (T1021.001) | Uses RDP to spread across the network
Impact (T1486) | Encrypts files and drops ransom note

🛡️ SOC Response:

  • Detect phishing indicators in email security tools.
  • Monitor PowerShell execution in SIEM & EDR.
  • Block credential dumping attempts via YARA rules.
  • Limit RDP access to prevent lateral movement.

🔥 How to Integrate MITRE ATT&CK in Your SOC?

✅ SIEM Mapping: Convert ATT&CK TTPs into detection rules.
✅ Threat Intelligence: Track APT groups using ATT&CK techniques.
✅ Purple Teaming: Simulate ATT&CK techniques for testing defenses.
✅ Incident Response: Use ATT&CK mapping for rapid triage.
✅ SOC Training: Teach analysts how to recognize ATT&CK patterns.
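An added example (not code from the original article or from MITRE) of the "SIEM Mapping" item: four detection rules tagged with ATT&CK technique IDs run over constructed Sysmon-style log lines, and a coverage report groups the Conti case-study chain by tactic so the undetected stages stand out; it also serves the Cyber Kill Chain items on monitoring PowerShell, LSASS and RDP. The rule logic and the key=value field names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Technique -> tactic for the technique IDs named on the page.
TECHNIQUE_TACTIC = {"T1566": "Initial Access", "T1204": "Execution",
                    "T1055": "Privilege Escalation", "T1003": "Credential Access",
                    "T1021": "Lateral Movement", "T1486": "Impact"}

def parent_technique(tid):
    """T1566.001 -> T1566; a parent technique ID is returned unchanged."""
    m = re.fullmatch(r"(T\d{4})(?:\.\d{3})?", tid)
    if not m:
        raise ValueError(f"not an ATT&CK technique id: {tid}")
    return m.group(1)

# Rules keyed by the technique they cover, as predicates over a parsed event.
# Fields follow Sysmon (1 process create, 8 CreateRemoteThread, 10 process access)
# and Windows logon event 4624; the exact field names are an assumption.
RULES = {
    # Office application spawning a scripting host (the weaponized macro step)
    "T1204.002": lambda e: e.get("event") == "1"
                 and e.get("parent") in {"excel.exe", "winword.exe"}
                 and e.get("image") in {"cmd.exe", "powershell.exe", "wscript.exe"},
    # Remote thread created in a different process
    "T1055": lambda e: e.get("event") == "8" and e.get("image") != e.get("target"),
    # Handle to LSASS opened with dump-capable access rights
    "T1003": lambda e: e.get("event") == "10" and e.get("target") == "lsass.exe"
             and e.get("access") in {"0x1010", "0x1fffff"},
    # Interactive remote logon (logon type 10 = RDP)
    "T1021.001": lambda e: e.get("event") == "4624" and e.get("logon_type") == "10",
}

# Constructed key=value log lines; not real telemetry.
LOGS = """\
event=1 image=powershell.exe parent=excel.exe user=alice
event=10 image=procdump.exe target=lsass.exe access=0x1fffff user=alice
event=8 image=rundll32.exe target=explorer.exe user=alice
event=4624 logon_type=10 user=alice src=10.0.0.5
event=1 image=notepad.exe parent=explorer.exe user=bob
""".splitlines()

def parse(line):
    return dict(re.findall(r"(\w+)=(\S+)", line))

def run_detections(lines, rules=RULES):
    """Technique ID -> 1-based line numbers of the events its rule matched."""
    hits = defaultdict(list)
    for n, line in enumerate(lines, 1):
        ev = parse(line)
        for tid, pred in rules.items():
            if pred(ev):
                hits[tid].append(n)
    return dict(hits)

def tactic_coverage(chain, rules=RULES):
    """Per tactic, which techniques in a case-study chain have a rule (matched at
    parent-technique level), so detection gaps show up per attack stage."""
    covered = {parent_technique(t) for t in rules}
    report = defaultdict(dict)
    for tid in chain:
        report[TECHNIQUE_TACTIC[parent_technique(tid)]][tid] = parent_technique(tid) in covered
    return dict(report)

# Technique chain of the Conti case study in the text.
CONTI_CHAIN = ["T1566.001", "T1204.002", "T1055", "T1003", "T1021.001", "T1486"]
```

Running `tactic_coverage(CONTI_CHAIN)` reports Initial Access (T1566.001) and Impact (T1486) as uncovered, which is exactly the gap list a SOC would hand to its detection engineers.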


Full Story: https://medium.com/@CyberMystic-Jude/cyber-defence-frameworks-e870fc0cb8e4?source=rss——cybersecurity-5