Skip to content

Cybersecurity Frameworks in the SOC

Read about four common cybersecurity frameworks used in the SOC: NIST, Cyber Kill Chain, MITRE ATT&CK, and Unified Kill Chain.

What are SOC frameworks?

Cybersecurity frameworks are a must-have in modern SOCs faced with complex attacks. SOCs use frameworks to guide their approach to and understanding of attack and defense strategies and manage and reduce cyber risk to continuously improve operations. For example, many advanced SOCs integrate adversarial models, such as the MITRE ATT&CK framework, into analyst workflows to provide automation that informs investigations, placing the SOC one step ahead in stonewalling attacks.

4 Common SOC Frameworks

Below are the four most common frameworks we see deployed by security operations teams.

Framework #1

NIST Cybersecurity Framework

The NIST Cybersecurity Framework (CSF) is a key reference point for standards, guidelines, and best practices for managing the threat lifecycle. The SOC can apply this framework to guide, assess, improve, and deliver on key security metrics and establish a mature approach to securing the enterprise. NIST CSF is a functional starting place to begin to build an enterprise cybersecurity strategy.

The NIST Framework is comprised of five functions:


Gain a complete understanding of your people, physical and digital assets, risks and vulnerabilities, and defense systems.


Establish a layered and diverse approach to defending the business, while also being ready to respond to any attack.


Implement technologies and practices for quickly detecting true positive events across all security data.


React appropriately to an incident and keep it from becoming a serious breach.


Return the organization to its original state by planning for resilience, and implement new preventative measures to safeguard against a repeat attack.

Framework #2

Cyber Kill Chain (CKC)

The Cyber Kill Chain, one of many frameworks or models to consider in security operations, was created by computer scientists at Lockheed Martin. The model describes a phased approach to end-to-end cyber attack detection and prevention based on the choreographed movements of a standard threat actor. The kill chain is a foundational archetype; however, the first stage is difficult to detect, and it does not accommodate attacks that begin inside the perimeter.


The threat actor stealthily gathers intel on the organization to achieve its objective. This often includes a combination of tactics to determine the ideal target and identify vulnerabilities, from observing the building’s physical security measures to researching employees on social media.


In this stage, the actor develops an exploit, such as a new strain of malware hosted on a hijacked domain to attack an organization by targeting specific vulnerabilities.


Next, the threat actor packages and delivers the malware


At this point, the malware “weapon” is triggered to exploit the target vulnerability of the system, network, application, or policy.


The malware is installed on the target device or system as a result, while the attacker takes steps to penetrate the organization’s defenses and maintain access.

Command & control

The compromised system then communicates with Command and Control (C&C) to enable remote access to the network, officially letting the malicious actor gain control.

Actions on objectives

The threat actor has achieved its end goal and can now do its dirty work

Building the Modern SOC – a four step approach

Framework #3


The MITRE ATT&CK framework is a model of various observable adversarial behaviors used to intelligently identify “right of bang” tactics—tactics after an attack has begun. It addresses four key use cases: threat intelligence; detection and analytics; adversary emulation and red teaming; and assessment and engineering. The tactics are defined as the objective of the actor, and techniques are the method of getting there. The MITRE framework uses evidence from past attacks to get inside the head of the attacker with a detailed understanding of how these tactics manifest, techniques used, potential response steps, and useful data sources for in-depth analysis.


The 12 tactics addressed by MITRE ATT&CK Framework include:

1) Initial access

Initial access the act of sidling past the network’s defenses to get a foothold in the environment, using techniques such as whaling.

2) Execution

Execution of malicious code enables actors to penetrate deeper into the network and move towards their objective.

3) Persistence

Persistence enables an actor to linger in a system or network, buying time to execute their plan despite potential interruptions.

4) Privilege escalation

Privilege escalation provides the attacker with a greater range of motion and control in the network through admin level access Stealing a user’s credentials is a prime example of privilege escalation.

5) Defense evasion

Defense evasion tactics, like masquerading, are an attempt to go undetected in the network.

6) Credential access

Credential access allows bad actors to gain the access and control they need to achieve their objectives.

7) Discovery

Discovery involves gaining an understanding of the operating system and network to inform the attack plan.

8) Lateral movement

Lateral movement is the method of snaking through a system or network to get to the critical data or target objective.

9) Collection

Collection refers to the identification and collection of prized data, to then exfiltrate it.

10) Command & control

Command & control or “C2”, the actor takes remote control of a network through an already-compromised system.

11) Exfiltration

Exfiltration is the ultimate goal of removing sensitive, highly-coveted data from a target network or system for malicious purposes, like re-sale on the black market.

12) Impact

Impact on the business is another key objective, disrupting the integrity and availability of data, services, and systems.

Framework #4

Unified Kill Chain (UKC)

The Unified Kill Chain melds the MITRE ATT&CK framework and Cyber Kill Chain captures the advantages of each model to overcome common critiques of the kill chain. The comprehensive UKC expands the potential attack phases to eighteen, and breaks those phases into three fundamental steps: initial foothold, network propagation, and action on objectives. This revised model provides a more detailed, accurate, and time-oriented approach to end-to-end cybersecurity. The evolving nature of security frameworks is a testament to the industry’s need for adaptability in a constantly changing, high-stakes domain.

Like what you’re reading?

Subscribe to receive monthly, weekly, or daily blog updates.