Salesforce Security: Leveraging the Power of the Cyber Kill Chain and MITRE Att&ck Framework

Reading time: 5 min


  • 25/04/2023

In today's digital world, security is a top priority for businesses and individuals alike.

The threat landscape is constantly evolving and creating new challenges for defenders to keep up with — making it more important than ever to have a comprehensive security strategy in place that can adapt to each new threat.

When it comes to protecting your Salesforce environment, it's crucial to have a well-thought-out strategy that can help you identify and mitigate threats as quickly as possible. The Cyber Kill Chain and the MITRE Att&ck framework are two excellent tools that can help you do just that. In this post, we'll explain what these frameworks are and how they can be used in conjunction with each other to better protect your Salesforce environment. Let's dive in!

Understanding the Cyber Kill Chain

The Cyber Kill Chain is a framework that was developed by Lockheed Martin in 2011 to outline the stages of a cyberattack and provide a roadmap for understanding and preventing such attacks. The framework consists of seven stages that an attacker goes through to successfully complete an attack: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives.

The Cyber Kill Chain is valuable for organizations because it helps them understand how attackers operate and where they might be vulnerable. By breaking down an attack into its individual stages, organizations can take proactive steps to prevent or disrupt the attack at each stage.

Exploring the MITRE Att&ck Framework

The MITRE Att&ck Framework is a knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations of cyber attacks. The framework was developed by the MITRE Corporation, a non-profit organization that operates federally funded research and development centers (FFRDCs) in the United States.

The MITRE Att&ck Framework is organized into several matrices, each of which represents a specific platform or domain. For example, there are matrices for Windows, Linux, macOS, mobile devices, Office 365 and SaaS. Within each matrix, there are several tactics that an attacker might use. For the SaaS matrix, the tactics are as follows:

  1. Initial access
  2. Execution
  3. Persistence
  4. Privilege escalation
  5. Defense evasion
  6. Credential access
  7. Discovery
  8. Lateral movement
  9. Collection
  10. Impact

Each tactic comes with a list of cloud-based techniques, the procedures observed for each, and a list of mitigations. This is the framework's biggest advantage — it is comprehensive and kept up to date. That can be crucial for organizations working to improve their security posture, as it lets them see all of the possible vectors an attacker could use to infiltrate their environment.

The Cyber Kill Chain vs. The MITRE Att&ck Framework

Though some people may see the Cyber Kill Chain and MITRE Att&ck Framework as competing models, they should be viewed more as complementary to each other. By combining aspects from both frameworks, organizations can gain a better understanding of the full scope of their security posture and where they need to focus their efforts.

For instance, while the Cyber Kill Chain is perimeter- and malware-focused, the MITRE Att&ck framework covers attack vectors that occur behind the organizational perimeter. The Unified Kill Chain, which merges and extends both models, recognizes the role of users in social engineering attacks, models the importance of choke points in attacks, sheds light on the overall objectives of threat actors and covers the compromise of integrity and availability. Its steps are as follows:

1. Reconnaissance
2. Resource development
3. Delivery
4. Social engineering
5. Exploitation
6. Persistence
7. Defense evasion
8. Command and control
9. Pivoting
10. Discovery
11. Privilege escalation
12. Execution
13. Credential access
14. Lateral movement
15. Collection
16. Exfiltration
17. Impact
18. Objectives

The inclusion of social engineering in the Unified Kill Chain is an important development. While neither the Cyber Kill Chain nor the MITRE Att&ck framework addresses it specifically, its inclusion draws attention to non-technical factors that can help companies better understand the objectives of threat actors.

This model provides valuable insights into the tactics that attackers use in advanced cyber attacks and the order in which they occur. The Unified Kill Chain's phases can be used to describe attacker behavior in an individual cyber attack or the tactical modus operandi of a specific threat actor. By placing the phases in the right order, organizations can gain better insight into the threat landscape and develop a defense strategy accordingly.


WithSecure™ Cloud Protection for Salesforce

WithSecure™ Cloud Protection for Salesforce is a powerful security solution designed to protect against advanced cyber threats, such as ransomware, zero-day malware, viruses, trojans and phishing links. Developed in collaboration with Salesforce, it complements the platform's native security capabilities, scans URLs every time they're clicked and is ISO 27001 and ISAE 3000 (SOC 2) certified.

Don't let cybercriminals steal your data and compromise your business. Get in touch with us today to learn more about our advanced cloud security solutions.