Introduction to Microsoft Defender

Threat Landscape & Attack Frameworks

20 mins

Understanding the Concept

Understanding the modern threat landscape is essential for effective security operations. Common threat actors include nation-state groups (APTs), cybercrime organizations (ransomware-as-a-service), hacktivists, and insider threats. Each has different motivations, capabilities, and tactics.

The MITRE ATT&CK framework is the industry-standard knowledge base of adversary tactics and techniques. It organizes attack behaviors into a matrix covering initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, exfiltration, and command & control.

The Cyber Kill Chain model (Lockheed Martin) describes the stages of a cyberattack: reconnaissance, weaponization, delivery, exploitation, installation, command & control, and actions on objectives. Microsoft Defender maps detections to both MITRE ATT&CK and Kill Chain stages.

Key Points

  • Threat actors: nation-states (APT), cybercriminals, hacktivists, insiders
  • MITRE ATT&CK: comprehensive matrix of adversary tactics and techniques
  • Cyber Kill Chain: 7-stage model of attack progression
  • Microsoft Defender maps alerts to MITRE ATT&CK techniques
  • Threat intelligence informs detection rules and hunting queries

Cyber Kill Chain Stages

  • Step 1, Reconnaissance: attacker gathers information about the target
  • Step 2, Weaponization: malware or exploit payload is created
  • Step 3, Delivery: payload delivered via email, web, or USB
  • Step 4, Exploitation: vulnerability exploited to gain access
  • Step 5, C2 & Actions: remote control established, objectives executed

Why This Matters in Real Organizations

Defenders who understand attacker tactics can anticipate and disrupt attacks at multiple stages. Mapping detections to MITRE ATT&CK helps identify coverage gaps. Without this understanding, SOC teams react to individual alerts without seeing the bigger threat picture.
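The coverage-gap analysis described above, as an added example that is not part of this course's material: the script extracts ATT&CK technique IDs from constructed alert records shaped like Defender's AlertInfo rows (the AttackTechniques field is assumed to hold a JSON array of "Name (Txxxx)" strings) and reports which ATT&CK tactics have no detection at all. The technique-to-tactic map is an abbreviated, constructed subset that assigns each technique a single primary tactic.

```python
import json
import re
from collections import defaultdict

# Constructed sample alerts modelled on Defender AlertInfo rows (assumed shape).
SAMPLE_ALERTS = [
    {"Title": "Suspicious email attachment", "AttackTechniques": '["Phishing (T1566)"]'},
    {"Title": "Credential dump attempt", "AttackTechniques": '["OS Credential Dumping (T1003)"]'},
    {"Title": "Unusual remote session", "AttackTechniques": '["Remote Services (T1021)"]'},
    {"Title": "Scheduled task created", "AttackTechniques": '["Scheduled Task/Job (T1053)"]'},
]

# Constructed, abbreviated technique-to-primary-tactic map (real ATT&CK has hundreds).
TECHNIQUE_TACTIC = {
    "T1566": "initial-access",
    "T1003": "credential-access",
    "T1021": "lateral-movement",
    "T1053": "persistence",
    "T1041": "exfiltration",
    "T1071": "command-and-control",
}

# The tactic columns named in the lesson, in matrix order.
TACTICS = ["initial-access", "execution", "persistence", "privilege-escalation",
           "defense-evasion", "credential-access", "discovery", "lateral-movement",
           "collection", "exfiltration", "command-and-control"]

# Matches "(T1566)" or a sub-technique such as "(T1566.001)".
TECH_ID = re.compile(r"\(T\d{4}(?:\.\d{3})?\)")

def technique_ids(alert):
    """Extract parent technique IDs (e.g. T1566) from an alert's AttackTechniques field."""
    names = json.loads(alert.get("AttackTechniques") or "[]")
    ids = []
    for name in names:
        match = TECH_ID.search(name)
        if match:
            ids.append(match.group(0).strip("()").split(".")[0])  # sub-technique -> parent
    return ids

def coverage_by_tactic(alerts):
    """Return {tactic: sorted technique IDs with at least one alert}; every tactic is present."""
    covered = defaultdict(set)
    for alert in alerts:
        for tid in technique_ids(alert):
            covered[TECHNIQUE_TACTIC.get(tid, "unknown")].add(tid)
    return {tactic: sorted(covered[tactic]) for tactic in TACTICS}

def coverage_gaps(alerts):
    """Tactics with no observed detection at all: the gaps a SOC should review first."""
    return [tactic for tactic, ids in coverage_by_tactic(alerts).items() if not ids]
```

On the constructed sample this reports seven tactics with no detection, which is the kind of result a team would feed back into detection engineering and hunting priorities.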

Common Mistakes to Avoid

  • Focusing only on malware detection instead of understanding adversary behavior
  • Not mapping security controls to MITRE ATT&CK for coverage analysis
  • Ignoring insider threats as a significant attack vector
  • Treating the kill chain as linear when modern attacks are often non-linear

Interview Tips

  • Demonstrate knowledge of MITRE ATT&CK tactics and common techniques
  • Discuss how threat intelligence informs detection and hunting
  • Reference specific threat actor groups relevant to your industry

Exam Tips (SC-200)

  • Know how Microsoft Defender maps alerts to MITRE ATT&CK
  • Understand the kill chain stages and where each Defender product provides coverage
  • Be familiar with common attack techniques like phishing, credential theft, lateral movement
