
Skill Guide

Social engineering attack taxonomy and kill-chain mapping (MITRE ATT&CK T1566, T1598, T1204)

The systematic classification of human-targeted deception tactics and their mapping to the MITRE ATT&CK framework, specifically covering phishing (T1566), phishing for information (T1598), and user execution (T1204), to model attacker workflows and inform defensive controls.

This skill enables organizations to preemptively identify and disrupt adversary human-exploitation pathways, directly reducing breach probability and financial loss from credential compromise and initial access. It transforms reactive security awareness into a proactive, intelligence-driven defense posture aligned with real-world threat actor behavior.

How to Learn Social engineering attack taxonomy and kill-chain mapping (MITRE ATT&CK T1566, T1598, T1204)

Master the core definitions: differentiate phishing, spear phishing, vishing, smishing, pretexting, baiting, and tailgating. Understand the basic kill-chain concept (Lockheed Martin's seven phases, or the ATT&CK tactic sequence from Reconnaissance through Impact). Learn the definitions and sub-techniques of T1566 (Phishing, Initial Access tactic), T1598 (Phishing for Information, Reconnaissance tactic), and T1204 (User Execution, Execution tactic). The tactic placement is the quickest way to tell them apart: T1598 collects information such as credentials before any access exists, T1566 delivers the file or link that creates access, and T1204 is the victim's act of opening that file or link so adversary code runs.
Apply the taxonomy to real incidents: analyze breach reports (e.g., the Verizon DBIR) and map each social engineering vector to its ATT&CK technique. Practice building mini kill chains: trace a phishing email from delivery to payload execution, recording the evidence for each step. Common mistake: conflating T1598 (harvesting credentials or other information via phishing) with T1566 (delivering a payload via phishing). A link whose only purpose is a fake login page is T1598.003 (Spearphishing Link under Phishing for Information), not T1566.002; T1566.002 applies when the link leads to code execution or to a consent or device-code grant that yields access.
Design detection and response logic: develop analytics that correlate multiple low-fidelity signals (e.g., an inbound attachment from an untrusted sender followed within minutes by an Office process spawning a shell on that user's endpoint, or an unusual login location shortly after a reported click) into a high-confidence alert for a T1566 -> T1204 chain. Align defensive controls (email filtering, UEBA, EDR) to specific points in the kill chain so that control efficacy can be measured and reported per technique. Mentor others by running tabletop exercises that simulate multi-stage social engineering campaigns.
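The correlation described above, as an added example that is not part of the original guide: a small Python analytic joins a constructed email-gateway log with constructed EDR process events on user and time window, and raises an alert only when a macro-capable attachment from an untrusted sender is followed by an Office application spawning a shell. The log field names, the process lists and the 30-minute window are this example's assumptions, not any product's schema.

```python
"""Correlate an email-gateway attachment event with an EDR process event for the
same user inside a time window, producing a T1566.001 -> T1204.002 alert.
Added example: the event shapes below are constructed, not from a real product."""
from datetime import datetime, timedelta

# Constructed sample events (assumed field names; not real gateway or EDR output).
GATEWAY_EVENTS = [
    {"ts": "2024-03-04T09:02:11", "user": "j.doe", "sender": "billing@vendor-invoices.example",
     "attachment": "Invoice_2291.docm", "sender_trusted": False},
    {"ts": "2024-03-04T09:10:40", "user": "a.smith", "sender": "hr@corp.example",
     "attachment": "Policy.pdf", "sender_trusted": True},
]
EDR_EVENTS = [
    {"ts": "2024-03-04T09:05:03", "user": "j.doe", "host": "WS-0142",
     "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell -nop -w hidden -enc aQBlAHgA"},
    {"ts": "2024-03-04T09:12:30", "user": "a.smith", "host": "WS-0077",
     "parent": "AcroRd32.exe", "image": "AcroRd32.exe", "cmdline": "AcroRd32.exe Policy.pdf"},
    {"ts": "2024-03-04T15:41:00", "user": "j.doe", "host": "WS-0142",
     "parent": "explorer.exe", "image": "powershell.exe", "cmdline": "powershell Get-Date"},
]

OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
SHELL_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".doc", ".xls")


def parse_ts(s):
    return datetime.fromisoformat(s)


def correlate(gateway_events, edr_events, window=timedelta(minutes=30)):
    """Return alerts where a macro-capable attachment from an untrusted sender is
    followed within `window` by an Office app spawning a shell as the same user.
    Each signal alone is low fidelity; the ordered pair is the T1566.001 -> T1204.002 chain."""
    alerts = []
    for g in gateway_events:
        if g["sender_trusted"] or not g["attachment"].lower().endswith(MACRO_EXTENSIONS):
            continue
        t0 = parse_ts(g["ts"])
        for e in edr_events:
            if e["user"] != g["user"]:
                continue
            if e["parent"].upper() not in OFFICE_PARENTS or e["image"].lower() not in SHELL_CHILDREN:
                continue
            dt = parse_ts(e["ts"]) - t0
            if timedelta(0) <= dt <= window:  # execution must follow delivery, not precede it
                alerts.append({
                    "user": g["user"], "host": e["host"],
                    "chain": ["T1566.001", "T1204.002"],
                    "delivery": f"{g['sender']} -> {g['attachment']}",
                    "execution": f"{e['parent']} -> {e['image']}",
                    "delay_s": int(dt.total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(GATEWAY_EVENTS, EDR_EVENTS):
        print(alert)
```

Only the j.doe pair fires: the a.smith PDF comes from a trusted sender and opens no shell, and the afternoon PowerShell on j.doe's host has explorer.exe as its parent and sits outside the window. In production the same join runs over a SIEM, but the rule shape (untrusted delivery, then Office-to-shell, same user, bounded delay) is what turns two noisy signals into one actionable T1566 -> T1204 alert.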

Practice Projects

Beginner
Case Study/Exercise

Phishing Email Triage & MITRE Mapping

Scenario

You are a SOC Tier 1 analyst. A user reports a suspicious email with a link to a fake 'Microsoft 365 login' page. Analyze the email headers, body, and link to determine the primary technique used.

How to Execute
1. Obtain the original message (.eml or full source, not a forward) and extract the headers with an analyzer such as MXToolbox.
2. Check the sending domain's reputation and the Authentication-Results for SPF, DKIM and DMARC. Note whether the From header domain aligns with the Return-Path and the DKIM signing domain; a pass on an attacker-owned lookalike domain is still a pass, so authentication results alone do not clear a message.
3. Resolve the link's true destination (follow redirects in a sandbox or URL scanner, not on your workstation) and compare the visible link text with the real href before inspecting the landing page.
4. Conclude the primary technique. A link to a fake Microsoft 365 login page whose only purpose is to collect credentials maps to T1598.003 (Phishing for Information: Spearphishing Link); if the link instead delivers a file or drives an OAuth consent or device-code grant, it is T1566.002 (Phishing: Spearphishing Link). Record the intended follow-on, use of the harvested credentials as T1078 (Valid Accounts), so the chain can be tracked through to access.
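The triage steps above, worked in Python as an added example (not part of the original guide): the script parses a constructed .eml, pulls the SPF/DKIM/DMARC verdicts out of Authentication-Results, checks Return-Path alignment, and flags anchors whose visible text names one host while the href goes to another. The sample message and its domains are constructed, and the rule that a deceptive credential link maps to T1598.003 is the example's own heuristic, not an ATT&CK rule.

```python
"""Triage a raw phishing email: authentication results, header alignment, and
visible-link-text versus real destination. Added example with a constructed
message; the triage rules are this example's assumptions, not a standard."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; the domains are illustrative, not real senders.
RAW_EML = """\
Return-Path: <bounce@m365-secure-notify.example>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=m365-secure-notify.example; dkim=pass header.d=m365-secure-notify.example; dmarc=none header.from=m365-secure-notify.example
From: "Microsoft 365" <no-reply@m365-secure-notify.example>
To: j.doe@corp.example
Subject: Action required: your mailbox will be suspended
Content-Type: text/html; charset="utf-8"

<html><body><p>Sign in within 24 hours to keep your account.</p>
<a href="https://login.m365-secure-notify.example/auth?u=j.doe">https://login.microsoftonline.com</a>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def auth_results(msg):
    """Parse spf/dkim/dmarc verdicts out of the Authentication-Results header."""
    hdr = msg.get("Authentication-Results", "")
    return {method: verdict for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr)}


def domain_of_addr(value):
    return parseaddr(value)[1].rsplit("@", 1)[-1].lower()


def triage(raw):
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    parser = LinkExtractor()
    parser.feed(body)
    from_dom = domain_of_addr(msg["From"])
    findings = {
        "auth": auth_results(msg),
        "from_domain": from_dom,
        "return_path_aligned": domain_of_addr(msg["Return-Path"]) == from_dom,
        "deceptive_links": [],
    }
    for href, text in parser.links:
        shown = urlparse(text).hostname if text.startswith("http") else None
        real = urlparse(href).hostname
        if shown and shown != real:  # display text claims one host, href goes elsewhere
            findings["deceptive_links"].append({"shown": shown, "real": real})
    # Example heuristic: a deceptive link to a login page with no payload is T1598.003;
    # a link that delivered a file or an OAuth consent would be T1566.002 instead.
    findings["technique"] = "T1598.003" if findings["deceptive_links"] else "needs-review"
    return findings


if __name__ == "__main__":
    print(triage(RAW_EML))
```

The instructive part is that SPF and DKIM both pass and the Return-Path is aligned, because the attacker registered the lookalike domain and set its records correctly; the tell is the anchor text claiming login.microsoftonline.com while the href points at the lookalike host, which is exactly the step 3 comparison.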
Intermediate
Case Study/Exercise

Incident Reconstruction & Kill-Chain Mapping

Scenario

Following a data breach, you receive IOCs: a malicious macro-enabled document from a compromised vendor email, a Cobalt Strike beacon, and lateral movement to a file server. Reconstruct the social engineering kill-chain.

How to Execute
1. Correlate the document's arrival (email gateway log) with the user opening it on the endpoint (EDR process creation of the Office application with the document as its argument): T1204.002 (User Execution: Malicious File).
2. Map the delivery vector to T1566.001 (Phishing: Spearphishing Attachment). Arriving from a compromised vendor mailbox does not change the technique, but the mailbox takeover that enabled it is Resource Development, T1586.002 (Compromise Accounts: Email Accounts).
3. Trace the Cobalt Strike beacon back to the process tree rooted at the document: the child process that made the first outbound connection ties Command and Control to Execution, and the later SMB sessions to the file server tie Lateral Movement to the same host and account.
4. Build a visual kill-chain diagram showing the progression from Reconnaissance (inferred from the targeting of the spearphish) through Initial Access, Execution, Persistence, Command and Control, and Lateral Movement, with the evidence and ATT&CK ID recorded for each step.
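The reconstruction in steps 1 to 3, as an added example that is not part of the original guide: starting from the beacon's process ID, the code walks the parent chain back to the Outlook-launched Word document and emits the kill chain in order with an ATT&CK ID per step. The telemetry is constructed for one host, and the field names, PIDs, addresses and the T1586.002 assumption about the vendor mailbox are this example's own.

```python
"""Reconstruct a social-engineering kill chain from endpoint telemetry by walking
the process tree from the C2 beacon back to the phished document.
Added example: the records below are constructed and their field names assumed."""

# Constructed telemetry from one host (WS-0142); PIDs and addresses are illustrative.
PROCESSES = {  # pid -> process creation record
    900:  {"ppid": 1,    "image": "explorer.exe",   "cmdline": "explorer.exe", "ts": "08:31:00"},
    1200: {"ppid": 900,  "image": "outlook.exe",    "cmdline": "outlook.exe", "ts": "09:00:12"},
    2310: {"ppid": 1200, "image": "WINWORD.EXE",
           "cmdline": 'WINWORD.EXE "C:\\Users\\jdoe\\Downloads\\Invoice_2291.docm"', "ts": "09:03:55"},
    2477: {"ppid": 2310, "image": "powershell.exe",
           "cmdline": "powershell -nop -w hidden -enc aQBlAHgA", "ts": "09:04:02"},
    2533: {"ppid": 2477, "image": "rundll32.exe",
           "cmdline": "rundll32.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.dll,Start", "ts": "09:04:09"},
}
NETWORK = [  # outbound connections by pid, in observation order
    {"pid": 2533, "dst": "203.0.113.44:443", "ts": "09:04:15", "note": "matches Cobalt Strike beacon profile"},
    {"pid": 2533, "dst": "10.20.5.15:445", "ts": "09:41:30", "note": "SMB to FS01"},
]
MAIL = {"sender": "ap@trusted-vendor.example", "attachment": "Invoice_2291.docm",
        "ts": "09:01:40", "sender_compromised": True}  # assumed: vendor confirmed mailbox takeover


def ancestry(pid, processes):
    """Return the process chain from the oldest known ancestor down to `pid`."""
    chain = []
    while pid in processes:
        chain.append(pid)
        pid = processes[pid]["ppid"]
    return list(reversed(chain))


def reconstruct(beacon_pid, processes, network, mail):
    """Map each observed step to its ATT&CK tactic and technique, delivery first,
    then the process lineage, then the beacon's connections in observation order."""
    steps = []
    if mail["sender_compromised"]:
        steps.append(("Resource Development", "T1586.002", "delivery mailbox was a compromised vendor account"))
    steps.append(("Initial Access", "T1566.001", f"{mail['sender']} delivered {mail['attachment']} at {mail['ts']}"))
    for pid in ancestry(beacon_pid, processes):
        p = processes[pid]
        if p["image"].upper() in {"WINWORD.EXE", "EXCEL.EXE"} and mail["attachment"] in p["cmdline"]:
            steps.append(("Execution", "T1204.002", f"pid {pid}: user opened {mail['attachment']} in {p['image']} at {p['ts']}"))
        elif p["image"].lower() == "powershell.exe" and "-enc" in p["cmdline"]:
            parent = processes[p["ppid"]]["image"]
            steps.append(("Execution", "T1059.001", f"pid {pid}: encoded PowerShell spawned by {parent} at {p['ts']}"))
        elif p["image"].lower() == "rundll32.exe":
            steps.append(("Defense Evasion", "T1218.011", f"pid {pid}: rundll32 loaded {p['cmdline'].split()[1]} at {p['ts']}"))
    for n in network:
        if n["pid"] != beacon_pid:
            continue
        if n["dst"].endswith(":445"):
            steps.append(("Lateral Movement", "T1021.002", f"pid {n['pid']} SMB to {n['dst']} at {n['ts']}"))
        else:
            steps.append(("Command and Control", "T1071.001", f"pid {n['pid']} beacon to {n['dst']} at {n['ts']} ({n['note']})"))
    return steps


if __name__ == "__main__":
    for tactic, tid, evidence in reconstruct(2533, PROCESSES, NETWORK, MAIL):
        print(f"{tactic:22} {tid:10} {evidence}")
```

The lineage explorer.exe > outlook.exe > WINWORD.EXE > powershell.exe > rundll32.exe is what links the document to the beacon; without the parent-PID walk the 443 connection from rundll32.exe looks like an isolated network event. The output list is the input for the step 4 diagram, one row per node.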
Advanced
Case Study/Exercise

Proactive Defense Architecture Based on Attack Taxonomy

Scenario

As a security architect, you are tasked with designing controls to disrupt the most common social engineering kill-chains observed in your industry (e.g., finance). Focus on pre-exploitation and execution phases.

How to Execute
1. Analyze internal incident data and threat intelligence reports to identify the top three T1566 and T1204 sub-techniques observed against your industry.
2. For each technique, define one preventive and one detective control. Examples: enforcing DMARC on inbound mail (rejecting messages that fail the sender domain's policy) blocks spoofed-sender T1566.001 and T1566.002; blocking macros in files carrying the mark of the web and sandbox detonation of attachments at the email gateway prevent T1204.002; an EDR rule for Office applications spawning cmd.exe, powershell.exe or wscript.exe detects T1204.002 when prevention fails.
3. Map these controls to the ATT&CK matrix and create a heat map of current coverage, for example an ATT&CK Navigator layer with a score per sub-technique.
4. Develop a prioritized roadmap for the gaps, justifying each investment by the frequency of the technique in your own data and the severity of the incidents it enables.
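Steps 2 to 4 worked in Python as an added example (not part of the original guide): a constructed control inventory is scored per sub-technique, written out as an ATT&CK Navigator layer, and the lowest-scoring techniques are listed as roadmap input. The control names and effectiveness figures are invented for illustration, the combination formula is this example's choice, and the version numbers in the layer's "versions" field are assumptions about current ATT&CK and Navigator releases.

```python
"""Build an ATT&CK Navigator layer that scores each phishing and user-execution
sub-technique by control coverage so that gaps show up as a heat map.
Added example: the control inventory is constructed and the layer version numbers assumed."""
import json

# Constructed control inventory: technique -> list of (control, kind, effectiveness 0..1).
# Effectiveness values are illustrative, not measured.
CONTROLS = {
    "T1566.001": [("inbound DMARC enforcement", "prevent", 0.6), ("attachment sandbox", "detect", 0.7)],
    "T1566.002": [("URL rewriting with click-time scan", "prevent", 0.5)],
    "T1566.003": [],  # spearphishing via service (collaboration tools): no control at all
    "T1204.001": [("browser isolation", "prevent", 0.4), ("proxy block on newly seen domains", "prevent", 0.3)],
    "T1204.002": [("mark-of-the-web macro block", "prevent", 0.8), ("EDR: Office spawning shell", "detect", 0.7)],
    "T1598.003": [("user phishing-report button", "detect", 0.3)],
}


def coverage_score(controls):
    """Treat controls as independent: coverage = 1 - prod(1 - effectiveness), on a 0-100 scale."""
    miss = 1.0
    for _, _, eff in controls:
        miss *= (1.0 - eff)
    return round((1.0 - miss) * 100)


def build_layer(controls, name="Social engineering coverage"):
    """Return a Navigator layer dict; the score drives the gradient colour per cell."""
    techniques = []
    for tid, ctrls in sorted(controls.items()):
        techniques.append({
            "techniqueID": tid,
            "score": coverage_score(ctrls),
            "comment": "; ".join(f"{c} ({k})" for c, k, _ in ctrls) or "GAP: no control",
        })
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},  # assumed current versions
        "domain": "enterprise-attack",
        "description": "Preventive and detective coverage for phishing and user execution sub-techniques",
        "techniques": techniques,
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 100},
        "legendItems": [{"label": "no coverage", "color": "#ff6666"},
                        {"label": "layered coverage", "color": "#8ec843"}],
    }


def gaps(layer, threshold=50):
    """Technique IDs scoring below the threshold, worst first: the roadmap's starting list."""
    below = [t for t in layer["techniques"] if t["score"] < threshold]
    return [t["techniqueID"] for t in sorted(below, key=lambda t: t["score"])]


if __name__ == "__main__":
    layer = build_layer(CONTROLS)
    with open("se_coverage.json", "w") as fh:
        json.dump(layer, fh, indent=2)  # import this file in Navigator: Open Existing Layer
    print("roadmap gaps:", gaps(layer))
```

Loading the JSON into Navigator colours T1566.003 red and T1598.003 orange, which is the heat map step 3 asks for; the roadmap in step 4 then starts from gaps(), with the controls' effectiveness figures replaced by measured ones from simulation results and incident data.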

Tools & Frameworks

Threat Intelligence & Mapping Frameworks

MITRE ATT&CK Navigator, Lockheed Martin Cyber Kill Chain, Diamond Model of Intrusion Analysis

Use ATT&CK Navigator to visually map and annotate T1566, T1598, and T1204 sub-techniques against your organization's controls. The Lockheed Martin model provides a sequential view for understanding campaign flow, while the Diamond Model links adversary, capability, infrastructure, and victim to enrich analysis.

Analysis & Simulation Tools

Email Header Analyzer (MXToolbox), Sandbox (Any.Run, Joe Sandbox), Phishing Simulation Platform (KnowBe4, Cofense)

Header analyzers deconstruct phishing emails into technical IOCs (sending infrastructure, authentication results, embedded URLs). Sandboxes detonate attachments and links to observe what a T1204 execution would do on an endpoint: child processes, dropped files and C2 callbacks. Phishing simulation platforms test user susceptibility to T1566 and deliver training, providing measurable click rates and report rates per campaign.

Interview Questions

Answer Strategy

The interviewer is assessing your ability to apply ATT&CK beyond malware-centric attacks and to reason about social engineering where no code ever runs. Focus on the pre-attack and execution phases, and be precise about which steps ATT&CK actually covers. Sample Answer: 'The delivery is T1566.001 (Spearphishing Attachment) if a file was attached, or T1566.002 (Spearphishing Link) if it carried a link. If it arrived from a compromised vendor mailbox it is still T1566; the mailbox takeover itself maps to Resource Development, T1586.002 (Compromise Accounts: Email Accounts). T1598.001 (Phishing for Information: Spearphishing Service) does not fit here, because that sub-technique covers reconnaissance through third-party services such as social media, not the delivery account. Execution is T1204.002 (User Execution: Malicious File) only if a macro-enabled document was opened. A finance employee manually initiating a transfer is not T1204, since no adversary code runs; that step is the fraud objective itself and, in ATT&CK v14 and later, maps to Impact, T1657 (Financial Theft). The kill chain therefore runs from reconnaissance of the org chart and payment process, through pretexting to gain trust and delivery, to either code execution or a direct request to act.'

Answer Strategy

Tests investigation depth and the focus on adversary intent rather than just malware. Sample Answer: 'First, I would treat the reported click as a phishing link event and keep the mapping open until the landing page is known: T1598.003 (Phishing for Information: Spearphishing Link) if the page harvested credentials, T1566.002 (Phishing: Spearphishing Link) if it attempted to deliver a payload or obtain an OAuth consent, and T1204.001 (User Execution: Malicious Link) only if the click actually caused code to run, such as a drive-by download. Steps: 1) Retrieve the URL from email gateway logs and detonate it in a sandbox to see the real landing page and any redirect chain. 2) Check identity logs for the user after the click: new OAuth application consents, sign-ins from new locations or devices, unexpected MFA prompts, VPN logins, and new inbox rules, any of which would indicate the credentials or session were used (T1078, Valid Accounts). 3) Interview the user about what they saw and whether they entered anything. The absence of malware suggests the objective was credential theft or session hijacking rather than code execution, so the response is credential reset and session revocation, not just endpoint cleanup.'
