From the linear chain to the global matrix: the evolution of Cybersecurity frameworks
Cybersecurity, by its very nature, is a living discipline that is constantly evolving. As adversaries have become more sophisticated in their methods, both the industry and public authorities have had to progressively transform the way these malicious actions are conceptualised, analysed and mitigated. The most significant qualitative leap of the last decade has not come solely from new technological tools, but also from the evolution of cybersecurity frameworks.
A necessary transition has taken place from traditional models, which were more linear and focused on detection and isolated response, towards comprehensive approaches that make it possible to analyse threat behaviour, business risk and adversary capabilities within a contextualised framework.
To understand the current state of cybersecurity, it is essential to examine this historical evolution through the models that have redefined the rules of the game: from organisation-wide risk management frameworks such as the NIST Cybersecurity Framework (NIST CSF), through tactical approaches such as the Cyber Kill Chain, and relational models such as the Diamond Model, to the MITRE ATT&CK approach, based on the analysis and classification of TTPs (tactics, techniques and procedures).
Cyber Kill Chain: the origin of the sequential and tactical approach
At the beginning of the last decade, the industry was facing a growing wave of attacks and urgently needed a structured model. In 2011, Lockheed Martin introduced the Cyber Kill Chain, marking a milestone in cybersecurity. Inspired by military terminology, this model defined a cyberattack as a sequential and immutable process made up of seven phases: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control (C2), and Actions on Objectives.
Illustration 1. Cyber Kill Chain phases. Source: lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
By structuring an attack as a sequence, this approach completely redefined defensive strategies, bringing with it both a new paradigm and a major limitation when dealing with more complex scenarios:
- The disruption paradigm: The value of the Kill Chain lay in its defence-in-depth approach. The premise was brilliantly simple: the attacker must complete the chain perfectly in order to succeed, whereas the defender only needs to break one early link to frustrate the entire operation.
- The limitation of linearity: The strictly linear approach soon began to reveal shortcomings when confronted with more complex threats. Attacks involving lateral movement or insider threats often skip phases or repeat them out of sequence, demonstrating that an intrusion does not always follow a progressive and sequential pattern.
Diamond Model: the leap towards a relational dimension
As the discipline of Threat Intelligence (Cyber Threat Intelligence or CTI) gained prominence, it became clear that categorising an attack solely as a timeline limited the understanding of the ‘who’ and the ‘why’, while overlooking the ‘with what’ and the ‘against whom’.
This led to the emergence of the Diamond Model (Diamond Model of Intrusion Analysis), proposed by Caltagirone et al. in 2013. Instead of temporal phases, this framework proposes a relational structure based on four vertices: Adversary, Capability, Infrastructure and Victim. Every malicious event is defined by the interaction between these four elements.
Illustration 2. Elements of an event in the Diamond Model. Source: threatintel.academy/wp-content/uploads/2020/07/diamond_summary.pdf
By redefining analysis from a temporal sequence to a model of interactions, the Diamond Model provided a structured methodology for intrusion analysis.
- Relational analysis: Its strength lies in enabling structured pivots between vertices. Once a malicious IP address (Infrastructure) has been detected, analysts can investigate the malware it hosts (Capability) to link it to a cybercriminal or threat group (Adversary) and alert the organisation (Victim). This makes it possible to move from responding to isolated incidents to tracking coordinated campaigns.
- The operational limitation: This same strength becomes a limitation when multiple pivots are unavailable. To generate meaningful analytical value, information from at least two vertices is required. In the early stages of an investigation, when there is only a single isolated indicator, the model proves impractical for day-to-day technical defence.
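The pivot described above (Infrastructure to Capability to Adversary and Victim), as an added example that is not part of the original article. Event values, group names and IP addresses are constructed placeholders; the index and `track_campaign` function are illustrative, not a reference implementation of the Diamond Model, and `track_campaign` returns `None` for an isolated indicator to reflect the limitation the text describes.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DiamondEvent:
    """One intrusion event described by the four Diamond Model vertices.
    None means the analyst has no value for that vertex yet."""
    adversary: Optional[str] = None
    capability: Optional[str] = None
    infrastructure: Optional[str] = None
    victim: Optional[str] = None

    def known(self) -> dict:
        return {k: v for k, v in vars(self).items() if v is not None}


# Constructed sample events (hypothetical names, documentation-range IPs).
EVENTS = [
    DiamondEvent("GROUP-EXAMPLE", "loader.example", "198.51.100.7", "acme-finance"),
    DiamondEvent(None, "loader.example", "198.51.100.7", "acme-retail"),
    DiamondEvent(None, "stealer.example", "203.0.113.9", "acme-retail"),
    DiamondEvent(None, None, "192.0.2.55", None),  # single isolated indicator
]


def build_index(events):
    """Map (vertex, value) -> list of events, so any vertex can serve as a pivot."""
    index = defaultdict(list)
    for ev in events:
        for vertex, value in ev.known().items():
            index[(vertex, value)].append(ev)
    return index


def track_campaign(ip: str, events=EVENTS):
    """Pivot Infrastructure -> Capability -> Adversary/Victim, as in the text.

    Returns None when the IP is an isolated indicator: no event links it to a
    second vertex, so there is nothing to pivot on."""
    index = build_index(events)
    hits = [ev for ev in index.get(("infrastructure", ip), []) if len(ev.known()) >= 2]
    if not hits:
        return None
    capabilities = {ev.capability for ev in hits if ev.capability}
    # Second pivot: every event using the same capability, wherever it was hosted.
    related = [ev for cap in sorted(capabilities) for ev in index[("capability", cap)]]
    return {
        "capability": capabilities,
        "adversary": {ev.adversary for ev in related if ev.adversary},
        "victim": {ev.victim for ev in related if ev.victim},
    }
```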
NIST CSF: the strategic and business perspective
In contrast to the tactical focus of the previous models, cybersecurity needed a bridge to the language of business and risk management. To meet this corporate need, the National Institute of Standards and Technology (NIST) published the NIST Cybersecurity Framework (NIST CSF) in 2014.
This is not a framework designed for malware analysis or the phases of an intrusion, but rather for managing organisational risk in a comprehensive manner. Its structure is organised around five core functions: Identify, Protect, Detect, Respond and Recover.
By elevating cybersecurity to board-level discussions, this framework delivered significant organisational value, although it also exposed certain limitations in tactical implementation:
- Strategic alignment: It translates cybersecurity into the language of business. It enables CISOs to build a holistic programme, justify budgets and ensure that technology, processes and people are aligned to mitigate risk.
- Technical abstraction: Its managerial approach lacks tactical granularity. NIST defines what should be achieved, such as network monitoring, but omits how to implement it, making it too abstract for technical deployment.
In 2024, the framework evolved into its version 2.0 to adapt to new regulations and resilience requirements. This update broadened its scope and introduced a sixth core function, Govern, consolidating cyber risk oversight as a cross-functional corporate pillar.
Illustration 3. NIST Cybersecurity Framework 2.0. Source: nist.gov/itl/smallbusinesscyber/nist-cybersecurity-framework-0
MITRE ATT&CK: an X-ray of real-world threats
While the previous frameworks provided tactical (Kill Chain), relational (Diamond) and strategic (NIST) analysis, there was still no standard for documenting and sharing the behaviour of real-world attackers. MITRE ATT&CK began to take shape between 2013 and 2015, becoming firmly established as a reference framework in 2017.
Organised into three main matrices, Enterprise, Mobile (covering both Android and iOS) and ICS (Industrial Control Systems), this model reinforces the premise that what matters is no longer the attacker’s specific tool, but rather their Tactics, Techniques and Procedures (TTPs).
The Enterprise matrix with its tactics and techniques can be consulted at attack.mitre.org/matrices/enterprise/
MITRE ATT&CK revolutionised operational cybersecurity by providing a common language for SOCs, vendors and agencies, although it also presents implementation challenges:
- Universal language: ATT&CK offers granular and continuously evolving matrices built on real-world incidents. It details exactly how attackers operate across different environments (Windows, Linux, Cloud and Mobile) and proposes objective mitigations.
- Operational complexity: Today, its more than 350 techniques and 500 sub-techniques can create severe analytical overload. Mapping defensive coverage against its matrices in full requires advanced maturity and technical resources that many SOCs simply do not have.
Beyond the universal solution
The evolution of cybersecurity over the last decade leaves us with a fundamental lesson: defensive maturity is not a process of replacement, but one of convergence and layered value. No framework is a universal solution in isolation.
Today, a cutting-edge cybersecurity strategy does not rely on a single framework, but orchestrates several simultaneously according to organisational needs. The following table compares the capabilities covered by each framework: ❌ indicates that the model does not address the capability, ⚠️ indicates it is covered only partially, and ✅ indicates it is covered clearly.
Table 1. Comparison of the characteristics of each framework
In practical terms, modern cybersecurity architecture functions like a perfectly synchronised mechanism:
- The board of directors and the CISO rely on the NIST CSF to govern risk, justify investment and ensure business continuity.
- IR (Incident Response) teams and systems use the Cyber Kill Chain to visualise the phases of an ongoing attack and prioritise tactical disruption measures.
- Analysts use the Diamond Model to correlate IOCs (Indicators of Compromise) with known adversaries, infrastructure and sector-specific patterns.
- Finally, SOC engineers use MITRE ATT&CK to map defensive coverage, identify specific TTPs and prioritise mitigations.
The shift from isolated tactical disruption to comprehensive analysis of the threat ecosystem and the implementation of concrete mitigation measures reflects a discipline that has matured significantly. Understanding, integrating and mastering the interaction between these frameworks is now one of the essential pillars for anticipating cyber threats and strengthening resilience in an increasingly complex digital environment.