The Cyber Kill Chain
The cyber kill chain is a series of steps that trace stages of a cyber attack from the early reconnaissance stages to the exfiltration of data. The kill chain helps security experts understand and combat ransomware, security breaches, advanced persistent attacks (APTs) and other human and internet threats.
Since its implementation, the kill chain has constantly been revised and has evolved to better anticipate and recognise such threats.
Lockheed Martin derived the kill chain framework from an earlier developed military model that was originally established to identify, prepare/prepare to attack, engage, and destroy the target.
Below, we’ll explore each phase of the cyber kill chain in more detail.
The Kill Chain
There are several specific stages in the cyber kill chain. They range from reconnaissance to lateral movement, to data exfiltration. Common attack vectors – whether phishing or brute force or the latest strain of malware – trigger activity within the cyber kill chain.
Each stage is related to a certain type of activity in a cyber attack, regardless of whether it’s an internal or external attack.
Reconnaissance. This is also known as the observation stage. Attackers typically assess the situation from the outside-in, in order to identify specific targets within the network or company, and type of tactics for the attack. Attackers may also conduct physical (watching a business building to determine their employees work routine or office layout) or online surveillance (scanning business/employee social media pages).
Weaponisation. The cyber attacker does not interact with the intended victim, instead they create their attack method and payload. For example, the attacker may create an infected document paired with a customised phishing email, or perhaps they create a new strain of self-replicating malware to be distributed via USB drive.
Delivery. The act of exploiting vulnerabilities, and delivering malicious code onto the system, in order to get a better foothold. Transmission of the attack to the intended victim(s). For example, this would be sending the actual phishing email or distributing the infected USB drives at a local coffee shop, cafe or the office car park.
Exploitation. This implies actual enacting of the attack, such as the developed exploit (during the weaponisation phase) running on the targeted system, or the insider transferring information on to a USB.
Installation. The attacker installs malicious software on the victim' device, network or system. Not all attacks require malware, such as spear phishing fraud attack or harvesting login credentials. Back door software is also often deployed on the target network so the attacker can maintain access over a prolonged period without being detected (used extensively by APTs).
Command and Control. Once a system is compromised and/or infected, the system has to call home to a Command and Control (C2) system for the cyber attacker to gain the required control(s). An intermediary server - often one that has been previously compromised without the knowledge of the owner - is frequently used to direct ongoing attack activities. Cyber criminals may also conduct C2 using their laptop device, depending on the attacker.
Actions at the Objective. Once the cyber attacker establishes access to the target, they then execute actions to achieve their aims and objectives. Motivations may vary depending on the scope of the network, threat actor themselves - to include personal, political, financial or military gain - so it is very difficult to define what those actions will be.
Understanding the Cyber Kill Chain is an effective way to identify and counter attacks on company and individual computer networks or physical locations.