What Is the Cyber Kill Chain and How to Use It Effectively

The cyber kill chain model outlines the stages of an attack by an advanced persistent threat (APT) or cybercriminal attempting to gain unauthorized access to sensitive data or assets within a security perimeter. 

Understanding the seven stages of the cyber kill chain can help prevent a wide range of dangerous cyber threats.

What are the Seven Phases of the Cyber Kill Chain?

Below we briefly explain the stages of an attack according to the Lockheed Martin model. In each stage, we describe a brief list of attacks that could be used during the stage. 

1. Reconnaissance

In the reconnaissance phase, cyber attackers are concerned with research, identification, and selection of targets. This is often achieved by crawling the Internet for conference attendees, email addresses, social media relationships, or information on target systems.  

While many security professionals feel there isn't anything that can be done at this stage, we believe this is wrong. 

Attackers take advantage of poor operations security, open ports, and the myriad of other externally observable attack vectors to decide on their targets. Investing in attack surface management software can help you understand, map, and reduce your attack surface over time.

The reconnaissance stage is where secure behaviors can have a big impact. A security-conscious organization will know they are a potential target and limit what information they share, reducing the risk of spear phishing and whaling attacks. 

That's not to say detecting reconnaissance efforts in real-time isn't difficult. It is and these controls won't stop everything. However, discovering reconnaissance after the fact can still provide context into the intent of an attacker. Consider investing in the following detection mechanisms:

• Collecting website visitor logs for altering and historical searching
• Collaborating with web administrators to utilize their existing browser analytics
• Building detections for browsing behaviors that are unique to reconnaissance
• Prioritizing defenses around particular technologies or people based on reconnaissance activity

2. Weaponization

The weaponization stage is the preparation and staging phase of a cyberattack. The attacker has still not interacted with its intended victim. Instead, they are creating their attack. 

This typically means coupling malicious software, like a remote access trojan, with an exploit by means of an automated tool called a weaponizer. 

For example, an attacker may create an infected Microsoft Office document that is intended to be delivered via phishing emails. 

Even though detection of weaponization is near impossible, it's an essential phase to understand and you can learn a lot by analyzing malware artifacts. Detection against weaponizer artifacts is one of the most durable and resilient defenses.  

Security controls that can reduce the likelihood and impact of the weaponization stage:

• Conducting security awareness training 
• Performing malware analysis on not only the payload but how it was made
• Building detections for weaponizers
• Analyzing the timeline of when malware was created relative to when it was used. Old malware generally means it came off the shelf while new malware may mean active, tailored operations
• Collecting files and metadata for future digital forensics 
• Determining which weaponizer artifacts are common to which APT campaigns 

3. Delivery

Delivery is the third phase of the cyber kill chain and refers to the attack vectors used to deliver malicious payloads. According to Lockheed Martin Computer Incident Response Team (LM-CIRT) for the years 2004-2010 email attachments, websites, and USB media were the three most prevalent delivery vectors for weaponized payloads by APT actors. 

While there is an entire industry dedicated to stopping attacks at this stage, people also play a critical role. If you look at the three most common attack vectors above, two of them rely on some form of human interaction. 

By teaching people to stop when they feel like something isn't right, you can prevent the delivery of a load of different malicious software. While it won't stop wormable exploits like EternalBlue that targeted outdated SMB protocols and led to the WannaCry ransomware attack, it will prevent many less sophisticated attempts.  

Countermeasures for the delivery stage include:

• Analysis of delivery medium to understand the impact of target systems
• Understanding targeted servers and people, their roles and responsibilities, and what sensitive data they have access to
• Inferring the intent of adversaries based on targeting
• Leveraging weaponizer artifacts to detect new malicious payloads at the point of delivery
• Analyzing the time of day when the attack began
• Collecting email and web logs for forensic reconstruction even if an intrusion is detected late, you must be able to determine when and how delivery began
• Vulnerability management and vulnerability assessment processes 

4. Exploitation

After the payload has been delivered to the victim, the exploitation triggers the intruders' code. Most often this will target an application or operating system vulnerability, but it could also simply exploit the victim or leverage an operating system feature that auto-executes code. 

To add reliance consider investing in traditional hardening measures:

• User awareness training and email testing for employees
• Secure coding training for web developers
• Regular vulnerability scanning and penetration testing
• Endpoint hardening measures like restricting admin privileges and custom endpoint rules to block shellcode execution
• Endpoint process auditing to forensically determine origin of exploit

5. Installation

The installation phase implies the attacker has an active exploit running on the target system. In this situation, they may look for additional vulnerabilities or use privilege escalation to gain additional access to the system to install a backdoor or remote access trojan that allows for persistence within the environment. 

They may also employ some form of obfuscation to conceal their presence and mask activity to avoid detection and thwart an investigation. This can include wiping files and metadata, overwriting data with false timestamps and misleading information, or modifying critical information so it looks as though access was never granted. 

Defending this stage means you should have some form of endpoint instrumentation to detect and log installation activity, such as:

• Understanding if malware required administrator privileges or not
• Alerting or blocking common installation paths
• Endpoint processing auditing to discover abnormal file creations
• Extract certificates from any signed executables
• Understand compile time of malware to determine if it is old or new

6. Command and Control (C2)

Typically compromised hosts communicate to an outside server to establish a command & control channel. Once the connection is established, the intruders have hands on the keyboard access to the target environment.  

This stage is likely your last best chance to block the operation if adversaries can't issue commands you can prevent impact. 

• Discover C2 infrastructure through malware analysis
• Harden your network by consolidation the number of internet points of presence and require proxies for all types of traffic (HTTP, DNS)
• Customize blocks of C2 protocols on web proxies
• Proxy category blocks including "none" or "uncategorized" domains
• Prevent DNS sink holding and name server poisoning
• Conduct open-source research to discover new adversary C2 infrastructure 

7. Actions on Objectives

Now after progressing through the six previous phases of the intrusion kill chain, intruders can take actions to achieve their original objectives. This is typically a violation of either confidentiality, integrity, or availability or a combination of the three. 

Alternatively, the attackers may only desire access to the initial victim in order to compromise additional systems and use lateral movement to gain access to new systems deeper in the network. 

• Establish incident response playbook, including executive engagement and communications plan
• Detect data exfiltration, lateral movement, unauthorized credential usage
• Immediate analyst response to all alerts
• Forensic agents pre-deployed to endpoints for rapid triage
• Network package capture to recreate activity
• Conduct damage assessment with subject matter experts

How UpGuard Can Improve your Organization's Security Posture

For the assessment of your information security controls, UpGuard Breach Risk can monitor your organization for 70+ security controls providing a simple, easy-to-understand cyber security rating and automatically detect leaked credentials and data exposures in S3 buckets, Rsync servers, GitHub repos, and more.

This includes open ports and other services that are exposed to the public Internet. Our platform explicitly checks for nearly 200 services running across thousands of ports, and reports on any services we can't identify, as well as any open ports with no services detected. 

UpGuard Vendor Risk can minimize the amount of time your organization spends assessing third-party information security controls with its industry-leading vendor questionnaire software.