What Is the Cyber Kill Chain and How to Use It Effectively

You're probably familiar with the defense-in-depth or castle and moat approach to cybersecurity. It remains a common model that organizations use to think through their information security. 

However, as organizations have matured they have sought out new models to enable them to better understand how cyber attackers operate and how best to defend against them. 

One example is Lockheed Martin's Cyber Kill Chain framework which was developed as part of the Intelligence Driven Defense model for identification and prevention of cyberattacks and data exfiltration. 

The term 'kill chain' originates from the military and defines the steps an enemy uses to attack a target. In 2011, Lockheed Martin took this military model and used it to define the steps used in today's cyber attacks. The theory is that by understanding the seven stages an attack progresses through, security teams will have a better chance of stopping them or forcing them to make enough noise to be easily detected.  

Since then, various versions of the cyber kill chain have been released, including AT&T’s Internal Cyber Kill Chain Model and the Unified Kill Chain, which was developed to overcome common critiques against the traditional cyber kill chain, by uniting and extending Lockheed Martin's kill chain and MITRE’s ATT&CK framework. However, Lockheed Martin's model continues to be the most widely used.

It remains one of the most informative models and does a good job of focusing on the human element of the cyber kill chain. This is a good thing for an industry that often places the emphasis on technology-driven threat intelligence while ignoring the risks of social engineering and other human-based attack vectors. 

Security awareness is one of the most important security controls, up there with the likes of encryption, secure passwords, data loss prevention, intrusion prevention and detection systems, vendor risk management, attack surface management, and an anti-virus. 

In short, the cyber kill chain model outlines the stages of an attack by an advanced persistent threat (APT) or cybercriminal attempting to gain unauthorized access to sensitive data or assets within a security perimeter. 

Understanding the seven stages of the cyber kill chain can help prevent insider threats, exploitation of vulnerabilities, data breaches, privilege escalation, phishing, denial of service, social engineering, malware, ransomware, and a myriad of other cyber threats. 

What are the Seven Phases of the Cyber Kill Chain?

Below we briefly explain the stages of an attack according to the Lockheed Martin model. In each stage, we describe a brief list of attacks that could be used during the stage. 

1. Reconnaissance

In the reconnaissance phase, cyber attackers are concerned with research, identification, and selection of targets. This is often achieved by crawling the Internet for conference attendees, email addresses, social media relationships, or information on target systems.  

While many security professionals feel there isn't anything that can be done at this stage, we believe this is wrong. 

Attackers take advantage of poor operations security, open ports, and the myriad of other externally observable attack vectors to decide on their targets. Investing in attack surface management software can help you understand, map, and reduce your attack surface over time.

The reconnaissance stage is where secure behaviors can have a big impact. A security-conscious organization will know they are a potential target and limit what information they share, reducing the risk of spear phishing and whaling attacks. 

That's not to say detecting reconnaissance efforts in real-time isn't difficult. It is and these controls won't stop everything. However, discovering reconnaissance after the fact can still provide context into the intent of an attacker. Consider investing in the following detection mechanisms:

• Collecting website visitor logs for altering and historical searching
• Collaborating with web administrators to utilize their existing browser analytics
• Building detections for browsing behaviors that are unique to reconnaissance
• Prioritizing defenses around particular technologies or people based on reconnaissance activity

2. Weaponization

The weaponization stage is the preparation and staging phase of a cyberattack. The attacker has still not interacted with its intended victim. Instead, they are creating their attack. 

This typically means coupling malicious software, like a remote access trojan, with an exploit by means of an automated tool called a weaponizer. 

For example, an attacker may create an infected Microsoft Office document that is intended to be delivered via phishing emails. 

Even though detection of weaponization is near impossible, it's an essential phase to understand and you can learn a lot by analyzing malware artifacts. Detection against weaponizer artifacts is one of the most durable and resilient defenses.  

Security controls that can reduce the likelihood and impact of the weaponization stage:

• Conducting security awareness training 
• Performing malware analysis on not only the payload but how it was made
• Building detections for weaponizers
• Analyzing the timeline of when malware was created relative to when it was used. Old malware generally means it came off the shelf while new malware may mean active, tailored operations
• Collecting files and metadata for future digital forensics 
• Determining which weaponizer artifacts are common to which APT campaigns 

3. Delivery

Delivery is the third phase of the cyber kill chain and refers to the attack vectors used to deliver malicious payloads. According to Lockheed Martin Computer Incident Response Team (LM-CIRT) for the years 2004-2010 email attachments, websites, and USB media were the three most prevalent delivery vectors for weaponized payloads by APT actors. 

While there is an entire industry dedicated to stopping attacks at this stage, people also play a critical role. If you look at the three most common attack vectors above, two of them rely on some form of human interaction. 

By teaching people to stop when they feel like something isn't right, you can prevent the delivery of a load of different malicious software. While it won't stop wormable exploits like EternalBlue that targeted outdated SMB protocols and led to the WannaCry ransomware attack, it will prevent many less sophisticated attempts.  

Countermeasures for the delivery stage include:

• Analysis of delivery medium to understand the impact of target systems
• Understanding targeted servers and people, their roles and responsibilities, and what sensitive data they have access to
• Inferring the intent of adversaries based on targeting
• Leveraging weaponizer artifacts to detect new malicious payloads at the point of delivery
• Analyzing the time of day when the attack began
• Collecting email and web logs for forensic reconstruction even if an intrusion is detected late, you must be able to determine when and how delivery began
• Vulnerability management and vulnerability assessment processes 

4. Exploitation

After the payload has been delivered to the victim, the exploitation triggers the intruders' code. Most often this will target an application or operating system vulnerability, but it could also simply exploit the victim or leverage an operating system feature that auto-executes code. 

To add reliance consider investing in traditional hardening measures:

• User awareness training and email testing for employees
• Secure coding training for web developers
• Regular vulnerability scanning and penetration testing
• Endpoint hardening measures like restricting admin privileges and custom endpoint rules to block shellcode execution
• Endpoint process auditing to forensically determine origin of exploit

5. Installation

The installation phase implies the attacker has an active exploit running on the target system. In this situation, they may look for additional vulnerabilities or use privilege escalation to gain additional access to the system to install a backdoor or remote access trojan that allows for persistence within the environment. 

They may also employ some form of obfuscation to conceal their presence and mask activity to avoid detection and thwart an investigation. This can include wiping files and metadata, overwriting data with false timestamps and misleading information, or modifying critical information so it looks as though access was never granted. 

Defending this stage means you should have some form of endpoint instrumentation to detect and log installation activity, such as:

• Understanding if malware required administrator privileges or not
• Alerting or blocking common installation paths
• Endpoint processing auditing to discover abnormal file creations
• Extract certificates from any signed executables
• Understand compile time of malware to determine if it is old or new

6. Command and Control (C2)

Typically compromised hosts communicate to an outside server to establish a command & control channel. Once the connection is established, the intruders have hands on the keyboard access to the target environment.  

This stage is likely your last best chance to block the operation if adversaries can't issue commands you can prevent impact. 

• Discover C2 infrastructure through malware analysis
• Harden your network by consolidation the number of internet points of presence and require proxies for all types of traffic (HTTP, DNS)
• Customize blocks of C2 protocols on web proxies
• Proxy category blocks including "none" or "uncategorized" domains
• Prevent DNS sink holding and name server poisoning
• Conduct open-source research to discover new adversary C2 infrastructure 

7. Actions on Objectives

Now after progressing through the six previous phases of the intrusion kill chain, intruders can take actions to achieve their original objectives. This is typically a violation of either confidentiality, integrity, or availability or a combination of the three. 

Alternatively, the attackers may only desire access to the initial victim in order to compromise additional systems and use lateral movement to gain access to new systems deeper in the network. 

• Establish incident response playbook, including executive engagement and communications plan
• Detect data exfiltration, lateral movement, unauthorized credential usage
• Immediate analyst response to all alerts
• Forensic agents pre-deployed to endpoints for rapid triage
• Network package capture to recreate activity
• Conduct damage assessment with subject matter experts

How UpGuard Can Improve your Organization's Security Posture

For the assessment of your information security controls, UpGuard BreachSight can monitor your organization for 70+ security controls providing a simple, easy-to-understand cyber security rating and automatically detect leaked credentials and data exposures in S3 buckets, Rsync servers, GitHub repos, and more.

This includes open ports and other services that are exposed to the public Internet. Our platform explicitly checks for nearly 200 services running across thousands of ports, and reports on any services we can't identify, as well as any open ports with no services detected. 

UpGuard Vendor Risk can minimize the amount of time your organization spends assessing related and third-party information security controls by automating vendor questionnaires and providing vendor questionnaire templates.

Our expertise has been featured in the likes of The New York Times, The Wall Street Journal, Bloomberg, The Washington Post, Forbes, Reuters, and TechCrunch.

You can read more about what our customers are saying on Gartner reviews.