Cyber Kill Chain
The cyber kill chain is an adaptation of the military kill chain, a step-by-step model for identifying and stopping enemy activity. It was originally developed by Lockheed Martin in 2011 and breaks a cyber-attack down into seven stages.
- Reconnaissance
- Weaponization
- Delivery
- Exploitation
- Installation
- Command and control
- Actions on objectives
Each of these stages gives a security team an opportunity to prevent, detect, or intercept the attacker. The intention of the cyber kill chain is to help an organisation define its cyber security strategy. It then aids in defending against sophisticated cyber-attacks such as advanced persistent threats (APTs), where attackers spend a significant amount of time on surveillance and planning in order to gain a long-term foothold within a system or network.
The seven stages explained
Below is an explanation of each of these stages.
Reconnaissance
The reconnaissance stage is where an attacker gathers information about the target system or network. This could entail scanning for vulnerabilities in software and hardware that is being used, researching potential entry points into the system or network, as well as identifying potential targets within the organisation in question.
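Reconnaissance is the first stage at which a defender can detect activity, and one of the most visible signs is a single external source probing many ports on one host in a short window. The script below is an added example written for this article, not code from the original text: it reads constructed firewall log lines (the line format, the addresses and the thresholds are all assumptions made for the demo) and flags any source/destination pair that touches an unusually large number of distinct ports within a sliding time window.

```python
"""Flag port-scan style reconnaissance in firewall logs.

Added example for the kill chain article; the log format, IP addresses and
thresholds below are constructed for the demonstration and do not correspond
to any particular vendor or incident.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <ALLOW|DENY>"
# 203.0.113.7 sweeps ten ports on 10.0.0.20 in three seconds; 198.51.100.4 is
# ordinary web traffic spread over half an hour.
SAMPLE_FIREWALL_LOG = """\
2024-03-01T10:00:00 203.0.113.7 10.0.0.20 22 DENY
2024-03-01T10:00:00 203.0.113.7 10.0.0.20 23 DENY
2024-03-01T10:00:01 203.0.113.7 10.0.0.20 25 DENY
2024-03-01T10:00:01 203.0.113.7 10.0.0.20 80 ALLOW
2024-03-01T10:00:01 203.0.113.7 10.0.0.20 110 DENY
2024-03-01T10:00:02 203.0.113.7 10.0.0.20 135 DENY
2024-03-01T10:00:02 203.0.113.7 10.0.0.20 139 DENY
2024-03-01T10:00:02 203.0.113.7 10.0.0.20 443 ALLOW
2024-03-01T10:00:03 203.0.113.7 10.0.0.20 445 DENY
2024-03-01T10:00:03 203.0.113.7 10.0.0.20 3389 DENY
2024-03-01T10:00:05 198.51.100.4 10.0.0.20 443 ALLOW
2024-03-01T10:02:00 198.51.100.4 10.0.0.20 443 ALLOW
2024-03-01T10:30:00 198.51.100.4 10.0.0.20 80 ALLOW
"""


def parse_firewall_log(text):
    """Turn the constructed log text into (timestamp, src, dst, port, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, action = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port), action))
    return events


def find_port_scans(events, window_seconds=60, min_ports=8):
    """Return one alert per (src, dst) pair that hits >= min_ports distinct
    destination ports inside any window of window_seconds."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, _action in events:
        by_pair[(src, dst)].append((ts, port))

    alerts = []
    window = timedelta(seconds=window_seconds)
    for (src, dst), hits in by_pair.items():
        hits.sort()
        in_window = Counter()   # port -> number of hits currently inside the window
        left = 0
        best_ports = set()
        for ts, port in hits:
            in_window[port] += 1
            # Slide the left edge forward until the window fits within window_seconds.
            while ts - hits[left][0] > window:
                old_port = hits[left][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                left += 1
            if len(in_window) > len(best_ports):
                best_ports = set(in_window)
        if len(best_ports) >= min_ports:
            alerts.append({
                "src": src,
                "dst": dst,
                "distinct_ports": len(best_ports),
                "ports": sorted(best_ports),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_port_scans(parse_firewall_log(SAMPLE_FIREWALL_LOG)):
        print(f"possible port scan: {alert['src']} -> {alert['dst']} "
              f"({alert['distinct_ports']} distinct ports: {alert['ports']})")
```

The window size and port threshold are tuning knobs: a slow scan spread over hours will not trip a 60-second window, so production detections usually run the same logic at several window sizes and combine it with the ratio of denied to allowed connections.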
Weaponization
As part of the weaponization stage, the attacker takes the information gathered during reconnaissance and produces an attack vector or weapon to use against the intended target. This might entail the creation of a remote access trojan, ransomware, virus, or worm that exploits a vulnerability discovered during reconnaissance. It may also include building a back door into the system for continued access after the initial attack.
Delivery
As the name suggests, the delivery stage is where the weapon of choice, created previously, is delivered to the intended target. This can be achieved through phishing emails, using social engineering tools, and exploiting hardware or software vulnerabilities, to name a few.
Exploitation
Once delivery has been completed, the malicious code contained in the weapon of choice is executed within the victim's system in order to exploit the identified vulnerabilities.
Installation
With the chosen vulnerability or vulnerabilities exploited, the malicious payload is installed on the victim's system, and the attacker can start to assume control of the intended target. They may seek to gain further control by installing additional malware, for example, to move laterally across systems.
Command and control
During the penultimate phase, command and control, the attacker establishes a command and control (C2) channel that allows the deployed weapons to be monitored and operated remotely. Obfuscation techniques may be used here to cover up evidence of the attack. An additional attack, such as a denial-of-service attack, may be used as a distraction so that the security team's focus is drawn away from the original intrusion.
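The C2 stage is a strong detection point because an implant has to reach back to its controller, and it typically does so on a timer. The script below is an added example for this article, not code from the original: it reads constructed web-proxy log lines (the format, the hostnames and the thresholds are assumptions made for the demo) and flags internal hosts whose requests to one external destination arrive at suspiciously regular intervals, which is the classic signature of beaconing.

```python
"""Flag C2-style beaconing in web-proxy logs.

Added example for the kill chain article; the log format, hostnames and
thresholds are constructed for the demonstration.

Idea: an implant polling its controller produces inter-request gaps that
cluster tightly around a fixed period, so the coefficient of variation
(standard deviation / mean) of those gaps is close to zero. Human browsing
produces gaps that vary widely.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines: "<ISO timestamp> <src_ip> <dest_host> <status>"
# 10.0.0.5 contacts updates.example-vendor.net almost exactly once a minute,
# while its requests to the news CDN and mail host are irregular.
SAMPLE_PROXY_LOG = """\
2024-03-01T09:00:00 10.0.0.5 updates.example-vendor.net 200
2024-03-01T09:00:04 10.0.0.5 cdn.example-news.com 200
2024-03-01T09:01:00 10.0.0.5 updates.example-vendor.net 200
2024-03-01T09:01:37 10.0.0.5 cdn.example-news.com 200
2024-03-01T09:02:00 10.0.0.5 updates.example-vendor.net 200
2024-03-01T09:03:00 10.0.0.5 updates.example-vendor.net 200
2024-03-01T09:03:12 10.0.0.5 mail.example-corp.com 200
2024-03-01T09:04:00 10.0.0.5 updates.example-vendor.net 200
2024-03-01T09:05:01 10.0.0.5 updates.example-vendor.net 200
2024-03-01T09:06:00 10.0.0.5 updates.example-vendor.net 200
2024-03-01T09:14:20 10.0.0.5 cdn.example-news.com 200
2024-03-01T09:22:03 10.0.0.5 cdn.example-news.com 200
"""


def parse_proxy_log(text):
    """Turn the constructed log text into (timestamp, src, dst) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _status = line.split()
        events.append((datetime.fromisoformat(ts), src, dst))
    return events


def find_beacons(events, min_requests=5, max_cv=0.2):
    """Return one finding per (src, dst) pair with at least min_requests
    requests whose inter-request gaps have a coefficient of variation <= max_cv."""
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_requests:
            continue                      # too few samples to judge regularity
        times.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(times, times[1:])]
        avg_gap = mean(gaps)
        if avg_gap == 0:
            continue                      # burst of identical timestamps, not a beacon
        cv = pstdev(gaps) / avg_gap
        if cv <= max_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "count": len(times),
                "mean_interval": avg_gap,
                "cv": cv,
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_proxy_log(SAMPLE_PROXY_LOG)):
        print(f"possible beacon: {f['src']} -> {f['dst']} every "
              f"{f['mean_interval']:.0f}s ({f['count']} requests, cv={f['cv']:.3f})")
```

Legitimate software also polls on a timer (update checkers, telemetry, mail clients), so a finding like this is a lead to triage against an allow-list of known services rather than a verdict on its own; implants that add random jitter to their sleep time push the coefficient of variation up, which is why the threshold is a parameter rather than a constant.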
Actions on objectives
In the final stage, actions on objectives, the attacker seeks to achieve their intended goals, such as data exfiltration, data destruction, or encryption for ransom.
Limitations of the Cyber Kill Chain
The cyber kill chain was originally designed to help detect and prevent malware and to protect the network perimeter; however, as cybercrime becomes more sophisticated, threats now arrive across other attack surfaces as well.
There is an increasing trend to move systems into the cloud, beyond the perimeter of the network. With there also being an increase in the number of people working remotely, protecting the perimeter of a network is no longer enough.
Additionally, insider threats, advances in malware such as file-less malware, and web-based attacks such as SQL injection and cross-site scripting may go undetected using this framework.