The Cyber Kill Chain is a model that outlines the stages of a cyber attack. This guide explores each phase of the kill chain, from reconnaissance to execution, and how organizations can use this framework to enhance their security posture.
Learn about the importance of detection and response at each stage. Understanding the Cyber Kill Chain is essential for developing effective cybersecurity strategies.
What is the Cyber Kill Chain in Cybersecurity?
Derived from a military model by Lockheed Martin in 2011, the cyber kill chain is a step-by-step approach to understanding a cyberattack with the goal of identifying and stopping malicious activity.
Also called the cyber attack lifecycle, the cyber kill chain can help organizations gain a deeper understanding of the events leading up to a cyberattack and the points at which they can prevent, detect, or intercept attackers in the future.
Although the original cyber kill chain model contained only seven steps, cybersecurity experts expanded the kill chain to include eight phases: reconnaissance, weaponization, delivery, exploitation, installation, command and control, actions on objective, and monetization.
Most of the time, organizations use the cyber kill chain to defend against the most sophisticated cyberattacks, including ransomware, security breaches, and advanced persistent threats (APTs).
How the Cyber Kill Chain Works
The term “cyber kill chain” was adapted from the military and describes the structure of an attack (either offensive or defensive) broken into a pattern of identifiable stages, including identifying a target, dispatch, decision, order, and destruction of the target.
In cybersecurity, the cyber kill chain is a model outlining the various phases of common cyberattacks. Using the cyber kill chain, organizations can trace the stages of a cyberattack to better anticipate and prevent against cyber threats in the future.
Each stage of the cyber kill chain is related to a specific type of activity in a cyberattack (regardless of whether it’s an internal or external attack).
How Does the Cyber Kill Chain Protect Against Attacks?
The cyber kill chain is not a security system: it’s a framework that enables security teams to anticipate how attackers will act so they can stop them as quickly as possible or intercept them if the attack has already transpired.
The cyber kill chain maps out the exact path a typical attacker will take so cybersecurity teams can recognize the starting point of common cyberattacks. Cyber kill chain simulations allow security teams to gain firsthand experience in dealing with a cyber threat, and evaluating simulation responses can help organizations identify and remediate any security gaps that may exist.
It can guide strategy, training, and tool selection by revealing which parts of a security strategy may or may not need updating, such as employee training, endpoint security software, or VPNs.
Cyber Kill Chain Steps
Computer scientists at Lockheed Martin may have been the first to take this concept and apply it to information security, but the cyber kill chain continues to evolve with the changing nature of cyber threats.
At the core of the cyber kill chain is the notion that cyberattacks often occur in phases and they can be disrupted through controls established at each phase.
-
Reconnaissance
During what some call the observation phase, the reconnaissance phase is when attackers begin to identify targets and make a plan of action. This stage often includes activities such as researching potential targets, determining vulnerabilities, and exploring potential entry points. The more information an attacker can glean during this phase, the more sophisticated and successful the attack can be.
-
Weaponization
At this stage, attackers create the attack vector that will be used in the cyberattack. This could include remote access malware, ransomware, or a virus or worm that can exploit a vulnerability identified during the reconnaissance phase.
During the weaponization phase, attackers may also try to reduce the likelihood of being detected by any security solutions in place.
-
Delivery
Attackers then deliver the attack vector through a medium like phishing emails or by hacking into the target’s system or network. Regardless of the type of attack they intend to carry out, this is the stage at which the attacker officially launches an attack against a target.
-
Exploitation
Next, the malicious code is executed within the target’s systems. By breaching the perimeter, attackers now have the opportunity to further exploit the target’s systems by installing tools, running scripts, or modifying security certificates. Common examples of exploitation attacks include scripting, dynamic data exchange, and local job scheduling.
-
Installation
Immediately following the exploitation phase, the installation phase is when the attack vector is installed on the target’s systems. During the installation stage, attackers may also create back doors into the target’s systems or networks so they can continue to access them even if the original point of entry is identified and closed.
-
Command and Control
During the command and control phase, attackers use the successfully installed attack vector to control devices or identities remotely within the target’s network. Threat actors may also move laterally during the command and control phase in order to avoid detection and establish additional points of entry.
-
Actions on Objective
In the final phase of Lockheed Martin’s cyber kill chain, attackers take the final steps to carry out their original objective, be it data theft, destruction, encryption or exfiltration.
The above steps are taken directly from Lockheed Martin’s cyber kill chain, which was originally developed in 2011. Since then, cybersecurity experts have expanded on the seven phases to include an eighth: monetization.
-
Monetization
During the monetization phase, attackers focus on deriving income from the successful attack, whether through some form of ransom or selling sensitive information on the dark web.
Since its inception, the cyber kill chain has evolved to better anticipate and understand modern cyber threats. It has also been adopted by data security organizations and professionals to help define the stages of an attack.
However, because of the constantly evolving nature of cyber threats, the future of the cyber kill chain is unknown. As extended detection and response (XDR) becomes increasingly important for modern cybersecurity strategy, a new XDR framework or kill chain that leverages MITRE ATT&CK framework could be more beneficial to security teams.
Critiques of the Cyber Kill Chain
Current critiques can be bucketed into two main categories: perimeter security and attack vulnerabilities.
Perimeter Security
One of the biggest critiques of Lockheed’s Cyber Kill Chain model is the fact that the first two phases of an attack (reconnaissance and weaponization) often occur outside the target network. This can make it difficult for organizations to understand or defend against any actions occurring during these phases.
Attack Vulnerabilities
Some critics believe that the methodology also reinforces traditional perimeter-based and malware-prevention-based defensive strategies, which aren’t enough in today’s cybersecurity climate.
Additionally, some critics believe the traditional cyber kill chain isn’t a suitable model for simulating insider threats. This potentially puts organizations at greater risk given the likelihood of successful attacks that breach a target’s internal network perimeter.
Although many have adopted the cyber kill chain, acceptance is far from universal and there are many critics that are quick to point to what they believe are fundamental flaws. Fortunately, there are a number of other cybersecurity frameworks that may satisfy some of the cyber kill chain’s shortcomings.
Cyber Kill Chain vs MITRE ATT&CK Framework
Like the cyber kill chain, the MITRE ATT&CK framework was created as a cybersecurity model to document and track techniques that attackers use throughout various stages of a cyberattack.
The MITRE ATT&CK framework, which stands for Adversarial Tactics, Techniques, and Common Knowledge, has become one of the most respected and referenced resources in cybersecurity. By using a common lexicon, the ATT&CK framework enables stakeholders, cyber defenders, and vendors to clearly communicate on the exact nature of a threat and the plan to defeat it.
Each step in the ATT&CK framework has multiple tactics and techniques that offer additional granularity and specificity when describing attacker behavior. ATT&CK goes beyond describing the stages of an attack, and instead models specific attacker actions and motivations.
While the cyber kill chain is read sequentially starting with reconnaissance and ending with actions on objectives, the ATT&CK framework isn’t chronological and assumes attackers may change tactics and techniques over the course of an attack.
Additionally, MITRE points out that it is a “mid-level adversary model,” meaning that it’s not overly generalized or specific. Conversely, high-level models like the Lockheed Martin Cyber Kill Chain illustrate adversary goals but aren’t specific about how the goals are achieved.
MITRE Engenuity’s TTP model is that happy medium where tactics are the stepwise intermediate goals and the techniques represent how each tactic is achieved.
Cyber Kill Chain vs. Unified Kill Chain Model
The Unified Kill Chain was developed in 2017 by Paul Pols in collaboration with Fox-IT and Leiden University to overcome common critiques against the traditional cyber kill chain. This model united and extended Lockheed’s Kill Chain framework and the MITRE ATT&CK framework.
The unified kill chain model was designed to defend against end-to-end cyber attacks from a variety of advanced attackers and provide insights into the tactics that hackers employ to attain their strategic objectives.
This model is broken into three main phases: Initial Foothold, Network Propagation, and Action on Objectives.
Each of these phases are made up of additional attack phases. In total, there are 18 phases, including:
- Reconnaissance: Researching, identifying, and selecting targets through active or passive surveillance.
- Weaponization: Methods of preparation aimed at setting up the required infrastructure for the attack.
- Delivery: Techniques that aid in the transmission of a weaponized object to the target environment.
- Social Engineering: Methods aimed at manipulating people to perform unsafe actions.
- Exploitation: Tactics to exploit system vulnerabilities that may result in code execution.
- Persistence: Any action, access, or change to a system that grants an attacker a persistent presence on the system.
- Defense Evasion: Evasion tactics an attacker may specifically use to avoid detection or other defenses.
- Command and Control: Techniques that enable attackers to communicate with controlled systems within a target network.
- Pivoting: Using a controlled system to tunnel traffic to other systems that are not directly accessible.
- Discovery: Methods that enable an attacker to obtain knowledge about a system and its network environment.
- Privilege Escalation: The outcome of techniques that provide higher permissions on a system or network for an attacker. Common methods include brute force attacks and exploiting zero-day vulnerabilities.
- Execution: Tactics that result in execution of attacker-controlled code on a local or remote system.
- Credential Access: Strategies that result in access or control over system, service, or domain credentials.
- Lateral Movement: Techniques used to extend the reach of the attack and to find new systems or data that can be compromised. Lateral movement can occur at any stage of an attack but is most commonly seen during the post-compromise phase. Attackers can also seek out critical data and sensitive information via IT resources and built-in tools like PowerShell.
- Collection: Methods to identify and gather data from a target network before exfiltration.
- Exfiltration: Tactics that aid in or result in an attacker removing data from a target network. This can include strategies like obfuscation (e.g. falsifying timestamps, deleting or modifying logs, etc.) or Denial of Service (DoS).
- Impact: Techniques to manipulate, interrupt, or destroy the target system or data.
- Objectives: Socio-technical attack objectives aimed at achieving a strategic goal.
Improve Security with the Cyber Kill Chain and SentinelOne
Although extremely valuable, the cyber kill chain is just a framework. It’s important for organizations to have the right cybersecurity software in place to carry out the necessary prevention and detection capabilities.
For example, extended detection and response (XDR) tools are becoming increasingly important for the success of modern cybersecurity strategies. Sometimes referred to as “cross-layered” or “any data source” detection and response, XDR extends beyond the endpoint to make decisions based on data from more sources and takes action across platforms by acting on email, network, identity and beyond.
With SentinelOne, organizations can prevent, detect, and intercept both known and unknown threats before they do damage. By unifying and extending detection and response capabilities across multiple layers of security, users receive industry leading protection in every area, all in a single platform.
Organizations no longer need to rely solely on an outdated approach that examines cyberattacks after the fact. Instead, they can get ahead of threats with confidence.
Discover how SentinelOne is disrupting the cyber kill chain and book a demo today.