What Is the Cyber Kill Chain? Definition & Explanation

The Cyber Kill Chain is a popular framework that’s used for understanding and responding to information security incidents.

It outlines the steps that organizations can take to trace the stages of a cyber attack, from a criminal’s reconnaissance efforts to the exfiltration of data.

Lockheed Martin created the Cyber Kill Chain in 2011 by adapting a military framework for engaging with adversaries in combat to cyber security.

Since then, it has been widely used by organizations to tackle a range of security threats, including ransomware, APTs (advanced persistent threats), code injection, and DDoS (distributed denial-of-service) attacks.

How does the Cyber Kill Chain work?

The Cyber Kill Chain plots the specific actions that criminal hackers take when they compromise an organization’s systems.

By breaking down the attack into discrete stages, security teams can assess their ability to combat each stage of an attack. As a result, they can anticipate weaknesses in the organization’s defences and take steps to bolster their defence mechanisms.

As the nature of cyber crime has evolved over the years, with new techniques being developed, several variations of the Cyber Kill Chain have been created, with each one defining the attack chain in a slightly different way.

For instance, Lockheed Martin’s framework contains seven stages, whereas alternative models, such as Gartner’s, combine several steps and add others.

As we dissect the Cyber Kill Chain in the next section, we’ll be using Lockheed Martin’s framework, which remains the most popular.

The 7 stages of the Cyber Kill Chain

Each stage of the Cyber Kill Chain presents organizations with the opportunity to thwart a cyber attack. As the criminal hacker moves through the stages, they gain greater leverage and are able to commit more damage.

1. Reconnaissance

Cyber attacks begin with the criminal hacker gathering information on the target system to identify potential weaknesses.

They might do this by probing the system for identified vulnerabilities or configuration errors. For targeted attacks, such as spear phishing, the attacker might search online for people’s names, job titles, and contact details.

2. Weaponization

In this next stage of the attack, the attacker creates the exploit that will be used to compromise the system.

For example, the fraudster might write or purchase malware, and then package it in an executable file, a malicious flash drive, or a malicious email attachment. This code is often combined with a RAT (Remote Access Trojan) to form a deliverable payload.

Common weapons used for this are data files from client applications such as Adobe PDF or Microsoft Office documents.

3. Delivery

At this stage, the criminal hacker identifies a method by which to deliver their weapon to the target system. The most common delivery methods are email attachments, bogus websites, USB devices, and malicious download links.

Alternatively, criminal hackers might use a program script to target a known vulnerability in the organization’s systems or website code.

4. Exploitation

The weapon is now launched against its target, aiming to exploit a specific weakness. It typically targets an application or operating system vulnerability, but it could also exploit the users themselves.

For instance, social engineering attacks, such as phishing, work by tricking employees into downloading infected attachments or clicking bogus links.

Similarly, attackers can brute force their way into a system by correctly guessing an employee’s password, or use protocol decryption to break the SSL (Secure Sockets Layer) encryption protecting its traffic.

If successful, the attacker will gain access to the organization’s system, data, or services.

5. Installation

This stage applies to malware attacks and describes the way attackers install the malicious software onto the organization’s system.

There are many types of malware that a criminal hacker can use. Some are designed to compromise sensitive data, such as ransomware, spyware, and keyloggers, while others gain control over a victim’s systems, such as backdoors, rootkits, and botnets.

6. Command and Control

In this stage, the attacker establishes a connection between the compromised system and a remote server that they control.

This communication channel, known as Command and Control (or ‘C2’), requires manual interaction to enable the attacker to access the target environment. Once the connection has been established, intruders have “hands on the keyboard” access to the organization’s systems.

7. Actions on Objectives

In the final stage of the attack, the criminal hacker performs the necessary actions to achieve their original objectives. This typically means exfiltrating sensitive data, but some attacks are designed to perform more complex tasks.

This can include manipulating data, executing malicious code, and establishing backdoors in the system for future use. Other attack goals may include disrupting services and systems, or using the compromised environment as a launchpad for further attacks.
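The practical use of the seven stages, as described above, is twofold: a security team checks that it has a control for each stage (the original Lockheed Martin paper organizes this as a matrix of stages against the courses of action detect, deny, disrupt, degrade, deceive and destroy), and, after an incident, it works out how far along the chain the adversary got before anything fired. The following Python is an added example written for this article, not code from the article or from Lockheed Martin. The control inventory and the incident timeline are constructed for illustration, and the timeline deliberately omits the weaponization stage and has a late detection, because real intrusions skip and combine stages, so the code orders actions by the time they happened rather than by the canonical stage order.

```python
"""Kill-chain coverage gaps and detection depth.

Added illustrative example; the controls, timestamps and stage labels below are
constructed, not taken from any real environment.
"""
from dataclasses import dataclass

# Lockheed Martin's seven stages, in canonical order.
STAGES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]
STAGE_INDEX = {name: i for i, name in enumerate(STAGES)}

# Courses of action from the original Lockheed Martin paper.
COURSES = ("detect", "deny", "disrupt", "degrade", "deceive", "destroy")


@dataclass(frozen=True)
class Control:
    name: str    # descriptive label (constructed)
    stage: str   # one of STAGES
    course: str  # one of COURSES


# Constructed control inventory for a hypothetical organization.
CONTROLS = [
    Control("web proxy logging", "reconnaissance", "detect"),
    Control("secure mail gateway", "delivery", "deny"),
    Control("mail gateway alerts", "delivery", "detect"),
    Control("endpoint protection", "exploitation", "disrupt"),
    Control("EDR agent", "installation", "detect"),
    Control("application allow-listing", "installation", "deny"),
    Control("egress proxy with domain categories", "command_and_control", "degrade"),
    Control("data loss prevention", "actions_on_objectives", "detect"),
]


def coverage_matrix(controls):
    """Return {stage: {course: [control names]}} with every cell present, even if empty."""
    matrix = {s: {c: [] for c in COURSES} for s in STAGES}
    for ctl in controls:
        if ctl.stage not in STAGE_INDEX or ctl.course not in COURSES:
            raise ValueError(f"unknown stage or course in control: {ctl}")
        matrix[ctl.stage][ctl.course].append(ctl.name)
    return matrix


def coverage_gaps(controls):
    """Return (stages with no detect control, stages with no blocking control).

    A blocking control is one filed under deny, disrupt or degrade.
    """
    matrix = coverage_matrix(controls)
    no_detect = [s for s in STAGES if not matrix[s]["detect"]]
    no_block = [s for s in STAGES
                if not any(matrix[s][c] for c in ("deny", "disrupt", "degrade"))]
    return no_detect, no_block


@dataclass(frozen=True)
class Action:
    when: str       # ISO 8601 UTC timestamp (constructed)
    stage: str      # kill-chain stage the action belongs to
    detected: bool  # did any control fire on this action?


# Constructed post-incident timeline. Weaponization is absent on purpose:
# it happens off-network, so the defender never sees it.
TIMELINE = [
    Action("2024-01-08T09:02:00Z", "reconnaissance", False),
    Action("2024-01-09T10:15:00Z", "delivery", False),
    Action("2024-01-09T10:17:00Z", "exploitation", False),
    Action("2024-01-09T10:18:00Z", "installation", True),
    Action("2024-01-09T10:20:00Z", "command_and_control", False),
    Action("2024-01-10T02:40:00Z", "actions_on_objectives", True),
]


def detection_point(timeline):
    """Return (first detected stage, distinct stages completed unseen before it).

    Actions are ordered by when they happened, so skipped or reordered stages
    are handled naturally. The first element is None if nothing was detected.
    """
    unseen = []
    for action in sorted(timeline, key=lambda a: a.when):
        if action.detected:
            return action.stage, unseen
        if action.stage not in unseen:
            unseen.append(action.stage)
    return None, unseen


def deepest_stage(timeline):
    """The furthest stage reached, by canonical order (None for an empty timeline)."""
    return max((a.stage for a in timeline), key=STAGE_INDEX.__getitem__, default=None)


if __name__ == "__main__":
    no_detect, no_block = coverage_gaps(CONTROLS)
    print("stages with no detect control:", no_detect)
    print("stages with no blocking control:", no_block)
    first, unseen = detection_point(TIMELINE)
    print(f"first detected at {first}; completed unseen: {unseen}")
    print("deepest stage reached:", deepest_stage(TIMELINE))
```

The gap report is what the "assess their ability to combat each stage" sentence above amounts to in practice: a stage that appears in both lists is one where the adversary moves freely and invisibly. The detection-point result is the post-incident counterpart: the more stages in the "completed unseen" list, the later in the chain the organization is relying on its controls, and the less time it has left before actions on objectives.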

Is the Cyber Kill Chain still relevant?

The Cyber Kill Chain has proved to be an important tool over the past decade, helping organizations structure their cyber security strategies.

However, the cyber attack lifecycle is less predictable than it once was. Criminal hackers have become more sophisticated and now often skip or combine steps, giving organizations less time to detect and neutralize threats.

Also, the popularity and widely publicized nature of the model has given attackers an insight into the way organizations defend themselves, which could help them avoid detection.

The framework has come under criticism in particular for focusing on perimeter security and malware prevention at the expense of other attack methods. It contains little guidance on threats related to cloud environments, personal devices, Internet-of-Things technology and RPA (Robotic Process Automation).

Likewise, the Cyber Kill Chain is not applicable to insider threats, which account for 22% of all security incidents, or web-based attacks such as XSS (cross-site scripting), SQL injection and DDoS (distributed denial-of-service) attacks.

Nonetheless, the framework gives an effective overview of the way criminal hackers gain unauthorized access into an organization’s systems. When used alongside other techniques to understand and identify security threats, it can help organizations create comprehensive and layered defences.

Assured security with IT Governance

To get the most out of the Cyber Kill Chain, you must understand how it applies directly to your organization. This is where a professional pen tester (or ethical hacker) can help.

Certified testers can examine your systems using the same techniques as a cyber criminal, demonstrating the vulnerabilities in your operations that attackers can use to deliver, exploit, and install malware.

With this information, organizations can prioritize defensive capabilities to protect themselves before they are targeted by a real-world attack.

IT Governance is a CREST-accredited penetration testing provider, and we offer a range of solutions.

You can also find out more about penetration testing and the ways it can help bolster your systems by downloading Assured Security – Getting cyber secure with penetration testing.

This free guide explains what penetration testing is, how it works, and the types of vulnerabilities it can help detect.