Cyber Kill Chain
The cyber kill chain is an adaptation of the military's kill chain, a step-by-step model for identifying and stopping enemy activity. Originally developed by Lockheed Martin in 2011, the cyber kill chain outlines the stages that many common cyberattacks pass through and, by extension, the points at which the information security team can prevent, detect or intercept attackers.
The cyber kill chain is intended to defend against sophisticated cyberattacks, also known as advanced persistent threats (APTs), in which attackers spend significant time surveilling and planning before acting. Most commonly these attacks combine malware, ransomware, Trojans, spoofing and social engineering techniques to carry out their plan.
Other kill chain models exist (SentinelOne publishes an overview of several of them), but the one described here is the standard Lockheed Martin model. Varonis also has a good article on the subject.
The standard kill chain is broken into these phases:
Phase 1: Reconnaissance
Phase 2: Weaponization
Phase 3: Delivery
Phase 4: Exploitation
Phase 5: Installation
Phase 6: Command and Control
Phase 7: Actions on Objective
Phase 1: Reconnaissance
Attackers identify a target and explore vulnerabilities and weaknesses that can be exploited within the network. As part of this process, the attacker may harvest login credentials or gather other information, such as email addresses, user IDs, physical locations, software applications and operating system details, all of which may be useful in phishing or spoofing attacks.
Phase 2: Weaponization
Attackers create an attack vector, such as remote access malware, ransomware, a virus or a worm, that can exploit a known vulnerability. The attacker may also set up back doors so that they can continue to access a system if their original point of entry is identified and closed by network administrators.
Phase 3: Delivery
The attacker launches the attack. The specific steps taken depend on the type of attack they intend to carry out; for example, the attacker may send email attachments or a malicious link to spur user activity that advances the plan. This activity may be combined with social engineering techniques to increase the effectiveness of the campaign.
Phase 4: Exploitation
This phase is pretty simple: the malicious code or file is executed within the target system.
Phase 5: Installation
Following the Exploitation phase, the malware or other attack vector is installed on the target system. This is a turning point in the attack lifecycle, as the threat actor has entered the system and can now assume control.
Phase 6: Command and Control
The attacker uses the malware to assume remote control of a device or identity within the target network. The attacker may also work to move laterally throughout the network, expanding their access and establishing more points of entry for the future.
Phase 7: Actions on Objective
The attacker takes steps to carry out their intended goals, which may include data theft, destruction, encryption or exfiltration.
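The defensive value of the model is that every phase is a link the security team can break, and that detections from different controls can be correlated along the chain. The following Python script is an added example, not code from the original page or from Lockheed Martin: it maps constructed sample detections (a mail gateway, an EDR agent and a web proxy are assumed as sources; the hostnames and details are made up) onto the seven phases, stitches per-host detections into chains, ranks hosts by how far along the chain the intrusion has progressed, and reports the observable phases where no control fired, which is where detection coverage should be reviewed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

# The seven phases of the standard (Lockheed Martin) kill chain, in order.
PHASES = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objective",
]
# Reconnaissance and Weaponization happen on the attacker's side; the first
# phase a defender's own telemetry can normally observe is Delivery.
FIRST_OBSERVABLE = PHASES.index("Delivery")


@dataclass
class Event:
    when: datetime
    host: str
    phase: str    # kill chain phase this detection maps to
    source: str   # control that produced it (assumed: mail gateway, EDR, proxy)
    detail: str


@dataclass
class Chain:
    """Detections on one host that occurred close enough in time to belong together."""
    host: str
    phases: List[str] = field(default_factory=list)   # distinct phases, in observed order
    events: List[Event] = field(default_factory=list)

    @property
    def furthest(self) -> str:
        return max(self.phases, key=PHASES.index)

    @property
    def severity(self) -> int:
        # Further along the chain means more urgent to break.
        return PHASES.index(self.furthest)

    @property
    def gaps(self) -> List[str]:
        """Observable phases before the furthest one for which no control fired."""
        return [p for p in PHASES[FIRST_OBSERVABLE:self.severity] if p not in self.phases]


# Constructed sample detections, not real logs. ws-17 progresses through three
# phases with Installation never detected; ws-42 has two unrelated detections
# hours apart.
SAMPLE_EVENTS = [
    Event(datetime(2024, 5, 1, 9, 2), "ws-17", "Delivery", "mail-gateway",
          "macro-enabled attachment delivered to user"),
    Event(datetime(2024, 5, 1, 9, 5), "ws-17", "Exploitation", "edr",
          "office application spawned a scripting host"),
    Event(datetime(2024, 5, 1, 9, 9), "ws-17", "Command and Control", "proxy",
          "periodic beacon to uncategorised domain"),
    Event(datetime(2024, 5, 1, 11, 30), "ws-42", "Delivery", "mail-gateway",
          "link to credential-harvesting page blocked"),
    Event(datetime(2024, 5, 1, 15, 0), "ws-42", "Exploitation", "edr",
          "browser spawned a scripting host"),
]


def build_chains(events: List[Event], window_hours: float = 1.0) -> List[Chain]:
    """Group detections per host in time order; silence longer than the window
    between two detections on the same host starts a new chain."""
    window = timedelta(hours=window_hours)
    by_host: Dict[str, List[Event]] = {}
    for ev in sorted(events, key=lambda e: e.when):
        by_host.setdefault(ev.host, []).append(ev)
    chains: List[Chain] = []
    for host, evs in by_host.items():
        current = None
        for ev in evs:
            if current is None or ev.when - current.events[-1].when > window:
                current = Chain(host=host)
                chains.append(current)
            current.events.append(ev)
            if ev.phase not in current.phases:
                current.phases.append(ev.phase)
    return chains


def triage(chains: List[Chain]) -> List[Chain]:
    """Most advanced chains first, oldest first among equals."""
    return sorted(chains, key=lambda c: (-c.severity, c.events[0].when))


if __name__ == "__main__":
    for chain in triage(build_chains(SAMPLE_EVENTS)):
        print(f"{chain.host}: reached {chain.furthest!r} via {chain.phases}; "
              f"undetected phases: {chain.gaps or 'none'}")
```

With the one-hour default window, ws-17 ranks first because its beacon places it at Command and Control, and its report flags Installation as the phase where persistence was established without any control noticing. Widening the window to five hours merges the two ws-42 detections into a single chain, which is the usual tuning trade-off between missing slow intrusions and gluing unrelated events together.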