The Cyber Kill Chain: What You Need to Know

What is a Kill Chain?

The term “kill chain” comes from the military. In October 1996, drawing on lessons from the first Gulf War, US Air Force General John Jumper set out to shorten the time it took to find and strike a target on the battlefield, a goal he called “compressing the kill chain”: an engagement that took hours or days should complete in under 10 minutes. The resulting model became known as “F2T2EA,” an acronym that stands for:

  • Find – Locate the target
  • Fix – Fix the target’s location and make it difficult for them to move
  • Track – Monitor the target’s movement
  • Target – Choose the appropriate weapon or asset to use on the target to create the desired effect
  • Engage – Use the weapon on the target
  • Assess – Evaluate the effects of the attack

What is a Cyber Kill Chain?

In 2011, Lockheed Martin came up with the Cyber Kill Chain framework. According to the company, “the model identifies what the adversaries must complete in order to achieve their objective.”

The cyber kill chain describes the sequence of stages an attacker has to work through to get into a network and, typically, take data out of it. The premise is that the adversary must complete every stage to succeed, so breaking any single link stops the intrusion, and the earlier in the chain it is broken, the less the attacker learns and the less damage is done.

Lockheed Martin’s APT (Advanced Persistent Threat) documentation defines seven stages. Each stage is a specific goal the attacker must reach on the way to the objective and, at the same time, an opportunity for the security team to detect and disrupt the intrusion:

1.    Reconnaissance

Targets are identified

The planning phase. The attacker researches whom and what to target by:

  • Harvesting email addresses
  • Identifying employees on social media networks
  • Collecting conference attendee lists, press releases, contract awards
  • Finding internet-facing servers

Detecting reconnaissance is difficult, but when it is found it reveals the attacker’s intent and who or what is being targeted. Defenders can:

  • Collect and review website visitor logs
  • Collaborate with web administrators to use existing browser analytics
  • Build detections for browsing behaviors unique to reconnaissance
  • Set up defenses around the specific technologies or people that the reconnaissance activity singled out
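
The kind of detection the list above asks for, as an added example that is not part of the original post: a pass over web server access logs that flags clients behaving like scanners. The log lines are constructed, the thresholds and the probe-path list are assumptions to tune for your own site, and the regular expression targets the common Apache/Nginx combined log format.

```python
"""Flag reconnaissance-like behaviour in web server access logs.

Added example for this post; the log lines below are constructed, not
real traffic. Three heuristics: a client that piles up 404s (path
probing), one whose User-Agent names a scanner, and one that requests
paths legitimate visitors almost never ask for.
"""
import re
from collections import defaultdict

# Apache/Nginx combined log format
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
SCANNER_UA = ("nikto", "sqlmap", "nmap", "masscan", "dirbuster", "gobuster", "nuclei")
# Paths real visitors rarely request but scanners always do (assumed list, tune per site)
PROBE_PATHS = ("/.git/", "/.env", "/wp-login.php", "/phpmyadmin", "/admin", "/.svn/")

def parse(line: str):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def score_clients(lines, max_404=5, max_paths=15):
    """Return {ip: [reasons]} for clients whose behaviour looks like recon."""
    stats = defaultdict(lambda: {"404": 0, "paths": set(), "ua": set(), "probes": 0})
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                      # unparseable line: skip, do not crash the pipeline
        s = stats[rec["ip"]]
        s["paths"].add(rec["path"])
        s["ua"].add(rec["ua"].lower())
        if rec["status"] == "404":
            s["404"] += 1
        if any(rec["path"].startswith(p) for p in PROBE_PATHS):
            s["probes"] += 1
    flagged = {}
    for ip, s in stats.items():
        reasons = []
        if s["404"] >= max_404:
            reasons.append(f"{s['404']} x 404 (path probing)")
        if len(s["paths"]) >= max_paths:
            reasons.append(f"{len(s['paths'])} distinct paths")
        if s["probes"]:
            reasons.append(f"{s['probes']} known probe paths")
        if any(tag in ua for ua in s["ua"] for tag in SCANNER_UA):
            reasons.append("scanner User-Agent")
        if reasons:
            flagged[ip] = reasons
    return flagged

# Constructed sample: two ordinary page views and a scripted probe run
CHROME_UA = "Mozilla/5.0 (Windows NT 10.0) Chrome/111.0"
NIKTO_UA = "Mozilla/5.0 (compatible; Nikto/2.1.6)"
SAMPLE_LOG = [
    f'198.51.100.7 - - [10/Mar/2023:09:12:44 +0000] "GET / HTTP/1.1" 200 5120 "-" "{CHROME_UA}"',
    f'198.51.100.7 - - [10/Mar/2023:09:12:45 +0000] "GET /about HTTP/1.1" 200 3011 "https://example.test/" "{CHROME_UA}"',
] + [
    f'203.0.113.5 - - [10/Mar/2023:02:14:{i:02d} +0000] "GET {p} HTTP/1.1" 404 162 "-" "{NIKTO_UA}"'
    for i, p in enumerate(["/.env", "/.git/config", "/wp-login.php", "/phpmyadmin/", "/admin/", "/backup.zip"])
]

if __name__ == "__main__":
    for ip, reasons in score_clients(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

The scanner User-Agent check is the weakest of the three, since any serious adversary spoofs a browser string; the 404 volume and the probe-path hits are what catch the quiet ones, and the flagged paths tell you which technologies the attacker is fingerprinting.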

2.    Weaponization

Preparing the operation

The attacker uses an automated tool, a “weaponizer”, to couple a backdoor with an exploit into a deliverable payload, for example a document that exploits the viewer application when opened.

  • The weaponizer may be developed in-house or obtained through public or private channels
  • For file-based exploits, a “decoy” document to be presented to the victim is selected
  • The backdoor implant and the command and control infrastructure are selected
  • A specific “mission ID” is designated and embedded in the malware
  • The backdoor is compiled and the payload is weaponized

Weaponization happens on the attacker’s side and cannot be observed as it occurs, but defenders can infer how it was done by analyzing malware artifacts after the fact:

  • Conduct full malware analysis, identifying not just the payload but how it was made
  • Build detections for the weaponizer’s artifacts
  • Analyze the timeline of when the malware was created relative to when it was used
  • Collect files and metadata for future analysis
  • Determine which weaponizer artifacts are common to which APT campaigns
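
One concrete timeline check, as an added example that is not part of the original post: read the compile timestamp out of a PE header and compare it with the time the sample was first seen in your environment. The same check is the compile-time test listed under the Installation stage below. The sample here is a constructed header-only PE image, not real malware, and the first-seen time is an assumed value a defender would take from mail or proxy logs.

```python
"""Read the compile timestamp out of a PE header and compare it with the
time the sample was first seen in the environment.

Added example, not code from the original post. The sample bytes are a
constructed minimal PE header, not real malware. FIRST_SEEN is an assumed
value a defender would take from mail or proxy logs.
"""
import struct
from datetime import datetime, timedelta, timezone

def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as an aware UTC datetime."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF file header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)

def assess_timeline(compiled: datetime, first_seen: datetime) -> str:
    """Classify the build-to-use gap; a forged or stripped stamp is a finding in itself."""
    if compiled.timestamp() == 0:
        return "zeroed timestamp (deliberately stripped)"
    if compiled > first_seen:
        return "compile time after first use (forged)"
    gap = first_seen - compiled
    if gap < timedelta(days=7):
        return f"freshly built {gap.days} day(s) before use (likely targeted)"
    return f"built {gap.days} days before use (likely reused/commodity)"

def build_minimal_pe(stamp: int) -> bytes:
    """Construct a header-only PE image with the given TimeDateStamp (test data only)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)               # e_lfanew: PE signature right after DOS header
    # Machine=i386, 1 section, stamp, no symbols, PE32 optional header size, EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff

FIRST_SEEN = datetime(2023, 3, 10, 2, 14, tzinfo=timezone.utc)   # assumed, from mail logs
SAMPLE = build_minimal_pe(int(datetime(2023, 3, 8, 22, 5, tzinfo=timezone.utc).timestamp()))

def describe(sample: bytes, first_seen: datetime = FIRST_SEEN) -> str:
    return assess_timeline(pe_compile_time(sample), first_seen)

if __name__ == "__main__":
    print("compiled:", pe_compile_time(SAMPLE).isoformat(), "->", describe(SAMPLE))
```

The timestamp is attacker-controlled metadata, so treat it as a weaponizer artifact rather than ground truth: a zeroed, future-dated or implausibly old stamp says as much about the toolchain as a plausible one does about the timeline.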

3.    Delivery

Operation is launched

The attacker transmits the weaponized payload to the target in one of two ways:

  • Controlled delivery, where the attacker initiates the connection, typically directly against internet-facing web servers
  • Released delivery, where the payload is put in front of the victim and the attacker waits for them to act, via:

– Malicious email

– Malware on USB stick

– Social media interactions

– “Watering hole” compromised websites

Delivery is the first and most important opportunity for defenders to block the operation, and the first stage that leaves artifacts on defender-controlled systems. Defenders can:

  • Analyze the delivery medium
  • Understand which servers and people were targeted
  • Infer the attacker’s intent from the targeting
  • Leverage weaponizer artifacts to detect new malicious payloads at the point of delivery
  • Analyze the time of day at which the operation began
  • Collect email and web logs for forensic reconstruction, so that when an intrusion is discovered later it is still possible to determine when and how delivery began
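
Point-of-delivery triage for the email case, as an added example that is not part of the original post: parse the message, extract and hash the attachments, record the hour at which it was sent, and flag payloads whose declared type disagrees with their content or whose file name hides a risky extension. The message is constructed with Python’s standard `email` package and the “attachment” is a harmless byte string shaped like a PE header; the risky-extension list is an assumption to extend for your environment.

```python
"""Triage a delivered e-mail at the point of delivery: pull out the
attachments, hash them, and flag payloads whose declared type does not
match their content or whose name hides a risky extension.

Added example for this post, not code from it. The message is constructed
and the 'attachment' is a harmless byte string shaped like a PE header.
"""
import hashlib
from datetime import timezone
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parsedate_to_datetime

# Magic bytes that identify content regardless of what the file is called
MAGIC = {
    b"MZ": "pe-executable",
    b"PK\x03\x04": "zip-container (OOXML document or archive)",
    b"\xd0\xcf\x11\xe0": "ole2 (legacy Office, may carry macros)",
    b"%PDF": "pdf",
}
# Assumed list of extensions worth a second look; extend per environment
RISKY_EXTS = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm")

def sniff(data: bytes) -> str:
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"

def triage(raw: bytes) -> dict:
    """Return sender, hour of day the mail was sent (UTC) and per-attachment findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    sent = parsedate_to_datetime(str(msg["Date"]))
    report = {"from": str(msg["From"]), "sent_hour_utc": sent.astimezone(timezone.utc).hour,
              "attachments": []}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or ""
        kind = sniff(data)
        findings = []
        if name.lower().endswith(RISKY_EXTS) or name.count(".") > 1:
            findings.append("risky or double extension")
        if kind == "pe-executable":
            findings.append("executable content")
        declared = part.get_content_type()
        if declared == "application/pdf" and kind != "pdf":
            findings.append(f"declared pdf but content is {kind}")
        report["attachments"].append({
            "name": name, "declared": declared, "sniffed": kind,
            "sha256": hashlib.sha256(data).hexdigest(), "findings": findings,
        })
    return report

def build_sample() -> bytes:
    """Constructed phishing mail: an 'invoice' that is really an executable."""
    msg = EmailMessage()
    msg["From"] = "invoices@example-supplier.test"
    msg["To"] = "ap-clerk@victim.test"
    msg["Subject"] = "Overdue invoice 4471"
    msg["Date"] = "Fri, 10 Mar 2023 02:14:01 +0000"
    msg.set_content("Please see the attached invoice.")
    fake_exe = b"MZ" + b"\0" * 62 + b"constructed stand-in, not a real binary"
    msg.add_attachment(fake_exe, maintype="application", subtype="pdf",
                       filename="invoice_4471.pdf.exe")
    return msg.as_bytes()

if __name__ == "__main__":
    report = triage(build_sample())
    print(report["from"], "sent at hour", report["sent_hour_utc"], "UTC")
    for a in report["attachments"]:
        print(a["name"], a["sha256"][:16], "->", "; ".join(a["findings"]) or "clean")
```

The SHA-256 is what you carry forward: match it against weaponizer artifacts from earlier campaigns and against later endpoint telemetry, and the 02:00 UTC send time is one data point toward the attacker’s working hours.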

4.    Exploitation

Attacker gains access to the victim

Once delivered, the payload triggers an exploit against a vulnerability in order to execute code on the victim’s system:

  • The vulnerability may be in software, in hardware, or in a human (social engineering)
  • The exploit may be purchased or developed, including zero-days for which no patch exists
  • Server-based vulnerabilities are typically attacker-triggered
  • Client-side exploits are victim-triggered, for example by:

– Opening attachment of malicious email

– Clicking malicious link in email

Traditional hardening measures, combined with custom capabilities, are needed to stop exploits, including zero-days that no patch yet covers:

  • Employees should undergo user awareness training and phishing email testing
  • Web developers should undergo secure coding training
  • Conduct regular vulnerability scanning and penetration testing
  • Use endpoint hardening measures:

– Restrict administrative privileges

– Use exploit-mitigation controls such as Microsoft EMET (note that EMET reached end of support in July 2018; its mitigations live on in the Exploit protection feature of Windows Defender Exploit Guard on Windows 10 and later)

– Use custom endpoint rules to block shellcode execution

  • Conduct endpoint process auditing to forensically determine the origin of the exploit

5.    Installation

Attacker establishes a foothold on the victim’s network

To maintain access for an extended period of time, the attacker will:

  • Install a webshell on a compromised web server
  • Install a backdoor on client systems
  • Create a point of persistence by adding services, AutoRun registry keys, etc.
  • Some attackers “time stomp” the dropped file, rewriting its timestamps so the malware appears to be part of the original operating system install

Defenders should deploy endpoint technology that detects and logs installation activity, and should analyze what the malware needed in order to install:

  • HIPS (Host Intrusion Prevention System) to alert on or block common installation paths (e.g. the RECYCLER folder)
  • Investigate whether the malware requires user or administrator privileges to install
  • Conduct endpoint process auditing to discover abnormal file creations
  • Extract and verify the certificates of all signed executables
  • Determine whether the malware is old or new by checking its compile time
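
Two of those checks over endpoint telemetry, as an added example that is not part of the original post: executables dropped into locations a legitimate installer rarely uses (the RECYCLER folder among them), and files whose creation time is rewritten backwards, which is what time stomping looks like from the outside. The events are constructed in the shape of Sysmon FileCreate (Event ID 11) and FileCreateTime changed (Event ID 2) records; the suspicious-directory list and the set of processes trusted to set creation times are assumptions to tune per environment.

```python
"""Flag installation activity in endpoint telemetry: executables dropped
into locations a legitimate installer rarely uses, and files whose
creation time is rewritten backwards ('time stomping').

Added example, not from the original post; the events are constructed in
the shape of Sysmon FileCreate (ID 11) and FileCreateTime changed (ID 2)
records. SUSPICIOUS_DIRS and TRUSTED_SETTERS are assumed, tune per site.
"""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

EXEC_EXTS = {".exe", ".dll", ".sys", ".scr", ".ps1", ".vbs", ".js", ".hta"}
# Drop locations favoured by implants; the RECYCLER folder is the classic example
SUSPICIOUS_DIRS = ("recycler", "$recycle.bin", "appdata\\local\\temp", "windows\\temp",
                   "programdata", "public")
# Processes legitimately allowed to set creation times (installers, file copy tools)
TRUSTED_SETTERS = {"msiexec.exe", "tiworker.exe", "robocopy.exe"}

def parse_utc(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")   # Sysmon UtcTime format

def check_file_create(e: dict):
    """Event ID 11: an executable written somewhere installers do not write."""
    p = PureWindowsPath(e["TargetFilename"])
    low = str(p).lower()
    if p.suffix.lower() in EXEC_EXTS and any(d in low for d in SUSPICIOUS_DIRS):
        return f"executable dropped in suspicious location: {p}"
    return None

def check_time_change(e: dict, min_backdate=timedelta(days=30)):
    """Event ID 2: creation time moved far into the past by an untrusted process."""
    new, old = parse_utc(e["CreationUtcTime"]), parse_utc(e["PreviousCreationUtcTime"])
    image = PureWindowsPath(e["Image"]).name.lower()
    if image not in TRUSTED_SETTERS and old - new > min_backdate:
        return f"creation time moved back {(old - new).days} days by {image}: {e['TargetFilename']}"
    return None

def triage(events):
    """Return [(UtcTime, finding)] for events that match either check."""
    checks = {11: check_file_create, 2: check_time_change}
    findings = []
    for e in events:
        hit = checks.get(e["EventID"], lambda _: None)(e)
        if hit:
            findings.append((e["UtcTime"], hit))
    return findings

# Constructed telemetry: a vendor install via msiexec (benign, including its time
# change) and a dropper writing svchost.exe into RECYCLER and backdating it to 2019.
DROPPER = "C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice_4471.pdf.exe"
SAMPLE_EVENTS = [
    {"EventID": 11, "UtcTime": "2023-03-10 22:31:05.110", "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetFilename": "C:\\Program Files\\Vendor\\app.exe", "CreationUtcTime": "2023-03-10 22:31:05.110"},
    {"EventID": 11, "UtcTime": "2023-03-10 22:31:44.402", "Image": DROPPER,
     "TargetFilename": "C:\\RECYCLER\\S-1-5-21-1004\\svchost.exe", "CreationUtcTime": "2023-03-10 22:31:44.402"},
    {"EventID": 2, "UtcTime": "2023-03-10 22:31:44.915", "Image": DROPPER,
     "TargetFilename": "C:\\RECYCLER\\S-1-5-21-1004\\svchost.exe",
     "CreationUtcTime": "2019-03-19 04:46:12.000", "PreviousCreationUtcTime": "2023-03-10 22:31:44.402"},
    {"EventID": 2, "UtcTime": "2023-03-10 22:40:00.000", "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetFilename": "C:\\Program Files\\Vendor\\app.exe",
     "CreationUtcTime": "2022-11-01 09:00:00.000", "PreviousCreationUtcTime": "2023-03-10 22:31:05.110"},
]

if __name__ == "__main__":
    for when, what in triage(SAMPLE_EVENTS):
        print(when, what)
```

Installers do legitimately preserve source timestamps when they copy files, which is why the time-change check needs an allowlist of trusted setters rather than firing on every backdate; the strong signal is an untrusted process backdating a file it created moments earlier.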

6.    Command and Control

Attacker remotely controls the implant(s)

Once installed, the implant calls back to the attacker, who can then issue commands inside the victim environment:

  • The implant opens a two-way communications channel to C2 infrastructure
  • The C2 infrastructure may be owned by the attacker or may itself be another compromised victim network
  • C2 channels are most commonly carried over web, DNS, and email protocols

This is the defender’s last best chance to block the operation: if the C2 channel is blocked, the attacker cannot issue commands and the implant sits idle. Defenders can:

  • Discover C2 infrastructure through malware analysis
  • Harden the network by:

– Consolidating the number of internet points of presence

– Requiring proxies for all types of traffic (HTTP, DNS), so that no client talks directly to the internet

  • Customize blocks of C2 protocols on web proxies
  • Block by proxy category, including “none” or “uncategorized” domains
  • Use DNS sinkholing and name server poisoning
  • Conduct open source research to find new adversary C2 infrastructure
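
The proxy requirement above is what makes the following possible. As an added example that is not part of the original post: once every client goes through the proxy, its log shows which internal host talks to which destination and when, and an implant checking in on a timer stands out from human browsing by the regularity of its intervals. The records are constructed, and the `category` field stands for whatever your proxy’s URL classifier emits; the thresholds are assumptions.

```python
"""Look for command-and-control traffic in proxy logs: a client that
connects to the same host on a steady timer (beaconing), especially when
the destination is uncategorized.

Added example for this post, not code from it; the records are constructed
and 'category' stands for whatever your proxy's URL classifier emits.
"""
import math
from collections import defaultdict
from datetime import datetime, timedelta

def interval_stats(times):
    """Mean gap and coefficient of variation (std/mean) between sorted timestamps."""
    t = sorted(times)
    gaps = [b - a for a, b in zip(t, t[1:])]
    if len(gaps) < 3:
        return None, None
    mean = sum(gaps) / len(gaps)
    if mean == 0:
        return 0.0, 0.0
    var = sum((g - mean) ** 2 for g in gaps) / len(gaps)
    return mean, math.sqrt(var) / mean

def find_beacons(records, min_hits=5, max_cv=0.15):
    """records: dicts with src, host, time (ISO 8601), category.
    A low coefficient of variation means the gaps are nearly constant: a timer, not a person."""
    series, cats = defaultdict(list), {}
    for r in records:
        series[(r["src"], r["host"])].append(datetime.fromisoformat(r["time"]).timestamp())
        cats[r["host"]] = r["category"]
    findings = []
    for (src, host), times in series.items():
        if len(times) < min_hits:
            continue
        mean, cv = interval_stats(times)
        if cv is None or cv > max_cv:
            continue
        reasons = [f"regular {mean:.0f}s interval (cv={cv:.2f})"]
        if cats[host] in ("none", "uncategorized"):
            reasons.append("uncategorized destination")
        findings.append({"src": src, "host": host, "hits": len(times), "reasons": reasons})
    return findings

def make_records(src, host, category, gaps, start="2023-03-10T02:14:00"):
    """Build constructed proxy records: one at `start`, then one after each gap (seconds)."""
    t, out, elapsed = datetime.fromisoformat(start), [], 0
    for g in [0] + list(gaps):
        elapsed += g
        out.append({"src": src, "host": host, "category": category,
                    "time": (t + timedelta(seconds=elapsed)).isoformat()})
    return out

# An implant checking in roughly every minute vs. a person reading the news
SAMPLE = (make_records("10.0.0.23", "cdn-update-check.test", "uncategorized", [60, 58, 61, 59, 62, 60, 58])
          + make_records("10.0.0.41", "news.example.test", "news", [5, 40, 3, 120, 7, 600, 2]))

if __name__ == "__main__":
    for f in find_beacons(SAMPLE):
        print(f["src"], "->", f["host"], f["hits"], "hits;", "; ".join(f["reasons"]))
```

Real implants add jitter to their sleep interval precisely to defeat this test, so in practice `max_cv` is tuned against your own traffic and combined with the destination’s category, age and reputation; the uncategorized tag is what turns a regular heartbeat from “software update check” into something worth a look.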

7.    Actions on Objectives

Achieve the attacker’s goal

Only now, after progressing through the first six stages, can the attacker act on the original objective, which may be any of the following:

  • Collect user credentials
  • Collect and exfiltrate data
  • Overwrite or corrupt data
  • Covertly alter data
  • Privilege escalation
  • Internal reconnaissance
  • Lateral movement through the environment
  • Destroy systems

Defenders must detect this stage as quickly as possible, using forensic evidence, since the longer the adversary keeps access the greater the impact:

  • Establish an incident response playbook, including executive engagement and a communications plan
  • Detect data exfiltration, lateral movement, and unauthorized credential usage
  • Pre-deploy forensic agents to endpoints for rapid triage
  • Conduct damage assessment with subject matter experts
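
Lateral movement and unauthorized credential use usually show up together in authentication logs: one account, one source workstation, and a fan-out of network logons to hosts that account never touched before. As an added example that is not part of the original post, the detection below runs a sliding window over constructed events shaped like Windows Security event 4624 (successful logon; LogonType 3 is a network logon). The window, host threshold and the allowlist of hosts that legitimately touch everything (backup, patching) are assumptions to tune per environment.

```python
"""Spot lateral movement in authentication logs: one account logging on
over the network to many distinct hosts inside a short window.

Added example for this post, not code from it; the events are constructed
in the shape of Windows Security event 4624 (successful logon) records,
where LogonType 3 is a network logon. The allowlist is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Sources whose job is to touch every host (backup, patching); tune per environment
DEFAULT_FANOUT_SOURCES = {"BACKUP-01"}

def detect_lateral_movement(events, window=timedelta(minutes=10), min_hosts=5,
                            known_fanout=DEFAULT_FANOUT_SOURCES):
    """events: dicts with time (ISO 8601), user, src, dst, logon_type.
    Returns one finding per account whose network logons fan out to >= min_hosts within `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["logon_type"] != 3 or e["src"] in known_fanout:
            continue
        by_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["src"], e["dst"]))
    findings = []
    for user, rows in by_user.items():
        rows.sort()
        lo = 0
        for hi in range(len(rows)):            # sliding window over this account's logons
            while rows[hi][0] - rows[lo][0] > window:
                lo += 1
            span = rows[lo:hi + 1]
            hosts = {dst for _, _, dst in span}
            if len(hosts) >= min_hosts:
                findings.append({"user": user, "src": sorted({s for _, s, _ in span}),
                                 "hosts": sorted(hosts), "start": span[0][0].isoformat()})
                break                          # one finding per account is enough for triage
    return findings

def ev(time, user, src, dst, logon_type=3):
    return {"time": time, "user": user, "src": src, "dst": dst, "logon_type": logon_type}

# Constructed day: jdoe's normal morning, an interactive logon that must be ignored,
# a five-host sweep from the same workstation late at night, and the backup account's sweep.
_backup_start = datetime.fromisoformat("2023-03-10T23:00:00")
SAMPLE_EVENTS = [
    ev("2023-03-10T09:00:12", "jdoe", "WS-0412", "FS-01"),
    ev("2023-03-10T09:01:03", "jdoe", "WS-0412", "WS-0412", logon_type=2),
    ev("2023-03-10T09:05:40", "jdoe", "WS-0412", "PRINT-01"),
    ev("2023-03-10T22:31:05", "jdoe", "WS-0412", "SRV-01"),
    ev("2023-03-10T22:32:11", "jdoe", "WS-0412", "SRV-02"),
    ev("2023-03-10T22:33:27", "jdoe", "WS-0412", "SRV-03"),
    ev("2023-03-10T22:34:48", "jdoe", "WS-0412", "SRV-04"),
    ev("2023-03-10T22:36:02", "jdoe", "WS-0412", "DC-01"),
] + [
    ev((_backup_start + timedelta(seconds=20 * i)).isoformat(), "svc_backup", "BACKUP-01", f"SRV-0{i + 1}")
    for i in range(5)
]

if __name__ == "__main__":
    for f in detect_lateral_movement(SAMPLE_EVENTS):
        print(f["user"], "from", f["src"], "reached", f["hosts"], "starting", f["start"])
```

The finding names the account, the source workstation and the first target, which is exactly what the incident response playbook needs to scope containment: disable or rotate the credential, isolate the source, and pull the pre-deployed forensic agent’s data from the hosts in the list.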

Like other security models, the Cyber Kill Chain is not foolproof. Its value is that it gives the security team a structured set of points along the attack path where the chain can be broken to prevent a breach.

Some experts have criticized the model as outdated because modern intrusions are more complex and wider in scope than the linear, malware-centric path it describes: six of the seven stages concern getting an implant in place, while everything the attacker does once inside is compressed into a single final stage. The model’s goal is nonetheless unchanged: disrupt the chain early, before any major damage takes place.

Whether you are an analyst, an incident responder or simply someone with an interest in cybersecurity, the Cyber Kill Chain helps you understand the challenges of securing data and gives insight into how attackers operate.

Applying the Cyber Kill Chain as part of your security strategy takes time. To reduce the chance that threats slip through unnoticed, you need layered security measures, with a detection or blocking opportunity at every stage.

Netswitch provides state-of-the-art security solutions that are fit for any organization’s unique requirements.

For more details on how you can utilize the Cyber Kill Chain with cutting-edge security solutions, contact Netswitch today.

*** This is a Security Bloggers Network syndicated blog from News and Views – Netswitch Technology Management authored by Press Release. Read the original post at: