The Top Security Tools to Use Across the Cyber Kill Chain

The cyber kill chain, a military-inspired cybersecurity concept developed by Lockheed Martin, can be used to build a foundation for cybersecurity across your organization. The cyber kill chain essentially breaks down the phases an attacker goes through to penetrate your network and leave undetected with data.


Your organization can learn a great deal from the cyber kill chain and apply helpful tools, technologies, and strategies in each phase.

Here are the security controls you could implement to mitigate threat actors across each phase of the cyber kill chain:

Reconnaissance Phase & Security Controls 

During this phase, threat actors attempt to collect as much information as possible about a target. The hacker works on identifying the attack types that will allow them to enter the network and applications and steal data.

To handle threats in this phase, you might consider threat intelligence feeds, perimeter controls, identity and access management, system hardening, and honeypots. The goal here is to put prevention and detection processes and technology in place so that a threat actor cannot obtain too much information.

Weaponization

During the weaponization phase, a threat actor begins creating malware and other advanced threats to implement their plan developed in the reconnaissance phase. A hacker is putting together their arsenal that will be used during the delivery or attack phase.

At this stage, your organization should be leveraging vulnerability scanners, patch management systems, and Intrusion Detection Systems. Your security team may want to leverage the Dark Net to study the latest malware and become familiar with what’s out there on the black market. The team may even be able to reverse engineer malware to combat a hacker’s attack.

Delivery

A threat actor targets users and endpoints through social engineering schemes like phishing, cross-site scripting, and other forms of compromise, using them to deliver the malware and advanced threats developed in the weaponization phase.

Potential security controls during the delivery phase include next-gen firewalls, next-gen IPS, email and web gateway security, DDoS mitigation tools, network behavior analysis, user and entity behavior analytics (UEBA), DNS security, NetFlow, packet analysis, and security awareness. The goal in this phase is to detect and respond as quickly as possible to an active threat.

Exploitation

During this phase, the threat actor leverages their malware weapon to obtain deeper access within your IT environment. The hacker is exploiting vulnerabilities and open entry points in your network to gain access to critical systems and applications.

To put a stop to a threat actor in this phase, you can leverage SIEM and log management, firewalls, EPP, web application firewalls (WAF), advanced threat detection technology, user and entity behavior analytics, and threat intelligence. All of these technologies will aid in detection and prevention when a threat actor has entered into your network. These tools will also allow your incident responders to address a security breach quickly.

Installation

At this stage, the hacker attempts to expand their foothold throughout the IT environment. Containment and incident response are critical for a defender at this stage.

The helpful tools and technologies in this phase include EPP solutions, Managed Detection and Response, Identity and Access Management (IAM) tools, incident response workflows, backups, and incident reporting.

Command and Control

At this point, a threat actor takes control within the IT environment and collects as much data as possible. Your incident responders should be equipped with SIEM and log management, application security, network behavior analysis (NBA) tools, reputation filtering, network monitoring, and more.

Actions on Objectives

The goal is to put a stop to the threat actor in prior stages. However, if the threat actor successfully exfiltrated data, your team will need to have a strategy and plan in place for when sensitive data is leaked.

The technologies and tools that can help stop data from leaving the organization include Data Loss Prevention (DLP), SIEM, UEBA, IAM, NGFWs, and backup and restore capabilities.

Across each phase, your organization has an opportunity to put a stop to a threat actor. Strategies, tools, and technologies can aid significantly in protecting your organization and preventing it from becoming a victim of a significant data breach.

If your organization is unable to procure these various technologies and tools, consider a managed security services provider that extends its security expertise directly into your organization.



*** This is a Security Bloggers Network syndicated blog from Cipher Cyber Security Blog authored by Cipher. Read the original post at: