Table of Contents
The Cyber Kill Chain is a concept developed by Lockheed Martin to outline the stages of a cyber-attack from its inception to its ultimate goal, which typically centres on data exfiltration or system compromise. The model provides a structured framework to understand the anatomy of modern cyber threats, enabling cybersecurity teams to identify and counteract each phase of an attack. By breaking down the Cyber Kill Chain into distinct stages, security professionals can more effectively pinpoint vulnerabilities, develop proper countermeasures, and prioritise their defences to interrupt and halt potential threats at various points in the chain.
The Cyber Kill Chain can be used as a management tool to help continuously improve network defence. Originally designed to combat advanced persistent threats (APTs), the Cyber Kill Chain has grown in relevance and applicability as the cyber threat landscape has evolved. While not all cyber-attacks go through all seven steps of the Cyber Kill Chain, most do. Understanding this framework is pivotal for organisations to proactively defend their digital assets and respond to cyber incidents promptly and efficiently.
Cybersecurity Education and Training Begins Here
Here’s how your free trial works:
- Meet with our cybersecurity experts to assess your environment and identify your threat risk exposure
- Within 24 hours and minimal configuration, we’ll deploy our solutions for 30 days
- Experience our technology in action!
- Receive report outlining your security vulnerabilities to help you take immediate action against cybersecurity attacks
Fill out this form to request a meeting with our cybersecurity experts.
Thank you for your submission.
How the Cyber Kill Chain Works
The Cyber Kill Chain outlines the sequence of steps that an attacker typically follows to execute a cyber-attack. This sequential model offers a structured approach to recognising and disrupting cyber threats at each phase. Instead of viewing an attack as a singular event, the Kill Chain breaks it down into stages, from initial reconnaissance to the final act of data theft or system compromise.
By understanding the typical progression of an attack, security professionals can design their defences around these stages, seeking to detect and counteract the attacker’s moves as early as possible in the chain. If an organisation can disrupt the attacker at an early stage, it may prevent more serious consequences later on. Essentially, the Cyber Kill Chain provides a roadmap for systematically understanding and defending against cyber threats.
7 Stages of the Cyber Kill Chain
The Cyber Kill Chain is divided into seven stages, which provide a comprehensive framework for modelling intrusions on a network. Collectively, these stages offer better attack visibility while deepening the cybersecurity team’s understanding of the adversary’s tactics, procedures, and techniques. The seven stages of the Cyber Kill Chain are as follows:
1. Reconnaissance
In this initial stage, attackers gather information about their target to find vulnerabilities. This can involve studying public websites, social media, or other publicly available data. Reconnaissance is akin to a thief scoping out a house before a break-in, noting its weaknesses and patterns.
2. Weaponization
Here, the attacker creates a malicious payload, which might be a computer virus, worm, or Trojan horse. This payload is often paired with an exploit, a piece of software that takes advantage of system vulnerabilities. This weaponisation stage is about preparing the tools needed for the attack.
3. Delivery
In the delivery stage, the attacker deploys the malicious payload to the victim through methods like phishing emails, malicious downloads, or drive-by downloads from compromised sites. Think of the delivery stage as the launch of the cyber-attack on the target.
4. Exploitation
Upon successful delivery, the attacker exploits a vulnerability within the target’s system using the previously prepared payload. This stage is the critical moment in which the attacker uses their tool to “break in”.
5. Installation
Post-exploitation, the attacker establishes a foothold by installing malicious software (malware) on the victim’s system. This stage is akin to a thief putting a hidden camera or bug inside a house after breaking in.
6. Command and Control (C2)
With malware installed, the attacker can now establish a pathway or channel to remotely control the victim’s system, often without their knowledge. C2 is like a remote control setup allowing attackers to issue commands from afar.
7. Actions on Objectives
In the final stage, the attacker carries out their primary goal, such as data exfiltration, system disruption, or any other malicious objective.
By understanding each of these stages, defenders can tailor their countermeasures and strategies to detect, disrupt, and deter attackers throughout the progression of an attack.
Weaknesses of the Cyber Kill Chain
The Cyber Kill Chain is a widely used framework for modelling intrusions on a computer network. However, there are some weaknesses and challenges associated with the Cyber Kill Chain, which include:
- Limited Attack Detection Profile: The Cyber Kill Chain detects and prevents malware and protects perimeter security. However, it does not recognise insider threats or other types of attacks, which can leave organisations vulnerable to these threats.
- Outdated Model: The Cyber Kill Chain was developed in 2011, and since then, the technology and methods of conducting attacks have evolved significantly. The model has not been modified since its creation, using a dated approach to network security that focuses only on malware.
- Lack of Flexibility: The Cyber Kill Chain is a rigid framework that does not allow much flexibility. It assumes that all attacks follow a linear path, which is not always the case. Attackers can skip or repeat stages, making detecting and preventing attacks difficult.
- Perimeter Security Focus: The Cyber Kill Chain focuses on perimeter security and malware prevention, which is becoming less effective as organisations shift away from traditional on-prem networks.
- Incomplete Threat Coverage: The Cyber Kill Chain does not cover all types of threats, such as DDoS attacks or attacks on third parties where there is little or no visibility into the attacker’s actions.
Despite these weaknesses, the Cyber Kill Chain can still be a valuable tool for organisations to improve their incident response efforts. However, it should not be the only framework used for cybersecurity, and organisations should consider using other frameworks, such as the MITRE ATT&CK framework, to supplement the Cyber Kill Chain.
Cyber Kill Chain vs MITRE ATT&CK
The Cyber Kill Chain and MITRE ATT&CK are two frameworks commonly used to model intrusions on a network. While both frameworks categorise cyber-attack behaviours into sequential tactics, there are fundamental differences between them.
- The Cyber Kill Chain is a linear sequence of stages comprising a cyber-attack, while MITRE ATT&CK is a matrix of intrusion techniques not confined to a specific order of operations.
- The Cyber Kill Chain claims that all cyber-attacks must follow a specific sequence of attack tactics to succeed. However, the MITRE ATT&CK makes no such claim, thereby implying today’s attacks are more dynamic rather than a linear progression.
- MITRE ATT&CK introduces the concept of tactics and techniques that describe attack behaviours more granularly than the Cyber Kill Chain model. The MITRE ATT&CK framework expands the Cyber Kill Chain’s action stage to include seven new tactics: privilege escalation, defence evasion, credential access, discovery, lateral movement, exfiltration, and impact.
- The Cyber Kill Chain detects and prevents malware and protects perimeter security, while MITRE ATT&CK documents and tracks various techniques attackers use throughout the different stages of an attack to penetrate a network and exfiltrate its assets.
The key distinction: The Cyber Kill Chain is a linear model that focuses on malware prevention and perimeter security, while MITRE ATT&CK is a matrix of intrusion techniques that provides a more granular description of attack behaviours. While both Cyber Kill Chain and MITRE ATT&CK frameworks are useful for organisations to improve their incident management and response, they have different approaches and strengths that can be used together effectively.
Cyber Kill Chain and Cybersecurity
The Cyber Kill Chain is a pivotal concept in cybersecurity, serving as a roadmap for understanding the sequential stages of a cyber-attack. By dissecting an attack into distinct phases, from initial reconnaissance to the final objective, the model provides organisations with a structured framework to counteract threats at every step.
In cybersecurity, understanding the Cyber Kill Chain is essential for several reasons:
- Proactive Defence: Recognising the indicators of an impending attack at its earliest stages, such as during reconnaissance or weaponisation, enables cybersecurity professionals to take proactive measures, potentially halting threats before they escalate.
- Incident Response: During a breach, the Cyber Kill Chain can help incident response teams identify the relevant attack stage, allowing for tailored counteractions and mitigation strategies.
- Resource Allocation: By understanding which stages of the kill chain are most vulnerable or frequently targeted, organisations can allocate resources and defences more effectively, ensuring that critical stages are well-protected.
- Threat Intelligence: Analysing past attacks using the Cyber Kill Chain model can provide insights into attackers’ preferences, tactics, and techniques. This threat intelligence can be invaluable for fortifying defences against future attacks.
In essence, the Cyber Kill Chain integrates seamlessly with cybersecurity efforts and grounds defence strategies in the Kill Chain stages. It provides a lens through which organisations can assess, understand, and combat threats. This visibility leads to increased anticipation, counteraction, and mitigation of cyber threats.
How Proofpoint Helps Break the Attack Chain
Proofpoint offers a range of solutions to help organisations break the attack chain and protect their people and data. Proofpoint’s Aegis Platform is an AI/ML-powered, cloud-based threat protection platform that disarms today’s advanced attacks, including business email compromise (BEC), data exfiltration, and ransomware. The company’s new innovations powered by artificial intelligence and machine learning equip cybersecurity professionals with unmatched visibility, flexibility, and depth to detect and disrupt sophisticated adversaries across their organisations’ attack surfaces.
In addition to its technology solutions, Proofpoint emphasises the importance of building a security culture within the organisation to break the attack chain. With security awareness training and additional cybersecurity resources, employees can be more attuned to recognise and report suspicious activity. In turn, organisations can reduce the risk of successful attacks. For more information, contact Proofpoint.