The Cyber Kill Chain is a cybersecurity framework for identifying and preventing cyber intrusions that Lockheed Martin developed as part of its Intelligence Driven Defense model. It models the sequence of steps threat actors follow to achieve their goals.
The framework consists of seven essential steps that enhance visibility into attacks and help analysts understand an adversary's tactics, techniques, and procedures. By understanding this roadmap, you can better defend against attacks.
Reconnaissance is the first stage, where threat actors plan their attacks. They gather as much information as they can about their target. They might scan network ports or research employee names on LinkedIn.
This phase involves identifying and selecting a target based on specific objectives, such as stealing data or disrupting services. The attacker begins by collecting publicly available information, often through Open-Source Intelligence (OSINT). The goal is to understand the target's environment without alerting them to the impending threat.
During reconnaissance, the attacker may also use network scanning tools to map out the target's infrastructure, identifying IP addresses, open ports, and running services. This helps in assessing the potential attack surface and identifying vulnerabilities that could be exploited later.
Social engineering techniques, such as phishing or pretexting, might also be employed to gather sensitive information directly from individuals within the target organization.
The attacker carefully analyzes the collected data to pinpoint weaknesses, such as outdated software or misconfigurations, that could be leveraged in subsequent attack phases.
The success of the entire attack often hinges on the thoroughness of the reconnaissance phase. A well-executed reconnaissance allows the attacker to plan the attack strategy with precision, increasing the likelihood of achieving their objectives.
In this second step of the Cyber Kill Chain, weaponization, adversaries take the information gathered during the reconnaissance stage and create a weapon specifically designed to exploit the identified vulnerabilities. The goal is to design a precise, tailored weapon that is highly effective.
For example, let's say during reconnaissance, an adversary discovers that a company uses outdated software with known vulnerabilities. In the weaponization stage, they might develop a piece of malware designed to exploit that specific vulnerability.
This malware could be a virus, a worm, or even a trojan horse. Each type of malware has its own unique capabilities and will be chosen based on what the adversary aims to achieve.
Another example could be the creation of a phishing email. Here, adversaries could craft an email that looks legitimate, perhaps mimicking a message from a trusted vendor or a high-ranking executive.
The email might contain a malicious attachment or a link to a compromised website. The aim is to trick the recipient into opening the attachment or clicking the link, thus delivering the malware.
In some cases, adversaries might use an exploit kit. These kits are essentially toolboxes filled with various exploits for different vulnerabilities. They can scan a target system and automatically deploy the most effective exploit.
Weaponization is a crucial phase because it's where the attack gains its potency. By creating a customized tool, adversaries significantly increase their chances of successfully infiltrating the target. Understanding this phase helps you anticipate what kind of threats you might face and prepare your defenses accordingly.
In the delivery phase, adversaries launch their crafted tools at the target. Think of it as the method of transport for the weapon created during the weaponization stage. Just like a courier delivering a package, adversaries use various means to get their malware to the intended recipient.
One common method is through phishing emails. You could receive an email that looks like it’s from your boss with an urgent subject line. The email might have a malicious attachment or a link to a compromised website.
The goal is to lure you into either opening the attachment or clicking the link, which then delivers the malware to your system. For instance, the attachment might be an infected PDF or Word document loaded with harmful code.
Another delivery method is through compromised websites. Say an adversary has identified a popular website that many employees at your company visit. They could exploit vulnerabilities in that website to embed malware.
When someone from your company visits the compromised site, the malware automatically downloads and installs on their computer. It’s like stepping on a cleverly hidden trap.
Drive-by downloads are another tactic used by cyber criminals. These happen when users unknowingly download malicious software just by visiting a legitimate but compromised website.
The site might appear completely normal but may be loading malware onto your device in the background. This method is sneaky because it requires no action from the user other than visiting the site.
Adversaries might also use exploit kits in the delivery phase. Once they’ve identified a vulnerable system, they can deploy the exploit kit to automatically find and use the best exploit. This is akin to a burglar using a set of lock picks to find the quickest way inside.
Social engineering plays a significant role too. For example, an adversary might call one of your team members, pretending to be from IT support. They might convince the employee to install "urgent software updates," which are actually malware. This method leverages human trust to bypass technical defenses.
Understanding the delivery phase helps you recognize these tactics and prepare accordingly. By staying vigilant and educating your team members about these methods, you can better defend against the delivery of malicious tools.
Exploitation is when the delivered weapon starts to execute its malicious intent, like a thief who has just picked a lock and is now stepping into the house. This phase involves exploiting a vulnerability to gain a foothold in the target system.
Let's say the adversary sent a phishing email with an infected PDF attachment. When the recipient opens the PDF, the embedded malware exploits a flaw in the PDF reader software.
This could be a zero-day vulnerability, which means it’s a security hole unknown to the software vendor. The malware might then install itself quietly in the background. It’s like a burglar sneaking in without setting off any alarms.
Adversaries also use exploit kits in this phase. Suppose they know your network is running old, vulnerable software. The exploit kit scans your system and finds the easiest entry point.
Maybe it’s an outdated version of Flash or a Java plugin. The kit then automatically uses a known exploit to gain access. It’s like a toolkit specifically designed to pick your particular lock.
Even something as simple as outdated software on a network can be exploited. For example, an adversary discovers that your company hasn't updated its operating system. They could deploy malware that exploits this specific weakness, allowing them to gain control over your computer.
The fifth stage of the Cyber Kill Chain, installation, is where adversaries establish a persistent foothold in the target system. Think of it as a burglar who has just sneaked into a house and is now setting up camp, ensuring they can come and go as they please. The goal here is to maintain access without detection.
For instance, once malware exploits a vulnerability, it might drop a backdoor on the compromised system. A backdoor is like a secret entrance that lets adversaries re-enter the system at will.
This could be software that runs in the background each time the computer starts up, quietly awaiting further instructions. It’s like an invisible door in your house that only the burglar knows about.
Another common tactic is the installation of a Remote Access Trojan (RAT). A RAT gives adversaries the ability to control the infected system remotely. They can see what you see, manipulate files, and install additional malware.
Sometimes, the installation phase involves setting up keyloggers. These programs record every keystroke you make, capturing sensitive information like usernames, passwords, and credit card numbers. Picture a thief watching over your shoulder every time you type, noting down every detail.
Adversaries might also use rootkits to hide their presence. A rootkit is designed to obscure the fact that the system has been compromised, making it difficult for security software to detect the malware.
Persistence mechanisms are a key aspect of this phase. Adversaries ensure their malware can survive reboots and software updates. They might modify system files or use services that restart automatically with the operating system. It’s akin to the burglar ensuring they have a way back in, even if the locks get changed.
The Command and Control (C2) phase is where threat actors establish communication with the compromised system. It’s like a thief who has successfully broken into a house and now coordinates with an accomplice outside through walkie-talkies. The C2 stage is all about managing and maintaining that illicit access.
Once the adversaries have installed a backdoor or a remote access tool (RAT), they need to communicate with it. This is often done through Command and Control servers.
These servers act like the thief’s walkie-talkie, sending commands and receiving data from the compromised system. For instance, an attacker might send a command to download additional malware or to exfiltrate sensitive data.
One common example is the use of HTTP or HTTPS protocols for C2 communication. Adversaries often disguise their malicious traffic as legitimate web traffic, making it harder to detect. This stealth approach helps them avoid raising alarms.
DNS tunneling is another technique used in this phase. Adversaries encode their communication within DNS queries, which are usually allowed through firewalls without much scrutiny. It’s like sending secret messages through a seemingly innocent channel, bypassing conventional security measures undetected.
Some sophisticated adversaries use peer-to-peer (P2P) networks for C2. Instead of communicating with a single server, the compromised systems connect to one another and relay commands among themselves. This decentralized method makes it more challenging to shut down the operation. It’s like a network of thieves who don’t rely on a single ringleader but coordinate to avoid capture.
Encrypted communication is also prevalent in the C2 phase. Adversaries often use encryption to secure their C2 traffic, making it difficult for defenders to intercept and understand the commands being sent.
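The DNS tunneling technique described above leaves a detectable footprint on the resolver: many distinct, long, high-entropy subdomains under one parent domain from a single client. The following script is an added example written for this article, not code from the article or from Lockheed Martin; it runs those heuristics over a constructed resolver log (the log format, the client addresses, the thresholds and the placeholder domain badexample.net are all assumptions).

```python
import math
from collections import defaultdict

# Constructed DNS resolver log (not from the article). Assumed format:
# "<ISO timestamp> <client_ip> <query_type> <query_name>"; badexample.net is a placeholder.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01 10.0.0.15 A www.example.com
2024-05-01T10:00:02 10.0.0.15 A mail.example.com
2024-05-01T10:00:03 10.0.0.22 TXT 6a7b3c9d1e2f4a5b6c7d8e9f0a1b2c3d.tun.badexample.net
2024-05-01T10:00:04 10.0.0.22 TXT 9f8e7d6c5b4a39281706f5e4d3c2b1a0.tun.badexample.net
2024-05-01T10:00:05 10.0.0.22 TXT 0123456789abcdef0123456789abcdef.tun.badexample.net
2024-05-01T10:00:06 10.0.0.22 TXT fedcba9876543210fedcba9876543210.tun.badexample.net
2024-05-01T10:00:07 10.0.0.22 TXT 1a2b3c4d5e6f708192a3b4c5d6e7f809.tun.badexample.net
2024-05-01T10:00:08 10.0.0.15 A cdn.example.com
"""


def shannon_entropy(s):
    """Bits of entropy per character; encoded payloads score far above dictionary words."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    # Simplification: last two labels. Production code should use the Public
    # Suffix List so that e.g. host.example.co.uk groups under example.co.uk.
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dns_log(text):
    for line in text.splitlines():
        if line.strip():
            ts, client, qtype, qname = line.split()
            yield ts, client, qtype.upper(), qname.lower().rstrip(".")


def find_tunneling_candidates(text, min_unique=5, min_entropy=3.0, long_label=30):
    """Group queries per (client, registered domain) and flag groups that look like
    an encoded channel: many distinct names whose leftmost label is long and
    high-entropy. TXT volume is reported as a supporting signal, not a requirement."""
    groups = defaultdict(lambda: {"names": set(), "entropies": [], "long": 0, "txt": 0})
    for _, client, qtype, qname in parse_dns_log(text):
        first_label = qname.split(".")[0]
        g = groups[(client, registered_domain(qname))]
        g["names"].add(qname)
        g["entropies"].append(shannon_entropy(first_label))
        if len(first_label) >= long_label:
            g["long"] += 1
        if qtype == "TXT":
            g["txt"] += 1
    findings = []
    for (client, domain), g in groups.items():
        avg_entropy = sum(g["entropies"]) / len(g["entropies"])
        if len(g["names"]) >= min_unique and avg_entropy >= min_entropy:
            findings.append({"client": client, "domain": domain,
                             "unique_names": len(g["names"]),
                             "avg_entropy": round(avg_entropy, 2),
                             "long_labels": g["long"], "txt_queries": g["txt"]})
    return findings


if __name__ == "__main__":
    for f in find_tunneling_candidates(SAMPLE_DNS_LOG):
        print(f"{f['client']} -> {f['domain']}: {f['unique_names']} distinct names, "
              f"avg entropy {f['avg_entropy']}, {f['txt_queries']} TXT queries")
```

Ordinary browsing (the example.com lookups from 10.0.0.15) stays well under both thresholds, while the hex-encoded labels from 10.0.0.22 trip the unique-name and entropy checks together. Tune `min_unique` against a baseline of your own resolver logs, since CDNs and some telemetry agents legitimately generate many distinct subdomains.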
In this final step of the Cyber Kill Chain, actions on objectives, adversaries execute their ultimate goals, whatever they may be. Think of it as the burglar not just breaking in but actually stealing valuables, vandalizing, or gathering sensitive documents. It's the endgame of their efforts, and it's where the most damage happens.
Let's say an adversary’s objective is data theft. They might use their backdoor access to locate sensitive files and databases. Once found, they start exfiltrating this data, often compressing it into smaller files to avoid detection. They might even use encryption to ensure the data isn't readable if intercepted.
Another common objective is ransomware deployment. Adversaries could deploy malware that encrypts all the data on the targeted systems, rendering it inaccessible. They then demand a ransom for the decryption key. This can cripple businesses, especially if backups are also compromised.
System disruption is another goal adversaries might have. Here, the aim is to disable or destroy critical infrastructure. They could delete essential files, corrupt databases, or even sabotage industrial control systems. It’s like a vandal smashing windows and cutting power lines, causing chaos and operational shutdowns.
In some cases, adversaries focus on financial theft. They might use their access to manipulate financial transactions, siphoning money directly from accounts. They might also install software to track and steal credit card numbers for future use.
Credential harvesting is another objective. Adversaries might focus on collecting usernames and passwords, especially those with higher levels of access.
These credentials can be used in future attacks or sold on the dark web. It’s akin to a burglar finding and copying all your house keys and alarm codes, planning to use or sell them later.
Understanding the Actions on Objectives phase is essential because it highlights the adversaries' ultimate goals. By knowing what they aim to achieve, you can better prepare and respond to mitigate the damage.
This last phase is where the impact on the organization is most severe, making early detection and prevention in the earlier stages crucial.
Social engineering is the exploitation of human psychology to trick people into divulging confidential information. An example is that of a threat actor posing as an IT support technician. They might call an employee, claiming there's an urgent issue that requires immediate action.
The employee, wanting to be helpful, might reveal their login credentials or even install malicious software thinking it's a necessary update.
Another example is phishing emails. These emails often look like they come from trusted sources, like a manager or a well-known company. They might ask the recipient to click on a link or open an attachment, which then delivers malware. It’s all about manipulating trust and human error.
Network scanning is the technique adversaries use to identify vulnerable systems on a network. Think of it as checking all the doors and windows in a building to find the easiest way in. They might use tools like Nmap to scan for open ports and services.
For example, if they discover an open SSH port, they could attempt brute-force attacks to gain access. Or they might find outdated software versions with known vulnerabilities.
Scanning helps them map out the network and pinpoint where to focus their attacks. It’s a methodical way of gathering technical details that can be exploited later.
Open-Source Intelligence (OSINT) is the technique of collecting information from publicly available sources. An adversary might gather data from social media profiles, company websites, and online forums.
For example, they might find a list of employees on LinkedIn. They can then use this information to craft more convincing phishing emails.
Attackers might even discover that the company uses specific software, which could have known vulnerabilities. OSINT is like piecing together a puzzle using information that's out in the open but often overlooked.
Security awareness training means educating your team to recognize and resist social engineering tactics. For example, you can conduct regular training sessions on identifying phishing emails. These sessions can include real-world examples, like emails pretending to be from high-ranking executives asking for urgent actions.
By showing employees what to look out for, you reduce the chances of them falling for these tricks. You can also run phishing simulations. These are fake phishing campaigns that test employees’ responses. It helps you identify who might need extra training and keeps everyone on their toes. Remember, a well-informed employee is a strong line of defense.
You must also teach employees about the dangers of oversharing on social media. Adversaries often gather information from these platforms to craft personalized attacks.
By making your team aware of this risk, you can limit the amount of useful information that adversaries can gather through OSINT. It’s like telling everyone to close their curtains at night to prevent peeping Toms.
Keeping an eye on your own network is crucial. You can use tools like Nmap to regularly scan your systems for open ports and services.
For instance, if you notice an open SSH port that shouldn't be there, you can quickly investigate and secure it. Regular scans help you identify outdated software before adversaries do.
If you find a system running old software with known vulnerabilities, you can update it immediately. It’s like regularly checking all the locks and windows in your house to make sure they’re still secure.
Automated vulnerability scanners are also handy. Tools like Nessus can help identify potential weak points in your network. These scans can be scheduled to run automatically, ensuring consistent monitoring.
If you detect a vulnerability, you can prioritize patching it based on its severity. It’s a proactive approach that keeps you one step ahead of potential threats.
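Running the scan is only half of the process the paragraphs above describe; the useful part is comparing the result with what each host is supposed to expose. The script below is an added example written for this article (not code from the article, from Nmap or from Tenable) that parses Nmap's grepable output format (`-oG`) and diffs it against a baseline. The scan output, the 10.0.0.0/29 range, the per-host baseline and the retired-version policy are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed Nmap grepable (-oG) output (not from the article); 10.0.0.0/29 is a
# placeholder scan range. Entries inside "Ports:" are laid out as
# port/state/protocol/owner/service/rpcinfo/version/ and separated by ", ".
SAMPLE_SCAN = "\n".join([
    "# Nmap 7.94 scan initiated Wed May  1 10:00:00 2024 as: nmap -sV -oG scan.gnmap 10.0.0.0/29",
    "Host: 10.0.0.2 ()\tStatus: Up",
    "Host: 10.0.0.2 ()\tPorts: 22/open/tcp//ssh//OpenSSH 9.6p1/, 443/open/tcp//https//nginx 1.24.0/\tIgnored State: closed (998)",
    "Host: 10.0.0.5 ()\tStatus: Up",
    "Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 6.6.1p1/, 80/open/tcp//http//Apache httpd 2.4.58/, 3306/open/tcp//mysql//MySQL 8.0.36/\tIgnored State: closed (997)",
    "# Nmap done at Wed May  1 10:00:09 2024 -- 8 IP addresses (2 hosts up) scanned",
])

# Constructed baseline: the (port, protocol) pairs each host is supposed to expose.
EXPECTED_SERVICES = {
    "10.0.0.2": {(22, "tcp"), (443, "tcp")},
    "10.0.0.5": {(80, "tcp")},  # web server: no SSH from this segment, no exposed DB
}

# Constructed policy: product versions this (hypothetical) organization has retired.
RETIRED_PRODUCT_PATTERNS = [r"^OpenSSH [1-6]\."]


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    proto: str
    name: str
    version: str


def parse_nmap_grepable(text):
    """Return one Service per open port found in -oG output."""
    services = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines
        fields = line.split("\t")
        host = fields[0].split()[1]
        ports = [f for f in fields if f.startswith("Ports:")]
        if not ports:
            continue  # "Status: Up" lines carry no port data
        for entry in ports[0][len("Ports:"):].split(","):
            parts = entry.strip().split("/")
            if len(parts) < 7 or parts[1] != "open":
                continue
            services.append(Service(host, int(parts[0]), parts[2], parts[4], parts[6]))
    return services


def audit(services, expected=EXPECTED_SERVICES, retired=RETIRED_PRODUCT_PATTERNS):
    """Flag open ports missing from the baseline and versions matching the retired list."""
    unexpected, outdated = [], []
    for s in services:
        if (s.port, s.proto) not in expected.get(s.host, set()):
            unexpected.append((s.host, s.port, s.proto, s.name))
        if any(re.search(p, s.version) for p in retired):
            outdated.append((s.host, s.port, s.version))
    return {"unexpected": unexpected, "outdated": outdated}


if __name__ == "__main__":
    report = audit(parse_nmap_grepable(SAMPLE_SCAN))
    for host, port, proto, name in report["unexpected"]:
        print(f"unexpected: {host}:{port}/{proto} ({name})")
    for host, port, version in report["outdated"]:
        print(f"retired version: {host}:{port} {version}")
```

The baseline is the important artifact: a scan on its own tells you what is open, but only the comparison tells you what should not be. Keep the expected-services map under version control next to the asset inventory, and treat every diff as a ticket to either close the port or update the baseline.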
Network segmentation, dividing the network into smaller, isolated segments, limits the movement of adversaries if they do manage to get in. For example, you can ensure that sensitive data is only accessible from certain parts of the network, making it harder for adversaries to reach it.
Each stage of the Cyber Kill Chain represents a unique opportunity to thwart adversaries. Missing any one of these stages can give attackers the foothold they need.
In the reconnaissance stage, developing the ability to detect unusual network scans can keep you one step ahead of attackers. Blocking or misleading their reconnaissance efforts can make them look for easier targets elsewhere. For example, deploying a honeypot can trick adversaries into revealing themselves before they get too far.
By keeping your software updated and patched, you reduce the vulnerabilities bad actors target in the weaponization stage. If they can't find an easy way in, their custom tools become useless. Regularly updating antivirus definitions can also catch new malware types.
To thwart cyber criminals in the delivery phase, your focus should be on email filtering and user awareness. For instance, spam filters can catch many phishing attempts before they even reach an inbox. Teaching employees to recognize suspicious emails adds another layer of defense.
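The phishing traits the article keeps returning to (a message that looks like it comes from an executive, an urgent subject line, a malicious attachment) are exactly what a mail filter scores on. The following is an added example, written for this article rather than taken from it or from any mail-security product, that parses two constructed messages with Python's standard `email` module and scores them on header and attachment indicators. The sample messages, the placeholder domains examplecorp.com and mail-examplecorp.net, the keyword lists and the weights are all assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed messages (not from the article); examplecorp.com and
# mail-examplecorp.net are placeholder domains, the attachment is a dummy.
SAMPLE_PHISH = """\
From: "Jane Doe (CEO)" <ceo@examplecorp.com>
Reply-To: jane.doe.ceo@mail-examplecorp.net
To: accounts@examplecorp.com
Subject: URGENT: wire transfer needed today
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please process the attached invoice immediately, I am in a meeting.
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

ZmFrZSBhdHRhY2htZW50
--b1--
"""

SAMPLE_BENIGN = """\
From: Bob Smith <bob@examplecorp.com>
To: alice@examplecorp.com
Subject: Lunch on Thursday?

Are you free for lunch on Thursday?
"""

# Constructed keyword list and weights; a real filter would learn these from labelled mail.
URGENCY_WORDS = ("urgent", "immediately", "asap", "wire transfer", "right away")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".lnk", ".iso")
WEIGHTS = {"reply-to-domain-mismatch": 3, "executable-attachment": 4,
           "double-extension-attachment": 2, "urgent-subject": 1, "urgent-body": 1}


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw):
    """Return (score, indicators) for one RFC 5322 message given as a string."""
    msg = email.message_from_string(raw, policy=policy.default)
    indicators = []

    # A Reply-To pointing at a different domain than From is the classic
    # executive-impersonation pattern: replies go to the attacker's mailbox.
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    reply_addr = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        indicators.append("reply-to-domain-mismatch")

    subject = str(msg.get("Subject", "")).lower()
    if any(w in subject for w in URGENCY_WORDS):
        indicators.append("urgent-subject")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if any(w in text for w in URGENCY_WORDS):
        indicators.append("urgent-body")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            indicators.append("executable-attachment")
        elif name.count(".") >= 2:  # e.g. "report.pdf.scr" disguised with a second extension
            indicators.append("double-extension-attachment")

    return sum(WEIGHTS[i] for i in indicators), indicators


def verdict(score, threshold=4):
    return "quarantine" if score >= threshold else "deliver"


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        score, indicators = score_message(raw)
        print(f"{label}: score={score} -> {verdict(score)} {indicators}")
```

Each indicator alone is weak (plenty of legitimate mail is urgent), which is why the filter sums weighted signals and why the executable attachment carries enough weight to quarantine on its own. The same indicators make good teaching material for the awareness sessions mentioned above, since they are the things a recipient can check by eye.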
Having endpoint protection and intrusion detection systems in place helps stop adversaries in the exploitation stage. You can catch their actions as they're happening.
For example, software that monitors for unusual behavior can alert you to malware trying to exploit a system. Rapid response can prevent further damage.
During the installation phase, adversaries establish a foothold. They might install a backdoor or a remote access tool. You need to ensure your systems are configured to limit installations.
Application whitelisting can help, allowing only approved software to run. For instance, if a new, unapproved software tries to install itself, the system blocks it.
In the Command and Control (C2) phase, adversaries communicate with the compromised system. Cutting off this communication can effectively paralyze their efforts.
Network monitoring tools can help you spot unusual outbound traffic. Imagine detecting a computer in your network trying to communicate with an unknown IP address. Blocking that connection can stop adversaries from issuing further commands.
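A compromised host talking to an unknown address is easiest to spot by timing: a backdoor polling its C2 server checks in on a fixed schedule, which ordinary user traffic does not. The script below is an added example written for this article (not code from the article or from any monitoring product) that finds such beaconing in a constructed outbound connection log by measuring how regular each source/destination pair's inter-arrival times are. The log format, the hosts, the documentation-range destination addresses and the allowlist are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound connection log (not from the article). Assumed format:
# "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <bytes_out>"; 203.0.113.0/24,
# 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges, not real hosts.
SAMPLE_CONN_LOG = """\
2024-05-01T10:00:00 10.0.0.22 203.0.113.10 443 812
2024-05-01T10:00:05 10.0.0.15 198.51.100.5 443 14200
2024-05-01T10:00:09 10.0.0.15 198.51.100.5 443 2210
2024-05-01T10:00:30 10.0.0.30 192.0.2.20 443 640
2024-05-01T10:01:00 10.0.0.22 203.0.113.10 443 805
2024-05-01T10:02:01 10.0.0.22 203.0.113.10 443 811
2024-05-01T10:02:59 10.0.0.22 203.0.113.10 443 809
2024-05-01T10:03:40 10.0.0.15 198.51.100.5 443 9800
2024-05-01T10:04:00 10.0.0.22 203.0.113.10 443 814
2024-05-01T10:05:01 10.0.0.22 203.0.113.10 443 810
2024-05-01T10:05:30 10.0.0.30 192.0.2.20 443 644
2024-05-01T10:10:12 10.0.0.15 198.51.100.5 443 3300
2024-05-01T10:10:30 10.0.0.30 192.0.2.20 443 641
2024-05-01T10:15:30 10.0.0.30 192.0.2.20 443 639
2024-05-01T10:20:30 10.0.0.30 192.0.2.20 443 642
"""

# Constructed allowlist: destinations the organization already expects regular
# traffic to (e.g. its patch server). A real deployment would load this from the
# asset inventory rather than hard-coding it.
KNOWN_GOOD_DESTINATIONS = {"192.0.2.20"}


def parse_conn_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return records


def detect_beacons(text, allowlist=KNOWN_GOOD_DESTINATIONS, min_count=5, max_cv=0.1):
    """Return (src, dst, port) flows whose inter-arrival times are suspiciously regular."""
    flows = defaultdict(list)
    for ts, src, dst, dport, _ in parse_conn_log(text):
        flows[(src, dst, dport)].append(ts)
    findings = []
    for (src, dst, dport), times in flows.items():
        if dst in allowlist or len(times) < min_count:
            continue
        times.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue
        # Coefficient of variation: close to 0 means metronome-like check-ins,
        # which survives the small jitter most implants add to their sleep timer.
        cv = pstdev(intervals) / avg
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "count": len(times), "mean_interval": avg, "cv": cv})
    return findings


if __name__ == "__main__":
    for f in detect_beacons(SAMPLE_CONN_LOG):
        print(f"possible beacon: {f['src']} -> {f['dst']}:{f['dport']} "
              f"every {f['mean_interval']:.0f}s (cv={f['cv']:.3f}, n={f['count']})")
```

In the sample, 10.0.0.22 checks in with 203.0.113.10 roughly every minute and is flagged, 10.0.0.15's bursty browsing to 198.51.100.5 is not, and 10.0.0.30's equally regular traffic to the patch server is suppressed only because that destination is allowlisted (pass `allowlist=set()` to see it reported too). Once a beacon is confirmed, blocking the destination at the egress firewall is the "cutting off communication" step the paragraph above describes; the host itself still needs to be contained and cleaned.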
The Actions on Objectives stage is where the damage is done and where you have your last chance to thwart the attack. It is where the adversaries execute their main goals, such as data theft or system disruption.
By the time they get here, you have ideally already detected and contained the threat. But it’s also critical to have strong data encryption and backup strategies. If an adversary manages to steal encrypted data, it remains useless to them. Regular backups ensure you can quickly recover if they try to disrupt or encrypt your systems.
Addressing each stage of the kill chain isn't just about technology. It's also about people and processes. Combining awareness, regular updates, and constant monitoring creates a multi-layered defense.
Each stage represents a chance to stop adversaries before they succeed. By focusing on each one, you make your networks significantly more secure.