Cyber kill chains

The term ‘kill chain’ was originally used as a military concept relating to structuring an attack into stages from identifying an adversary’s weaknesses to exploiting them. It consisted of target identification, forced dispatch to the target, decision, order to attack the target, and finally, destruction of the target. In simple terms it can be viewed as a stereotypical burglary, whereby the thief will perform reconnaissance on a building before trying to infiltrate and then go through several more steps before taking off with the valuables. In 2011, Lockhead Martin put forward their own ‘Cyber Kill Chain’ to explain the various steps related to a digital attack. In the same way the traditional kill chain describes the seven steps in a physical attack, a cyber kill chain describes the modus operandi of a typical cyber attack.
External Reconnaissance: Learning your victim’s weaknesses and choosing the best attack methods.
Weaponsation and Packaging: Web application exploitation, malware, for example, compound document vulnerabilities delivered in ODF, Office or other document formats, or watering hole attacks.
Delivery: The means of transporting or launching the attack can include many types of digital delivery mechanisms. The delivery of payloads is generally either target-initiated from visiting a malicious web presence or opening a malicious PDF file for example, or attacker-initiated, such as SQL injection.
Exploitation: The payload will then compromise the asset, gaining a foothold. How all this technically happens differs based of the type of attack. In some cases, this involves a technical exploit mechanism, like specialised code that takes advantage of a vulnerability in software to ‘force’ something to happen on your computer. The exploitation could also just be a good phishing mail.
Installation: The next step is to establish persistence: typically, installing malware that will continue to run whenever the device reboots or turns on. This is usually designed to gain persistence at the endpoints where it has access and secretly giving the adversary control.
Command and Control: Simply setting up a communication mechanism – a C2 channel – to control the victim devices and exfiltrate data. This can be as simple as sending data over normal network services, like ICR or HTTP or as complex as hiding specially encrypted traffic in tricky unexpected network services, such as hidden in DNS options or ICMP messages.
Actions on Targets: This final phase covers the malicious actions which could be grabbing password hashes, installing ransomware, key logging, spying with your webcam, gathering any files and data you have, and much more.
Lockheed Martin’s original didn’t properly cover a common stage of attack called lateral movement or pivoting. Often, the first device an attacker gains control of may not be the target so they must take additional steps to gain access to that.
They account for this by considering its cyber kill chain as circular, not linear. However, we believe lateral movement and pivoting deserves a stage of its own, and we have proposed alternate versions that replaces the weaponisation stage with one specifically for lateral movement and pivoting.
For those defending systems and data, understanding the chain can help identify the defences you need in place. While attackers are constantly evolving their methods, their approach always consists of these general stages. The closer to the start of the chain an attack can be stopped the better, so a good understanding of adversaries and their tolls and tactics will help to build more effective defences.
Cyber criminals look for the weakest point of entry to attack a corporate network. This is often through endpoint devices such as laptops and phones which mean that a security strategy needs to strengthen defences on home worker’s endpoint.
Endpoint protection can detect many stages of the chain, completely preventing most threats or allowing you to remediate the most sophisticated ones in later stages, Endpoint protection should include multiple layers of malware detection, host firewalling and intrusion detection services, exploit detection and prevention capability, endpoint detection and response, web and email security capabilities, URL or IP/Domain filtering, patch management.
These security layers can help in many stages. Taking delivery, for example: Good EPP solutions apply many types of web or email malware detection but data and machine learning, combined with a zero-trust model, which ensures unclassified files will not run.
To mitigate a threat, EPP can block unknown application execution until it is validated by blocking any suspicious activity; quarantining malware; killing a compromised process – or even by completely shutting the system down.
The kill chain teaches us that while adversaries must progress through all phases for success, we just need to stop the chain at any step to break it, which is why stopping adversaries at the endpoint drastically reduces the likelihood of success of an cyber attack.