The Cyber Kill Chain is a model introduced by defence contractor Lockheed Martin in 2011 to systematically analyse the progression of cyber-attacks and develop appropriate countermeasures. The concept originally rooted in military strategy has been applied to cybersecurity to combat targeted attacks (advanced persistent threats, APTs).
The Cyber Kill Chain describes the typical progression of a cyber-attack in seven phases. It promotes proactive security management. Each of the seven phases provides an opportunity for security teams to identify and stop the attack. These phases are relatively independent of specific technologies or attack techniques, as the model focuses on the overall attackers’ approach rather than the details.
The Cyber Kill Chain is particularly useful for understanding the general flow of an attack and planning strategic defences by disrupting one or more of the seven phases. The MITRE ATT&CK framework can be used to supplement these strategies with specific, detailed information on attack techniques and tactics, and is often used in threat modelling and red/blue team exercises.
In this phase, attackers gather information about their target. This can be done through public sources, social engineering or targeted scans of networks and systems. The goal is to identify vulnerabilities and potential entry points.
Countermeasures: Organisations should minimise their digital footprint by protecting sensitive information and monitoring network scans.
This is where the attackers create their malware based on the information gathered during the reconnaissance phase. This can include developing exploits or creating phishing emails with malicious attachments.
Countermeasures: Security software, secure development practices, awareness and regular updates can reduce the risk.
The malware is delivered to the target. Common methods include email attachments, infected websites or direct network requests.
Countermeasures: Email filters, secure web gateways and network monitoring can help detect and block malicious deliveries.
In this phase, attackers exploit vulnerabilities in the target system to execute the malware. This can be through unpatched software, weak passwords or other security holes.
Countermeasures: Regular vulnerability assessments and patches, as well as strict authentication policies, can mitigate these risks.
The malware is installed on the target system and allows the attackers to establish a permanent presence. Backdoors are also often set up to provide subsequent access.
Countermeasures: Endpoint detection and response (EDR) solutions and strict monitoring of system changes are critical.
Attackers establish a communication channel with the malware to send commands and retrieve data. This is often done using encrypted connections or hidden protocols.
Countermeasures: Anomaly detection and network activity monitoring can help identify and stop suspicious communications.
In the final phase, the attackers carry out their actual objectives, such as data exfiltration, sabotage or blackmail.
Countermeasures: Data backup, encryption and access management are essential measures to minimise the impact of a successful attack.
System-independent methods and procedures are stored for each of the seven steps. New actions by attackers can be independently updated and added without changing the overall attack pattern. By aggregating individual indicators, faster and better warnings or indications of possible cyber-attacks can be generated. Rather than simply reacting to attacks, the model enables early detection and disruption of attacks.
Even as a theoretical construct, the Cyber Kill Chain can make an immediate contribution to improving security levels. As a reference, prevention and management tool, it can be used to compare the sub-steps with existing systems and processes to determine the current status and potential for improvement of your security posture. It can also be used as a training and awareness tool for the stages and methods of cyber attacks.
By implementing this model, organisations can optimise their security strategy and significantly increase their resilience to cyber-attacks. Here are some of the key benefits that can be achieved by applying the Cyber Kill Chain:
Systematic threat identification and analysis: Better understanding of attack mechanisms and early, targeted action to disrupt the attack.
Improve security architecture: Increasing resilience to a wide range of attack techniques by identifying vulnerabilities and developing a more comprehensive and robust defence strategy.
Efficient use of resources: Optimise the use of available resources and increase the effectiveness of security measures by deploying security measures where they provide the greatest benefit.
Improved incident response: Respond more quickly and effectively to security incidents by developing targeted incident response strategies.
Standardised communication: More effective communication and collaboration through a common understanding and language for security teams, management and external partners.
To maximise the benefits of theCyber Kill Chain and minimise the potential drawbacks, companies should follow a few recommendations. It is important to recognise that even proven concepts cannot provide absolute security.
While the Cyber Kill Chain focuses on targeted attacks, organisations should not neglect other risks such as insider threats or non-targeted attacks. Additional security measures and continuous improvement of the defence strategy are required to counter new attack methods. In addition to the Cyber Kill Chain’s rather abstract view of cyber-attacks, integration with other frameworks such as the MITRE ATT&CK Framework, which provides detailed information on specific attack techniques and tactics, is recommended.
To maximise the potential of the model, we recommend not neglecting any of the seven phases of the Cyber Kill Chain, as each phase provides a potential attack surface. Implement proactive security measures to detect and stop attacks early, such as Threat Intelligence and anomaly detection.
This might also interest you:
Threat Modelling: Guidelines for creating practical threat models
Incident response planning: step-by-step emergency plan for IT security incidents
Effective integration of threat intelligence with cyber defence
https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
https://www.ikarussecurity.com/wp-content/uploads/2024/07/Business-Email-Compromise-600.png
424
600
IKARUS
https://www.ikarussecurity.com/wp-content/uploads/2023/09/IKARUS-Security-Software-1.png
IKARUS2024-07-15 11:33:122024-07-15 11:33:12Business Email Compromise: Risks, trends and defences
https://www.ikarussecurity.com/wp-content/uploads/2024/06/Firefly-bedrohung-zukunft-computer-dark-city-lights.jpg
780
1200
IKARUS
https://www.ikarussecurity.com/wp-content/uploads/2023/09/IKARUS-Security-Software-1.png
IKARUS2024-06-11 14:33:392024-06-11 14:33:40New cybersecurity threats for 2030
https://www.ikarussecurity.com/wp-content/uploads/2024/05/e-mail-verschluesselung-600.png
400
600
IKARUS
https://www.ikarussecurity.com/wp-content/uploads/2023/09/IKARUS-Security-Software-1.png
IKARUS2024-06-06 07:49:042024-06-06 07:49:06Email encryption protects data and blocks attack vectors
https://www.ikarussecurity.com/wp-content/uploads/2024/05/Firefly-Schritt-fuer-Schritt-zum-Notfallplan-fuer-IT-Security-Incidents-600.jpg
600
600
IKARUS
https://www.ikarussecurity.com/wp-content/uploads/2023/09/IKARUS-Security-Software-1.png
IKARUS2024-05-07 13:19:112024-05-07 13:24:27Incident response planning: step-by-step emergency plan
https://www.ikarussecurity.com/wp-content/uploads/2024/04/benutzerkonten.jpg
400
600
IKARUS
https://www.ikarussecurity.com/wp-content/uploads/2023/09/IKARUS-Security-Software-1.png
IKARUS2024-04-10 14:11:292024-04-10 14:11:30Account management: The underestimated risk of forgotten user accounts
https://www.ikarussecurity.com/wp-content/uploads/2024/03/threat.png
353
600
IKARUS
https://www.ikarussecurity.com/wp-content/uploads/2023/09/IKARUS-Security-Software-1.png
IKARUS2024-03-27 12:40:022024-03-27 12:40:03Threat Modelling: Guidelines for creating practical threat models
https://www.ikarussecurity.com/wp-content/uploads/2024/03/Laptop-Alert.jpg
392
600
IKARUS
https://www.ikarussecurity.com/wp-content/uploads/2023/09/IKARUS-Security-Software-1.png
IKARUS2024-03-06 14:32:022024-03-06 14:32:48IoC and IoA: definition, examples, benefits
https://www.ikarussecurity.com/wp-content/uploads/2024/02/menschenmenge.jpg
400
600
IKARUS
https://www.ikarussecurity.com/wp-content/uploads/2023/09/IKARUS-Security-Software-1.png
IKARUS2024-02-12 12:02:112024-02-12 12:09:31Living off Trusted Sites: cyber attackers abuse legal services
https://www.ikarussecurity.com/wp-content/uploads/2024/01/Threat-Intelligence-.jpg
400
600
IKARUS
https://www.ikarussecurity.com/wp-content/uploads/2023/09/IKARUS-Security-Software-1.png
IKARUS2024-01-18 10:50:032024-01-18 10:55:07Effective integration of threat intelligence with cyber defence
https://www.ikarussecurity.com/wp-content/uploads/2024/01/sql-injection.png
404
600
IKARUS
https://www.ikarussecurity.com/wp-content/uploads/2023/09/IKARUS-Security-Software-1.png
IKARUS2024-01-12 10:50:412024-01-12 10:53:09SQL Injection: Attacks by malicious code in website requests
https://www.ikarussecurity.com/wp-content/uploads/2024/01/SMTP-Smuggling.png
400
600
IKARUS
https://www.ikarussecurity.com/wp-content/uploads/2023/09/IKARUS-Security-Software-1.png
IKARUS2024-01-04 13:54:372024-01-04 13:55:41IKARUS mail.security detects SMTP smuggling
https://www.ikarussecurity.com/wp-content/uploads/2023/12/christmas-hack.jpg
401
600
IKARUS
https://www.ikarussecurity.com/wp-content/uploads/2023/09/IKARUS-Security-Software-1.png
IKARUS2023-12-20 13:36:182023-12-20 13:38:32Cyber risks in the holiday season
https://www.ikarussecurity.com/wp-content/uploads/2023/12/passkey.jpg
400
600
IKARUS
https://www.ikarussecurity.com/wp-content/uploads/2023/09/IKARUS-Security-Software-1.png
IKARUS2023-12-11 13:18:532023-12-11 13:18:54Passkeys as a secure alternative to passwords
https://www.ikarussecurity.com/wp-content/uploads/2023/11/dynamische-cybersicherheit.jpg
400
600
IKARUS
https://www.ikarussecurity.com/wp-content/uploads/2023/09/IKARUS-Security-Software-1.png
IKARUS2023-11-27 11:30:282023-11-27 11:30:285 top IT security strategies for dynamic cyber security
https://www.ikarussecurity.com/wp-content/uploads/2023/11/nis2-eu-like.png
400
600
IKARUS
https://www.ikarussecurity.com/wp-content/uploads/2023/09/IKARUS-Security-Software-1.png
IKARUS2023-11-21 14:49:082023-11-21 14:49:09NIS2 Directive successfully implemented
https://www.ikarussecurity.com/wp-content/uploads/2023/11/Harmony-Mobile-300.png
87
300
IKARUS
https://www.ikarussecurity.com/wp-content/uploads/2023/09/IKARUS-Security-Software-1.png
IKARUS2023-11-15 10:01:252023-11-15 10:07:24Harmony Mobile new in the IKARUS portfolio
Scroll to top