The Cyber Kill Chain is a model introduced by defence contractor Lockheed Martin in 2011 to systematically analyse the progression of cyber-attacks and develop appropriate countermeasures. The concept, originally rooted in military strategy, has been applied to cybersecurity to combat targeted attacks (advanced persistent threats, APTs).
Focus and use of the Cyber Kill Chain
The Cyber Kill Chain describes the typical progression of a cyber-attack in seven phases. It promotes proactive security management: each of the seven phases provides an opportunity for security teams to identify and stop the attack. The phases are largely independent of specific technologies or attack techniques, as the model focuses on the attackers’ overall approach rather than on technical details.
The Cyber Kill Chain is particularly useful for understanding the general flow of an attack and planning strategic defences by disrupting one or more of the seven phases. The MITRE ATT&CK framework can be used to supplement these strategies with specific, detailed information on attack techniques and tactics, and is often used in threat modelling and red/blue team exercises.
The seven phases of the Cyber Kill Chain
1. Reconnaissance
In this phase, attackers gather information about their target. This can be done through public sources, social engineering or targeted scans of networks and systems. The goal is to identify vulnerabilities and potential entry points.
Countermeasures: Organisations should minimise their digital footprint by protecting sensitive information and monitoring network scans.
2. Weaponization
This is where the attackers create their malware based on the information gathered during the reconnaissance phase. This can include developing exploits or creating phishing emails with malicious attachments.
Countermeasures: Security software, secure development practices, awareness and regular updates can reduce the risk.
3. Delivery
The malware is delivered to the target. Common methods include email attachments, infected websites or direct network requests.
Countermeasures: Email filters, secure web gateways and network monitoring can help detect and block malicious deliveries.
4. Exploitation
In this phase, attackers exploit vulnerabilities in the target system to execute the malware. This can be through unpatched software, weak passwords or other security holes.
Countermeasures: Regular vulnerability assessments and patches, as well as strict authentication policies, can mitigate these risks.
5. Installation
The malware is installed on the target system and allows the attackers to establish a permanent presence. Backdoors are also often set up to provide subsequent access.
Countermeasures: Endpoint detection and response (EDR) solutions and strict monitoring of system changes are critical.
6. Command & Control (C2)
Attackers establish a communication channel with the malware to send commands and retrieve data. This is often done using encrypted connections or hidden protocols.
Countermeasures: Anomaly detection and network activity monitoring can help identify and stop suspicious communications.
7. Actions on Objectives
In the final phase, the attackers carry out their actual objectives, such as data exfiltration, sabotage or blackmail.
Countermeasures: Data backup, encryption and access management are essential measures to minimise the impact of a successful attack.
The Cyber Kill Chain in theory and practice
For each of the seven phases, system-independent methods and procedures are recorded. New attacker actions can be added and updated independently without changing the overall attack pattern. By aggregating individual indicators, faster and better warnings of possible cyber-attacks can be generated. Rather than simply reacting to attacks, the model enables early detection and disruption.
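The indicator aggregation described above, as an added example that is not part of the original article: a small Python routine groups sensor alerts per host by the kill-chain phase they evidence and escalates only when one host shows several distinct phases inside a time window; because the phases are returned in chain order, the last entry also tells responders how far along the chain the intrusion has been observed. The phase names, the Alert shape, the sensor names and the sample alerts are assumptions constructed here.

```python
# Added example (not from the original article): aggregate per-host sensor
# alerts tagged with the kill-chain phase they evidence. One alert is noisy;
# the same host showing several phases inside a short window is a strong signal.
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# Phase order as the model defines it (1 = Reconnaissance ... 7 = Actions on Objectives).
PHASES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]
PHASE_RANK = {name: i for i, name in enumerate(PHASES, start=1)}

class Alert(NamedTuple):
    host: str
    phase: str
    when: datetime
    source: str  # hypothetical sensor name, e.g. "mail-gateway"

def aggregate(alerts, window=timedelta(hours=24), min_phases=3):
    """Return {host: phases} for hosts whose alerts cover at least `min_phases`
    distinct phases within `window`; phases are ordered by rank, so the last
    entry is how far along the chain the attacker has been observed."""
    by_host = defaultdict(list)
    for a in alerts:
        if a.phase not in PHASE_RANK:
            raise ValueError(f"unknown kill-chain phase: {a.phase!r}")
        by_host[a.host].append(a)
    escalations = {}
    for host, host_alerts in by_host.items():
        host_alerts.sort(key=lambda a: a.when)
        for i, start in enumerate(host_alerts):  # sliding window from each alert
            seen = {a.phase for a in host_alerts[i:] if a.when - start.when <= window}
            if len(seen) >= min_phases:
                escalations[host] = sorted(seen, key=PHASE_RANK.__getitem__)
                break
    return escalations

# Constructed sample alerts (not real data).
T0 = datetime(2024, 1, 15, 9, 0)
SAMPLE_ALERTS = [
    Alert("ws-17", "delivery", T0, "mail-gateway"),
    Alert("ws-17", "exploitation", T0 + timedelta(minutes=12), "edr"),
    Alert("ws-17", "command_and_control", T0 + timedelta(hours=2), "proxy"),
    Alert("ws-42", "reconnaissance", T0, "ids"),                   # isolated scan, no follow-up
    Alert("srv-03", "installation", T0 - timedelta(days=3), "edr"),
    Alert("srv-03", "command_and_control", T0, "proxy"),           # related, but outside 24 h window
]
```

With the defaults only ws-17 is escalated; lowering `min_phases` or widening `window` trades fewer missed chains for more noise.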
Even as a theoretical construct, the Cyber Kill Chain can make an immediate contribution to improving security levels. As a reference, prevention and management tool, it can be used to compare its sub-steps with existing systems and processes to determine the current status of your security posture and its potential for improvement. It can also be used as a training and awareness tool for the stages and methods of cyber-attacks.
Benefits of using the Cyber Kill Chain
By implementing this model, organisations can optimise their security strategy and significantly increase their resilience to cyber-attacks. Here are some of the key benefits that can be achieved by applying the Cyber Kill Chain:
Systematic threat identification and analysis: Better understanding of attack mechanisms and early, targeted action to disrupt the attack.
Improve security architecture: Increasing resilience to a wide range of attack techniques by identifying vulnerabilities and developing a more comprehensive and robust defence strategy.
Efficient use of resources: Optimise the use of available resources and increase the effectiveness of security measures by deploying security measures where they provide the greatest benefit.
Improved incident response: Respond more quickly and effectively to security incidents by developing targeted incident response strategies.
Standardised communication: More effective communication and collaboration through a common understanding and language for security teams, management and external partners.
Recommendations for the use of the Cyber Kill Chain
To maximise the benefits of the Cyber Kill Chain and minimise the potential drawbacks, companies should follow a few recommendations. It is important to recognise that even proven concepts cannot provide absolute security.
While the Cyber Kill Chain focuses on targeted attacks, organisations should not neglect other risks such as insider threats or non-targeted attacks. Additional security measures and continuous improvement of the defence strategy are required to counter new attack methods. In addition to the Cyber Kill Chain’s rather abstract view of cyber-attacks, integration with other frameworks such as the MITRE ATT&CK Framework, which provides detailed information on specific attack techniques and tactics, is recommended.
To maximise the potential of the model, we recommend not neglecting any of the seven phases of the Cyber Kill Chain, as each phase provides a potential attack surface. Implement proactive security measures to detect and stop attacks early, such as Threat Intelligence and anomaly detection.
Sources:
https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html