What is the Cyber Kill Chain? Examples and how it Works

Jason Coggins
| Time 6 min read| Published On - July 22, 2020

The Cyber Kill Chain was developed by Lockheed Martin as a framework to help organizations understand the process of cyber attacks.

If you understand every point in the chain of events of a cyber-attack you can focus your efforts on breaking that chain and mitigating the damages.

Many organizations have taken their own approach to defining the correct Cyber Kill Chain, with varying degrees of success. For the purposes of this article, we will be focusing on the original 7-step Cyber-Kill Chain developed by Lockheed Martin. We will go through each step in the chain involves and how you break the chain to better protect your data.

How the Cyber Kill Chain Works in 7 Steps

Each stage of the Cyber Kill Chain is related to a certain type of threat, both external and internal. For the most part, whatever threat you face (from malware, phishing, insider threats and more) it is likely that they will fall into one or more of the activities on the kill chain.

Step 1 – Reconnaissance

In this stage, attackers are selecting their victim and researching their security vulnerabilities. They may be locating what sensitive data you have, where it’s stored, who has access to it and what the best routes are into the network.

Step 2 – Weaponization

The attackers have finished their research into your organization’s vulnerabilities and have selected their targets. In this step, they are working out how best to get inside the network. This might be through a virus or malware tailored to exploit known vulnerabilities.

Step 3 – Delivery

The attack method is delivered into the target environment. The actual method used may vary but it most commonly comes through malicious email attachments, websites, or USB devices.

Step 4 – Exploitation

In this step, the malicious code has been inserted or the vulnerability has been exploited, and the attackers are setting themselves up to execute on their mission.

Step 5 – Installation

The malware installs an access point that enables the attackers to get access to the target environment.

Step 6 – Command and Control

The attackers now have uninterrupted access to the target environment and can manipulate it at will.

Step 7 – Actions on Objective

The original goals of the attack can now be executed on command. The outcome of this could be anything from data theft to Ransomware. Whatever the objective is, if this step is completed successfully, you have been the victim of a data breach and are likely going to face severe costs to reputation and the bottom line.

Criticisms of the Cyber Kill Chain

Whilst the original Cyber Kill Chain was revolutionary in understanding the nature of cyber-threats, it was created in a time where the belief was that most security threats originated from outside the organization. The Cyber Kill Chain, therefore, does not consider the insider threat, which research suggests is the most prevalent threat you are likely to face.

For example, in the weaponization, delivery and installation stages of the kill chain, it is heavily implied that the attack will be delivered through some sort of malware or virus. In many cases, data breaches occur when privileged users abuse their access controls. In these sorts of attacks, steps 2, 3 and 4 are largely irrelevant.

Other criticisms of the Cyber Kill Chain include the fact that the first few steps are happening outside of the control of security teams, making it practically impossible to break the chain at these points.

An Updated Cyber Kill Chain for Today’s Security Threats

A better way to look at the Cyber Kill Chain would be to combine weaponization and delivery into a simpler “Intrusion” step. In this step the attackers (whether they are insiders or external attackers) will be able to exploit existing vulnerabilities in the network or permissions structure to gain a foothold.

A new step could be added to explain how insiders move throughout your environment. More often than not, when an attacker has privileged access, they move laterally to other systems and user accounts to gain access to even more sensitive data.

Another step missed by Lockheed Martin is where attackers cover their tracks to intentionally try to confuse forensics and investigations. This step should be considered if the attack is premeditated or malicious. Often, data breaches are accidental so this step will not be seen. Often, with malicious attacks, the attackers will attempt to block normal users and systems from having access to data so they can do their work unimpeded. This is known as denial of service.

So, the updated Cyber Kill Chain might look something like this:

  1. Reconnaissance
  2. Intrusion
  3. Exploitation
  4. Privilege Escalation
  5. Lateral Movement
  6. Obfuscation / Anti-Forensics
  7. Denial of Service
  8. Actions on Objective

In order to fully visualize the Cyber Kill Chain you have to imagine it more as a circle. Just because an attacker has reached step 8 in the chain doesn’t mean that the attack is over. Data breaches are a persistent threat to your organization and must be dealt with accordingly.

Breaking the Cyber Kill Chain

Theoretically, the Cyber Kill Chain can be broken at any stage (excluding the reconnaissance phase). Mostly, the chain can be broken through proactive and continuous monitoring of interactions with data and systems.

For example, if you detect that permissions are being escalated through real time alerts, you can take immediate action to prevent the threat from gaining access to sensitive data. Similarly, obfuscation is less effective if you are tracking and monitoring and audit trail of logs.

In some cases, you might even be able to detect threats in the reconnaissance stage. If a user accesses a file containing sensitive data for the first time, and they shouldn’t have access to this file, then you can immediately prevent them from having that access. This might prevent a threat from materializing altogether.

To do this effectively, you cannot be relying on normal event logs or a SIEM solution alone. There will be too much noise to sift through and you will not get the context you need to make real world decisions. Data Security Platforms can help to add more value to your SIEM and provide more detailed reporting and alerting.

If you would like to see how Lepide can help you break the Cyber Kill Chain, schedule a demo of the Lepide Data Security Platform today.

Jason Coggins

Jason Coggins

Jason Coggins came to Lepide directly from the UK government security services, and now leads the UK & EU sales team at Lepide. Based in Lepide’s UK office, Jason has a practical and ‘hands-on’ approach to introducing Lepide to customers and channel partners globally.

Popular Blog Posts