What is the cyber kill chain? A model for tracing cyberattacks

As an infosec professional, you’ve likely heard about using a cyber kill chain to help identify and prevent intrusions. Attackers are evolving their methods, which might require that you look at the cyber kill chain differently. What follows is an explanation of the cyber kill chain and how you might employ it in your environment.

Cyber kill chain definition

The cyber kill chain, also known as the cyberattack lifecycle, is a model developed by Lockheed Martin that describes the phases of a targeted cyberattack. It breaks down each stage of a malware attack where defenders can identify and stop it.

In military parlance, a “kill chain” is a phase-based model to describe the stages of an attack, which also helps inform ways to prevent such attacks. The closer to the beginning of the kill chain an attack can be stopped, the better. The less information an attacker has, for instance, the less likely someone else can use that information to complete the attack later.

The cyber kill chain applies the military model to cyberattacks, with the phases of a targeted attack described such that they can be used for protection of an organization’s network. The stages are shown in the graphic below.

One thing to keep in mind: the closer to the beginning of the chain you can stop an attack, the less costly and time-consuming the cleanup will be. If you don’t stop the attack until it’s already in your network, you’ll have to fix those machines and do a whole lot of forensics work to find out what information they’ve made off with.

Lockheed Martin

Cyber kill chain steps

The steps described in the cyber kill chain are a lot like a stereotypical burglary. The thief will perform reconnaissance on a building before trying to infiltrate it, and then go through several more steps before making off with the loot. Using the cyber kill chain to keep attackers from stealthily entering your network requires quite a bit of intelligence and visibility into what’s happening in your network. You need to know when something is there that shouldn’t be, so you can set the alarms to thwart the attack

Let’s take a closer look at the 7 steps of the cyber kill chain to determine what questions you should be asking yourself to decide whether it’s feasible for your organization.

1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploit
5. Installation
6. Command and control
7. Actions

Reconnaissance At this stage, criminals are trying to decide what are (and are not) good targets. From the outside, they learn what they can about your resources and your network to determine whether it is worth the effort. Ideally, they want a target that is relatively unguarded and with valuable data. What information the criminals can find about your company, and how it might be used, could surprise you.

Companies often have more information available than they realize. Are names and contact details of your employees online? (Are you sure? Think social networks too, not just your own corporate website.) These could be used for social engineering purposes, say, for getting people to divulge usernames or passwords. Are there details about your web servers or physical locations online? These could be used for social engineering too, or to narrow down a list of possible exploits that would be useful to break into your environment.

This is a tricky layer to control, particularly with the popularity of social networking. Hiding sensitive information tends to be a fairly inexpensive change, though being thorough about finding the information can be time intensive.

Weaponization, delivery, exploit, installation These four stages are where the criminals use the information they have gathered to craft a tool to attack their chosen target and put it to malicious use. The more information they can use, the more compelling a social engineering attack can be.

They could use spear phishing to gain access to internal corporate resources with the information they found on an employee’s LinkedIn page. Or they could put a remote access Trojan into a file that appears to have crucial information on an upcoming event in order to entice its recipient into running it.

If they know what software your users or servers run, including OS version and type, they can increase the likelihood of being able to exploit and install something within your network.

These layers of defense are where your standard security wonk advice comes in. Is your software up to date? All of it, on every machine? Most companies have that one box in some back room that is still running Windows 98. If it’s ever connected to the internet, it’s like putting out a welcome mat for attackers.

Do you use email and web filtering? Email filtering can be a good way to stop common document types that are used in attacks. If you require that files be sent in a standard way, such as in a password-protected ZIP archive, this can help your users know when files are being sent intentionally. Web filtering can help keep users from going to known bad sites or domains.

Have you disabled autoplay for USB devices? Giving files the chance to run without approval is seldom a good idea from a security perspective. It’s better to give the user a chance to stop and think about what they’re seeing before it launches.

Do you use endpoint protection software with up-to-date functionality? While endpoint protection software is not intended to deal with brand-new targeted attacks, sometimes they can catch threats based on known suspicious behavior or known software exploits.

Command and control Once a threat is in your network, its next task will be to phone home and await instructions. This may be to download additional components, but more likely it will be contacting a botmaster in a command and control (C&C) channel. Either way, this requires network traffic, which means there is only one question to ask yourself here: Do you have an intrusion detection system that is set to alert on all new programs contacting the network?

If the threat has gotten this far, it has made changes to the machine and is going to require a lot more work from IT staff. Some companies or industries require that forensics be done on the affected machines to determine what data has been stolen or tampered with. Those affected machines will either need to be cleaned or reimaged. It can be less costly and time-consuming if the data has been backed up and there is a standard corporate image that can be quickly replaced onto the machine.

Actions The natural last step in the kill chain would seem to be the attack itself, such as disrupting services or installing malware, but remember, the actions step is about carrying out the intended goal—and once they’ve successfully disrupted, corrupted or exfiltrated, attackers can go back in and do it all over again.

Often the intended goal of an attack is monetization and that can take any number of forms, says Ajit Sancheti, CEO at Preempt Security. For example, attackers can use compromised infrastructure to commit ad fraud or send out spam, extort the company for ransom, sell the data they’ve acquired on the black market, or even rent out hijacked infrastructure to other criminals. “The monetization of attacks has increased dramatically,” he says.

The use of cryptocurrency makes it easier and safer for the attackers to receive money, he adds, which contributes to the change in the motivation behind attacks. The number of different groups involved in the consumption of stolen data has also become more complicated. That could, potentially, create opportunities for enterprise to work with law enforcement authorities and other groups to disrupt the process.

Take, for example, stolen payment card information. “Once credit card data is stolen, the numbers have to be tested, sold, used to procure goods or services, those good or services in turn have to be sold to convert them to cash,” says Monzy Merza, head of security research at Splunk, Inc. All of this is outside the traditional kill chain of a cyberattack, he says. Another area where the black market ecosystem impacts the cyberattack life cycle is before the attack begins. Attackers share lists of compromised credentials, of vulnerable ports, of unpatched applications.

Issues with the cyber kill chain

As recent history has amply demonstrated, attackers aren’t following the playbook. They skip steps. They add steps. They backtrack. Some of the most devastating recent attacks bypass the defenses that security teams have carefully built up over the years because they’re following a different game plan. According to a 2018 report from Alert Logic, 88 percent of attacks combine the first five steps of the kill chain into a single action.

In recent years, we have also seen the rise of cryptocurrency mining malware. “And the techniques they used ignored the traditional steps,” says Matt Downing, principal threat researcher at Alert Logic, Inc. “All the early-stage mitigation and detection techniques wouldn’t work.” Plus, the attackers don’t have to exfiltrate valuable data and then try to sell it on the black market, he adds. “They can directly monetize a compromised asset.”

Attacks featuring compromised credentials, where attackers log in using seemingly legitimate data and use those accounts to steal data, would also not fit the traditional attack framework. “That’s a case where very obviously the Lockheed Martin kill chain doesn’t apply,” Downing says.

Another type of attack that doesn’t fit the traditional model: web application attacks. “When you have an application that’s exposed to the Net, anyone can come and visit,” says Satya Gupta, founder and CTO at Virsec Systems, Inc. “It’s like having a door open in your home.”

The Equifax breach, for example, was traced back to a vulnerability in the Apache Struts web server software. If the company had installed the security patch for this vulnerability it could have avoided the problem, but sometimes the software update itself is compromised, as was the case in Avast’s CCleaner software update in 2017.

Other transformative technologies—internet of things, DevOps, and robotic process automation—are also increasing the attack surface in ways that don’t fit with the traditional cyber kill chain model, says Lavi Lazarovitz, cyber research team leader, at CyberArk Labs.

The traditional cyberattack life cycle also misses attacks that never touch enterprise systems at all. For example, companies are increasingly using third-party software-as-a-service (SaaS) providers to manage their valuable data.

“The problem has grown exponentially in size given the amount of logins people have, the amount of SaaS service there are, the amount of third party connections that exist,” says Ross Rustici, senior director at Cybereason, Inc.  “You could have a business-ending hack without your core network, the one you have control over, ever being touched.”

Cyber kill chain vs. Mitre ATT&CK 

The evolving nature of cyber threats has some organizations looking for a more flexible, and comprehensive, way of thinking about cyberattacks.

A leading contender is the Mitre ATT&CK framework. “There’s a huge movement to show actual attack techniques tied to each step in the kill chain, and this is what ATT&CK from Mitre has done,” says Ben Johnson, CTO at Obsidian Security, Inc. “It’s received incredible reception and buy-in from vendors and the community.”

Rod Soto, director of security research at Jask warns against over-reliance on frameworks. “Adversarial drift is dynamic by nature. Attackers’ tools, techniques and procedures will continue to change as new defense measures make them obsolete. Frameworks like the cyber kill chain can be a part of our tool kit, but it’s up to us as security pros to continue to think creatively so we’re keeping up with attackers and their innovations.”

Editor’s note: This article has been updated to more accurately reflect recent trends.