Cyber Kill Chain is a term you will come across often, whether it’s part of your studies on your path to getting into a career in cybersecurity or during your time as a cybersecurity professional. It was created by Lockheed Martin, who describe it like so:
Developed by Lockheed Martin, the Cyber Kill Chain® framework is part of the Intelligence Driven Defense® model for identification and prevention of cyber intrusions activity. The model identifies what the adversaries must complete in order to achieve their objective.
The seven steps of the Cyber Kill Chain® enhance visibility into an attack and enrich an analyst’s understanding of an adversary’s tactics, techniques and procedures.
The Cyber Kill Chain can be thought of as being derived from the military concept of a kill chain. I’m no expert on the military kill chain, but a little research on it suggests that it is focused on identifying a target, pulling forces together to attack the target, carrying out the attack and destroying the target. Now we see that cyber attack or cyber warfare capabilities are increasingly seen as part of kinetic / military warfare capabilities.
Back on the cybersecurity side of this, understanding The Cyber Kill Chain - and how we can detect its phases, respond to them, and if necessary recover from them - is a crucial element of cyber defenses. As shown in the Lockheed Martin graphic at the top of this post, The Cyber Kill Chain has 7 phases. Here’s a quick breakdown of what attackers are looking to do/achieve in each of the phases:
Reconnaissance: Gathering information on the targeted organization - on the people, processes, technologies, and vulnerabilities that can potentially be exploited in an attack.
Weaponization: Creating a new attack tool (e.g. malicious software) or modifying an existing tool to exploit any gaps or weaknesses identified in the reconnaissance phase.
Delivery: Deploying the attack tool in the target environment.Over recent years, this is most commonly done through phishing campaigns that lead a user to click on a link or open a malicious attachment. There are a number of other methods of course and attackers are continuously improving on these and developing new methods.
Exploitation: Triggered by the malicious software (malware) delivered in the previous phase, and leveraging weaknesses discovered earlier in the cyber kill chain, attackers can gather more information on the target environment they now have a foothold in and seek out additional vulnerabilities to exploit to achieve their goals.
Installation: Installing additional malware, privilege escalation (acquiring higher level permissions in order to be able to do more damage), and gaining access to more target systems and data.
Command and Control (or C2C): Establishing a communications channel from the target environment out to the attackers’ servers/environment. This channel can be used “inbound” for delivering more attack tools, and “outbound” to exfiltrate (take out, or steal) sensitive data from the target environment.
Actions on Objectives: This is the phase where impact occurs as part of or the ultimate goal of the attackers. This can include data exfiltration, loss of visibility (ability to monitor) key systems or processes, damage to systems that cause disruption to operations (or even a shutdown of operations), or destruction of critical devices or systems.
An offshoot of The Cyber Kill Chain is the Unified Kill Chain, developed by Paul Pols. I came across this while taking the excellent SANS SEC564 - Red Team Exercises & Adversary Emulation course. The Unified Kill Chain builds out a little on The Cyber Kill Chain and is another great resource for cyber defenders. As you can see below, this breaks down into three primary phases and their sub-phases. All of the phases in both the cyber kill chain models are useful in helping cyber defenders to understand the structure and stages of attacks and to review their current security controls and solutions and assess their ability to detect and defend at each phase/sub-phase of attacks.
A common theme in some cyber related discussions is along the lines of “the bad guys just need to find one vulnerability” to win. I prefer to embrace, and believe in, a more optimistic view on this. I want to cite where I first heard this optimistic view, but I will admit I am not 100 percent sure on this. I believe I first heard it via a presentation or conference talk by someone from Dragos, one of the world’s leading ICS Security firms.
The more optimistic view flips the equation, and says that as defenders we just need to detect the attackers at any stage (and hopefully and early stage) of their attack and have the right ability and playbooks in place to respond effectively and thwart the attack, or at least significantly reduce its impact.
Thanks for sharing... great info