Understanding the Cyber Kill Chain

What is the Cyber Kill Chain?

Originally developed by Lockheed Martin and based of the military’s ‘kill-chain,’ the Cyber Kill Chain framework is a model for identification and prevention of cyber-attacks. It maps what steps adversaries must take in order to achieve their objective. This framework is meant to provide insight into an attack and provide analysts with a greater understanding of that adversary’s tactics, techniques, and procedures in order to decrease chances said adversary achieves their desired outcome.

What are the steps?

1. Reconnaissance: Attacks gather information on the target. Much of the information is readily available to the public.
2. Weaponization: Attackers develop a malicious payload for the victim. The victim is largely unaware.
3. Delivery: Attackers launch their intrusion. The delivery method can take many forms.
4. Exploitation: Attackers compromise their target. Victim may still be unaware.
5. Installation: Attackers gain persistence on their target. Can be the delivery of malware to a computer. If an elaborate attack, may take months to complete.
6. Command and control: Attackers issue commands to their payload. The adversary will operate internal assets remotely.
7. Action on objectives: Attackers complete their end goal. The active attack process can take months.

Why use the Cyber Kill Chain Model?

In mapping out a cyber attack using the Cyber Kill Chain, the idea is that analysts can use several key steps to identify points in an attack where the chain can be broken to prevent of a breach. Each attack is different and many attacks have been gaining in complexity, so it is important to note that not every attack will match up perfectly to the kill chain model.

Perhaps best said by Tenable, “If the goal of the cyber kill chain model is to disrupt or break the chain before major damage occurs, then the method is to divide and conquer: stop the intruder as early in the chain as possible to break his path of destruction. There are many tools in your security arsenal to combat attack chains.”

Why has the Cyber Kill Chain been criticized?

Experts believe that the problem with this model is that it assumes a traditional perimeter defense where a firewall is the main impediment to intruders, which is no longer the case. In many cases, the scope of today’s attacks is much wider than the scope indicated by the Cyber Kill Chain.

Despite its’ focus on an intrusion-centric primarily malware-emphasized attack, there is still value when used with caution. Those who choose to use this model are advised by experts to focus on step 7 primarily so that organizations can detect ongoing attacks before the damage is done.

How can the Cyber Kill Chain still be useful?

Although a seemingly ‘outdated’ method (and I say that with hesitation), the Cyber Kill Chain can be useful in performing threat analysis and in helping incident responders prioritize threats.

In a post by Alien Vault, author Lauren Barraco writes, “As any chess expert knows, the best defense is always based on understanding your attacker’s strategy. When we start mapping our efforts to the attacker’s infiltration steps (known as the cyber kill chain), we can determine where to focus our time. In this case, keeping our attention on the activities towards the end of the cyber kill chain can be a better use of time…. Designing your monitoring and response plan around the cyber kill chain model is an effective method because it focuses on how actual attacks happen.”

By taking this approach, analysts can utilize a method where the prioritization strategy avoids the typical pitfalls and allows you to put yourself in the mind of an attacker, focusing on assets that have a higher risk.

Why learn the Cyber Kill Chain?

Whether you’re an analyst, an indecent responder, or just getting your feet wet in cyber security, the Cyber Kill Chain will help you to understand the challenges of data security and provide a greater insight into attacker methodology. This model presents the opportunity to stop an attack in its tracks where those involved are conditioned to think of the attack not as one lone incident, but as a continuum.

Likewise, “Your security strategy must begin before the attack, be strong during the attack, and stay strong after the attack is complete. By remembering that security is a strategy and not a product, you’ll be on your way to building an effective defensive strategy.”

How can I utilize the Cyber Kill Chain and learn skills to compliment it?

To explore the Cyber Kill Chain in-depth, I recommend the following courses:

• Intro to Cyber Threat Intelligence
• Advanced Cyber Threat Intelligence

For more practical exploration, consider trying a variety of labs, either:

• The CYBRScore Virtual Lab subscription, or
• Network Security Tools Virtual Lab
• Computer Forensics and Investigations Virtual Lab

To Summarize

While the Cyber Kill Chain framework is not a perfect solution for preventing cyber attacks, it can provide those who use it greater insight into their vulnerable assets, allowing better prioritization to be put on those assets. Those new to security or those whose role is tied closely to preventing breaches, creating a strategy, or responding to an incident in its’ aftermath will want to foster a good understanding of this model.