The Cyber Kill Chain Model: A Comprehensive Guide
What is the Cyber Kill Chain Model? How this cybersecurity model stops network intrusions following a military-based approach
The cyber kill chain model offers a detailed perspective and the appropriate methods to recognize incidents surrounding an attack against an organization. This model allows security teams to impede the assault during a certain stage and consequently design stronger security and enhance their incident response and analysis capabilities.
Throughout the past couple of decades, cyber threats have grown drastically in size and complexity. The increasing popularity of the cloud, the development of advanced social engineering techniques, or the rise of Business Email Compromise (BEC) are some of today’s cyber dangers that have rendered traditional security defenses insufficient. For this reason, cybersecurity prevention and mitigation methods were compelled to keep pace with these ever-growing threats.
Although all security strategies should be based on a prevention-first mindset, this approach alone will not suffice. Instead, monitoring and remediation should also be included, especially when it comes to mitigating targeted, high-profile attacks. It’s not only about ensuring absolute prevention – but it’s also about understanding how to respond should an incident occur and achieving a state of cyber resilience.
A means of defending your sensitive network is through the cyber kill chain model. This is a framework used to detect and prevent cyber intrusions, defining what the opponents may do in order to reach their target.
What follows is a complete explanation of what the cyber kill chain is, how it works, and why you should apply it in your organization.
What is the Cyber Kill Chain Model?
“Kill Chain” is a concept that was first adopted by the military to describe the actions used by an adversary to attack and destroy a target. In essence, it relates to what an assault would look like from a military perspective and describes all stages that attackers go through. Recognizing the kill chain phases will help the line of defense correctly identify the intruders and stop them faster. The earlier you find the bad actors, the more likely it is that you will catch them.
Using this military model originally created to find, fight, and defeat the enemy, Lockheed Martin developed the cyber kill chain model. The framework has evolved since its beginning to help predict and detect various cyber threats, such as insider attacks, social engineering, sophisticated malware, APTs, data breaches, etc.
The cyber kill chain is a blueprint for operating in a chained way, that incident response teams, forensics experts, and malware researchers can follow. Fundamentally, the cybersecurity kill chain is the visualization and study of an attacker’s offensive behavior. Thus, it is of paramount importance that security analysts fully understand it so they can strike back.
The 7 steps of the Cyber Kill Chain
The cybersecurity kill chain comprises seven key steps, spanning from detection to lateral movement to data exfiltration, aiming to ensure good visibility and helping security teams better grasp the adversary’s strategies, operations, and procedures. It offers a mechanism of breaking down a dynamic attack into generic steps so that they can be better examined. This layered tactic would allow observers to fix smaller and simpler challenges, while also helping defenders thwart each stage by designing protection and mitigation methods.
The cyber kill chain consists primarily of 7 stages.
Regardless of what vectors of attack we’re looking at and no matter if they’re coming from the inside or outside the organization, they can be successfully identified thanks to this model.
- Reconnaissance – The attackers pick a target and perform a detailed analysis, start collecting information (email addresses, conferences information, etc.) and evaluate the victim’s vulnerabilities to determine how to exploit them.
- Weaponization – During this stage, malicious actors develop a malware weapon and aim to exploit the discovered vulnerabilities.
- Delivery – This phase involves delivering the weapon. Here, the intruder will use various tactics, such as phishing, infected USB drives, etc.
- Exploitation – The stage where intruders start leveraging vulnerabilities to executed code on the victim’s system.
- Installation – The malware weapon is installed.
- Command & Control – A C&C server is used for the remote manipulation of the victim.
- Actions on Objectives – In the final stage, attackers complete their goals.
If security experts manage to break any link in this chain, the attack will be stopped.
Phases of cyber kill chain – Source: Technical Aspects of the Cyber Kill Chain
How does the Cyber Kill Chain Work?
Next, I will break down each of the kill chain stages, as per the analysis shown in the Technical Aspects of the Cyber Kill Chain research paper, authored by Tarun Yadav.
This stage involves collecting data about the future target (a person or an organization).
It is further necessary to break down reconnaissance to target identification, selection, and profiling.
Cyberspace identification primarily means crawling the World Wide Web (e.g. websites, conferences, blogs, social relationships, mailing lists, and network tracing software) to obtain information about the target. In later phases of the cyber kill chain, data collected from reconnaissance is used to plan and distribute the payload.
The reconnaissance stage is classified into two types:
- Passive recognition: This move is achieved by collecting target information without him/her being aware of it.
- Active recognition: This stage requires much thorough analysis of the target.
Reconnaissance offers information about potential targets, which will allow the intruder to determine the type of weapon necessary to infiltrate the target, potential types of delivery methods, issues with malware installation, and the protection measures that need to be circumvented.
Next, you will see how advanced malware is created using the knowledge obtained in the reconnaissance stage.
The cyber kill chain’s Weaponization stage deals with the creation of a backdoor and a penetration strategy using the knowledge gathered from reconnaissance to enable the backdoor to be delivered successfully. In this instance, a Remote Access Tool (RAT) will be used.
Weaponization entails the creation and development of two components:
- RAT (Remote Access Tool)
Typically considered the payload of a cyber-weapon, RAT is a piece of software that executes on the machine of the victim and allows the intruder remote, secret, and unobserved entry. It can provide “system exploration, file upload or download, remote file execution, keystroke monitor, screen capture, webcam or system power on/off with limited or user-level privileges”, Yadav notes.
This is the part of the weapon which allows the RAT to run, acting as a carrier for the RAT and leveraging system or software vulnerabilities. The key aim of using exploits is to evade user detection by using the RAT to construct a silent backdoor entry. There can be several kinds of infection sources, such as MS Office files, PDFs, audio/video, or web pages. More vulnerabilities such as privilege escalation exploits can be used on the target after having a RAT installed to get elevated privileges, and then further disseminate the RAT, ensure permanent access or even break the entire system.
In my colleague’s article, you can find the following Case study: Bank Security’s Excel weaponization via the Metasploit SMB delivery module, so please go through it as well.
Delivery is a crucial component of the cyber kill chain and is responsible for an efficient and powerful cyber-attack. Any type of user activity, such as uploading and executing infected files or accessing malicious web pages will be necessary for most attacks.
For an intruder, delivery is a high-risk assignment because it leaves traces. Many of the attacks are thus carried out anonymously using online payment providers, hacked websites, and compromised email addresses.
Delivery mechanisms include:
- Email attachments
- Drive-by Downloads
- USB/Removal Media
- DNS Poisoning
After the cyber weapon is shipped, the next step is executing the exploit with the aim of silently installing the payload and executing it.
The exploit will only work on outdated systems and most probably will not be picked up by traditional security tools, like Antivirus or Firewalls.
Essentially, exploitation is the most critical stage within the cyber kill chain. We often bring up the importance of patch management and keeping up with the latest software updates to close security holes in your organization. So, on a side note, I suggest you check out our Patch & Asset Management solution, which enables you to achieve compliance, mitigate exploits, close vulnerabilities, deploy updates, and install software remotely and according to your schedule. Our tool covers both Microsoft and 3rd party application management and comes with customizable set-and-forget settings for automatic deployment of software and updates.
Traditionally, an infection vector such as corrupted disposable media will infect a device, which in turn would leave a malware executable that will operate every time the computer boots up. Consequently, users would report this executable to their security provider, who would evaluate it and come up with a signature to detect it and a removal tool. Modern malware no longer works in such a simple manner, now relying heavily on droppers and downloaders to distribute the malware modules in a far more advanced way.
6. Command & Control
The C&C server, used to send remote hidden instructions to compromised computers, is an essential part of any cyber-attacks. It also functions as the location where the data is exfiltrated. Throughout the years, due to the exponential growth of defense mechanisms, including antiviruses, firewalls, IDSs, etc, the design of C&C networks has greatly developed.
C&C server connections can be prevented with DNS filtering tools. For instance, Heimdal Threat Prevention stops threats at the DNS, HTTP, and HTTPS-level, detecting and stopping DNS hijacking, exploits, ransomware, data leaks, and more.
7. Act on Objectives
In the final stage, the intruder executes the commands after the connection with the target device is established. The command used by the attacker depends on the attack’s purpose.
Mass attacks are aimed towards reaching as many targets as possible – multiple systems combined are of concern in mass attacks, rather than a single system. Many of these assaults have the objective of harvesting the victim’s credentials. Botnets, which are mostly used for DDoS attacks and virtual coin mining, are some examples of mass attacks. I’ve also written an article on how to prevent a botnet attack from compromising your business, so I suggest you check it out as well.
Targeted attacks are more sophisticated and more carefully conducted and are aimed towards a single entity, with the purpose of exfiltrating data such as login credentials. For example, when the target is a single enterprise, moving laterally inside the network becomes a primary goal.
The rise of sophisticated attacks carried out by threat actors, who now can gain access to advanced resources and technologies that help them achieve a pervasive and undetected presence, is one of the main challenges faced by organizations. The cyber kill chain examines the cyber-attack flow, with each stage being of critical importance.
Studying the cybersecurity kill chain at every stage of the assault can help security teams detect and minimize threats. The sooner the identification is completed, the better the damage can be mitigated.
Heimdal™ Threat Prevention - Endpoint
- Machine learning powered scans for all incoming online traffic;
- Stops data breaches before sensitive info can be exposed to the outside;
- Advanced DNS, HTTP and HTTPS filtering for all your endpoints;
- Protection against data leakage, APTs, ransomware and exploits;