Sometimes referred to as CKC or the cyberattack lifecycle, the cyber kill chain is a security defense model developed to identify and stop sophisticated cyberattacks before they impact an organization. Typically made up of seven steps, a cyber kill chain model breaks down the stages of a cyberattack so that security teams can recognize, intercept or prevent each of them.
Using a cyber kill chain framework can help organizations to better understand relevant threats and improve incident management and response. When done right, cyber kill chains can have significant security benefits — but if done incorrectly, they can put organizations at risk. In fact, certain shortcomings in the kill chain lead to questions about its future. Still, businesses can use cyber kill chain methodology to inform their cybersecurity strategies.
Stick around to see why the cyber security kill chain is a divisive topic in cyber threat management, as we dive into the kill chain’s origins, use cases and cautions.
(Get the docs for the CKC dashboard in Splunk.)
What is a kill chain in cyber security?
You may have heard of the phrase ‘kill chain’ being used in reference to military operations: when an enemy attack is identified, broken down into stages, and preventative measures are put in place. This is the exact concept that inspired the original cyber security kill chain, which was initially created by Lockheed Martin in 2011.
A cyber kill chain’s purpose is to bolster an organization's defenses against advanced persistent threats (APTs): well-resourced adversaries who run prolonged, multi-stage intrusions rather than one-off attacks. The most common threats include the deployment of:
- Trojan horses
- Other social engineering techniques
Cyber kill chains allow enterprises to be prepared and stay one step ahead of hackers at every stage of an attack, from conceptualization to execution.
Cyber kill chain vs MITRE ATT&CK
The cyber kill chain is often compared to the MITRE ATT&CK framework. MITRE ATT&CK also describes the phases of a cyberattack (its tactics, from Reconnaissance through Impact), many of which resemble the cyber kill chain's stages. The key difference is that ATT&CK does not impose a sequence: its tactics are adversary goals that an intrusion may pursue in any order, skip or repeat, whereas the kill chain groups its stages into one linear progression.
Another difference is that the cyber kill chain framework addresses the cyberattack process in seven phases at a high level, while MITRE ATT&CK explores various techniques and procedures that relate to the granular details of a cyberattack. Elements of both the kill chain and ATT&CK can be incorporated into cybersecurity strategy, but we’ll touch more on this later.
(See how to use MITRE ATT&CK in your defense.)
The 7 stages of a cyber kill chain
The original Lockheed Martin cyber kill chain model describes seven steps. This is the most commonly referenced framework in the industry. Lockheed’s 7-stage cyber kill chain explores the methodology and motivation of a cybercriminal across the entire attack timeline, helping organizations to understand and combat threats. These seven phases are:
- Reconnaissance
- Weaponization
- Delivery
- Exploitation
- Installation
- Command and control
- Actions on objectives
Let’s take a look at each phase.
Cyber Kill Chain®, Lockheed Martin (Image source)
1. Reconnaissance
The first stage of the cyber security kill chain is reconnaissance, which is essentially the research stage of the operation. Attackers scope out their target to identify vulnerabilities and potential entry points. This ranges from simply gathering public email addresses to running automated scanners and other tooling to fingerprint the security products and third-party applications in use.
Reconnaissance is a pivotal step in any sophisticated cyberattack and can be done both online and offline. The more intelligence attackers gain at this stage, the more likely the attack is to succeed.
(See how vulnerabilities relate to threats and risk.)
2. Weaponization
Once the perpetrator has gathered information on the target, they can plan how to take advantage of its weaknesses. This is the weaponization stage of the cyber kill chain, in which the attacker builds the malware or malicious payload to use against the target. Because this happens entirely on the attacker's side, it is the one stage defenders cannot observe directly in their own telemetry. The process can include:
- Designing new forms of malware
- Modifying existing programs to better match the vulnerabilities they’re trying to exploit
3. Delivery
Following weaponization is the delivery stage, when cybercriminals transmit the payload to their target’s network or systems.
Typically, these actors deliver malware via phishing emails and other social engineering lures. Delivery can also take the form of direct exploitation of vulnerabilities in an organization’s internet-facing hardware or software.
4. Exploitation
After the payload has been delivered, the next step is exploiting the weaknesses uncovered in the previous cyber kill chain phases to execute code on the target. Attackers can now dig further into the target’s network and learn of additional vulnerabilities they were unaware of before gaining a foothold.
From this point, they often move laterally across the network from one system to another, spotting more potential entry points on the way. Vulnerabilities are much easier for them to identify if there are no deception measures, such as decoy hosts or credentials, in place on the network.
5. Installation
Next is the installation stage, in which the attacker establishes persistence; it is often where privilege escalation happens too. The attacker installs malware and deploys other cyberweapons within the target network in order to gain additional control of more systems, accounts and data. Strategies include installing malware via:
- Trojan horses
- Access token manipulation
- Command-line interfaces
Tactics begin to intensify, as attackers forcefully infiltrate the target network, seeking out unprotected security credentials and changing permissions on compromised accounts.
6. Command and Control
One of the crucial steps of the cyber security kill chain is the establishment of a command and control channel (also known as the C2 phase). After gaining control of part of their target’s systems or accounts, the attacker can now track, monitor and direct their deployed cyberweapons and tooling remotely. Two families of techniques from the MITRE ATT&CK catalogue frequently accompany this stage:
- Obfuscation, by which an attacker hides the fact that a threat is present, essentially covering their tracks. This includes methods such as file deletion, binary padding and code signing of the attacker's tools.
- Denial of service (DoS), where cybercriminals cause problems in other systems or areas to distract security teams from uncovering the core objectives of the attack. This often involves network denial of service or endpoint denial of service, as well as techniques like resource hijacking and system shutdowns.
7. Actions on objectives
The 7 stages of the cyber kill chain culminate with action: the final phase, in which cybercriminals carry out the underlying objective of the attack. This phase can take several weeks or months, depending on the success of the previous steps. Common end goals of a strategic cyberattack include:
Is there an 8th step in the cyber kill chain?
Some security experts advocate for the inclusion of an eighth stage in cyber kill chains: monetization. This can also be considered as the final objective of an attack, but it specifically focuses on the cybercriminal’s financial gain from an attack. The attacker can initiate a ransom request – demanding funds by threatening to release or sell sensitive data (personal information or industry secrets).
Profiteering from cyberattacks has become more of an issue in recent times due to the growing use of cryptocurrency. Crypto makes it easier, and harder to trace, for attackers to request and receive money, facilitating the dramatic increase in monetized cyberattacks.
As with most things in life, prevention is the best cure. The earlier an enterprise can intercept and stop an attack, the easier the remediation will be.
For example, stopping an attack in the command and control phase (Phase 6) usually requires more advanced, costly and time-consuming efforts. This can include anything from rebuilding compromised machines to forensic measures like in-depth network sweeps and endpoint analysis to determine what data has been lost and piece together the overall scale of the attack.
Therefore, organizations should aim to identify and resolve threats at the early stages of the cyber kill chain to reduce the risk to their enterprise and minimize resources.
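The cost argument above is easier to act on if telemetry is tagged with the phase it evidences, so that a responder can see how early each host was caught and which earlier phases were never observed. The following Python is an added example (not code from the original article and not Splunk's CKC dashboard logic): the tagging rules and the log lines are constructed for illustration, and the phase names follow the seven Lockheed Martin stages. Weaponization is excluded from the gap check because it happens on the attacker's side and never appears in defender logs. The second sample host is deliberately first seen at command and control with no earlier events, which is how a skipped stage or a telemetry gap shows up in practice.

```python
import re
from collections import defaultdict

# The seven Lockheed Martin phases, in model order.
PHASES = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]
# Weaponization happens on the attacker's side; defender telemetry cannot observe it.
OBSERVABLE = [p for p in PHASES if p != "weaponization"]

# Illustrative tagging rules (an assumption of this example, not Splunk's CKC
# dashboard logic): the first regex that matches an event message decides its phase.
RULES = [
    ("reconnaissance", re.compile(r"\b(port ?scan|nmap|host enumeration)\b", re.I)),
    ("delivery", re.compile(r"attachment=\S+\.(docm|xlsm|iso|lnk)\b", re.I)),
    ("exploitation", re.compile(r"\b(winword|excel)\.exe spawned (cmd|powershell)\.exe", re.I)),
    ("installation", re.compile(r"\b(new service installed|run key added|scheduled task created)\b", re.I)),
    ("command_and_control", re.compile(r"\b(periodic https post|dns txt burst)\b", re.I)),
    ("actions_on_objectives", re.compile(r"\b(outbound transfer \d+ ?MB|shadow copies deleted)\b", re.I)),
]

# Constructed sample events, "<timestamp> <host> <message>". One host shows the full
# chain; the other is first seen at command and control, with no earlier telemetry.
SAMPLE_LOG = """\
2024-05-01T08:00:00 ws-finance-07 auth: a.jones logged on
2024-05-01T08:01:00 ws-finance-07 ids: inbound port scan from 203.0.113.9
2024-05-01T09:12:30 ws-finance-07 mail: attachment=invoice_Q2.docm delivered to a.jones
2024-05-01T09:14:02 ws-finance-07 edr: winword.exe spawned powershell.exe
2024-05-01T09:15:40 ws-finance-07 edr: run key added for updater.exe
2024-05-01T09:20:00 ws-finance-07 proxy: periodic https post to 198.51.100.23 every 60s
2024-05-02T02:10:00 srv-files-02 dns: dns txt burst to lookup.example 412 queries/min
2024-05-02T02:45:00 srv-files-02 fw: outbound transfer 2300 MB to 198.51.100.23
"""


def tag_events(log_text):
    """Return only the events that matched a rule, each tagged with its kill chain phase."""
    tagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, msg = line.split(" ", 2)
        for phase, pattern in RULES:
            if pattern.search(msg):
                tagged.append({"ts": ts, "host": host, "phase": phase, "msg": msg})
                break  # first matching rule wins; one phase per event
    return tagged


def summarize_hosts(log_text):
    """Per host: phases observed, the earliest and latest, and the observable phases
    that were never seen before the latest one (a skipped stage or a telemetry gap)."""
    by_host = defaultdict(set)
    for ev in tag_events(log_text):
        by_host[ev["host"]].add(ev["phase"])
    summary = {}
    for host, phases in by_host.items():
        seen = sorted(phases, key=PHASES.index)
        latest = seen[-1]
        skipped = [p for p in OBSERVABLE
                   if PHASES.index(p) < PHASES.index(latest) and p not in phases]
        summary[host] = {
            "earliest": seen[0],
            "latest": latest,
            "observed": seen,
            "skipped": skipped,
            # Once C2 is established the attacker has remote control and response cost jumps.
            "contain_now": PHASES.index(latest) >= PHASES.index("command_and_control"),
        }
    return summary


def triage_order(log_text):
    """Hosts ordered by how far down the chain they were last seen, deepest first."""
    summary = summarize_hosts(log_text)
    return sorted(summary, key=lambda h: PHASES.index(summary[h]["latest"]), reverse=True)


if __name__ == "__main__":
    summary = summarize_hosts(SAMPLE_LOG)
    for host in triage_order(SAMPLE_LOG):
        info = summary[host]
        print(f"{host}: first seen at {info['earliest']}, latest {info['latest']}, "
              f"skipped {info['skipped'] or 'none'}, contain_now={info['contain_now']}")
```

Run as a script it prints one triage line per host. The "skipped" list is the useful signal for the cost argument: a host whose first observed phase is command and control either skipped the earlier stages or, more often, the earlier stages happened where no sensor was watching, and both readings tell the team where cheaper, earlier interception was possible.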
(See how Splunk helps with advanced threat detection.)
Weaknesses of the cyber kill chain
The Lockheed Martin cyber kill chain model may have its strengths, but some consider the 2011 framework to be outdated or lacking in innovation. A key weakness of the traditional model is that it’s designed to detect and prevent malware and protect perimeter security. Yet, we now face many more security threats, and cybercrime is becoming more and more sophisticated.
Here are the major drawbacks of the traditional seven-step cyber kill chain.
Limited attack detection profile
As we’ve recognized, the kill chain is limited in terms of the types of attacks it can describe and detect. The original cyber kill chain framework centers on malware and payloads, and therefore does not account for attacks that never need a malicious payload on an endpoint: web application attacks such as SQL injection and cross-site scripting (XSS), denial of service (DoS), and certain zero-day exploits.
Additionally, it does not account for attacks conducted by unauthorized parties who are attempting to leverage compromised credentials.
Does not recognize insider threats
Insider threats pose a significant risk to organizations, yet they are not accounted for in the traditional cyber kill chain process. To identify insider threats, you need to closely monitor both:
- Suspicious changes in user behavior
- Unusual activity in subnets, applications and computers
You can profile user behavior, whether automated or manual. An automated approach is best because you can set alerts for deviations from each user's baseline. Over time, tuning those alerts against what analysts confirm lets you separate real threats from false positives faster.
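A minimal version of that behavioral profile, as an added example (not code from the original article): each user's baseline is learned from a training window of constructed sign-in events (login hour range, hosts used, download volume), new events are scored against it, and an alert fires only when several indicators coincide. The `min_reasons` threshold is the tuning knob the paragraph refers to: a single new host is a common benign event (a replaced laptop), so on its own it is recorded but not alerted. All users, hosts, timestamps and volumes are invented for this example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample telemetry: "<iso timestamp> <user> <host> <mb_downloaded>".
BASELINE_LOG = """\
2024-04-01T09:05:00 a.jones ws-finance-07 12
2024-04-02T10:15:00 a.jones ws-finance-07 15
2024-04-03T09:02:00 a.jones ws-finance-07 10
2024-04-04T08:58:00 a.jones ws-finance-07 14
2024-04-05T09:20:00 a.jones ws-finance-07 9
2024-04-01T08:40:00 b.smith ws-sales-03 30
2024-04-02T09:05:00 b.smith ws-sales-03 28
2024-04-03T08:50:00 b.smith ws-sales-03 35
2024-04-04T09:12:00 b.smith ws-sales-03 27
2024-04-01T10:00:00 c.lee srv-admin-01 5
2024-04-02T11:10:00 c.lee srv-admin-01 6
2024-04-03T10:45:00 c.lee srv-admin-01 5
"""

# Constructed events to score: an off-hours bulk download from an unfamiliar host,
# a benign-looking new host at the usual time, and a perfectly normal session.
NEW_LOG = """\
2024-04-20T03:12:00 a.jones ws-hr-02 900
2024-04-22T09:10:00 b.smith ws-sales-11 29
2024-04-22T10:30:00 c.lee srv-admin-01 5
"""


def parse_events(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, mb = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "mb": float(mb)})
    return events


def build_baselines(events):
    """Per-user profile: working-hour window (with one hour of slack either side),
    hosts seen, and a download-volume threshold of mean + 3 standard deviations."""
    per_user = defaultdict(list)
    for ev in events:
        per_user[ev["user"]].append(ev)
    baselines = {}
    for user, evs in per_user.items():
        hours = [ev["ts"].hour for ev in evs]
        volumes = [ev["mb"] for ev in evs]
        baselines[user] = {
            "hour_window": (min(hours) - 1, max(hours) + 1),
            "hosts": {ev["host"] for ev in evs},
            # Floor the deviation at 1 MB so a very flat baseline does not alert on noise.
            "mb_threshold": mean(volumes) + 3 * max(pstdev(volumes), 1.0),
        }
    return baselines


def score_event(baselines, ev):
    """Return the list of indicators this event trips against the user's baseline."""
    base = baselines.get(ev["user"])
    if base is None:
        return ["unknown_user"]
    reasons = []
    lo, hi = base["hour_window"]
    if not lo <= ev["ts"].hour <= hi:
        reasons.append("off_hours_login")
    if ev["host"] not in base["hosts"]:
        reasons.append("new_host")
    if ev["mb"] > base["mb_threshold"]:
        reasons.append("download_volume")
    return reasons


def detect(baseline_text, new_text, min_reasons=2):
    """Alert only when at least min_reasons indicators coincide (the tuning knob)."""
    baselines = build_baselines(parse_events(baseline_text))
    alerts = []
    for ev in parse_events(new_text):
        reasons = score_event(baselines, ev)
        if len(reasons) >= min_reasons:
            alerts.append({"user": ev["user"], "host": ev["host"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(BASELINE_LOG, NEW_LOG):
        print(f"ALERT {alert['user']} from {alert['host']}: {', '.join(alert['reasons'])}")
```

With the default threshold only a.jones alerts (off-hours, new host and volume all trip); lowering `min_reasons` to 1 also raises b.smith's new host, which is the kind of false positive the paragraph says you learn to filter over time.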
(Solve common challenges with anomaly detection.)
The kill chain is not flexible
Not all attackers follow the cyber kill chain playbook linearly or step by step. They can skip, add and backtrack stages.
For example, attackers sometimes skip the reconnaissance step, in which they would conduct extensive research on their target. A “spray and pray” campaign is a case where reconnaissance is not needed: the attacker hits many targets indiscriminately, and some of those attempts slip past detection by chance.
Attackers may also choose to merge steps of the kill chain. A 2018 report from Alert Logic revealed that nearly 90% of attacks combine the first five stages of the cyber kill chain into a single action. If the traditional framework is followed to the letter, then enterprises could miss or fail to stop threats before they infiltrate the network.
Transformative technologies accelerate the evolution of cyber attacks
The development of recent technologies has paved the way for new attacks that lie outside the original cyber kill chain framework. Innovations such as cloud computing, DevOps, IoT, machine learning and automation, have all broadened the scope of cyberattacks by increasing the number of data sources and entry points.
Other cultural and social factors such as the rise in remote working and cryptocurrency mean there are more points of access for hackers to exploit, and it can be challenging for organizations to cover all bases and secure vulnerable endpoints.
How can the cyber kill chain improve security?
Although the original seven stages of the cyber kill chain have been subject to scrutiny, organizations can still use these principles to help better prepare for existing and future cyberattacks. A cyber kill chain framework can guide a business’s cyber security strategy, whether that’s by identifying flaws with the current strategy or confirming what’s already working well. For example, it could incentivize the adoption of services and solutions such as:
- Endpoint protection software
- Employee training
As the cyberattack landscape continues to evolve, organizations must consider a strategy that incorporates a layered approach of administrative, technical and physical security measures. The cyber kill chain methodology can help to achieve this, but the initial model only stretches so far.
Alternatives to the original cyber kill chain
While every business requires their own tailored cyber kill chain framework, here are some other ways to adapt the original kill chain process:
Unified kill chain
The concept of a unified kill chain combines techniques from MITRE ATT&CK and the original cyber kill chain model. The result is a detailed, integrated framework comprised of 18 individual stages, which can be grouped into three core phases:
- Initial foothold
- Network propagation
- Action on objectives
This approach allows security teams to simultaneously compare indicators of compromise (IOCs) against multiple feeds of threat intelligence in order to effectively respond to threats. A unified kill chain ATT&CK model can be used by defensive and offensive teams to develop security controls.
Simulation of cyber kill chains
Kill chain models can also be used for cyberattack simulation, and there are numerous specialized platforms that can simulate the cyber kill chain process. This enables you to locate and amend any entry points or system vulnerabilities in a very short amount of time.
As well as simulating cyber threats through email, web, and firewall gateways, these platforms can provide you with a risk score/report of system entities to help teams identify key areas of risk. The organization can then take action and prevent future threats with methods such as changing configurations and installing patches.
Don’t kill the cyber chain just yet
The continuous evolution of cyberattacks has led many to question the future of the cyber kill chain. An agile kill chain that incorporates elements of MITRE ATT&CK and extended detection and response (XDR) strategies could identify a broader range of threats, and be able to prevent and neutralize them more effectively.
No matter what your stance on the cyber kill chain framework, addressing existing vulnerabilities and having a comprehensive cyber security strategy in place is crucial for the safeguarding of any business.
This article was written in collaboration with Ailis Rhodes and does not necessarily represent Splunk's position, strategies or opinion.