What is a cyber kill chain?

How understanding the progression of an online attack can help you defend your business

Cyber kill chain? That sounds scary

That might be explained by the fact that it's a military term. The "kill chain" is the complete sequence of an offensive attack: in the context of warfare it can be expanded to "find, fix, track, target, engage and assess".

For computer-based attacks, Lockheed Martin developed the concept of the cyber kill chain, which starts with reconnaissance and then moves through delivery, exploitation and other stages in pursuit of the attacker's final objectives.

Is this something I need to know about?

The kill chain isn't just about planning attacks: it's also a powerful defensive principle. The closer you are to the start of the kill chain, the better your chances of stopping an attacker in their tracks. In other words, if you catch the bad guys while they're still gathering data, they won't get a chance to use that intelligence against you.

Do employees need to be trained to recognise an attack?

Knowing your enemy is always helpful. And there's no need to be entirely reactive: if you bear the kill chain in mind when devising your processes and systems, that might help you come up with a strategic approach that's inherently resistant to attacks.

Hold on a minute - what do you mean, "might"?

The kill chain, as defined by Lockheed Martin, describes a particular sort of threat that involves external actors acting in a certain way. If you put too much faith in it, you're at risk of being blindsided by attacks that don't neatly map onto its sequential stages.

For example, an agent inside the business can leapfrog your perimeter defences, and may be able to take shortcuts around other steps in the kill chain.

So how exactly do I apply the kill chain principles?

As long as you bear in mind that the kill chain only fully applies to intrusion-based malware attacks, it can be a useful tool. Knowing where to focus your defensive measures - towards the start of the kill chain - can greatly reduce the damage caused by even a partially successful attack.

It's cheaper too: shutting down a rogue connection is a lot quicker than disinfecting a compromised network. Thinking in terms of the kill chain also provides some focus and encouragement in an age when the cyber-security battle can sometimes seem unwinnable. It's a reminder that the attacker needs to successfully execute all seven phases of the chain to win, whereas you as a defender just need to stop them at any one point.

So how exactly do I mitigate the kill chain phases?

Every business should already have a layered approach to security; devising your layers with the kill chain in mind gives you the best chance of shutting down the attack at an early stage.

For example, restricting access to key security information could deflect many attempted attacks at the very first phase (reconnaissance). Staff training can help at the malware delivery phase, and careful restriction of administrative privileges could help defeat the exploitation phase. The idea may have come from Lockheed Martin, but it's not rocket science.

The seven phases of the cyber kill chain

Recon

First, the attacker researches their target, gathering information about possible vulnerabilities.

Weaponize

Next, the attacker creates (or acquires) a malware or exploit kit that can make the best use of the vulnerabilities they've found.

Deliver

The malware is now delivered to the target, via means such as a malicious link or attachment - or perhaps a social engineering trick.

Exploit

This is the execution of the exploit itself. For example, a privilege-escalation attack might be used to gain access to sensitive data.

Install

"Back door" software is often deployed on the target network, so the attacker can maintain access over a prolonged period without being detected.

Command & Control

An intermediary server - often one that's been compromised without the knowledge of the owner - is frequently used to direct ongoing attack activities.

Action to Objective

Once the first six phases have been successfully executed, the attacker can freely carry out whatever their ultimate objective may be - perhaps stealing sensitive data, or using the compromised network as a route to an ulterior target.
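As an added illustration of how a defender can use the seven phases above as a triage lens (this is example code written for this page, not anything from Lockheed Martin or the article), the script below scores a constructed stream of alerts against the chain and reports, per host, how far an intrusion got and at which phase a control broke the chain. The alert format and the event-to-phase mapping are assumptions made for the example.

```python
"""Added example: score alerts against the seven kill chain phases so a
defender can see how far each intrusion progressed and where it stopped.
The alert format and the event-to-phase mapping are assumptions."""

# The seven phases, in the order the article lists them.
PHASES = ["Recon", "Weaponize", "Deliver", "Exploit",
          "Install", "Command & Control", "Action to Objective"]

# Assumed mapping from an alert's event type to a phase.
EVENT_PHASE = {
    "port_scan": "Recon",
    "phishing_email": "Deliver",
    "exploit_attempt": "Exploit",
    "persistence_created": "Install",
    "c2_beacon": "Command & Control",
    "data_exfil": "Action to Objective",
}

# Constructed sample alerts: (host, event_type, outcome); "blocked" means a
# control stopped the activity, "observed" means it went through.
SAMPLE_ALERTS = [
    ("ws-01", "port_scan", "observed"),
    ("ws-01", "phishing_email", "observed"),
    ("ws-01", "exploit_attempt", "blocked"),
    ("ws-02", "phishing_email", "observed"),
    ("ws-02", "exploit_attempt", "observed"),
    ("ws-02", "persistence_created", "observed"),
    ("ws-02", "c2_beacon", "blocked"),
    ("ws-02", "data_exfil", "observed"),    # after the block: ignored
    ("ws-03", "unknown_event", "observed"),  # unmapped: ignored
]


def summarise(alerts):
    """Per host, return the furthest phase reached and the phase where the
    chain was broken (None if never blocked). Breaking any one link ends
    the chain, so alerts after a block are not counted."""
    report = {}
    for host, event_type, outcome in alerts:
        phase = EVENT_PHASE.get(event_type)
        if phase is None:
            continue
        entry = report.setdefault(host, {"furthest": None, "stopped_at": None})
        if entry["stopped_at"] is not None:
            continue
        if entry["furthest"] is None or PHASES.index(phase) > PHASES.index(entry["furthest"]):
            entry["furthest"] = phase
        if outcome == "blocked":
            entry["stopped_at"] = phase
    return report
```

Hosts whose "stopped_at" is None but whose "furthest" is late in the chain are the ones to escalate first.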
