What is the cyber kill chain?

In 2011, Lockheed Martin adapted a military concept called the kill chain for the cybersecurity industry and named it the cyber kill chain. Like the kill chain, the cyber kill chain identifies the stages of an attack and gives defenders insight into their adversaries’ typical tactics and techniques during each stage. Both models are also linear with the expectation that attackers will follow each stage sequentially.

Since the cyber kill chain was first introduced, cyberthreat actors have evolved their tactics and don’t always follow every stage of the cyber kill chain. In response, the security industry has updated its approach and developed new models. The MITRE ATT&CK® matrix is a detailed list of tactics and techniques based on real attacks. It uses similar stages as the cyber kill chain but doesn’t follow a linear order.

In 2017 Paul Pols in collaboration with Fox-IT and Leiden University developed another framework, the unified kill chain, which combines elements of both the MITRE ATT&CK matrix and the cyber kill chain into a model with 18 stages.

Reconnaissance

The cyber kill chain defines a sequence of cyberattack phases with the goal of understanding the mindset of cyberattackers, including their motives, tools, methods, and techniques, how they make decisions, and how they evade detection. Understanding how the cyber kill chain works helps defenders stop cyberattacks in the earliest stages.

During the weaponization phase, bad actors use the information uncovered during reconnaissance to create or modify malware to best exploit the targeted organization’s weaknesses.

Once they’ve built malware, cyberattackers attempt to launch their attack. One of the most common methods is using social engineering techniques such as phishing to trick employees into handing over their sign-in credentials. Bad actors may also gain entry by taking advantage of a public wireless connection that isn’t very secure or exploiting a software or hardware vulnerability uncovered during reconnaissance.

After cyberthreat actors infiltrate the organization, they use their access to move laterally from system to system. Their goal is to find sensitive data, additional vulnerabilities, administrative accounts, or email servers that they can use to inflict damage on the organization.

In the installation stage, bad actors install malware that gives them control of more systems and accounts.

After cyberattackers have gained control of a significant number of systems, they create a control center that allows them to operate remotely. During this stage they use obfuscation to cover their tracks and avoid detection. They also use denial-of-service attacks to distract security professionals from their true objective.

In this stage, cyberattackers take steps to achieve their primary goal, which could include supply chain attacks, data exfiltration, data encryption, or data destruction.

Although Lockhead Martin’s original cyber kill chain included just seven steps, many cybersecurity experts have expanded it to eight to account for the activities bad actors take to generate income from the attack, such as using ransomware to extract a payment from their victims or selling sensitive data on the dark web.

Understanding how cyberthreat actors plan and conduct their attacks helps cybersecurity professionals find and mitigate vulnerabilities across the organization. It also helps them identify indicators of compromise during the early stages of a cyberattack. Many organizations use the cyber kill chain model to proactively put security measures in place and to guide incident response.

Threat intelligence

One of the most important tools for protecting an organization from cyberthreats is threat intelligence. Good threat intelligence solutions synthesize data from across an organization’s environment and deliver actionable insights that help security professionals detect cyberattacks early.

Often bad actors infiltrate an organization by guessing or stealing passwords. After they get inside, they attempt to escalate privileges to gain access to sensitive data and systems. Identity and access management solutions help detect anomalous activity that may be an indication that an unauthorized user has gained access. They also offer controls and security measures, such as two-factor authentication, that make it more difficult for someone to use stolen credentials to sign in.

Many organizations stay ahead of the latest cyberthreats with the help of a security information and event management (SIEM) solution. SIEM solutions aggregate data from across the organization and from third-party sources to surface critical cyberthreats for security teams to triage and address. Many SIEM solutions also automatically respond to certain known threats, reducing the number of incidents that a team needs to investigate.

In any one organization there are hundreds or thousands of endpoints. Between the servers, computers, mobile devices, and Internet of Things (IoT) devices that companies use to conduct business, it can be nearly impossible to keep them all up to date. Bad actors know this, which is why many cyberattacks start with a compromised endpoint. Endpoint detection and response solutions help security teams monitor them for threats and respond quickly when they discover a security issue with a device.

Extended detection and response (XDR) solutions take endpoint detection and response one step further with a single solution that protects endpoints, identities, cloud apps, and emails.

Not all companies have in-house resources available to effectively detect and respond to threats. To augment their existing security team, these organizations turn to service providers that offer managed detection and response. These service providers take on the responsibility of monitoring an organization’s environment and responding to threats.

Although understanding the cyber kill chain can help companies and governments proactively prepare for and respond to complex, multistage cyberthreats, relying on it exclusively may make an organization vulnerable to other types of cyberattacks. A few of the common critiques of the cyber kill chain are that it’s:

• Focused on malware. The original cyber kill chain framework was designed to detect and respond to malware and is not as effective against other types of attacks, such as an unauthorized user gaining access with compromised credentials.

• Ideal for perimeter security. With an emphasis on protecting endpoints, the cyber kill chain model worked well when there was a single network perimeter to protect. Now with so many remote workers, the cloud, and an ever-expanding number of devices accessing a company’s assets, it can be nearly impossible to address every endpoint vulnerability.

• Not equipped for insider threats. Insiders, who already have access to some systems, are harder to detect with a cyber kill chain model. Instead, organizations need to monitor and detect changes in user activity.

• Too linear. Although many cyberattacks follow the eight stages outlined in the cyber kill chain, there are also many that don’t or combine several steps into a single action. Organizations that are too focused on each of the stages may miss these cyberthreats.

Since 2011 when Lockhead Martin first introduced the cyber kill chain, a lot has changed in the technology and cyberthreat landscape. Cloud computing, mobile devices, and IoT devices have transformed how people work and businesses operate. Cyberthreat actors have responded to these new technologies with their own innovations, including using automation and AI to accelerate and improve their cyberattacks. The cyber kill chain offers a great starting point for developing a proactive security strategy that takes into account the cyberattacker mindset and objectives. Microsoft Security offers a unified SecOps platform that brings together XDR and SIEM into one adaptable solution to help organizations develop a multilayered defense that protects all stages in the cyber kill chain. And organizations are also preparing for emerging, AI-powered cyberthreats by investing in AI for cybersecurity solutions, like Microsoft Copilot for Security.