What is The Cyber Kill Chain?

So you’ve garnered an interest in cyber security and you’ve heard this term thrown around, but what is it?

The Cyber Kill Chain is a 7-step outline that breaks down a cyber-threat actor’s process and the steps they must go through when conducting a successful attack.

It was originally developed by Lockheed Martin in 2011 as part of their Intelligence Driven Defense model, which is intended to identify and prevent cyber-intrusion activities.

[1] Reconnaissance

In the initial planning stage of an attack, also known as footprinting, adversaries gather as much information relevant to their objective as possible to build a clear understanding of how the business operates and to map out a path of attack.

Some of these tactics include: harvesting e-mail addresses and personal info, identifying employees and the social media accounts belonging to them, gathering public disclosures of information, and any other data gathering that gives them a more complete picture of the target organization.

This stage also includes scanning or discovery of internet-facing assets and mapping out possible vulnerabilities to be exploited.

The reconnaissance stage’s main goal is to identify possible vulnerabilities and explore how to exploit them. The more data an attacker has on the people and systems in an organization, the greater the chance of a successful attack.

[2] Weaponization

Stage 2 is weaponization: using the data obtained in the reconnaissance stage, attackers formulate their plan of attack and develop the tools they intend to use. This includes things like malware, spear-phishing e-mails, phishing webpages to steal credentials, etc.

[3] Delivery

The next stage is delivery of the malware, whether through a malicious attachment, an infected USB stick, or a phishing link leading to a copy of an internal employee site intended to steal credentials. The method of delivery varies from attack to attack based on what was discovered in the recon stage and on the attacker’s preferred tools or methods. Now the attacker must wait for a successful infection or credential grab so they can gain access to the system.

[4] Exploitation

The fourth stage is exploitation. Now that the payload has been weaponized and delivered, if the malware executes successfully, through the clicking of that malicious attachment or the compromise of user accounts, the attacker has a foothold in the network. Once inside, more information can be gathered through analysis of the traffic, the systems that are connected, and any further possible exploits.

[5] Installation

The main goal of stage 5 is to KEEP ACCESS. Now that the system has been infected, attackers will go to great lengths to maintain access by doing any number of things: installing backdoors or webshells, escalating privileges and trying to create privileged accounts, tweaking security or firewall settings, or anything else that ensures their access lasts as long as they need to complete their objective.

[6] Command and Control

Next, the malware opens a channel to a command and control (C2) server that gives the attacker two-way communication: they can send commands to the infected systems and download or retrieve data from them. These channels often use HTTP or HTTPS so that the traffic blends in with normal network traffic.

[7] Actions on Objectives

The seventh and final stage of a successful attack is where the attacker actually carries out the objective of the attack, which can be any number of things depending on the threat actor: ransomware, theft of intellectual property, data exfiltration, malicious destruction, or something else entirely.
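The way defenders actually use the kill chain is to map the alerts they already have onto its stages, so they can see how far an intrusion got and, more importantly, which earlier stage they could have broken it at. The following Python script is an added example (not part of the original post or of Lockheed Martin’s model): the alert-type names, host names and sample alerts are all assumed and constructed for illustration.

```python
from collections import defaultdict

# The seven stages, numbered as in the post.
STAGES = {
    1: "Reconnaissance", 2: "Weaponization", 3: "Delivery", 4: "Exploitation",
    5: "Installation", 6: "Command and Control", 7: "Actions on Objectives",
}

# Hypothetical alert types (assumed for this example, not from any real product)
# mapped to the stage they evidence. Stage 2 has no entry on purpose: weaponization
# happens on the attacker's side, so the defender rarely sees direct evidence of it.
ALERT_TO_STAGE = {
    "external_port_scan": 1,
    "phishing_email_delivered": 3,
    "office_macro_spawned_shell": 4,
    "new_run_key_persistence": 5,
    "periodic_https_beacon": 6,
    "large_outbound_transfer": 7,
}

def stages_per_host(alerts):
    """Group alerts by host: {host: sorted stage numbers that have evidence}."""
    seen = defaultdict(set)
    for alert in alerts:
        stage = ALERT_TO_STAGE.get(alert["type"])
        if stage is not None:  # alert types with no mapping are simply ignored
            seen[alert["host"]].add(stage)
    return {host: sorted(stages) for host, stages in seen.items()}

def chain_progress(alerts, host):
    """Return (earliest_stage, furthest_stage, gaps) for one host, or None.
    Gaps are stages between the two that produced no alert even though the
    attacker must have passed through them; earliest is where the chain first became visible."""
    stages = stages_per_host(alerts).get(host, [])
    if not stages:
        return None
    lo, hi = stages[0], stages[-1]
    gaps = [s for s in range(lo, hi + 1) if s not in stages]
    return lo, hi, gaps

# Constructed sample alerts (not real telemetry).
SAMPLE_ALERTS = [
    {"host": "ws-17", "type": "phishing_email_delivered"},
    {"host": "ws-17", "type": "office_macro_spawned_shell"},
    {"host": "ws-17", "type": "periodic_https_beacon"},
    {"host": "web-01", "type": "external_port_scan"},
    {"host": "web-01", "type": "unknown_vendor_event"},
]
if __name__ == "__main__":
    print({h: chain_progress(SAMPLE_ALERTS, h) for h in stages_per_host(SAMPLE_ALERTS)})
```

For the constructed data, ws-17 was first visible at Delivery and reached Command and Control with no signal at Installation, which tells the defender exactly where their coverage gap is; web-01 only ever saw Reconnaissance.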

The cyber kill chain is a great basis of knowledge for how a cyber attack is executed, and I hope I could help you more easily understand these concepts.