What Is the Cyber Kill Chain and How It Can Protect Against Attacks

By Pratik Dholakiya

Cybersecurity is one of the top issues that organizations are battling with every day. In fact, according to Accenture, 68% of business leaders say that their cybersecurity risks are increasing.

Ignoring cybersecurity is proving to be one of the most expensive mistakes, leading to a 72% increase in the average cost of cybercrime over the past 5 years.

With cybersecurity, it is not possible to entirely eliminate risks. Hence, having defense strategies in place can be the best possible solution to mitigating cybersecurity risk.

Using a layered security approach, the risks can be minimized. But, how do you ensure that your cybersecurity system is strong enough to withstand any attacks on your organization? This is where the cyber kill chain has a role to play.

In this article, let’s find out about what a cyber kill chain is and how businesses can use it to protect themselves from attacks.

 

What is a Cyber Kill Chain?


The cyber kill chain is essentially a cybersecurity model created by Lockheed Martin that traces the stages of a cyber-attack, identifies vulnerabilities, and helps security teams to stop the attacks at every stage of the chain.

The term kill chain is adopted from the military, which uses this term related to the structure of an attack. It consists of identifying a target, dispatch, decision, order, and finally, destruction of the target.

 

How does the Cyber Kill Chain Work?


The cyber kill chain consists of 7 distinct steps:

  1. Reconnaissance
     The attacker collects data about the target and the tactics for the attack. This includes harvesting email addresses and gathering other information.

     Automated scanners are used by intruders to find points of vulnerability in the system. This includes scanning firewalls, intrusion prevention systems, etc. to get a point of entry for the attack.

  2. Weaponization
     Attackers develop malware by leveraging security vulnerabilities. Attackers engineer malware based on their needs and the intention of the attack. This process also involves attackers trying to reduce the chances of getting detected by the security solutions that the organization has in place.

  3. Delivery
     The attacker delivers the weaponized malware via a phishing email or some other medium. The most common delivery vectors for weaponized payloads include websites, removable disks, and emails. This is the most important stage where the attack can be stopped by the security teams.

  4. Exploitation
     The malicious code is delivered into the organization’s system. The perimeter is breached here, and the attackers get the opportunity to exploit the organization’s systems by installing tools, running scripts, and modifying security certificates.

     Most often, an application or the operating system’s vulnerabilities are targeted. Examples of exploitation attacks can be scripting, dynamic data exchange, and local job scheduling.

  5. Installation
     A backdoor or remote access trojan is installed by the malware that provides access to the intruder. This is another important stage where the attack can be stopped using systems such as HIPS (Host-based Intrusion Prevention System).

  6. Command and Control
     The attacker gains control over the organization’s systems and network. Attackers gain access to privileged accounts and attempt brute force attacks, search for credentials, and change permissions to take over control.

  7. Actions on Objective
     The attacker finally extracts the data from the system. The objective involves gathering, encrypting, and extracting confidential information from the organization’s environment.

Based on these stages, the following layers of control implementation are provided:

  1. Detect – Determine the attempts to penetrate an organization.
  2. Deny – Stop the attacks while they are happening.
  3. Disrupt – Intervene in the attacker’s data communication and stop it.
  4. Degrade – Limit the effectiveness of a cybersecurity attack to minimize its ill effects.
  5. Deceive – Mislead the attacker by providing them with misinformation or misdirecting them.
  6. Contain – Contain and limit the scope of the attack so that it is restricted to only some part of the organization.

The following security controls can be used to counter the attack at various stages of the kill chain, according to Orion Cassetto of Exabeam:

  1. Reconnaissance
     Detect: Web Analytics; Threat Intelligence; Network Intrusion Detection System
     Deny: Information Sharing Policy; Firewall Access Control Lists

  2. Weaponization
     Detect: Threat Intelligence; Network Intrusion Detection System
     Deny: Network Intrusion Prevention System

  3. Delivery
     Detect: Endpoint Malware Protection
     Deny: Change Management; Application Whitelisting; Proxy Filter; Host-Based Intrusion Prevention System
     Disrupt: Inline Anti-Virus
     Degrade: Queuing
     Contain: Router Access Control Lists; App-aware Firewall; Trust Zones; Inter-zone Network Intrusion Detection System

  4. Exploitation
     Detect: Endpoint Malware Protection; Host-Based Intrusion Detection System
     Deny: Secure Password; Patch Management
     Disrupt: Data Execution Prevention
     Contain: App-aware Firewall; Trust Zones; Inter-zone Network Intrusion Detection System

  5. Installation
     Detect: Security Information and Event Management (SIEM); Host-Based Intrusion Detection System
     Deny: Privilege Separation; Strong Passwords; Two-Factor Authentication
     Disrupt: Router Access Control Lists
     Contain: App-aware Firewall; Trust Zones; Inter-zone Network Intrusion Detection System

  6. Command & Control
     Detect: Network Intrusion Detection System; Host-Based Intrusion Detection System
     Deny: Firewall Access Control Lists; Network Segmentation
     Disrupt: Host-Based Intrusion Prevention System
     Degrade: Tarpit
     Deceive: Domain Name System Redirect
     Contain: Trust Zones; Domain Name System Sinkholes

  7. Actions on Objectives
     Detect: Endpoint Malware Protection
     Deny: Data-at-Rest Encryption
     Disrupt: Endpoint Malware Protection
     Degrade: Quality of Service
     Deceive: Honeypot
     Contain: Incident Response

  8. Exfiltration
     Detect: Data Loss Prevention; Security Information and Event Management (SIEM)
     Deny: Egress Filtering
     Disrupt: Data Loss Prevention
     Contain: Firewall Access Control Lists
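The stage list and the control matrix above are most useful when a SIEM can tell which stage a host has reached. The following is an added example, not code from the article or from Exabeam: it correlates constructed sensor events per host into the article’s seven stages and flags hosts where evidence exists beyond Delivery, the stage the article singles out as the best place to stop an attack. The log format and the event-to-stage mapping are assumptions for illustration.

```python
# Added example: correlate constructed log events per host into Cyber Kill Chain
# stages and flag hosts whose attack has progressed past the Delivery stage.
import re
from collections import defaultdict

# Kill chain stages in order, as listed in the article.
STAGES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and Control", "Actions on Objective"]

# Hypothetical mapping from a sensor's event types to the stage they indicate.
EVENT_STAGE = {
    "port_scan": "Reconnaissance",
    "phishing_attachment": "Delivery",
    "exploit_blocked": "Exploitation",        # a blocked attempt is still evidence
    "new_service_installed": "Installation",
    "beacon_outbound": "Command and Control",
    "bulk_upload": "Actions on Objective",
}

# Assumed line format: "<timestamp> host=<name> event=<type> <other key=value pairs>"
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+)")

def parse_log(lines):
    """Yield (host, stage_index) for each line whose event maps to a stage."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["event"] not in EVENT_STAGE:
            continue  # unparseable or benign events are ignored
        yield m["host"], STAGES.index(EVENT_STAGE[m["event"]])

def stage_progression(lines):
    """Return {host: [distinct stage names seen, in kill chain order]}."""
    seen = defaultdict(set)
    for host, idx in parse_log(lines):
        seen[host].add(idx)
    return {h: [STAGES[i] for i in sorted(ids)] for h, ids in seen.items()}

def hosts_past_delivery(lines):
    """Hosts with evidence beyond Delivery: these need containment, not just denial."""
    delivery = STAGES.index("Delivery")
    return sorted(h for h, stages in stage_progression(lines).items()
                  if any(STAGES.index(s) > delivery for s in stages))

# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2024-05-01T09:00:01Z host=ws-17 event=phishing_attachment user=alice",
    "2024-05-01T09:02:13Z host=ws-17 event=exploit_blocked sig=office-macro",
    "2024-05-01T09:05:40Z host=ws-17 event=new_service_installed name=updsvc",
    "2024-05-01T09:06:02Z host=ws-17 event=beacon_outbound dst=203.0.113.5",
    "2024-05-01T10:00:00Z host=ws-42 event=port_scan src=198.51.100.9",
    "2024-05-01T10:30:00Z host=ws-42 event=login_success user=bob",
]

if __name__ == "__main__":
    for host, stages in stage_progression(SAMPLE_LOG).items():
        print(host, "->", " > ".join(stages))
    print("escalate:", hosts_past_delivery(SAMPLE_LOG))
```

Running it reports ws-17 at Command and Control and ws-42 only at Reconnaissance, so ws-17 is the host to escalate.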

 

How can Cyber Kill Chain Protect Against Attacks?


A cyber kill chain or cyber-attack simulation platform can be used by organizations to identify and mend the security gaps in their system within seconds.

Here’s how simulating a cyber kill chain can protect against cybersecurity attacks:

  1. Simulate Cybersecurity Attacks
     Real cybersecurity attacks can be simulated across all vectors to find vulnerabilities and threats. This includes simulating cyber-attacks through email gateways, web gateways, web application firewalls, and similar vectors.

  2. Evaluate the Controls to Identify Security Gaps
     This involves evaluating simulations and identifying the areas of risk. Simulation platforms give you a detailed risk score and report around every vector.

  3. Remediate and Fix the Cybersecurity Gaps
     The next step is to fix the security gaps that were identified in the previous step. This may include steps like installing patches and changing configurations to reduce the number of threats and vulnerabilities in the organization’s system.

 

Final Thoughts


Leaving cybersecurity vulnerabilities open for security attacks is one of the most common mistakes made by organizations today. Continuous security validation across the cyber kill chain can help companies to identify, prevent, stop, and prepare for any such attacks.

 

About the Author


Pratik Dholakiya is the founder of Growfusely, a content marketing agency specializing in content and data-driven SEO. He regularly speaks at various conferences about SEO, Content Marketing, and Entrepreneurship. Pratik has spoken at the 80th Annual Conference of the Florida Public Relations Association, Accounting and Finance Show, Singapore, NextBigWhat’s UnPluggd, IIT-Bombay, SMX Israel, SEMrush Meetup, MICA, IIT-Roorkee, and other major events. As a passionate SEO and content marketer, he shares his thoughts and knowledge in publications like Search Engine Land, Search Engine Journal, Entrepreneur Magazine, Fast Company, The Next Web, YourStory, and Inc42, to name a few.