What is the Cyber kill chain model?

28 October 2022 | by Xavier Bellekens

The cyber kill chain model is a methodology used by defenders to identify, assess, and mitigate threats. It was originally developed by Lockheed Martin to address the threat of sophisticated attacks and has since been adopted by the cybersecurity community at large.

The kill chain is composed of eight steps: reconnaissance, weaponization, delivery, exploitation, installation, command and control, actions on objectives, and exfiltration.

Each step represents a different stage of an attack, and each stage presents opportunities for defenders to detect and disrupt the attack. Understanding the cyber kill chain is essential for effective threat defense.

By identifying the steps in an attack, defenders can more effectively design policies and procedures to protect their networks and data.

The 8 Steps of the Cyber Kill Chain model

The cyber kill chain is a series of steps that are typically followed by hackers in order to carry out a successful cyber attack.

These steps are as follows:

Reconnaissance:

The attacker gathers information about the target system in order to find vulnerabilities that can be exploited.

  • Passive Reconnaissance phase can include tools such as
    • Whois
    • ARIN
    • Google
    • Shodan
    • Company Website
    • LinkedIn
    • Physical Locations visits
  • Active Reconnaissance phase can include tools such as
    • Port Scanning (NMAP)
    • Banner Grabbing
    • Nessus
    • Spyse

A great way to identify reconnaissance cyberattacks is to deploy cyber deception assets, luring adversaries into revealing themselves to you before they manage to bypass security controls or gain access to any critical service. Because no legitimate user has a reason to touch a decoy, decoys are a great way to actively monitor your perimeter security and obtain 100% true positive alerts.
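As an added illustration of the decoy idea (example code written for this page, not Lupovis' product), the script below parses a constructed log from a decoy TCP listener. Every source that touches the decoy becomes an alert, and a source that hits several distinct ports within a short window is additionally labelled as a reconnaissance scan. The log format, the addresses and the thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log from a decoy TCP listener (no real traffic).
# Assumed line format: ISO timestamp, source IP, destination port touched.
DECOY_LOG = """\
2022-10-28T10:00:01Z src=203.0.113.5 dport=22
2022-10-28T10:00:01Z src=203.0.113.5 dport=80
2022-10-28T10:00:02Z src=203.0.113.5 dport=443
2022-10-28T10:00:02Z src=203.0.113.5 dport=3389
2022-10-28T10:00:03Z src=203.0.113.5 dport=8080
2022-10-28T10:00:03Z src=203.0.113.5 dport=445
2022-10-28T10:05:00Z src=198.51.100.7 dport=22
2022-10-28T10:05:30Z src=198.51.100.7 dport=22
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dport=(?P<port>\d+)$")


def parse_line(line):
    """Parse one decoy log line into (timestamp, source, port); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["src"], int(m["port"])


def decoy_alerts(text, scan_ports=5, window_s=60):
    """Turn decoy log lines into alerts keyed by source IP.

    Every source that touches the decoy is alerted on, because the decoy has
    no legitimate users.  A source that hits at least `scan_ports` distinct
    ports within `window_s` seconds is additionally labelled as scanning.
    """
    by_src = defaultdict(list)
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, src, port = parsed
            by_src[src].append((ts, port))

    alerts = {}
    for src, hits in by_src.items():
        hits.sort()
        label = "decoy-touch"
        for i, (t0, _) in enumerate(hits):
            # distinct ports hit within window_s seconds of this event
            ports_in_window = {p for t, p in hits[i:] if (t - t0).total_seconds() <= window_s}
            if len(ports_in_window) >= scan_ports:
                label = "recon-scan"
                break
        alerts[src] = {"label": label, "ports": sorted({p for _, p in hits}), "hits": len(hits)}
    return alerts


if __name__ == "__main__":
    for src, info in decoy_alerts(DECOY_LOG).items():
        print(f"ALERT {info['label']}: {src} touched ports {info['ports']} ({info['hits']} hits)")
```

The point of the sliding window is to separate a deliberate port sweep from a single stray connection; both are still alerts, because nothing should be talking to the decoy at all.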

Weaponization:

The hacker creates malicious code (an exploit) or uses existing software that can be used to attack the system.

Adversaries often use tools such as:

  • SQLMap
  • Cain&Abel
  • Maltego
  • Metasploit
  • Exploit DB
  • Wapiti
  • Burp Suite

Implementing the basics of security to raise the bar is an excellent step forward to avoid kill chain surprises. Ensure all computers run antivirus and endpoint detection and response (EDR) software, and that the network has an intrusion prevention system (IPS) or an intrusion detection system (IDS). These can be coupled with NDR, XDR and SOAR. Make sure that all accounts have Multi-Factor Authentication (MFA) enabled, and that logs are regularly audited.

The infrastructure should also be patched regularly. Cyber deception can also help identify which CVEs adversaries attempt to exploit against your online services and servers.

Delivery:

The malicious file or program is delivered to the target system, typically via email or another form of online communication.

The delivery can be done via:

  • Websites
  • User Input
  • Emails
  • USB Key
  • Social Media
  • Social engineering

Ensure that web and DNS filtering is enabled on your Web Application Firewall (WAF), and that users are trained against phishing campaigns, to avoid user account takeovers. For e-mail, ensure DKIM and SPF are enabled. Disable USB keys by default on laptops and computers. Such attacks are easy to spot and stop, and doing so can go a long way to protect your organization from sensitive data theft and security breaches.

Exploitation:

The vulnerability is exploited, and the malicious file, exploit or program is executed on the target system.

The exploitation usually focuses on:

  • SQL Injection
  • Buffer Overflow
  • Malware
  • etc.

Bridging the security gaps by implementing the basics of cybersecurity and reducing the attack surface can go a long way to reduce attack vectors and stop cyber attackers in their tracks. EDR, AV, deception and XDR can go a long way to identify common attack vectors and stop privilege escalation and lateral movement, and in turn the theft of data.

Installation:

The malware is installed on the target system.

Similarly to the Exploitation stage, this stage focuses on the ability of the adversary to gain better access to the system. This is usually carried out through:

  • Meterpreter
  • DLL Hijacking
  • Remote access tools (RAT)
  • PowerShell commands

Preventing the installation can be done by disabling PowerShell on Windows and using chroot on Unix operating systems, and by using cyber deception and EDR for detection, together with a well thought out incident response plan against cyber attacks.

Command and Control:

The attacker gains control of the malware and can now issue commands that will be carried out on the target system. The best steps to alleviate remote control of systems by adversaries are to ensure application control, DNS redirection and network segmentation of the target network. These will also help to minimize insider threat issues, and make sensitive information much more difficult to exfiltrate.
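Command and control traffic has one property a defender can lean on: implants check in on a schedule. The following added example (written for this page, not taken from it or from any product) reads a constructed outbound connection log and flags source/destination pairs whose connection intervals are nearly constant, which is how a "beaconing" detection in an NDR or SIEM works. The log format, the addresses and the thresholds are assumptions for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed outbound connection log (not real traffic).
# Assumed format: ISO timestamp, internal source IP, external destination ip:port.
FLOW_LOG = """\
2022-10-28T09:00:00Z 10.0.0.5 203.0.113.77:443
2022-10-28T09:01:00Z 10.0.0.5 203.0.113.77:443
2022-10-28T09:02:01Z 10.0.0.5 203.0.113.77:443
2022-10-28T09:03:00Z 10.0.0.5 203.0.113.77:443
2022-10-28T09:04:01Z 10.0.0.5 203.0.113.77:443
2022-10-28T09:05:00Z 10.0.0.5 203.0.113.77:443
2022-10-28T09:06:00Z 10.0.0.5 203.0.113.77:443
2022-10-28T09:00:12Z 10.0.0.9 198.51.100.30:443
2022-10-28T09:00:45Z 10.0.0.9 198.51.100.30:443
2022-10-28T09:07:10Z 10.0.0.9 198.51.100.30:443
2022-10-28T09:07:14Z 10.0.0.9 198.51.100.30:443
2022-10-28T09:31:02Z 10.0.0.9 198.51.100.30:443
2022-10-28T09:32:40Z 10.0.0.9 198.51.100.30:443
2022-10-28T09:58:00Z 10.0.0.9 198.51.100.30:443
"""


def parse_flow(line):
    """Split one log line into (timestamp, source, destination)."""
    ts, src, dst = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc), src, dst


def find_beacons(text, min_connections=6, max_cv=0.15):
    """Return suspected beacons as {(src, dst): {"interval_s": mean, "cv": cv}}.

    A beacon is a (source, destination) pair with at least `min_connections`
    connections whose inter-connection intervals are nearly constant: the
    coefficient of variation (stdev / mean) is at most `max_cv`.  Human-driven
    browsing produces bursty, irregular intervals and is left alone.
    """
    times = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, src, dst = parse_flow(line)
            times[(src, dst)].append(ts)

    beacons = {}
    for pair, stamps in times.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:
            continue
        cv = statistics.pstdev(intervals) / mean
        if cv <= max_cv:
            beacons[pair] = {"interval_s": round(mean, 1), "cv": round(cv, 3)}
    return beacons


if __name__ == "__main__":
    for (src, dst), info in find_beacons(FLOW_LOG).items():
        print(f"possible C2 beacon: {src} -> {dst} every ~{info['interval_s']}s (cv={info['cv']})")
```

Real implants add jitter to their sleep timer, so in production the `max_cv` threshold is tuned against a baseline and combined with other signals (rare destination, newly registered domain, unusual process), rather than used alone.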

Actions on Objectives:

The attacker carries out their desired actions on the target system, such as stealing data or launching a denial-of-service attack.

The actions on objectives often focus on financial or political gain, espionage, malicious insiders, insider threats or lateral movement. Deception can be used to monitor for lateral movement and alert your security teams before any damage is done. Cyber deception can reduce the mean time to detect from days to minutes, and can even detect privileged account takeover.

Exfiltration:

The attacker removes any desired data from the target system.

The last part of the kill chain focuses on valuable data exfiltration. Once an adversary has avoided detection and gained entry, bypassing the defense strategies without raising an alarm, it is exceptionally difficult to detect data exfiltration.

Using cyber deception, you can create fake documents, information, data and servers for the adversary to exfiltrate, leading to an alert being generated.
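One common way to make a fake document "phone home" is a canary token: a unique URL embedded in the file that only fires when the document is opened. The example below is added for this page (it is not Lupovis' implementation) and assumes a host you control, `canary.example`, that serves the beacon URLs, plus a server-side secret; both are constructed placeholders. The token is an HMAC over the document identity, so the alert server can verify a hit and attribute it to the right decoy without storing a database of issued tokens.

```python
import hashlib
import hmac
import secrets

# Assumptions for this example: a host you control that receives the beacon
# requests, and a server-side secret key (constructed placeholder; generate a
# random one in practice).
ALERT_HOST = "canary.example"
SERVER_KEY = b"example-only-key-replace-with-random-bytes"


def make_token(doc_id, key=SERVER_KEY):
    """Bind a decoy document's identity to an HMAC tag; the nonce makes each
    issued copy distinct so hits can be told apart per document instance."""
    nonce = secrets.token_hex(4)
    tag = hmac.new(key, f"{doc_id}|{nonce}".encode(), hashlib.sha256).hexdigest()[:16]
    return f"{doc_id}.{nonce}.{tag}"


def verify_token(token, key=SERVER_KEY):
    """Return the document id the token was issued for, or None if forged."""
    parts = token.rsplit(".", 2)
    if len(parts) != 3:
        return None
    doc_id, nonce, tag = parts
    expected = hmac.new(key, f"{doc_id}|{nonce}".encode(), hashlib.sha256).hexdigest()[:16]
    return doc_id if hmac.compare_digest(expected, tag) else None


def decoy_html(title, doc_id):
    """Build a decoy HTML document whose hidden image fetch acts as the tripwire."""
    url = f"https://{ALERT_HOST}/c/{make_token(doc_id)}.png"
    return (f"<html><head><title>{title}</title></head><body>"
            f"<h1>{title}</h1><p>Internal - do not distribute.</p>"
            f'<img src="{url}" width="1" height="1" alt="">'
            "</body></html>")


def handle_request(path, key=SERVER_KEY):
    """Alert-server side: turn a request path into an alert, or None."""
    prefix, suffix = "/c/", ".png"
    if not (path.startswith(prefix) and path.endswith(suffix)):
        return None
    doc_id = verify_token(path[len(prefix):-len(suffix)], key)
    if doc_id is None:
        return None
    return {"alert": "decoy document opened", "document": doc_id}


if __name__ == "__main__":
    page = decoy_html("Q3 forecast", "finance-q3-forecast")
    print(page)
```

The same construction works for any file format that can embed a remote fetch (an image in a document, a stylesheet in a web page), and the alert server should log the requesting IP, user agent and time alongside the document id, since those details are what the incident responder will want first.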

If you want to know more about how Lupovis can help you generate documents or data such as email addresses, folders, etc. with the capacity to alert you when they are opened.

These are the typical steps that are followed by hackers in order to carry out a successful cyberattack. However, it should be noted that not all attacks follow this exact path, and some steps may be skipped or carried out in a different order depending on the environment and objectives of the attack.

Is the cyber kill chain obsolete?

The “cyber kill chain” is a model that is used to describe the stages of a typical cyber attack. The cyber kill chain model has been criticized for being too linear and simplistic, and for not taking into account the fact that there are often multiple ways to complete each stage of an attack.

In addition, some stages may be skipped entirely in certain types of attacks. For these reasons, some experts have argued that the cyber kill chain is no longer an accurate or useful way to think about modern cyber attacks.

However, others believe that the model still has value as a tool for understanding the basics of how an attack unfolds. Ultimately, the decision of whether to use the cyber kill chain will depend on the specific needs of each organization.

Cyber Kill Chain vs MITRE ATT&CK

Attackers use a variety of methods to breach an organization’s defenses and gain access to its systems and data. To help defenders understand and anticipate these methods, researchers have developed frameworks that categorize and describe the different stages of an attack. Two of the most popular frameworks are the cyber kill chain framework and the MITRE ATT&CK framework.

The MITRE ATT&CK framework is a newer addition to the field, having been released in 2016. Unlike the cyber kill chain, which is focused on prevention, the ATT&CK framework is designed to help defenders identify attacks that have already occurred and understand how they can be prevented in the future.

The framework is divided into three categories: tactics, techniques, and procedures. Each category contains a number of subcategories that describe different methods that attackers can use at each stage of an attack.

While the two frameworks may appear similar at first glance, there are some key differences between the cyber kill chain and the MITRE ATT&CK framework.

Perhaps the most notable difference is that the cyber kill chain is linear, while the MITRE ATT&CK framework is non-linear. In other words, the cyber kill chain outlines a specific order of events that must take place in order for an attack to be successful, while the MITRE ATT&CK framework provides a more flexible blueprint that can be adapted to different situations.

Another key difference is that the cyber kill chain focuses on prevention, while the MITRE ATT&CK framework emphasizes detection and response.

Ultimately, both frameworks have their own strengths and weaknesses, and it’s up to security professionals to choose the one that best suits their needs.
