
Cyber Kill Chain


Cyber Kill Chain Definition:

The Cyber Kill Chain is a model developed by Lockheed Martin to describe the stages of a cyber attack, from initial Reconnaissance to the final objective. The framework helps security professionals understand, detect, and disrupt attacks by breaking down the steps attackers take, providing insights into how to defend against them at each stage.

What is the Cyber Kill Chain?

The Cyber Kill Chain outlines the series of steps that attackers typically follow to infiltrate a target network and achieve their goals. These stages are: reconnaissance, weaponisation, delivery, exploitation, installation, command and control (C2), and actions on objectives. By understanding each phase, organisations can identify and disrupt attacks before they reach critical stages.

Why is the Cyber Kill Chain important?

The purpose of the Cyber Kill Chain is to provide a structured approach to understanding cyber attacks, enabling security teams to develop effective defence strategies. By identifying and breaking the chain of events that lead to a successful attack, organisations can reduce their exposure to threats, detect attacks earlier, and mitigate their impact. The model also supports Threat Intelligence analysis and Incident Response planning.

How does the Cyber Kill Chain work?

The stages of the Cyber Kill Chain are:

1. **Reconnaissance** – The attacker gathers information about the target to identify potential vulnerabilities.
2. **Weaponisation** – The attacker creates a deliverable payload, such as a malicious attachment or Exploit code.
3. **Delivery** – The attacker transmits the payload to the target through email, web, USB, etc.
4. **Exploitation** – The attacker triggers the payload to Exploit a Vulnerability on the target system.
5. **Installation** – The attacker installs a Backdoor or other persistent mechanism for continued access.
6. **Command and Control (C2)** – The attacker establishes communication with the compromised system to remotely control it.
7. **Actions on Objectives** – The attacker completes their intended actions, such as data exfiltration, sabotage, or espionage.

Cyber Kill Chain Examples:

Examples of using the Cyber Kill Chain include identifying and disrupting a Phishing campaign during the delivery phase, detecting Malware installation and isolating affected systems, or blocking command and control communications to prevent further compromise. Security tools and strategies can be mapped to specific stages of the chain to enhance defensive capabilities.
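The following Python example, added here and not part of the original glossary entry, shows how the stage model above and the tool-to-stage mapping just described can be put to work by a defender: alerts are mapped to kill chain stages per host, the furthest stage reached decides triage priority, and host-side stages that produced no alert are reported as visibility gaps. The alert names, hosts and timestamps are constructed, and the alert-to-stage mapping is an assumption for illustration.

```python
from collections import defaultdict
# Ordered stages of the Lockheed Martin Cyber Kill Chain.
STAGES = ["reconnaissance", "weaponisation", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]
# Stages played out against the target host; the first two precede contact,
# so a missing alert there is expected rather than a visibility gap.
HOST_STAGES = STAGES[2:]

# Hypothetical alert-type to stage mapping (an assumption for this example;
# a real deployment maps the alerts its own tools produce).
ALERT_TO_STAGE = {
    "port_scan": "reconnaissance",
    "phishing_email_quarantined": "delivery",
    "macro_execution": "exploitation",
    "new_persistence_key": "installation",
    "beacon_to_known_c2": "command_and_control",
    "bulk_outbound_transfer": "actions_on_objectives",
}

# Constructed alert stream for the example (not real telemetry).
SAMPLE_ALERTS = [
    {"ts": "2024-05-01T09:00:00", "host": "ws-17", "type": "phishing_email_quarantined"},
    {"ts": "2024-05-01T09:05:00", "host": "ws-17", "type": "macro_execution"},
    {"ts": "2024-05-01T09:06:00", "host": "ws-17", "type": "beacon_to_known_c2"},
    {"ts": "2024-05-01T08:30:00", "host": "ws-03", "type": "port_scan"},
    {"ts": "2024-05-01T10:00:00", "host": "ws-42", "type": "bulk_outbound_transfer"},
    {"ts": "2024-05-01T10:01:00", "host": "ws-42", "type": "unmapped_alert"},
]

def chain_progress(alerts):
    """Per host: first sighting of each stage, furthest stage reached, and
    host-side stages before it with no alert (visibility gaps)."""
    first_seen = defaultdict(dict)
    for a in alerts:
        stage = ALERT_TO_STAGE.get(a["type"])
        if stage is None:
            continue  # unmapped alert types are ignored, not guessed
        seen = first_seen[a["host"]]
        seen[stage] = min(seen.get(stage, a["ts"]), a["ts"])  # ISO timestamps sort as text
    report = {}
    for host, seen in first_seen.items():
        furthest = max(STAGES.index(s) for s in seen)
        gaps = [s for s in HOST_STAGES if STAGES.index(s) < furthest and s not in seen]
        report[host] = {"furthest": STAGES[furthest], "gaps": gaps,
                        "observed": {s: seen[s] for s in STAGES if s in seen}}
    return report

def triage_order(report):
    """Hosts ordered by how far down the chain the attack has progressed."""
    return sorted(report, key=lambda h: STAGES.index(report[h]["furthest"]), reverse=True)
```

A host that appears only at actions on objectives, with every earlier host-side stage missing, is both the most urgent to contain and a sign that telemetry for the earlier stages is absent or not mapped.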

Cyber Kill Chain Issues:

While the Cyber Kill Chain is useful for understanding traditional attack paths, it may not fully capture modern attacks, such as those involving Insider Threats, Advanced Persistent Threats (APTs), or multi-vector attacks. Adapting and extending the model to address evolving threats, using frameworks like MITRE ATT&CK, can enhance its effectiveness in today’s complex threat landscape.
