Deconstructing the Cyber Kill Chain

Posted by Susan Sison on Feb 23, 2017 8:20:06 AM

When is a breach not bad news? When your security team ends up not only stopping it before it does real damage, but also learning more about the attacker than the attacker learns from you.

That’s the idea behind the cyber kill chain (CKC), a methodology to help security teams better understand attackers’ game plans so that they can create more proactive, intelligent defenses.

With cyber attackers constantly upping the frequency and sophistication of attacks, companies that rely solely on prevention as a defense strategy are bound to fail. Once an attacker figures out how to sneak past a given preventive control, all bets are off.

A better strategy is to focus on understanding the attack sequence so you can continually hone and target your security countermeasures. That’s where the CKC comes in.

A military concept retooled for cybersecurity by Lockheed Martin, the CKC details the seven steps attackers take to compromise a target. Armed with that knowledge, security teams can then target their defenses to thwart each step, increasing the likelihood of disrupting attacks before they cause problems:

  1. Reconnaissance: The attacker researches the target to uncover details that can be used to ensure a successful breach. Usually this means scanning the network and/or leveraging social media to uncover details to aid in the attack such as vertical industry, identities of top management and IT staff, and IT technologies in place. Key defensive strategies here include use of regular penetration tests, threat intelligence, hardened perimeter controls and even honeypots to monitor adversary tactics.
  2. Weaponization: With intelligence gained during reconnaissance, attackers create and package malware to exploit the vulnerabilities uncovered. Key defenses here include shoring up vulnerabilities through strong vulnerability and patch management programs as well as targeted threat intelligence.
  3. Delivery: Attackers deliver the malware, usually by enticing users to click on a phishing email, browse to a malware-laden website or open a malicious document. A variety of controls help here, from website whitelisting to AV and malware sandboxing to intrusion prevention/detection (IDS/IPS). Good security awareness training is also important.
  4. Exploitation: Once delivered, the malware compromises the target. Defensive measures here include prevention tools like firewalls, AV, endpoint protection and IPS as well as strong threat intelligence and analytics that funnel up to a SIEM or centralized management tool.
  5. Installation: The malware installs itself on the target and communicates out to the attacker to confirm success. Removing administrative privileges on endpoints, leveraging endpoint protection software or restricting application installs via enterprise mobile management (EMM) tools can go a long way here.
  6. Command and control: The attacker communicates back to the compromised system and, with tools like screen captures, keystroke monitoring and password cracking, gathers as much sensitive data as possible, then encrypts, compresses and preps it for exfiltration. Defenses here include traffic analysis/monitoring via tools like NetFlow in addition to IP and DNS reputation services.
  7. Actions on objectives: In this phase, attackers reach their goal by exfiltrating data or damaging IT assets — all while masquerading as a trusted network user. Defensive strategies here include data loss prevention (DLP) tools or network behavior analysis to pinpoint anomalous traffic. Next-generation firewalls or IDS/IPS can also alert on malicious activity such as an FTP session to an unknown server.
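The practical payoff of the CKC is that alerts from different controls can be tied to the phase they belong to and correlated per host, so that a machine which has moved from delivery through installation into command and control stands out from one that merely tripped a perimeter scan detector. The following is an added example written for this post (it is not code from the post, from NCA, Fortinet or Lockheed Martin); the event format, the detector names, the known-FTP-server list and the low-reputation domain list are all assumptions constructed for illustration. It classifies constructed sample events into the phases listed above (the step-6 DNS reputation check and the step-7 "FTP session to an unknown server" check are implemented directly) and then ranks hosts by how far down the chain they have progressed. Weaponization has no observable on the victim's own network, so no event maps to it.

```python
"""Correlate security events into cyber kill chain (CKC) phases per host.

Added example for the post above; the event schema and detector names are
illustrative assumptions, not any vendor's format.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# The seven CKC phases, in chain order (index = depth of progression).
PHASES: List[str] = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]

# Assumed allow/deny lists. In a real deployment these would come from the
# asset inventory and from an IP/DNS reputation service.
KNOWN_FTP_SERVERS = {"10.0.5.20"}
LOW_REPUTATION_DOMAINS = {"update-check.example.net"}


def classify(event: Dict) -> Optional[str]:
    """Map one event to the CKC phase it evidences, or None if it is benign."""
    kind = event["kind"]
    if kind == "ids" and event.get("signature") == "portscan":
        return "reconnaissance"                      # step 1: network scanning
    if kind == "mail_sandbox" and event.get("verdict") == "malicious":
        return "delivery"                            # step 3: phishing attachment
    if kind == "endpoint":
        return {"exploit_blocked": "exploitation",   # step 4
                "new_persistence": "installation",   # step 5
                }.get(event.get("action"))
    if kind == "dns" and event.get("qname") in LOW_REPUTATION_DOMAINS:
        return "command_and_control"                 # step 6: DNS reputation
    if kind == "flow" and event.get("dport") == 21 \
            and event.get("dst") not in KNOWN_FTP_SERVERS:
        return "actions_on_objectives"               # step 7: FTP to unknown server
    return None


def correlate(events: Iterable[Dict]) -> Dict[str, Dict]:
    """Group phase hits by host and assign a triage priority.

    Returns {host: {"phases": [...in chain order], "deepest": index, "priority": str}}.
    Hosts with only benign events are omitted.
    """
    per_host = defaultdict(set)
    for ev in events:
        phase = classify(ev)
        if phase is not None:
            per_host[ev["host"]].add(phase)

    result = {}
    for host, phases in per_host.items():
        ordered = [p for p in PHASES if p in phases]
        deepest = PHASES.index(ordered[-1])
        # Late-chain activity (C2 or exfiltration) or progression through
        # several phases means the attacker has got past prevention.
        if deepest >= PHASES.index("command_and_control") or len(ordered) >= 3:
            priority = "high"
        elif deepest >= PHASES.index("exploitation"):
            priority = "medium"
        else:
            priority = "low"
        result[host] = {"phases": ordered, "deepest": deepest, "priority": priority}
    return result


# Constructed sample events (illustrative, not captured from a real network).
SAMPLE_EVENTS = [
    {"host": "ws-042", "kind": "ids", "signature": "portscan"},
    {"host": "ws-042", "kind": "mail_sandbox", "verdict": "malicious"},
    {"host": "ws-042", "kind": "endpoint", "action": "new_persistence"},
    {"host": "ws-042", "kind": "dns", "qname": "update-check.example.net"},
    {"host": "ws-042", "kind": "flow", "dport": 21, "dst": "203.0.113.9"},
    {"host": "ws-017", "kind": "endpoint", "action": "exploit_blocked"},
    {"host": "ws-099", "kind": "flow", "dport": 21, "dst": "10.0.5.20"},
    {"host": "ws-099", "kind": "dns", "qname": "intranet.example.com"},
]

if __name__ == "__main__":
    for host, summary in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {summary['priority']:6s} phases={summary['phases']}")
```

In the sample, ws-042 is flagged high because it reached command and control and actions on objectives; ws-017 only shows a blocked exploit and is medium; ws-099 talked FTP to an inventoried server and queried a normal domain, so it never appears. The point is that the same alert sources the post names at each step become far more useful when read as positions on the chain rather than as isolated tickets.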

A partner of Fortinet, NCA can deliver a strategy that weaves together intelligence and best-in-class technology to thwart threats no matter where they are in the cyber kill chain.


Network Computing Architects, Inc. is a premier provider of high quality sustainable and secure networking, information security solutions and unified communications. We partner with our clients to provide answers to business initiatives where leading technologies converge.

NCA achieved ISO 27001:2005 certification in December 2007 and is currently ISO 27001:2013 certified. The scope of NCA's ISMS is client confidential information within NCA Professional Services Practice.