The Cyber Kill Chain - Explained

In this era of computers, cyberspace has become a perilous place, as a multitude of cyber-attacks wreak havoc across all sorts of industries. We do have various security setups such as honeypots and network intrusion detectors. But how do we stop an attack that spans years? Most of the security measures we have do not consider the psychological perspective of an attack. The various detectors can tell us that we are being attacked, but they don't tell us what to do next or how to stop the ongoing attack.

The cyber kill chain is a method that deals with these questions. It is an efficient and effective way of illustrating how an adversary can attack the target organization. This model helps organizations understand the possible threats at every stage of an attack and the countermeasures needed to defend against them. The cyber kill chain divides the attack into phases and helps to organize the workforce in times of emergency.


The kill chain is a military concept describing the structure of an attack that is to be carried out. It divides the attack into phases so that resources can be properly organized and allocated. This concept was first incorporated into cyberspace by scientists at Lockheed Martin in 2011. Currently, there are many customized Cyber Kill Chains for different industries based on their cyberspace characteristics.


There are many kill chains out there, but most of them originated from the Lockheed Martin Kill Chain from 2011. These kill chains are tailored according to the vendor and modified by adding or combining one or more phases of the Lockheed Martin Kill Chain. This method aims to actively enhance intrusion detection and response.

The cyber kill chain is built on seven phases, and understanding them helps to mitigate and reduce cyber threats. The phases below are the fundamentals of any cyber-attack:
  • Reconnaissance: At this phase, the attacker gathers information about the target, such as email addresses, vulnerable endpoints, network blocks, and IP addresses, to probe for weak points before actually attacking. The information obtained from this phase is used extensively throughout the chain, and this phase can be revisited if the attacker is lacking information.
  • Weaponization: At this phase, the attacker analyzes the collected data to identify the techniques needed to create malware tailored to exploit vulnerabilities in the chosen system. This phase uses the footprinting information obtained in the previous phase, such as the OS in use and the version of patches.
  • Delivery: At this phase, as the weapon is already created, the attacker decides upon the point of entry as well as the medium to transmit the malware. This is mostly based on the native programs used by the organization and the victim's likely choice to use certain programs. This information can be found through certain techniques of social engineering. This is a key stage that measures the effectiveness of the defence strategies implemented by the target organization, based on whether the attacker's intrusion attempt is blocked or not.
  • Exploitation: At this phase, the attacker begins executing the malware. This phase is also important to the attacker because the execution must not get flagged as abnormal by the security controls.
  • Installation: At this phase, after successful execution, the attacker injects more malicious software to maintain access inside the network, using encryption to stay undetected for as long as possible. After injection, the attacker gains the capability to spread the infection to other end systems in the network.
  • Command & Control: At this phase, the attacker creates a command and control channel, which establishes persistent access between the victim's system and the attacker's server to communicate and pass data back and forth. Thus, the attacker starts setting the stage for the final objective.
  • Actions on Objectives: At this stage, the attacker starts to make moves towards the final goal, whether that is exfiltration, ransom, disruption, etc. The attacker may use this as a launching point to perform other attacks.

Figure: The Cyber Kill Chain


Attackers won't necessarily follow the steps of the kill chain in order. Sometimes they skip steps, and sometimes they backtrack. Many attacks combine multiple steps into a single action. That is to say, attacks are becoming more dynamic day by day and harder to predict. Cyber Kill Chains today are based upon linear predictive models, whereas the attacks are completely random. Thus, Cyber Kill Chain models based upon stochastic processes could become an effective countermeasure for ever-changing cyber-attacks.
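As an added example (not part of the original post), the Python code below shows how a defender could triage alerts against the seven phases without assuming the attacker moves through them in order: it reports, per host, the furthest phase observed, the earlier phases with no alert, and how often activity moved back to an earlier phase. The alert tuples, host names and the `summarize` function are assumptions made for this illustration.

```python
from collections import defaultdict

# The seven phases, in the order this page lists them.
PHASES = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command & Control", "Actions on Objectives",
]
RANK = {name: i for i, name in enumerate(PHASES)}

# Constructed sample alerts (timestamp, host, phase); not real data.
SAMPLE_ALERTS = [
    ("2024-05-02T10:16", "ws-17", "Exploitation"),
    ("2024-05-01T09:00", "ws-17", "Reconnaissance"),
    ("2024-05-02T10:15", "ws-17", "Delivery"),
    ("2024-05-02T11:40", "ws-17", "Command & Control"),
    ("2024-05-03T08:05", "ws-17", "Reconnaissance"),  # attacker backtracks
    ("2024-05-02T14:00", "db-02", "Delivery"),
]

def summarize(alerts):
    """Per host: furthest phase seen, earlier phases never seen, backtracks."""
    by_host = defaultdict(list)
    for ts, host, phase in alerts:
        if phase not in RANK:
            raise ValueError(f"unknown phase: {phase!r}")
        by_host[host].append((ts, RANK[phase]))
    report = {}
    for host, events in by_host.items():
        events.sort()  # ISO-8601 timestamps sort chronologically as strings
        ranks = [rank for _, rank in events]
        furthest = max(ranks)
        seen = set(ranks)
        # No alert for an earlier phase means it was skipped, merged into
        # another step, or missed by detection; all three deserve a look.
        unobserved = [PHASES[i] for i in range(furthest) if i not in seen]
        # A backtrack is an alert in an earlier phase than the one before it.
        backtracks = sum(1 for a, b in zip(ranks, ranks[1:]) if b < a)
        report[host] = {
            "furthest": PHASES[furthest],
            "unobserved": unobserved,
            "backtracks": backtracks,
        }
    return report

if __name__ == "__main__":
    for host, info in sorted(summarize(SAMPLE_ALERTS).items()):
        print(host, info)
```

Response priority follows the furthest phase reached, not the most recent alert: the host `ws-17` ends on a Reconnaissance alert but has already reached Command & Control.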

We hope this helps. If you have any suggestions or doubts, you can add a comment and we will reply as soon as possible.
