Cyber Kill Chain Explained

Derived from the military's kill chain and developed by Lockheed Martin in 2011, the cyber kill chain model lays out the steps in several common cyberattacks and identifies where security teams can prevent, detect, or catch bad actors. This process helps streamline defenses against advanced persistent threats (APTs) and other sophisticated cyberattacks by setting out key stages and the steps to take at those points to minimize access and damage from a breach.

7 Phases of the Cyber Kill Chain

There are 7 key phases in the cyber kill chain. These follow the chronological order of a common cyberattack, helping security teams cut off adversaries and stop them in their tracks. The steps are as follows:

  1. Reconnaissance: Reconnaissance is the phase in which the adversary identifies their target and hunts for weaknesses and vulnerabilities to leverage to gain access to the network. There is a lot of information gathering in this phase, including obtaining email addresses, login credentials, server locations, operating system information, and more that could be useful in social engineering tactics such as phishing. The reconnaissance phase is paramount to an attack's success as typically the more information the adversary gathers up front, the more likely the attack is to be successful and sophisticated.
  2. Weaponization: The weaponization phase is where the attack is planned. The bad actor develops an attack vector, such as ransomware, to gain access to key information and harm the target. During this phase, they may also set up additional entry points into the network in case their original entry point is closed off.
  3. Delivery: The delivery phase is where the plans go into action. During this phase, attackers launch their attack. Response steps will vary in this phase depending on the type of attack the adversary deploys.
  4. Exploitation: Once the breach has occurred, the exploitation phase can take place. This phase involves the deployment of the malicious code in the target network, officially beginning the siege.
  5. Installation: Quickly following the exploitation phase, this is where the code takes hold, and the attacker has the ability to take control. Here, the adversary will ensure the code is rooted in the target network and the gathering of information and blocking of access can begin.
  6. Command and Control (C2): Malicious code can be leveraged to compromise devices and assume greater control in the C2 phase. This also enables lateral movement to gain additional access to further network environments, allowing for more information to be seen and gathered and the creation of additional entry points for potential later use.
  7. Actions on Objectives: Finally, we get to the objective. This is where the adversary carries out the final phase of their mission, whether that be exfiltration, data theft, encryption, file deletion, or any other goal. Once the attacker reaches this step, they are taking the final step to succeed in their mission.

Cyber Kill Chain vs. MITRE ATT&CK

While the cyber kill chain process and the MITRE ATT&CK framework are both models that aid in cybersecurity operations, they have some key differences in how they are approached.

The cyber kill chain is based on a military concept focused on the high-level phases of a cyberattack. The progression through the stages is linear, mapping out traditional intrusions and defensive measures that can be leveraged against them. The cyber kill chain can often be limiting because modern cyberattacks tend not to follow a linear path, instead following a less predictable pattern.

MITRE ATT&CK follows a matrix of attack tactics and techniques and is less linear. This creates a more flexible approach based on a large knowledge base that allows teams to understand where an attacker is, where they're likely going, and how to stop them in their tracks.

The key is to blend both frameworks into your cyber countermeasures. Cyber kill chain is often used to develop defensive strategies, while MITRE ATT&CK is leveraged to stay apprised of the latest tactics and techniques used by bad actors.

Role of the Cyber Kill Chain in Security Operations Centers (SOCs)

Cyber kill chain serves as a fantastic guide for security teams to build out their operational processes. Using the steps outlined in the model, teams can map out the steps they should take in order to keep networks secure or to minimize damage should a breach occur. The resulting processes let teams cut off adversaries at whatever stage of the attack they have reached, leading to more successful hunting and ousting of adversaries.

Critiques and Evolution of the Cyber Kill Chain

The cyber kill chain helps guide teams effectively, but it is not without its critiques. It is often seen as too linear, making it seem dated compared to today's sophisticated cyberattacks. Many attacks follow different paths from what the cyber kill chain lays out, with many combining steps into single actions, repeating or skipping steps, or going out of order, making the rigidity of the cyber kill chain restrictive. It also does not go into the specific tactics of an attack, which are rapidly evolving, and instead focuses on the broad, top-level steps along the process of a common attack.
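The SOC mapping and the linearity critique above can be seen together in a small triage script. This is an added example, not code from the original page or from any vendor. The alert records, host names, and the analyst-assigned phase labels are constructed for illustration.

```python
from collections import defaultdict

# The seven phases in the order the page lists them.
PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and Control", "Actions on Objectives"]
INDEX = {name: i for i, name in enumerate(PHASES)}

# Constructed sample alerts: (ISO timestamp, host, phase assigned by an analyst).
ALERTS = [
    ("2024-05-01T09:02:00", "ws-17", "Delivery"),
    ("2024-05-01T09:03:10", "ws-17", "Exploitation"),
    ("2024-05-01T09:20:45", "ws-17", "Command and Control"),
    ("2024-05-01T10:05:00", "ws-17", "Reconnaissance"),
    ("2024-05-01T10:40:30", "ws-17", "Actions on Objectives"),
    ("2024-05-01T11:00:00", "db-02", "Command and Control"),
]

def analyze(alerts):
    """Per host: first phase detected, deepest phase reached, phases with
    no alert, and transitions that move backwards in the chain."""
    by_host = defaultdict(list)
    for ts, host, phase in sorted(alerts):  # ISO timestamps sort chronologically
        if phase not in INDEX:
            raise ValueError(f"unknown phase: {phase!r}")
        by_host[host].append(phase)
    report = {}
    for host, seq in by_host.items():
        seen = set(seq)
        deepest = max(INDEX[p] for p in seq)
        report[host] = {
            "first_detected": seq[0],
            "deepest": PHASES[deepest],
            # Phases up to the deepest one with no alert: skipped or undetected.
            "gaps": [p for p in PHASES[:deepest + 1] if p not in seen],
            # Backward steps, which a strictly linear model does not expect.
            "regressions": [(a, b) for a, b in zip(seq, seq[1:])
                            if INDEX[b] < INDEX[a]],
        }
    return report

if __name__ == "__main__":
    for host, r in analyze(ALERTS).items():
        print(host, r)
```

A host whose first alert is already late in the chain, or whose sequence contains regressions, is where the linear model stops describing the intrusion and per-technique analysis has to take over.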

Over time, as cyber threats have become more sophisticated and diversified, the cyber kill chain has also evolved to meet these challenges. One of the notable updates is the introduction of an eighth step known as "Monetization," where cybercriminals focus on profiting from their exploitation by selling stolen data, demanding ransoms, or misusing obtained information directly. This addition highlights the endgame for many attackers, providing a more comprehensive view of their intentions.

Moreover, the cyber kill chain has adapted to better counteract insider threats, recognizing that potential attackers could be within the organization itself. This shift also includes a deeper understanding and anticipation of phishing and other social engineering tactics, which have become prevalent in modern cyberattacks. Additionally, the model now accounts for advanced ransomware attacks, which often involve a combination of techniques and strategies to achieve their malicious goals. By incorporating these updates, the cyber kill chain remains a relevant and useful framework for cybersecurity teams to develop robust defense strategies.

How NETSCOUT Helps

Omnis Network Security has been developed to map to MITRE ATT&CK tactics while also aiding in cyber kill chain processes. Omnis Cyber Intelligence (OCI), the cornerstone product of our NDR solution, is designed to help identify and stop adversaries where they are in the network thanks to unmatched comprehensive network visibility that provides the necessary information to detect threats before they become breaches. Using advanced metadata derived from packets, OCI proves that the only place adversaries cannot hide is on the network.