Cyber Kill Chain: 7 Phases, Pros/Cons, and Kill Chain vs. MITRE

What Is the Lockheed Martin Cyber Kill Chain? 

The Cyber Kill Chain is a framework developed by Lockheed Martin, an aerospace and defense manufacturer, to outline the typical stages of a cyber attack. This model helps organizations understand the process that attackers follow to achieve their goals, allowing for better identification, prevention, and response to threats. 

Amit Sheps
July 3, 2024

The Cyber Kill Chain is composed of seven phases, each representing a stage of the attack lifecycle, from initial reconnaissance to the attacker's final actions on objectives, such as exfiltrating data. By dissecting an attack into these discrete steps, defenders can develop targeted controls to disrupt the attack at each stage and improve their overall security posture.

This is part of a series of articles about application security

How Does the Cyber Kill Chain Protect Against Attacks? 

The Cyber Kill Chain protects against attacks by providing a structured approach to understanding and countering the tactics, techniques, and procedures (TTPs) used by adversaries. By breaking an attack into its constituent phases, organizations can map specific security controls to each stage. For example:

  • During the reconnaissance phase, monitoring for scanning activity and consuming threat intelligence can reveal attempts to gather information about the organization, and reducing the organization's public footprint limits what an attacker can learn.
  • In the delivery phase, mail and web filtering, strong authentication, and timely patch management can stop the payload from reaching the target or prevent attackers from gaining initial access.
  • During exploitation, intrusion prevention systems, exploit mitigations, and application allowlisting can stop the delivered payload from executing.

By focusing on each phase of the Cyber Kill Chain, organizations can develop a layered security strategy that anticipates and disrupts attacks before they achieve their objectives. The model's central insight is that the attacker must complete every phase to succeed, so a defender who reliably breaks any single link stops the intrusion; detecting and mitigating an attack at several phases adds depth, and the indicators collected at each phase strengthen the organization's resilience against future campaigns.

The Cyber Kill Chain Process and Phases 

1. Reconnaissance 

Reconnaissance is the initial phase of the cyber kill chain, where attackers gather information about their target to plan their attack. This stage involves collecting data on vulnerabilities, network defenses, and potential entry points. Attackers may use various techniques such as social engineering, public information searches, and network scanning to accumulate valuable intelligence.

This gathered information enables attackers to tailor their approach, select tools, and devise the strategy most likely to compromise the target. Effective defense against reconnaissance requires limiting what the organization exposes publicly (unnecessary open ports, verbose error pages, staff details in public profiles), employee awareness training, and monitoring for the scanning and probing that indicate active reconnaissance in progress. 
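As an added example that is not part of the original article, the following Python script implements the kind of reconnaissance monitoring described above: it reads firewall or flow log lines in a constructed format and flags a source that probes many ports on one host (a vertical scan) or one port across many hosts (a horizontal scan) within a short window. The log format, the sample lines, the window and the thresholds are all assumptions for illustration.

```python
"""Flag scanning activity, a common reconnaissance signal, in flow logs.

Added example, not from the article. The log format is a constructed one:
"<ISO timestamp> <src_ip> <dst_ip> <dst_port> <action>". The window and
thresholds are illustrative assumptions; tune them to your environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.5 walks the ports of one server (vertical
# scan), 198.51.100.7 sweeps port 445 across the subnet (horizontal scan),
# and 10.0.0.50 is a normal client talking to two web servers.
SAMPLE_LOG = """\
2024-07-01T10:00:00Z 203.0.113.5 10.0.0.12 21 DENY
2024-07-01T10:00:00Z 203.0.113.5 10.0.0.12 22 ALLOW
2024-07-01T10:00:01Z 203.0.113.5 10.0.0.12 23 DENY
2024-07-01T10:00:01Z 203.0.113.5 10.0.0.12 25 DENY
2024-07-01T10:00:02Z 203.0.113.5 10.0.0.12 80 ALLOW
2024-07-01T10:00:02Z 203.0.113.5 10.0.0.12 443 ALLOW
2024-07-01T10:05:00Z 198.51.100.7 10.0.0.1 445 DENY
2024-07-01T10:05:00Z 198.51.100.7 10.0.0.2 445 DENY
2024-07-01T10:05:01Z 198.51.100.7 10.0.0.3 445 DENY
2024-07-01T10:05:01Z 198.51.100.7 10.0.0.4 445 DENY
2024-07-01T10:05:02Z 198.51.100.7 10.0.0.5 445 DENY
2024-07-01T10:05:02Z 198.51.100.7 10.0.0.6 445 DENY
2024-07-01T10:10:00Z 10.0.0.50 10.0.0.12 443 ALLOW
2024-07-01T10:10:05Z 10.0.0.50 10.0.0.13 443 ALLOW
2024-07-01T10:10:09Z 10.0.0.50 10.0.0.12 443 ALLOW
"""

WINDOW = timedelta(seconds=60)
PORT_THRESHOLD = 5   # distinct ports on one host within WINDOW
HOST_THRESHOLD = 5   # distinct hosts on one port within WINDOW


def parse_line(line):
    """Parse one log line into a dict; raises ValueError on malformed input."""
    ts, src, dst, port, action = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": src,
        "dst": dst,
        "port": int(port),
        "action": action,
    }


def detect_scans(lines, window=WINDOW, port_threshold=PORT_THRESHOLD,
                 host_threshold=HOST_THRESHOLD):
    """Return scan findings as a list of dicts, one per (src, kind, target).

    Denied and allowed connections both count: a scanner learns as much
    from an open port as from a closed one.
    """
    events = sorted((parse_line(l) for l in lines if l.strip()),
                    key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        start = 0
        for end, ev in enumerate(evs):
            # Slide the window so it spans at most `window` of this source's events.
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            ports_by_dst = defaultdict(set)
            dsts_by_port = defaultdict(set)
            for w in evs[start:end + 1]:
                ports_by_dst[w["dst"]].add(w["port"])
                dsts_by_port[w["port"]].add(w["dst"])
            for dst, ports in ports_by_dst.items():
                if len(ports) >= port_threshold:
                    key = (src, "vertical_scan", dst)
                    findings[key] = max(findings.get(key, 0), len(ports))
            for port, dsts in dsts_by_port.items():
                if len(dsts) >= host_threshold:
                    key = (src, "horizontal_scan", port)
                    findings[key] = max(findings.get(key, 0), len(dsts))

    return [
        {"src": src, "kind": kind, "target": target, "count": count}
        for (src, kind, target), count in sorted(
            findings.items(), key=lambda kv: (kv[0][0], kv[0][1], str(kv[0][2])))
    ]


if __name__ == "__main__":
    for finding in detect_scans(SAMPLE_LOG.splitlines()):
        print(finding)
```

Run against the sample it reports a vertical scan of six ports on 10.0.0.12 from 203.0.113.5 and a horizontal sweep of port 445 across six hosts from 198.51.100.7, while the ordinary client is silent. In production, slow scans that spread a few probes per hour will slip under a 60-second window, so it is worth keeping a second, longer window with lower thresholds.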

2. Weaponization 

Weaponization involves the attacker creating or repurposing a payload, such as a remote access trojan embedded in a document or installer, tailored to the vulnerabilities identified during reconnaissance. This step couples the malicious payload with an exploit into a deliverable format, for example a PDF or Office file, that will run on the victim's system. The weapon is built to survive delivery and execute on the target without detection.

Weaponization happens entirely on the attacker's side, so defenders rarely observe it directly. Its defensive value comes after the fact: analysing delivered payloads reveals the tooling and build artifacts (document templates, packers, reused infrastructure) that an adversary carries from one campaign to the next, and those become durable detection indicators. Regular patching, a vulnerability management program, and threat intelligence also shrink the set of vulnerabilities worth weaponizing against the organization. 

3. Delivery 

Delivery is the phase where the attacker transmits the weaponized payload to the target, typically as an email attachment, a link to a malicious or compromised website, or a removable drive, or by pushing it directly at an exposed network service. The goal is to get the payload onto a system where it can execute. Defenses against delivery include mail filtering and attachment sandboxing, web security gateways, and intrusion detection systems that identify and block malicious transmissions.

In this stage, attackers may employ tactics like phishing or exploiting vulnerabilities in public-facing applications to deliver their payload. Organizations should train employees to recognize phishing attempts and maintain a robust patch management process for internet-facing systems. Doing so reduces the chance of a successful delivery and breaks the chain before the attacker has any code running inside the environment. 
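The attachment checks a mail gateway applies at the delivery phase, as an added example that is not part of the original article: the script below flags dangerous and double extensions, a declared extension that disagrees with the file's magic bytes (an executable renamed to .pdf), and an Office document that carries a VBA macro project. The extension lists and the in-memory sample attachments are constructed for illustration; a real gateway would combine these checks with sandbox detonation.

```python
"""Triage email attachments at the delivery phase.

Added example, not from the article. Three checks a mail gateway commonly
applies: a dangerous or double extension, a declared extension that
disagrees with the file's magic bytes, and an Office document that carries
a VBA macro project. All sample attachments are constructed in memory.
"""
import io
import zipfile

DANGEROUS_EXTENSIONS = {"exe", "scr", "js", "vbs", "hta", "lnk", "bat", "cmd", "ps1", "iso", "img"}
# Document-looking extensions attackers place in front of the real executable extension.
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
# Leading bytes expected for a given declared extension (illustrative subset).
MAGIC = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "exe": b"MZ",
    "docx": b"PK\x03\x04", "docm": b"PK\x03\x04", "xlsx": b"PK\x03\x04", "xlsm": b"PK\x03\x04",
}


def has_vba_project(data):
    """True if an OOXML (zip-based) document contains a VBA macro project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename, data):
    """Return a list of reasons to block or sandbox the attachment; empty means clean."""
    reasons = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in DANGEROUS_EXTENSIONS:
        reasons.append(f"dangerous extension .{ext}")
    if len(parts) > 2 and parts[-2] in DECOY_EXTENSIONS:
        reasons.append(f"double extension .{parts[-2]}.{ext}")
    expected = MAGIC.get(ext)
    if expected and not data.startswith(expected):
        reasons.append(f"content does not match a .{ext} file header")
    if data.startswith(b"MZ") and ext not in {"exe", "dll"}:
        reasons.append("PE executable disguised with a non-executable extension")
    if data.startswith(b"PK\x03\x04") and has_vba_project(data):
        reasons.append("Office document contains a VBA macro project")
    return reasons


def make_ooxml(with_macro):
    """Build a minimal OOXML container in memory (constructed, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0constructed")
    return buf.getvalue()


# Constructed sample attachments: one clean PDF, a classic double-extension
# executable, an executable renamed to .pdf, a macro-free docx and a docm.
SAMPLE_ATTACHMENTS = {
    "invoice.pdf": b"%PDF-1.7\n%constructed sample\n",
    "invoice.pdf.exe": b"MZ\x90\x00constructed",
    "report.pdf": b"MZ\x90\x00constructed",
    "quarterly.docx": make_ooxml(with_macro=False),
    "quarterly.docm": make_ooxml(with_macro=True),
}


if __name__ == "__main__":
    for name, blob in SAMPLE_ATTACHMENTS.items():
        print(name, triage_attachment(name, blob) or "clean")
```

The magic-byte comparison is the check that catches renamed executables no extension list can; the macro check flags every macro-bearing document, which is the usual gateway policy, with legitimate senders handled by an allowlist rather than by weakening the rule.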

4. Exploitation 

Exploitation occurs when the delivered payload activates on the victim's system, either by exploiting a software vulnerability or by persuading the user to run it (enabling a macro, opening a shortcut file). This phase marks the first execution of attacker-controlled code on the target and gives the attacker a foothold. It often leverages vulnerabilities that have not been patched, or that are unknown to the vendor (zero-days).

Successful exploitation enables the next steps, such as installing malware or stealing credentials. Defenses include rigorous patch management, application allowlisting, exploit mitigations such as DEP and ASLR, and intrusion prevention systems that detect and block attempts to exploit known vulnerabilities. 

5. Installation 

During the installation phase, attackers establish their presence on the victim’s system by installing malware or other malicious tools. This step is crucial for maintaining control over the compromised system and executing further malicious activities. The malware installed can take various forms, including backdoors, keyloggers, or ransomware, depending on the attacker’s objectives.

To counter installation, organizations need endpoint detection and response (EDR) alongside antivirus, capable of spotting and removing unauthorized software, and should monitor the persistence mechanisms malware relies on: new services, scheduled tasks, autorun registry keys, and modified startup scripts. Regular scans and updates, coupled with user education on safe computing practices, reduce the risk of a successful installation. 

6. Command and Control 

Command and Control (C2) is the stage where attackers establish a communication channel with the compromised system to control it remotely. This allows them to issue commands, exfiltrate data, or deploy additional tools. The implant typically calls out to attacker-controlled servers, often over HTTPS or DNS so that it blends into ordinary traffic, and often on a fixed schedule (beaconing). Detecting and disrupting this channel severs the attacker's control over the compromised system.

To defend against C2, organizations must monitor outbound traffic for unusual patterns: periodic connections to rarely seen destinations, traffic to newly registered domains, or long-lived sessions to unexpected hosts. Egress filtering that allows only approved destinations, and network segmentation that limits lateral movement, both reduce the impact of a compromised host. Intrusion detection systems and regularly updated firewall and proxy rules help identify and block unauthorized communications. 
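Beaconing detection, the network-monitoring pattern referred to above, as an added example that is not part of the original article: the script groups a constructed connection log by (source, destination), measures how regular the gaps between connections are, and reports pairs whose intervals are too even to be human. The log format, sample lines and thresholds are assumptions for illustration.

```python
"""Detect beaconing, the periodic call-home that betrays many C2 channels.

Added example, not from the article. Input is a constructed connection log:
"<ISO timestamp> <src_ip> <dst_host>". For each (src, dst) pair seen often
enough, the script measures how regular the gaps between connections are;
a low coefficient of variation (stdev / mean) means a timer, not a human.
Thresholds are illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, stdev

# Constructed sample: 10.0.0.23 calls cdn-update.example.net about once a
# minute with slight jitter (an implant), browses www.example.com at human
# irregular intervals, and 10.0.0.31 checks mail twice.
SAMPLE_LOG = """\
2024-07-01T10:00:00Z 10.0.0.23 cdn-update.example.net
2024-07-01T10:01:00Z 10.0.0.23 cdn-update.example.net
2024-07-01T10:02:01Z 10.0.0.23 cdn-update.example.net
2024-07-01T10:02:59Z 10.0.0.23 cdn-update.example.net
2024-07-01T10:04:00Z 10.0.0.23 cdn-update.example.net
2024-07-01T10:05:01Z 10.0.0.23 cdn-update.example.net
2024-07-01T10:06:00Z 10.0.0.23 cdn-update.example.net
2024-07-01T10:06:59Z 10.0.0.23 cdn-update.example.net
2024-07-01T10:00:00Z 10.0.0.23 www.example.com
2024-07-01T10:00:05Z 10.0.0.23 www.example.com
2024-07-01T10:00:45Z 10.0.0.23 www.example.com
2024-07-01T10:00:46Z 10.0.0.23 www.example.com
2024-07-01T10:04:06Z 10.0.0.23 www.example.com
2024-07-01T10:04:36Z 10.0.0.23 www.example.com
2024-07-01T10:19:36Z 10.0.0.23 www.example.com
2024-07-01T10:00:00Z 10.0.0.31 mail.example.com
2024-07-01T10:30:00Z 10.0.0.31 mail.example.com
"""

MIN_CONNECTIONS = 6   # fewer than this and the interval statistics mean little
MAX_CV = 0.2          # allow some jitter: real implants randomise the sleep a little


def parse_line(line):
    """Parse one constructed log line into (timestamp, src, dst)."""
    ts, src, dst = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst


def detect_beacons(lines, min_connections=MIN_CONNECTIONS, max_cv=MAX_CV):
    """Return one finding per (src, dst) pair whose connection intervals are regular."""
    by_pair = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, src, dst = parse_line(line)
            by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        # Gaps between consecutive connections, in seconds.
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(intervals)
        if avg == 0:
            continue
        cv = stdev(intervals) / avg   # coefficient of variation: 0 means a perfect timer
        if cv <= max_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "connections": len(stamps),
                "mean_interval": round(avg, 1),
                "cv": round(cv, 3),
            })
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for finding in detect_beacons(SAMPLE_LOG.splitlines()):
        print(finding)
```

On the sample only the cdn-update.example.net pair is reported, with a mean interval near 60 seconds and a coefficient of variation around 0.02; the browsing pair has the same number of connections but a coefficient well above 1. Regularity alone also matches legitimate schedulers such as NTP and update checks, so in practice this score is combined with how rare the destination is across the fleet and how uniform the request sizes are.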

7. Actions on Objectives

Actions on Objectives is the final phase in the Cyber Kill Chain, where attackers achieve their primary goal, be it data exfiltration, destruction of data, or establishing a long-term presence in the target's network for espionage. At this stage the attacker has passed every preceding control and executes the actions the intrusion was for: encrypting critical files in a ransomware attack, extracting sensitive information, or creating backdoors for future access. This phase is often the longest, since intruders may spend weeks moving laterally and escalating privileges before the visible objective is carried out.

To defend against these actions, organizations need threat detection and response capabilities that identify and contain the attacker before significant damage is done. Continuous monitoring for unauthorized access, unusual data movement, and other anomalies is crucial, and a rehearsed incident response process that can quickly isolate affected systems and remediate the intrusion limits the impact and shortens recovery.

Cyber Kill Chain vs. MITRE ATT&CK Framework 

The Cyber Kill Chain and the MITRE ATT&CK framework are both widely used in cybersecurity to understand and combat cyber threats, but they have different focuses and applications.

The Cyber Kill Chain is process-oriented, providing a linear progression of the stages of an attack. It is useful for mapping traditional step-by-step intrusions and for deciding which countermeasure applies at each stage.

The MITRE ATT&CK framework is a more detailed and flexible matrix that catalogs adversary tactics (the goal behind an action, such as persistence or lateral movement) and the specific techniques used to achieve them, drawn from observed real-world intrusions. Because techniques can be employed at almost any point during an attack, the matrix adapts to a wider range of scenarios and attack patterns, and its technique identifiers give defenders a shared vocabulary for detections and threat reports.

While the Cyber Kill Chain helps in understanding the broader stages of an attack, the MITRE ATT&CK framework offers a granular view of the specific actions attackers might take. Combining both can provide a robust defense strategy: the Cyber Kill Chain for overarching strategic planning and the MITRE ATT&CK framework for detailed, tactical responses to threats.

The Limitations of the Cyber Kill Chain 

The Cyber Kill Chain is a respected and widely-used security model, but it’s important to be aware of its limitations.

Limited Attack Detection Profile

The model was built around malware-based intrusions that arrive through the perimeter, and most of its detail sits in the pre-compromise phases. Everything an attacker does after gaining a foothold, from credential theft to lateral movement to privilege escalation, is compressed into the last two steps, and attacks that never follow the linear progression (credential stuffing against a cloud service, abuse of a trusted third party) fit the chain poorly. This can leave gaps where non-traditional or less structured attacks go unnoticed.

To adapt, organizations must implement more holistic detection that considers a broader range of attack vectors and behaviours, especially post-compromise activity such as credential use, lateral movement and data staging, and that incorporates intelligence from multiple sources to anticipate and respond to threats more dynamically.

Insufficient Focus on Insider Threats

The model largely overlooks insider threats, since it assumes the attack originates outside the network and must pass through reconnaissance, delivery and exploitation to get in. A malicious or negligent insider already has legitimate access and can cause significant damage without touching any of the early phases the Cyber Kill Chain is built to interrupt.

Enhanced internal controls, least-privilege access, user and entity behavior analytics, and consistent policy enforcement are necessary to mitigate this often-overlooked risk and secure the network against both external and internal threats.

Not Flexible

The Cyber Kill Chain model is rigid, designed around one sequence of steps. Many modern intrusions skip phases: an attacker with stolen credentials logs in through a VPN or cloud console and proceeds straight to actions on objectives without weaponization, exploitation or installation. Modern attack vectors are increasingly varied and adaptive and do not always fit the predefined chain, which makes it harder to update defenses against new or changing threats.

To overcome these limitations, pair the Cyber Kill Chain with a framework that allows more flexibility, such as MITRE ATT&CK, whose technique-level view covers the post-compromise behaviour the chain compresses and the credential-based entries it omits, giving a more effective stance against a continuously evolving threat landscape.

Amit Sheps
Amit is the Director of Technical Product Marketing at Aqua. With an illustrious career spanning renowned companies such as CyberX (acquired by Microsoft) and F5, he has played an instrumental role in fortifying manufacturing floors and telecom networks. Focused on product management and marketing, Amit's expertise lies in the art of transforming applications into cloud-native powerhouses. Amit is an avid runner who relishes the tranquility of early morning runs. You may very well spot him traversing the urban landscape, reveling in the quietude of the city streets before the world awakes.