What Is the Cyber Kill Chain and How It Can Protect Against Attacks

By Pratik Dholakiya
Published 03/22/2021

Cybersecurity is one of the top issues that organizations are battling with every day. In fact, according to Accenture, 68% of business leaders say that their cybersecurity risks are increasing.

Ignoring cybersecurity is proving to be one of the most expensive mistakes an organization can make: the average cost of cybercrime has risen by 72% over the past 5 years.

Cybersecurity risk can never be eliminated entirely. Hence, having defense strategies in place is the best available way of mitigating it.

A layered security approach can minimize the risks. But how do you ensure that your defenses are strong enough to withstand an attack on your organization? This is where the cyber kill chain has a role to play.

In this article, let’s find out what a cyber kill chain is and how businesses can use it to protect themselves from attacks.


What is a Cyber Kill Chain?

The cyber kill chain is a cybersecurity model created by Lockheed Martin that traces the stages of a cyber-attack, identifies where the attacker is vulnerable, and helps security teams stop the attack at every stage of the chain.

The term kill chain is adopted from the military, where it describes the structure of an attack: identifying a target, dispatching forces to it, deciding on and ordering the attack, and finally destroying the target.


How does the Cyber Kill Chain Work?

The cyber kill chain consists of 7 distinct steps:

    1. Reconnaissance

The attacker collects data about the target and plans the tactics for the attack. This includes harvesting email addresses and gathering other information about the organization.

Intruders use automated scanners to find weak points in the system. This includes scanning firewalls, intrusion prevention systems, etc., to find a point of entry for the attack.

    2. Weaponization

Attackers develop malware that leverages the security vulnerabilities they found. The malware is engineered to suit their needs and the intention of the attack. This stage also involves attackers trying to reduce the chance of being detected by the security solutions the organization has in place.

    3. Delivery

The attacker delivers the weaponized malware via a phishing email or some other medium. The most common delivery vectors for weaponized payloads are websites, removable disks, and email. This is the most important stage at which security teams can stop the attack.

    4. Exploitation

The malicious code runs inside the organization’s system; the perimeter has been breached. The attackers now get the opportunity to exploit the organization’s systems by installing tools, running scripts, and modifying security certificates.

Most often, vulnerabilities in an application or in the operating system are targeted. Examples of exploitation techniques are scripting, dynamic data exchange, and local job scheduling.

    5. Installation

The malware installs a backdoor or remote access trojan that gives the intruder persistent access. This is another important stage at which the attack can be stopped, using systems such as a HIPS (Host-based Intrusion Prevention System).

    6. Command and Control

The attacker gains control over the organization’s systems and network. Attackers gain access to privileged accounts, attempt brute-force attacks, search for credentials, and change permissions in order to take over control.

    7. Actions on Objectives

The attacker finally extracts the data from the system. The objective involves gathering, encrypting, and exfiltrating confidential information from the organization’s environment.

Across these stages, defenders can apply the following layers of control:

      1. Detect – Determine when someone is attempting to penetrate the organization.
      2. Deny – Stop the attack while it is happening.
      3. Disrupt – Intervene in the attacker’s data communication and stop it.
      4. Degrade – Limit the effectiveness of the attack so as to minimize its ill effects.
      5. Deceive – Mislead the attacker by feeding them misinformation or misdirecting them.
      6. Contain – Limit the scope of the attack so that it is restricted to only part of the organization.

The following security controls can be used to counter the attack at the various stages of the kill chain, according to Orion Cassetto of Exabeam:

    1. Reconnaissance

Detect: Web Analytics; Threat Intelligence; Network Intrusion Detection System

Deny: Information Sharing Policy; Firewall Access Control Lists

    2. Weaponization

Detect: Threat Intelligence; Network Intrusion Detection System

Deny: Network Intrusion Prevention System

    3. Delivery

Detect: Endpoint Malware Protection

Deny: Change Management; Application Whitelisting; Proxy Filter; Host-Based Intrusion Prevention System

Disrupt: Inline Anti-Virus

Degrade: Queuing

Contain: Router Access Control Lists; App-aware Firewall; Trust Zones; Inter-zone Network Intrusion Detection System

    4. Exploitation

Detect: Endpoint Malware Protection; Host-Based Intrusion Detection System

Deny: Secure Password; Patch Management

Disrupt: Data Execution Prevention

Contain: App-aware Firewall; Trust Zones; Inter-zone Network Intrusion Detection System

    5. Installation

Detect: Security Information and Event Management (SIEM); Host-Based Intrusion Detection System

Deny: Privilege Separation; Strong Passwords; Two-Factor Authentication

Disrupt: Router Access Control Lists

Contain: App-aware Firewall; Trust Zones; Inter-zone Network Intrusion Detection System

    6. Command & Control

Detect: Network Intrusion Detection System; Host-Based Intrusion Detection System

Deny: Firewall Access Control Lists; Network Segmentation

Disrupt: Host-Based Intrusion Prevention System

Degrade: Tarpit

Deceive: Domain Name System Redirect

Contain: Trust Zones; Domain Name System Sinkholes


    7. Actions on Objectives

Detect: Endpoint Malware Protection

Deny: Data-at-Rest Encryption

Disrupt: Endpoint Malware Protection

Degrade: Quality of Service

Deceive: Honeypot

Contain: Incident Response

    8. Exfiltration

Detect: Data Loss Prevention; Security Information and Event Management (SIEM)

Deny: Egress Filtering

Disrupt: Data Loss Prevention

Contain: Firewall Access Control Lists
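Putting the matrix above to use, as an added example that is not part of the article nor of the Lockheed Martin or Exabeam material: a small Python script that correlates SIEM-style alerts per host, orders the observed phases along the kill chain, flags earlier phases that produced no alert (a visibility gap to close with that phase’s Detect controls), and names the Deny controls of the next phase, i.e. where to break the chain before it progresses. The alert line format, the rule names and the sample alert lines are constructed for this example; the control names are the article’s, abbreviated (IDS, IPS, ACLs).

```python
"""Correlating SIEM-style alerts against the Cyber Kill Chain.

Added example, not from the article or from Lockheed Martin / Exabeam.
The 'ts host= rule=' line format, the rule names and SAMPLE_ALERTS are
constructed; control names follow the article's matrix, abbreviated.
"""
import re
from collections import defaultdict

PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and Control", "Actions on Objectives",
          "Exfiltration"]
PHASE_INDEX = {p: i for i, p in enumerate(PHASES)}

# Detect and Deny courses of action per phase, as listed in the article.
COURSES_OF_ACTION = {
    "Reconnaissance": {"Detect": ["Web Analytics", "Threat Intelligence", "Network IDS"],
                       "Deny": ["Information Sharing Policy", "Firewall ACLs"]},
    "Weaponization": {"Detect": ["Threat Intelligence", "Network IDS"],
                      "Deny": ["Network IPS"]},
    "Delivery": {"Detect": ["Endpoint Malware Protection"],
                 "Deny": ["Change Management", "Application Whitelisting",
                          "Proxy Filter", "Host-Based IPS"]},
    "Exploitation": {"Detect": ["Endpoint Malware Protection", "Host-Based IDS"],
                     "Deny": ["Secure Password", "Patch Management"]},
    "Installation": {"Detect": ["SIEM", "Host-Based IDS"],
                     "Deny": ["Privilege Separation", "Strong Passwords",
                              "Two-Factor Authentication"]},
    "Command and Control": {"Detect": ["Network IDS", "Host-Based IDS"],
                            "Deny": ["Firewall ACLs", "Network Segmentation"]},
    "Actions on Objectives": {"Detect": ["Endpoint Malware Protection"],
                              "Deny": ["Data-at-Rest Encryption"]},
    "Exfiltration": {"Detect": ["Data Loss Prevention", "SIEM"],
                     "Deny": ["Egress Filtering"]},
}

# Hypothetical detection-rule names mapped to the phase each one evidences.
RULE_TO_PHASE = {
    "external_port_scan": "Reconnaissance",
    "phishing_attachment": "Delivery",
    "office_macro_spawned_shell": "Exploitation",
    "new_service_persistence": "Installation",
    "beacon_to_known_c2": "Command and Control",
    "large_outbound_transfer": "Exfiltration",
}

ALERT_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+rule=(?P<rule>\S+)")

# Constructed sample: one workstation shows three phases of an intrusion, one
# web server shows only scanning, and two lines are noise that must be ignored.
SAMPLE_ALERTS = [
    "2021-03-22T09:58:10Z host=ws-17 rule=phishing_attachment",
    "2021-03-22T09:59:02Z host=ws-17 rule=office_macro_spawned_shell",
    "2021-03-22T10:04:41Z host=ws-17 rule=beacon_to_known_c2",
    "2021-03-22T10:05:00Z host=ws-17 rule=unmapped_rule",
    "2021-03-22T10:12:33Z host=web-01 rule=external_port_scan",
    "this line is not an alert at all",
]


def parse_alert(line):
    """Return (ts, host, phase) for a recognised alert line, else None."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    phase = RULE_TO_PHASE.get(m.group("rule"))
    if phase is None:
        return None
    return m.group("ts"), m.group("host"), phase


def correlate(lines):
    """Group alerts by host; return the phases seen per host in kill-chain order."""
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_alert(line)
        if parsed:
            _, host, phase = parsed
            seen[host].add(phase)
    return {h: sorted(p, key=lambda x: PHASE_INDEX[x]) for h, p in seen.items()}


def assess(phases_seen):
    """For one host: how far the chain progressed, which earlier phases went
    undetected (a visibility gap), and which Deny controls would break the chain
    at the next phase. Weaponization happens on the attacker's side, so it is
    never counted as a gap."""
    furthest = max(PHASE_INDEX[p] for p in phases_seen)
    gaps = [PHASES[i] for i in range(furthest)
            if PHASES[i] not in phases_seen and PHASES[i] != "Weaponization"]
    next_phase = PHASES[furthest + 1] if furthest + 1 < len(PHASES) else None
    return {
        "furthest_phase": PHASES[furthest],
        "undetected_phases": gaps,
        "missed_detection_controls": {g: COURSES_OF_ACTION[g]["Detect"] for g in gaps},
        "next_phase": next_phase,
        "break_chain_with": COURSES_OF_ACTION[next_phase]["Deny"] if next_phase else [],
    }


if __name__ == "__main__":
    for host, phases in correlate(SAMPLE_ALERTS).items():
        print(host, assess(phases))
```

For the sample data, ws-17 is assessed as having reached Command and Control with Reconnaissance and Installation never alerted on, and the Deny controls to apply next are those of Actions on Objectives; web-01 only shows Reconnaissance. The gap list is the practical output: a phase the attacker must have passed through without a single alert points at a Detect control that is missing or mis-tuned.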


How can Cyber Kill Chain Protect Against Attacks?

A cyber kill chain or cyber-attack simulation platform lets organizations identify and close the security gaps in their systems within seconds.

Here’s how simulating a cyber kill chain can protect against cybersecurity attacks:

    1. Simulate Cybersecurity Attacks

Real cybersecurity attacks can be simulated across all vectors to find vulnerabilities and threats. This includes simulating cyber-attacks through email gateways, web gateways, web application firewalls, and similar vectors.

    2. Evaluate the Controls to Identify Security Gaps

This involves evaluating the simulations and identifying the areas of risk. Simulation platforms give you a detailed risk score and report for every vector.

    3. Remediate and Fix the Cybersecurity Gaps

The next step is to fix the security gaps identified in the previous step. This may include installing patches and changing configurations to reduce the number of threats and vulnerabilities in the organization’s system.


Final Thoughts

Leaving cybersecurity vulnerabilities open to attack is one of the most common mistakes organizations make today. Continuous security validation across the cyber kill chain can help companies identify, prevent, stop, and prepare for such attacks.


About the Author

Pratik Dholakiya is the founder of Growfusely, a content marketing agency specializing in content and data-driven SEO. He regularly speaks at various conferences about SEO, Content Marketing, and Entrepreneurship. Pratik has spoken at the 80th Annual Conference of the Florida Public Relations Association, Accounting and Finance Show, Singapore, NextBigWhat’s UnPluggd, IIT-Bombay, SMX Israel, SEMrush Meetup, MICA, IIT-Roorkee, and other major events. As a passionate SEO and content marketer, he shares his thoughts and knowledge in publications like Search Engine Land, Search Engine Journal, Entrepreneur Magazine, Fast Company, The Next Web, YourStory, and Inc42, to name a few.