
Cyber Kill Chain: A Guide to Advanced Targeted Attacks

July 28, 2022


Contributed by Edward Schmitt, Cybersecurity Analyst, DOT Security

A cyber kill chain may sound deadly, but it is actually a model designed to help keep businesses safe from attacks through monitoring, learning, and execution. This guide explains what a cyber kill chain is and how cybersecurity professionals use it to keep businesses protected from cyberthreats.

Cybersecurity professionals may use a cyber kill chain to better analyze and understand the battle against cyberattacks, security breaches, and advanced persistent threats.

There are several steps within the cyber kill chain model that emphasize linear progression within a target. Since its creation, the kill chain has evolved to help cybersecurity professionals better anticipate and recognize insider threats, social engineering, advanced ransomware, and innovative attacks, as well as categorize and understand new zero-days as they occur in the wild.

The cyber kill chain model is modeled on a military kill chain, which breaks detecting and preventing hostile operations down into a step-by-step process. The cyber kill chain was first established by Lockheed Martin in 2011 and illustrates the phases common to many conventional cyberattacks. This empowers cybersecurity teams to identify the areas of attack and to impede, or even actively intercept, threats.

Several cyber kill chain frameworks have been established since the inception of the Lockheed Martin cyber kill chain, including the Cyber Defense and Military F2T2EA cyber kill chain, the FireEye cyber kill chain, and the MITRE ATT&CK framework.

Stages of a Cyber Kill Chain

Within the Lockheed Martin cyber kill chain, each stage corresponds to a particular type of malicious activity in a cyberattack, and the stages follow the linear process a threat actor uses to infiltrate a target:

  • Reconnaissance—The preliminary surveillance stage during which cybercriminals analyze the target environment from the outside in order to determine both attack vectors and strategies.

  • Intrusion—Based on the information gathered during the preliminary reconnaissance process, cybercriminals can make an initial penetration within the target environment, often by exploiting known vulnerabilities or misconfigurations within a network or system.

  • Exploitation—Exploiting bugs, misconfigurations, and known vulnerabilities allows cybercriminals to connect the compromised network to a C2 (Command & Control) server and covertly download and install further malicious tools into the target environment in order to gain a stronger foothold within the network.

  • Privilege Escalation—Cybercriminals typically require higher-level permissions within a network in order to reach the targeted data; this step involves escalating their privileges to an administrator level in order to move forward in the cyber kill chain.

  • Lateral Movement—Once cybercriminals have elevated their privileges within the target environment, they can expand their attack laterally to other systems and accounts to extend their foothold within the network. This step generates a great deal of noise on the network and requires cybercriminals to act very covertly; otherwise they will alert security systems to their presence in the environment.

  • Obfuscation/Anti-Forensics—Cybercriminals must conceal their footprints in order to successfully carry out a cyberattack on a target. At this stage, cybercriminals frequently create fake trails, plant misleading digital breadcrumbs, breach data, and wipe records and event logs in order to mislead or delay the cybersecurity professionals investigating the attack.

  • Denial of Service—In this phase, normal access for users and systems is disrupted to slow down or prevent the cyberattack from being investigated, documented, or contained.

  • Exfiltration—In this phase, the targeted data is transferred out of the compromised system, network, or environment to the C2 server, and the attack is concluded.

The MITRE ATT&CK Cyber Kill Chain Framework

Another method, the MITRE ATT&CK Framework, improves upon and complements the Lockheed Martin cyber kill chain. It replaces the kill chain's linear ‘steps’ with ‘Tactics’ (the rough equivalent of those steps), which describe an observed attack by a threat actor as a nonlinear process rather than a fixed sequence.

According to MITRE ATT&CK:

“Tactics represent the ‘why’ of an ATT&CK technique or sub-technique. It is the adversary’s tactical goal: the reason for performing an action.”

One advantage of the MITRE ATT&CK framework is that it defines 14 Tactics, compared to the 8 steps depicted in the Lockheed Martin model. These 14 Tactics are: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact. Within each tactic lie the supporting Techniques, which describe the type of attack occurring, along with the Procedures used within those Techniques. Techniques represent ‘how’ an adversary achieves a tactical goal by performing an action, while Procedures are the specific implementations an adversary uses for Techniques or Sub-techniques.

Together, these make up the MITRE ATT&CK Framework's TTPs (Tactics, Techniques, and Procedures). In all, there are currently 14 Tactics and 245 Techniques defined by the MITRE ATT&CK framework.

How a Cyber Kill Chain is Used in Cybersecurity

We as cybersecurity professionals rely on the advantages provided by the Lockheed Martin cyber kill chain and the MITRE ATT&CK Framework. Many of the applications we use describe attacks and threats in terms of tactics, techniques, and procedures, which helps us build a clearer picture of what is happening behind an alert.
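As an added example (not code from the article or from DOT Security), the following Python script shows one way the tactic and technique labels attached to alerts can be tied back to the article's eight kill chain stages: it sorts constructed sample alerts per host, records which stages were observed, reports the furthest stage each host reached, and lists earlier stages that produced no alert as candidate detection gaps. The technique-to-tactic entries use real ATT&CK technique IDs from the public matrix; the tactic-to-stage alignment, the hostnames, and the alert text are assumptions constructed for this example.

```python
# Kill chain progression from ATT&CK-tagged alerts. Added example; not code
# from the article or DOT Security.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# The eight stages as listed in this article, in kill chain order.
KILL_CHAIN = [
    "Reconnaissance", "Intrusion", "Exploitation", "Privilege Escalation",
    "Lateral Movement", "Obfuscation/Anti-Forensics", "Denial of Service",
    "Exfiltration",
]

# Real ATT&CK technique IDs and their tactics (a small subset of the public
# matrix, not the full 245 techniques).
TECHNIQUE_TO_TACTIC = {
    "T1595": "Reconnaissance",        # Active Scanning
    "T1190": "Initial Access",        # Exploit Public-Facing Application
    "T1059": "Execution",             # Command and Scripting Interpreter
    "T1071": "Command and Control",   # Application Layer Protocol
    "T1068": "Privilege Escalation",  # Exploitation for Privilege Escalation
    "T1021": "Lateral Movement",      # Remote Services
    "T1070": "Defense Evasion",       # Indicator Removal
    "T1498": "Impact",                # Network Denial of Service
    "T1041": "Exfiltration",          # Exfiltration Over C2 Channel
}

# Assumed alignment of ATT&CK tactics to the article's eight stages. This is
# an illustrative mapping chosen for the example, not an official crosswalk.
TACTIC_TO_STAGE = {
    "Reconnaissance": "Reconnaissance",
    "Initial Access": "Intrusion",
    "Execution": "Exploitation",
    "Command and Control": "Exploitation",
    "Privilege Escalation": "Privilege Escalation",
    "Lateral Movement": "Lateral Movement",
    "Defense Evasion": "Obfuscation/Anti-Forensics",
    "Impact": "Denial of Service",
    "Exfiltration": "Exfiltration",
}

@dataclass(frozen=True)
class Alert:
    ts: datetime
    host: str
    technique: str   # ATT&CK technique ID attached by the detection tool
    detail: str

# Constructed sample alerts for a fictional incident (hostnames and times are
# made up); deliberately out of chronological order to exercise the sorting.
SAMPLE_ALERTS = [
    Alert(datetime(2022, 7, 28, 10, 5), "fs01", "T1021", "SMB admin-share logon from web01"),
    Alert(datetime(2022, 7, 28, 9, 0), "web01", "T1595", "port scan from external range"),
    Alert(datetime(2022, 7, 28, 9, 12), "web01", "T1190", "exploit attempt against upload handler"),
    Alert(datetime(2022, 7, 28, 9, 15), "web01", "T1059", "shell spawned by web server process"),
    Alert(datetime(2022, 7, 28, 9, 20), "web01", "T1071", "periodic beacon to uncategorised domain"),
    Alert(datetime(2022, 7, 28, 9, 40), "web01", "T1068", "service account obtained SYSTEM token"),
    Alert(datetime(2022, 7, 28, 10, 6), "fs01", "T1070", "Security event log cleared"),
    Alert(datetime(2022, 7, 28, 11, 30), "fs01", "T1041", "large outbound transfer over C2 channel"),
    Alert(datetime(2022, 7, 28, 9, 50), "hr-laptop", "T1566", "suspicious attachment opened"),
]

def stage_of(technique: str) -> Optional[str]:
    """Map a technique ID to a kill chain stage; None if there is no mapping."""
    tactic = TECHNIQUE_TO_TACTIC.get(technique)
    return TACTIC_TO_STAGE.get(tactic) if tactic else None

def progression(alerts: List[Alert]) -> Dict[str, Tuple[int, List[str]]]:
    """Per host: (index of the furthest stage reached, distinct stages in the order seen)."""
    by_host: Dict[str, List[str]] = defaultdict(list)
    for alert in sorted(alerts, key=lambda a: a.ts):
        stage = stage_of(alert.technique)
        if stage is None:
            continue  # unmapped technique: leave it for an analyst rather than guess
        if stage not in by_host[alert.host]:
            by_host[alert.host].append(stage)
    return {
        host: (max(KILL_CHAIN.index(s) for s in stages), stages)
        for host, stages in by_host.items()
    }

def hosts_at_or_beyond(alerts: List[Alert], stage: str) -> List[str]:
    """Hosts whose furthest observed stage is at least `stage` (an escalation threshold)."""
    threshold = KILL_CHAIN.index(stage)
    return sorted(h for h, (idx, _) in progression(alerts).items() if idx >= threshold)

def missing_stages(stages: List[str]) -> List[str]:
    """Earlier stages that produced no alert: candidate detection gaps to investigate."""
    furthest = max(KILL_CHAIN.index(s) for s in stages)
    return [s for s in KILL_CHAIN[:furthest] if s not in stages]

if __name__ == "__main__":
    for host, (idx, stages) in progression(SAMPLE_ALERTS).items():
        print(f"{host}: furthest = {KILL_CHAIN[idx]}; seen = {stages}; "
              f"gaps = {missing_stages(stages)}")
    print("escalate:", hosts_at_or_beyond(SAMPLE_ALERTS, "Lateral Movement"))
```

In the constructed data, fs01 first appears at the Lateral Movement stage with no earlier stage of its own, which is exactly the nonlinear picture ATT&CK describes: the earlier stages happened on web01 (or went undetected), so the per-host gap list is a prompt to correlate across hosts and to check coverage, not proof that nothing happened. The escalation threshold is deliberately a parameter so a team can decide which stage warrants paging someone.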

Advantages of using the Lockheed Martin cyber kill chain and the MITRE ATT&CK Framework include:

· Employing these frameworks to establish a cybersecurity strategy for an organization: hardening the network against well-known MITRE ATT&CK TTPs, and tuning applications and security solutions to watch for signs of intrusion that match those TTPs.

· A reference framework for both red and blue cybersecurity teams to build real-world knowledge of cyberattacks happening in the wild right now and to build defensive strategies on that knowledge in real time.

· A reference framework for Incident Response to understand the complexities of the cyberthreats that organizations face today, and the strategies used to counteract and respond to them.

· A reference framework for Disaster Recovery to piece together an attack that has already occurred and to trace the steps it took within a network.

· Most importantly, the Lockheed Martin cyber kill chain and the MITRE ATT&CK Framework can be used to assess an organization's current cybersecurity strategy and to close any security holes that are identified.

In Conclusion

Though it sounds menacing, a cyber kill chain is actually a way that security experts keep businesses safe by monitoring and identifying how attacks work and how they can be stopped.
