What is the Cyber Kill Chain in Cybersecurity?

  • By Greg Brown
  • May 01, 2023


The Cyber Kill Chain is a significant piece of work from Lockheed Martin in 2011. The Chain outlines seven essential points at which an IT team can intercept a cyberattack. Numerous experts took the process a bit further to eight steps: “reconnaissance, weaponization, delivery, exploitation, installation, command and control, actions on the objective, and monetization.”

Intelligence Driven Defense

In the last two decades, the number of cyberattacks on individuals, businesses, and corporate and government infrastructure has been astonishing. Global cyberattacks increased 38% from two years ago and show no signs of abatement. 91% of all cyberattacks begin with phishing emails to unsuspecting employees.

Lockheed Martin’s fundamental tenet of cyber protection, and of its Intelligence Driven Defense, is: “The Best Offense is A Good Defense; stop offensive maneuvers during a cyber-attack while maintaining a defensive posture.”

The Cyber Kill Chain

Lockheed Martin’s cyber framework for identifying and preventing attacks consists of seven layers. The model attempts to identify what an adversary must complete in order to obtain their objective. The right approach to the Cyber Kill Chain can yield impressive organizational results, and the defense model bolsters an organization’s cyber protection against persistent threats.

  1. Reconnaissance, or the research stage of a cyber-attack, is when attackers actively seek corporate targets. The hacker is actively looking for vulnerabilities in the network with easy entry points. This step for the attack may be as easy as compiling a list of emails or deploying advanced spy tools such as automated scanners. Attackers use online and offline resources to stage successful assaults.
  2. Weaponization is the second stage in Lockheed Martin’s model. Once attackers have gathered sufficient information on their target, strategies for attack are developed. Attackers create malicious payloads for use on their targets. Hackers may use new malware attacks or modify existing programs to match vulnerabilities. 
  3. Delivery involves the steps to infiltrate the target’s network or security systems. 91% of all global cyber attacks begin with a phishing email to an unwitting employee. Emails are sent to a groomed list of company employees. Undoubtedly, one worker bee will open the attachment or click a link hoping to get a massive discount. 

Saudi Aramco is a favorite of predators, with multiple attacks on the books. The largest-ever oil and gas attack occurred on 15 August 2012, when a self-replicating virus called Shamoon infected over 30,000 company computers. A $50 million ransom was demanded; whether any of it was paid is unclear. It is known that parts of Saudi Aramco were so badly damaged that the company was reduced to working with hand-held calculators.

It was discovered that a low-level manager opened the phishing email that infected Saudi Aramco.

  4. Exploitation is the next stage for successful hackers. Malware or malicious code has been delivered, and predators are taking stock of their spoils. Hackers infiltrate the network further to discover additional vulnerabilities. The code moves laterally across the network nodes, infecting each machine as it goes and locating potential entry points. The code is free to move where it wants without security interference.
  5. The Privilege Escalation phase has the attacker installing additional malware and other cyber weapons to make the most of the installation. Once the attacker knows the network is theirs, the company’s infrastructure is exploited to gain additional control over subsystems, accounts, and the most sensitive data files. Strategies to access other networks are developed using trojans, token manipulation, command-line interface hacks, and backdoors. Hacker tactics, such as changing credentials on high-level accounts and security systems, begin to intensify.
  6. Command and control is crucial in the “Cyber Kill Chain” process. With the network under control, attackers can track, monitor, and guide the cyber weapons and tools remotely, often without the network admin or owner knowing of their presence. This stage is broken down further into two additional parts:
     1. Obfuscation is where the attackers begin to hide their tracks. The methods used are file deletion, code signing, and binary padding.
     2. Denial of Service (DoS) is an attack method where hackers go after areas of the network as a distraction, so security teams are unaware of the core objective of the attack.
  7. The Action stage is the culmination of the “Cyber Kill Chain”: the attacker executes the objective. The action stage can take weeks or months, depending on the efficiency of the previous steps.

End goals for the attackers may include:

  • Supply chain and infrastructure attacks
  • Data extraction, compression, or encryption

Eighth Stage of the “Cyber Kill Chain”

Most cyber-attacks have ransom as their objective due to the global acceptance of cryptocurrency. Profiteering from cyberattacks and using current technologies has turned what was once a few disparate predators into global powerhouses making millions.

In 2011, the cyberattack landscape was nothing like today’s. Advancements in scanning and detection have made hacking a lot easier. Cryptocurrency makes it much safer and quicker for attackers to demand and collect funds, which accounts for the dramatic rise in monetized cyberattacks.

Experts began adding an eighth stage to Lockheed Martin’s initial work. 

  8. Monetization is the final objective of an attack. Cybercriminals’ primary goal is to decide how much money can be made by attacking a particular corporate business or infrastructure project. Once the previous steps have been completed, hackers issue ransom demands for funds, or they release the sensitive data.

Final Word

The Cyber Kill Chain has its strengths and weaknesses; however, the security model was developed in 2011, has become outdated, and many of its concepts have not kept pace. In today’s environment, there are many more threats and attacks, and cybercrime has become far more sophisticated.

One drawback of the threat model is the limited range of cyberattacks it can detect. The original Kill Chain focused on malware delivery and did not consider other, more complex forms of attack. The most significant shortcoming of the “Cyber Kill Chain” was its failure to address insider threats: Lockheed Martin did not consider changes in user behavior or unusual activity on subnets, applications, and computers.

Equally significant is the Cyber Kill Chain’s lack of flexibility. Attackers do not follow a script and may skip one of the stages. Steps may also be merged or missed altogether. It has been found that hackers generally follow the Cyber Kill Chain stages but may combine the first five or six steps into one massive push. When stages are skipped or merged, defenses keyed to the model’s sequence can fail to stop infiltration into a network.
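As an added example that is not part of the original article, the Python below ties the seven-stage list above to this flexibility point from a defender's side. The stage names follow Lockheed Martin's model; the event-to-stage mapping, host names and telemetry records are constructed assumptions for illustration. It contrasts a detector that waits for the full delivery-to-command-and-control sequence with one that alerts on the furthest stage reached, and reports the earliest stage at which the chain could have been intercepted.

```python
# Lockheed Martin's seven stages in order. The eighth, monetization, is left
# out because it happens off-network and produces no host telemetry.
STAGES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]

# Constructed mapping (assumed for this example) from telemetry event types to
# the stage each evidences. Weaponization is attacker-side and unobservable.
EVENT_STAGE = {
    "port_scan_from_external": "reconnaissance",
    "phishing_attachment_opened": "delivery",
    "office_spawned_powershell": "exploitation",
    "new_scheduled_task": "installation",
    "beacon_to_unknown_host": "command_and_control",
    "bulk_archive_and_upload": "actions_on_objectives",
}

def stages_seen(events, host):
    """Kill-chain stages evidenced by (host, event_kind) records for one host."""
    return {EVENT_STAGE[k] for h, k in events if h == host and k in EVENT_STAGE}

def strict_chain_alert(events, host):
    """Brittle design: alert only once delivery through C2 are all observed."""
    seen = stages_seen(events, host)
    return all(s in seen for s in STAGES[2:6])

def furthest_stage_alert(events, host, threshold="command_and_control"):
    """Flexible design: alert on the furthest stage reached, gaps or not."""
    seen = stages_seen(events, host)
    if not seen:
        return None
    furthest = max(seen, key=STAGES.index)
    return furthest if STAGES.index(furthest) >= STAGES.index(threshold) else None

def earliest_intercept(events, host):
    """Earliest evidenced stage: the first point at which the chain could have been broken."""
    seen = stages_seen(events, host)
    return min(seen, key=STAGES.index) if seen else None

# Constructed telemetry. ws-01 follows the textbook chain; srv-02 is the
# merged/skipped-stage case where no delivery or exploitation event was logged.
EVENTS = [
    ("ws-01", "phishing_attachment_opened"),
    ("ws-01", "office_spawned_powershell"),
    ("ws-01", "new_scheduled_task"),
    ("ws-01", "beacon_to_unknown_host"),
    ("srv-02", "beacon_to_unknown_host"),
    ("srv-02", "bulk_archive_and_upload"),
]
```

For srv-02 the strict detector never fires because two of its required stages were never observed, while `furthest_stage_alert` returns "actions_on_objectives" and `earliest_intercept` shows the chain was first visible only at command and control.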
