I’m thrilled to launch this cybersecurity blog by focusing on the Cyber Kill Chain, which serves as an excellent entry point for anyone eager to learn about cybersecurity. Although many feel that the Cyber Kill Chain has become outdated now that we have MITRE ATT&CK and the Unified Kill Chain, this framework presents a logical and structured approach to understanding the tactics employed by attackers, making it an ideal starting point for anyone interested in enhancing their security measures.
I always urge people who are new to cybersecurity to read, research and, most importantly, set up a home lab and practice hands-on. It can be anything: setting up a network, configuring routers and switches, doing some PCAP analysis, working on open source security tools, or anything else.
In this post, I will be explaining:
- What is the Cyber Kill Chain?
- More about the people who invented the Cyber Kill Chain
- The different stages of the Cyber Kill Chain
- Is the Cyber Kill Chain still relevant?
What is the Cyber Kill Chain?
The Cyber Kill Chain is an intelligence-driven framework developed by Lockheed Martin Corporation that outlines the stages an intruder must go through to carry out a cyberattack. It helps organizations understand the methodology of attackers, providing insight into how breaches occur and the strategies that can be employed to counter them.
Also known as the cyber attack lifecycle, the Cyber Kill Chain helps organizations understand the series of events that lead to a cyberattack and identifies, at each stage, opportunities to prevent, detect or intercept the intrusion. The central idea is that the stages are sequential: breaking the chain at any one stage stops the attack, and the earlier it is broken, the less damage is done.
The kill chain concept was derived from military targeting doctrine, in which an enemy attack is identified, broken down into its phases, and countered with actions aimed at each phase. That military strategy inspired the original cyber kill chain, created by Lockheed Martin in 2011.
More about the people who invented the Cyber Kill Chain
Lockheed Martin is a major American aerospace, defense, arms and information security company. It is one of the world’s largest defense contractors, with a significant presence in both military and civilian sectors, and produces a wide range of products and services across aerospace, defense, space systems, cybersecurity and IT.
The Cyber Kill Chain was developed by Lockheed Martin’s Computer Incident Response Team (LM-CIRT) and was introduced in the 2011 paper “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains” by Eric M. Hutchins, Michael J. Cloppert and Rohan M. Amin. The team is part of Lockheed Martin’s Information Systems & Global Solutions (IS&GS) division, which focuses on cybersecurity and IT services for government and commercial sectors.
LM-CIRT is a specialized group responsible for defending the company’s vast IT and OT networks, which include sensitive military, aerospace and critical infrastructure systems. Its primary role is to defend Lockheed Martin’s own networks and systems, and in doing so the team created the Cyber Kill Chain as a structured approach to understanding and defending against advanced persistent threats (APTs).
Different stages of the Cyber Kill Chain
Lockheed Martin’s foundational Cyber Kill Chain model consists of seven steps and is the most frequently referenced kill chain framework in the cybersecurity field. This seven-stage model follows the attacker’s actions across the attack timeline, helping organizations understand and address threats at each step. The seven stages are:
- Reconnaissance
- Weaponization
- Delivery
- Exploitation
- Installation
- Command and control
- Actions on Objectives
In a field like cybersecurity, where there are endless frameworks, how can I possibly remember everything? I rely on abbreviations and funny sentences to help me recall information. Everyone has their own methods, and this is how I keep track of what I’ve learned. There is an easy way to remember this:
RWDEICA – “Ready When Donuts Enter, I Can Attack!”
It gives a humorous twist, implying someone is always prepared… especially when donuts are involved!
Let’s see the different stages of the Cyber Kill Chain!
1. Reconnaissance
During the reconnaissance phase, attackers collect information about their target organization or individuals. They use social media platforms such as LinkedIn or Instagram to profile key individuals, which helps in planning specific attacks such as targeted phishing. By reviewing the organization’s job postings, attackers can identify the technologies and tools in use. They may also use automated scanning tools to enumerate exposed hosts and services and uncover potential vulnerabilities. This phase also involves probing existing security measures, including firewalls, intrusion prevention systems and authentication mechanisms. From the defender’s side, passive reconnaissance (reading public profiles and job postings) leaves no trace on your network, whereas active scanning does, which is why perimeter and web server logs are the first place this stage can be detected.
2. Weaponization
With reconnaissance complete, the attacker knows who or what the target is. To proceed, they need to build or select their weapon: a malicious document, an exploit paired with a remote access trojan, ransomware or another payload that takes advantage of the weaknesses discovered earlier. Attackers might write new malware or modify existing tooling to fit a specific weakness.
During weaponization, attackers also work to minimize the chances of being detected by existing security controls, for example by packing or obfuscating the payload. This stage happens entirely on the attacker’s side, so defenders never observe it directly; it can only be inferred afterwards from the artifact that arrives, such as a document’s metadata or the toolkit that was used to build it.
3. Delivery
Now that the weapon is ready, the attacker needs to get it to the target. Typical methods are phishing emails carrying a malicious attachment or link, social engineering, compromised websites, removable media such as USB drives, and direct exploitation of vulnerabilities in exposed hardware or software. Delivery is the first stage at which a defender can reliably intervene, since mail gateways, web proxies and perimeter controls all sit on these paths.
4. Exploitation
Delivery puts the weapon in front of the victim; exploitation is the moment it runs. The malicious code triggers by exploiting a vulnerability in an application or the operating system, or simply by the user opening the attachment or enabling a macro. Only once code is executing on a host can the attacker look around further: from the outside they may have had no access to the organization’s databases, but after the initial foothold they can see internal weaknesses, for example a database server running an old version with a well-known vulnerability, and exploit those too. Lateral movement, running scripts and scheduling local jobs build on this initial execution and belong to the later stages of the chain.
5. Installation
In this phase, the attacker installs malware on the compromised host to keep their access after the initial exploit, so that a reboot or a closed session does not lock them out. Typical mechanisms are a backdoor or remote access trojan dropped to disk, a registry run key, scheduled task or service for persistence, and techniques such as access token manipulation to escalate privileges and change permissions. Command-line tools already on the host are often used for this so that nothing new has to be brought in.
6. Command and control (C2)
Attackers use the successfully installed implant to control devices or identities remotely within the target’s network. The implant usually reaches out to attacker-controlled infrastructure (a beacon over HTTPS, DNS or another protocol that blends in with normal traffic) rather than waiting for inbound connections, which is why monitoring outbound traffic matters at this stage. Threat actors may also move laterally during the command and control phase to avoid detection and establish additional points of entry.
7. Actions on Objectives
In the final phase of the kill chain, attackers carry out their original objective, be it data theft, destruction, encryption for ransom or exfiltration. This stage can take weeks or months, depending on the success of the previous steps and the complexity of the attack.
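To show what the chain buys a defender in practice, here is an added example (written for this post, not Lockheed Martin’s code or anything from the original framework paper). It walks a constructed timeline of security events through the seven stages and reports how far the intruder got, the stage at which a control broke the chain, and which earlier stages produced no telemetry at all. The indicator names, hostnames and timestamps are all assumptions made up for the example.

```python
"""Kill chain walk-through over a constructed intrusion timeline (added example)."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# The seven Lockheed Martin stages, in order.
KILL_CHAIN = [
    "Reconnaissance",
    "Weaponization",
    "Delivery",
    "Exploitation",
    "Installation",
    "Command and Control",
    "Actions on Objectives",
]

# Which stage each kind of observation belongs to. These indicator names are
# assumptions for this example, not a vendor or ATT&CK taxonomy.
INDICATOR_STAGE = {
    "external_port_scan": "Reconnaissance",
    "phishing_email": "Delivery",
    "office_macro_spawned_shell": "Exploitation",
    "run_key_persistence": "Installation",
    "periodic_https_beacon": "Command and Control",
    "bulk_upload_to_cloud_storage": "Actions on Objectives",
}


@dataclass
class Event:
    ts: datetime
    host: str
    indicator: str
    blocked: bool = False  # True when a control stopped this step (e.g. mail gateway quarantine)


@dataclass
class ChainReport:
    furthest_stage: Optional[str]  # last stage the attacker is known to have reached
    broken_at: Optional[str]       # stage where a blocked step ended the chain, if any
    visibility_gaps: list = field(default_factory=list)  # earlier stages with no telemetry
    first_seen: dict = field(default_factory=dict)       # stage -> first successful observation


def analyse(events: list) -> ChainReport:
    first_seen, blocked_at = {}, {}
    for ev in sorted(events, key=lambda e: e.ts):
        stage = INDICATOR_STAGE.get(ev.indicator)
        if stage is None:
            raise ValueError(f"no kill chain stage mapped for indicator {ev.indicator!r}")
        (blocked_at if ev.blocked else first_seen).setdefault(stage, ev.ts)

    reached = [s for s in KILL_CHAIN if s in first_seen]
    furthest = reached[-1] if reached else None
    furthest_idx = KILL_CHAIN.index(furthest) if furthest is not None else -1

    # Every stage before the furthest one must have happened; seeing nothing there
    # is a detection gap. Weaponization is excluded because it happens on the
    # attacker's machine and can only be inferred from the delivered artifact.
    gaps = [] if furthest is None else [
        s for s in KILL_CHAIN[:furthest_idx]
        if s not in first_seen and s != "Weaponization"
    ]

    # A block only counts as breaking the chain if nothing further along was
    # observed afterwards; otherwise the attacker found another way through.
    broken = next(
        (s for s in KILL_CHAIN if s in blocked_at and KILL_CHAIN.index(s) > furthest_idx),
        None,
    )
    return ChainReport(furthest, broken, gaps, first_seen)


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed incident 1: the mail gateway quarantined the lure, so the chain
# ended at Delivery and the earlier scan is the only successful step.
INCIDENT_BLOCKED_AT_DELIVERY = [
    Event(_t("2024-03-04T09:12:00"), "edge-fw", "external_port_scan"),
    Event(_t("2024-03-05T08:01:00"), "mailgw", "phishing_email", blocked=True),
]

# Constructed incident 2: the lure slipped through unnoticed and the first alert
# only fired on the beacon; the report shows Delivery and Installation were never
# seen, which is where new detection effort belongs.
INCIDENT_DETECTED_LATE = [
    Event(_t("2024-03-04T09:12:00"), "edge-fw", "external_port_scan"),
    Event(_t("2024-03-05T08:03:00"), "ws-17", "office_macro_spawned_shell"),
    Event(_t("2024-03-05T08:05:00"), "ws-17", "periodic_https_beacon"),
    Event(_t("2024-03-06T02:40:00"), "ws-17", "bulk_upload_to_cloud_storage"),
]


if __name__ == "__main__":
    for name, incident in [("blocked", INCIDENT_BLOCKED_AT_DELIVERY),
                           ("detected late", INCIDENT_DETECTED_LATE)]:
        r = analyse(incident)
        print(f"{name}: reached {r.furthest_stage}, broken at {r.broken_at}, gaps {r.visibility_gaps}")
```

The second incident is the one that matters for a blue team: a late-stage alert is also proof that the earlier stages went unseen, and the list of gaps tells you exactly which stages need new telemetry or controls before the same intrusion repeats.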