Cyber Kill Chain

What Is the Cyber Kill Chain?

The Cyber Kill Chain®, developed by Lockheed Martin, is a list of stages in a cyberattack that threat actors must complete in order to achieve their objective. By identifying an attack's stage of progress, an organization can better defend against and stop a cyber incident.

Though the Cyber Kill Chain was introduced more than a decade ago, many organizations still use it to help define their cybersecurity processes. 

Cyber Kill Chain Stages

Stages of the Cyber Kill Chain

The Cyber Kill Chain model is a step-by-step process that outlines the potential path of cyberattacks. The idea is that there are several points during an attack at which organizations have the opportunity to intervene and stop it, so long as they can identify how far along in the process it’s progressed.

1. Reconnaissance

According to the Cyber Kill Chain method, the first sign of a cyberattack involves the attacker exploring a network’s weaknesses and vulnerabilities. This is the stage at which threat actors use tactics like phishing to gather information like email addresses, login credentials, applications, and details about the operating system.

2. Weaponization

Next, attackers create an attack vector based on their findings. For example, they might use remote access malware, viruses, or worms to exploit a known vulnerability. They also put backdoors in the system to gain access if their original entry point gets blocked.

3. Delivery

This is the point at which the attacker launches their attack. The specific vectors they use will depend on the information gathered from Stages 1 and 2 as well as the goals of the attack. Then they wait for the perfect moment to strike. 

4. Exploitation

In the exploitation phase, the attacker executes malicious code within the victim’s system. They could attack a specific device, send an email with a malicious link, or attack the entire network at the browser level. 

5. Installation

in this phase, the attacker installs malware, ransomware, or a virus on the victim’s system. If this phase is carried out successfully, the environment will be controlled by whoever launched the attack.

6. Command and Control (C2)

By this point, the attacker has assumed complete remote control of a device or identity on the target network. It can be difficult to trace an attacker at this stage because they will look like any other user, allowing them to move laterally throughout the network and establish more entry points for future attacks. 

7. Actions on Objective

This phase could happen immediately, or the attacker could do more recon to learn about your network before coming back to stage a high-scale attack. An organization will be at the attacker’s mercy when they decide to take action toward their objective, like data encryption, exfiltration, or destruction. 

How to Use the Cyber Kill Chain

The Cyber Kill Chain can help organizations establish a cybersecurity strategy to withstand attacks. It shows organizations the different levels of an attack and where security may be lacking.

As a part of the Cyber Kill Chain model, organizations should adopt security technologies to protect their network at each stage of the process. These solutions and services might include:

  • Detection tools
  • Preventative measures that keep unauthorized users from harvesting credentials
  • Encryption to hide data being shared throughout the network
  • Response tools and alerts that enable companies to respond to attacks in real-time
  • Procedures to prevent lateral movement within the network

The Cyber Kill Chain provides cybersecurity teams with a framework to design their security ecosystem depending on their needs and vulnerabilities. 

Evolution of the Cyber Kill Chain

As technology has evolved, so have the skills and abilities of threat actors. Cyberattacks are becoming more sophisticated—and more expensive for organizations to recover from. But the basic design of the Cyber Kill Chain remains the same.

Security experts criticize the Cyber Kill Chain model for its focus on perimeter security. Many organizations run on software-defined systems to enable collaboration and streamline data sharing, but the Cyber Kill Chain doesn’t address the needs of remote-work organizations or IoT devices and other endpoints that do not live on business networks. 

It also doesn’t account for innovative threat actors’ various attack types and techniques. Web-based attacks, insider threats, and compromised credentials are unaccounted for in the Cyber Kill Chain model. 

Cyber Kill Chain vs. MITRE ATT&CK

Cyber Kill Chain and MITRE ATT&CK® are both frameworks for addressing cyberattacks targeting businesses and other organizations. While the Cyber Kill Chain addresses cyberattack processes with a high-level overview, MITRE ATT&CK enables companies with more granular information about cyber attacks. 

MITRE ATT&CK was designed to gain intelligence about cyber threats and provide a standard reference and vocabulary for different cyberattacks. It’s a free and open resource that organizes cybersecurity information from around the web into a simple hierarchical framework. Plus, each level of the framework offers detailed procedures to follow depending on various attack techniques so that professionals at all skill levels can provide their organizations with a secure environment. 

On the other hand, the Cyber Kill Chain claims that cyberattacks tend to follow the same techniques and strategies every time. This isn’t the case, and new attack vectors and methods are being discovered as technology evolves. MITRE ATT&CK is not a sequence of attack and defense tactics; it’s an extensive knowledgebase that provides cybersecurity professionals with actionable information to deal with specific attack types from experts in their field. 

BlackBerry Cybersecurity Proven 100% Effective in MITRE ATT&CK Emulations

BlackBerry’s suite of Cylance cybersecurity solutions was 100 percent successful in preventing both the Wizard Spider and Sandworm attack emulations very early in MITRE ATT&CK's 2022 evaluation—before any damage occurred. 

BlackBerry’s CylancePROTECT® and CylanceOPTICS® solutions provided comprehensive detections on individual attack techniques with high confidence, helping to reduce wasted resources spent chasing false positives.

Learn More

Related Resources:

Resource Icon Data Loss Prevention (DLP) Resource Icon Endpoint Security Resource Icon Endpoint Protection Platforms (EPP) Resource Icon Endpoint Detection and Response (EDR) Resource Icon Extended Detection and Response (XDR) Resource Icon Identity and Access Management (IAM) Resource Icon Managed Detection and Response Resource Icon Managed XDR Resource Icon MITRE ATT&CK Framework Resource Icon Mobile Threat Defense (MTD) Resource Icon User and Entity Behavior Analytics (UEBA) Resource Icon Zero Trust Architecture Resource Icon Zero Trust Network Access (ZTNA) Resource Icon Zero Trust Security Resource Icon Security Information and Event Management (SIEM) Resource Icon Secure Access Service Edge (SASE)
More Resources