The Cyber Kill Chain provides a framework for analyzing cyberattacks and developing defenses. Originally developed by Lockheed Martin and modeled on military strategy, the framework breaks attacks down into seven sequential phases. Applying these phases empowers cybersecurity teams to establish intelligence-driven defenses against advanced persistent threat (APT) attacks.
In this blog, we'll explore how the Cyber Kill Chain framework can be incorporated into a pentesting strategy to develop effective defenses. We'll cover:
- What the Cyber Kill Chain is
- The historical development of the Cyber Kill Chain framework
- The phases of the Cyber Kill Chain
- How pentesting can support threat-informed defenses to break Cyber Kill Chain attacks
What Is the Cyber Kill Chain?
The Cyber Kill Chain is a patented framework Lockheed Martin developed to help cybersecurity teams model the steps advanced persistent threat attackers must complete in order to achieve their objectives. It forms part of Lockheed Martin's Intelligence Driven Defense model for identifying and preventing network intrusions.
The Cyber Kill Chain consists of seven steps defining the phases of an advanced persistent threat attack. These steps help analysts monitor attacks and gain insight into attackers' tactics, techniques, and procedures.
Cyber Kill Chain vs. Diamond Model vs. MITRE ATT&CK Frameworks
Lockheed Martin's Cyber Kill Chain framework differs from other popular cybersecurity frameworks such as the Diamond Model and the MITRE ATT&CK knowledge base:
- Where Cyber Kill Chain focuses on steps an APT attacker must complete to achieve their objectives, the Diamond Model focuses on relationships between adversaries and victims and between the adversary's technical infrastructure and attack capabilities.
- Cyber Kill Chain assumes the attacker will complete a specific sequence of steps involving delivery of a malware payload, while the ATT&CK framework breaks down various tactics, techniques, and procedures attackers may use at any step in an attack without assuming any specific sequence of deployment.
These differences reflect the historical context that inspired the Cyber Kill Chain model.
History of Attack Chains
Lockheed Martin, long an Air Force contractor, borrowed the military metaphor of the kill chain while introducing the Cyber Kill Chain concept in a 2011 paper on intelligence-driven computer network defense. In Air Force military doctrine, the kill chain outlines the aerial attack process. This process begins when a target is found and identified as worthy of engagement, unfolds through tracking and targeting the adversary, and concludes with engaging the target and assessing the results. Countering this process is known as "breaking the kill chain".
Lockheed Martin adapted the kill chain concept to propose a shift from a traditional incident response strategy assuming successful intrusion to an intelligence-driven defense strategy aimed at preventing intrusions. This new paradigm aimed to address the rising frequency of advanced persistent threats by professionally trained attackers mounting long-term campaigns against networks using tactics designed to circumvent traditional defenses. By leveraging insight into attacker strategy, the Cyber Kill Chain framework seeks to attain information superiority over attackers and progressively decrease the odds of successful intrusion.
Lockheed Martin proposed the Cyber Kill Chain framework in 2011, while the cloud and mobile technology were still maturing. Because of this historical context, the Cyber Kill Chain was not designed to address some attack methods that have become characteristic of cloud and mobile intrusions, in contrast to the MITRE ATT&CK framework. Additionally, the Cyber Kill Chain emphasizes threats that originate from external attackers, without addressing insider attacks.
Despite its limitations, the Cyber Kill Chain framework remains useful for visualizing, analyzing, and pre-empting certain types of attacks. Lockheed Martin as well as other organizations have sought to expand the original Cyber Kill Chain model to address emerging threats.
Phases of the Cyber Kill Chain
The Cyber Kill Chain model breaks advanced persistent threat attacks down into seven stages:
- Reconnaissance: researching targets, identifying their vulnerabilities, and selecting attack surfaces
- Weaponization: combining malware with an exploit to create a deliverable payload
- Delivery: transmitting the payload to the target through infected files
- Exploitation: triggering the malicious code
- Installation: installing malicious software to enable the intruder to maintain persistent network access
- Command and control (C2): establishing communication between the infected network and the attacker's Internet control server so the attacker can send remote commands
- Actions on objectives: leveraging C2 access to achieve attacker goals within the target system
Here's a more detailed look at what each step involves:
1. Reconnaissance
In the reconnaissance phase, the attacker gathers information on targets in order to identify any attack surfaces that may be vulnerable and determine which attack method to use.
Reconnaissance may gather information on human targets or on technical vulnerabilities. Methods of gathering information emphasized in the Cyber Kill Chain framework include crawling websites for conference proceedings, mining mailing lists, harvesting social media networks, and researching operating system and software vulnerabilities.
2. Weaponization
In the weaponization stage, the attacker matches the selected vulnerability to a payload consisting of malware and an exploit designed to introduce the malware. The Cyber Kill Chain framework was designed with remote access trojans in mind, but it applies equally to viruses and worms. At the time the framework was developed, client application files such as Microsoft Office documents or Adobe PDF files typically served as deliverables. Today these file types remain in use as deliverables, but other file types such as .exe and .sh files have become popular payload deliverables on the web.
3. Delivery
The delivery step initiates the actual attack by delivering the payload to the target. At the time the Cyber Kill Chain framework was introduced, the most common APT delivery vectors were email attachments, websites, and USB removable media. Today these vectors remain in use, but the variety of web-based attacks has multiplied, and mobile devices have opened new attack vectors.
4. Exploitation
In the exploitation stage, the delivered payload triggers the malicious code. This may target vulnerabilities in target operating systems or software applications, or it may seek to manipulate human users into performing actions that initiate the next stage of attack.
5. Installation
In this stage, the triggered code creates an access point that enables the attacker to maintain persistent access to the compromised network. This can be achieved by installing a backdoor, a remote access trojan, or other malware.
6. Command and Control (C2)
Once an access point has been created, the compromised network begins sending messages to the attacker's Internet control server and receiving commands. This allows attackers to manually issue "hands on the keyboard" commands to the target system as well as execute automated attacks.
7. Actions on Objectives
With persistent C2 access established, attackers can pursue their intended purposes in infiltrating target systems. Objectives may include:
- Exfiltrating data
- Altering or destroying data
- Encrypting data
- Denying system availability
- Moving laterally within systems
- Compromising additional systems
Applying the Phases to Erect Intelligence-driven Defenses
The Cyber Kill Chain model provides a template for actionable intelligence by allowing defenders to construct informed defenses against each phase of attack. For each attack stage, the Cyber Kill Chain approach fills in one row of a matrix that maps the stage to its corresponding courses of defensive action. These potentially include the following actions against attackers:
- Detecting exploits
- Denying exploits by patching the vulnerabilities they target
- Disrupting attacks through data execution prevention (DEP)
- Degrading the effectiveness of attacks through countermeasures such as queuing and tarpits
- Deceiving attackers through methods such as DNS redirects
- Destroying attackers
A full Cyber Kill Chain attack matrix includes rows and columns for mapping each phase of attack to each of these courses of action, as applicable. Attacks and defenses can be mapped over time to reconstruct APT campaigns and measure defense effectiveness.
Deploying Pentesting and Threat-informed Defenses to Break Cyber Kill Chains
The Cyber Kill Chain provides a starting point for cyberdefense, but deploying it effectively requires supporting tactical methods and tools to implement courses of defensive action. Penetration testing provides critical support by allowing defenders not only to address advanced persistent threats, but to simulate attacks against all potential attack surfaces and prioritize the highest-risk vulnerabilities.
Building on the Open Worldwide Application Security Project (OWASP) Risk Rating Methodology, Cobalt's team of expert pentesters has developed a system for prioritizing vulnerabilities based on severity levels. This adds clarity to vulnerability risk by enabling security teams to flag vulnerabilities that require immediate attention and triage lower priorities based on urgency.
By leveraging these insights, security teams can prioritize their defenses based on current threats. This intelligence-driven approach allows them to move beyond reactive security measures and adopt a proactive, offensive security strategy. Instead of simply responding to attacks, they can actively hunt for vulnerabilities and neutralize threats before they cause damage.
The risk model used at Cobalt ranks vulnerabilities in terms of:
- Likelihood: defined by how much skill the vulnerability requires to exploit, availability of documented exploits, and ease of exploitation
- Impact: defined by effect on technical and business operations through effects such as confidentiality breaches, data integrity loss, denial of service, financial damage, or reputation damage
Applying these criteria, we rank detected vulnerabilities as follows using a scoring system of 1 to 25:
- Critical (25): Requires immediate attention
- High (16-24): High-probability vulnerabilities with high business impact on the security of your application, platform, hardware, or supported systems
- Medium (5-15): Includes medium-risk, medium-impact vulnerabilities; low-risk, high-impact vulnerabilities; and high-risk, low-impact vulnerabilities
- Low (2-4): Common vulnerabilities with minimal impact
- Informational (1): Vulnerabilities of minimal risk to your business
In addition to scoring individual risks, we provide clients with aggregated risks of individual findings discovered during pentests.
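As an added illustration of the scoring and aggregation just described (example code, not Cobalt's own tooling), the block below assumes that likelihood and impact are each rated 1 to 5 and multiplied, which is what yields the 1-25 range, and uses a constructed set of findings:

```python
from collections import Counter
from dataclasses import dataclass

# Added example, not Cobalt's code. Assumption: likelihood and impact are each
# scored on a 1-5 scale and multiplied, which produces the 1-25 range above.
# Bands are the ones listed above, checked from the highest lower bound down.
BANDS = ((25, "Critical"), (16, "High"), (5, "Medium"), (2, "Low"), (1, "Informational"))


@dataclass(frozen=True)
class Finding:
    title: str
    likelihood: int  # 1 = needs skill, no documented exploit ... 5 = trivial, exploit public
    impact: int      # 1 = negligible ... 5 = severe confidentiality/integrity/availability/financial loss


def risk_score(likelihood: int, impact: int) -> int:
    """Combine the two factors into a 1-25 score (assumed 1-5 scales, multiplied)."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be between 1 and 5, got {value}")
    return likelihood * impact


def severity(score: int) -> str:
    """Map a 1-25 score onto the severity bands above."""
    for lower_bound, label in BANDS:
        if score >= lower_bound:
            return label
    raise ValueError(f"score out of range: {score}")


def aggregate(findings: list) -> dict:
    """Roll individual findings up into per-band counts plus the highest-scoring item."""
    scored = [(f, risk_score(f.likelihood, f.impact)) for f in findings]
    counts = Counter(severity(score) for _, score in scored)
    top, _ = max(scored, key=lambda pair: pair[1], default=(None, 0))
    return {"counts": dict(counts), "highest": top.title if top else None}


# Constructed sample findings for illustration (not from a real engagement).
SAMPLE_FINDINGS = [
    Finding("Unauthenticated RCE in public upload handler", 5, 5),  # 25 -> Critical
    Finding("Stored XSS in customer portal", 4, 5),                  # 20 -> High
    Finding("SQL injection behind admin login", 3, 5),              # 15 -> Medium
    Finding("Verbose error page leaks framework version", 5, 1),    # 5  -> Medium (high-risk, low-impact)
    Finding("Missing HSTS header", 2, 2),                           # 4  -> Low
    Finding("Outdated copyright year in footer", 1, 1),             # 1  -> Informational
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        s = risk_score(f.likelihood, f.impact)
        print(f"{s:2d} {severity(s):<13} {f.title}")
    print(aggregate(SAMPLE_FINDINGS))
```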
Pre-empt Cyber Kill Chain Attacks with Cobalt Pentesting
Whether you model attacks using the Cyber Kill Chain model, MITRE ATT&CK, the Diamond Model, or some other approach, the reality of the threat posed by rising cybercrime remains. Today's risks call for offensive security measures to take the initiative away from attackers and give defenders an upper hand informed by threat intelligence.
Cobalt's Penetration Testing as a Service (PTaaS) platform makes it easy for you to schedule tests of any part of your attack surface quickly without waiting for a lengthy procurement process. Our team of experienced expert pentesters works with your team to detect and prioritize vulnerabilities and identify mitigations. Contact us to discuss how we can help you break your Cyber Kill Chain and keep your network secure.