Cyber Kill Chain Definition

KZero Staff
Jul 27, 2023

What is the Cyber Kill Chain?

The Cyber Kill Chain was developed by Lockheed Martin to describe the stages of a cyberattack. The model outlines the main goals that an attacker needs to achieve when carrying out certain types of cyberattack campaigns.

Inside the Cyber Kill Chain

The Cyber Kill Chain assumes that an attacker begins outside an organization’s environment with no special knowledge and access. They move through to achieve their final goals via a seven-step process that includes the following stages:

  • Reconnaissance: During the Reconnaissance stage, the attacker will collect information about their target with the intention of identifying a potential attack vector to exploit. Reconnaissance can involve a combination of passive and active activities, including collecting public information from open sources or scanning and interacting with an organization’s computers and services.
  • Weaponization: After researching and identifying a vulnerability, the attacker develops the strategy and tools to exploit it. For example, an attacker may create a phishing email that contains an infected attachment that will install malware on the user’s system.
  • Delivery: After creating an exploit, the attacker delivers it to the target. In the phishing example, this includes sending the email to the intended recipient.
  • Exploitation: The Exploitation stage often occurs as part of the Delivery stage. When the exploit is delivered to the target, it exploits the identified vulnerability, which could be a software flaw, user opening an attachment, etc.
  • Installation: After exploiting the vulnerability, the malware is installed on the target system. This includes both getting the malware on the system and achieving code execution so that it is running on the computer.
  • Command and Control: During this stage, the malware reaches back out to the attacker. This allows the malware to exfiltrate any data it has collected or to request further instructions from the malware operator.
  • Actions on Objectives: At this point, the attacker has a foothold on the infected system and the ability to communicate with the malware and send it instructions. The attacker can use this access to further explore the target environment and work toward their eventual goals (data theft, ransomware, etc.).

The Value of the Cyber Kill Chain

The Cyber Kill Chain lays out the stages of a specific type of cyberattack. It involves finding a vulnerability, exploiting it, and delivering malware to further the attacker’s goals.

This model isn’t a perfect fit for all cyberattacks. For example, an attacker could guess or steal a user’s account credentials, log in as them, and exfiltrate data from the corporate database. This approach doesn’t involve malware at all and eliminates many of the stages of the Cyber Kill Chain.

That said, the Cyber Kill Chain is still a valuable tool for formalizing how cyber defenders think about cyberattacks. By considering the various stages of the attack and developing potential defenses against them, an organization can reduce the risk that an attacker could successfully breach its defenses.

Even if the model isn’t a perfect fit for an attack chain, it can still be useful for this purpose. For example, considering ways that the organization could be breached (in the Weaponization through Exploitation stages) can be useful for protecting against any threat using that attack vector.

KZero Staff

Explore more insightful content from the knowledgeable KZero staff on our blog and guides section.

Glossary Terms

Stay up to date with the most recent #infosec topics

Trending Topics

Interested In
Next-Gen MFA?

Discover Multi-Pass enterprise passwordless authentication

Share the page: