Cyber Kill Chain

The origins of most security technologies lie in warfare.

The Cyber Kill Chain that I will study today is no different.

What is the Cyber Kill Chain?

Kill Chain (1991)

  • The term "Kill Chain" was originally a military term used to describe the sequence of steps taken to detect, identify, and defeat an enemy attack.

  • In warfare, by understanding each phase of an attack, such as the movement of enemy aircraft, target selection, or launching of weapons, defenders could act at each stage to prevent the final attack.

  • Stages: detection, confirmation, tracking, targeting, engagement, evaluation

Cyber Kill Chain (2009)

  • The Cyber Kill Chain applies this military Kill Chain concept to cyberattacks.

  • Lockheed Martin adapted this military model to cybersecurity, breaking down a cyberattack into seven stages to help identify, prevent, and mitigate attacks.

  • Stages: reconnaissance, weaponization, delivery, exploitation, installation, command & control, actions on objectives

Cyber Kill Chain Stages

The Cyber Kill Chain model consists of seven stages, each representing a specific phase in the process of a cyberattack. Understanding these stages helps defenders identify and disrupt attacks at different points in their lifecycle. Here's a breakdown of each stage:

1. Reconnaissance: Information gathering.

  • Description: This is the first stage of an attack, where the attacker gathers information about the target. The goal is to collect data such as system details, network infrastructure, weaknesses, and employee information.

  • Methods: Social engineering, open-source intelligence (OSINT), network scanning, phishing.

2. Weaponization: Creating malicious payloads.

  • Description: In this stage, the attacker takes the information collected during reconnaissance and creates or customizes a malicious payload. The weaponized code is designed to exploit vulnerabilities in the target system.

  • Methods: Crafting malware, such as viruses, Trojans, or ransomware, and embedding it in files, scripts, or other deliverable forms.

3. Delivery

  • Description: The attacker delivers the weaponized payload to the target system. The method of delivery can vary based on the attack, but the goal is to get the malicious code into the victim’s system.

  • Methods: Phishing emails with malicious attachments, exploiting web applications, USB drives, or even social media links.

4. Exploitation

  • Description: After the payload is delivered, the attacker exploits a vulnerability in the system to execute the malicious code. This allows the attacker to take control of the system or gain unauthorized access.

  • Methods: Exploiting known software vulnerabilities (such as buffer overflows or privilege escalation flaws), or executing malware after a user opens a malicious attachment.

5. Installation

  • Description: The attacker installs malicious software, such as a backdoor or remote access tool (RAT), to maintain persistence within the compromised system.

  • Methods: Installing keyloggers, rootkits, or other malware that lets the attacker reconnect to the compromised system while avoiding detection.

6. Command and Control (C2)

  • Description: The attacker establishes a channel to communicate with the compromised system, enabling remote control. The attacker can issue commands to the system, exfiltrate data, or propagate the attack.

  • Methods: Using encrypted communications, web shells, or command-and-control servers to maintain communication with the compromised system.

7. Actions on Objectives

  • Description: This is the final stage where the attacker achieves their goals, whether it's stealing sensitive data, disrupting operations, causing financial damage, or other malicious objectives.

  • Methods: Data exfiltration, deploying ransomware, destroying or corrupting data, espionage, or further exploiting other systems within the network.
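As an added example (not from the original post), here is a small Python script showing how a defender can put the seven stages to work: it maps security events to kill-chain stages, then reports per host the earliest stage at which the chain could have been broken, the furthest stage the attacker is known to have reached, and the stages in between that produced no telemetry. The event type names, the event-to-stage mapping and the sample events are all assumptions constructed for this example, not output from any real detection product.

```python
"""Mapping security events onto the seven Cyber Kill Chain stages.

Added example (not from the original post). Event type names, the
event-to-stage mapping and the sample events below are all constructed
for illustration and do not come from any real detection product.
"""
from collections import defaultdict

# The seven stages, in chain order, as listed in the post.
STAGES = [
    "reconnaissance",
    "weaponization",
    "delivery",
    "exploitation",
    "installation",
    "command_and_control",
    "actions_on_objectives",
]
STAGE_INDEX = {name: i for i, name in enumerate(STAGES)}

# Hypothetical mapping from a detection's event type to the stage it evidences.
# Weaponization happens on the attacker's side and rarely produces
# defender-visible telemetry, so nothing maps to it here.
EVENT_TO_STAGE = {
    "port_scan": "reconnaissance",
    "login_page_enumeration": "reconnaissance",
    "phishing_email_attachment": "delivery",
    "drive_by_download": "delivery",
    "office_macro_spawned_process": "exploitation",
    "exploit_signature_match": "exploitation",
    "new_service_persistence": "installation",
    "run_key_modification": "installation",
    "beaconing_to_rare_domain": "command_and_control",
    "large_outbound_transfer": "actions_on_objectives",
    "mass_file_encryption": "actions_on_objectives",
}

# Constructed sample events: (timestamp, host, event_type). Not real telemetry.
SAMPLE_EVENTS = [
    ("2024-05-01T08:02:11Z", "ws-17", "port_scan"),
    ("2024-05-01T09:15:40Z", "ws-17", "phishing_email_attachment"),
    ("2024-05-01T09:16:05Z", "ws-17", "office_macro_spawned_process"),
    ("2024-05-01T09:16:30Z", "ws-17", "run_key_modification"),
    ("2024-05-01T09:20:00Z", "ws-17", "beaconing_to_rare_domain"),
    ("2024-05-01T09:21:13Z", "ws-17", "unknown_event_type"),
    ("2024-05-02T01:44:09Z", "db-02", "large_outbound_transfer"),
]


def stages_by_host(events):
    """Group observed stages per host, sorted into chain order; unmapped event types are skipped."""
    seen = defaultdict(set)
    for _ts, host, event_type in events:
        stage = EVENT_TO_STAGE.get(event_type)
        if stage is not None:
            seen[host].add(stage)
    return {host: sorted(s, key=STAGE_INDEX.__getitem__) for host, s in seen.items()}


def unmapped_event_types(events):
    """Event types the mapping does not know; each needs a stage assigned or a rule review."""
    return sorted({e for _ts, _host, e in events if e not in EVENT_TO_STAGE})


def assess_host(observed):
    """Summarise one host's observed stages (given in chain order).

    earliest   - first stage with evidence: the earliest point the defender could have broken the chain
    furthest   - last stage with evidence: how far the attacker is known to have progressed
    unobserved - stages up to and including 'furthest' that produced no telemetry; each is
                 either attacker-side activity (weaponization) or a detection gap to investigate
    """
    furthest_idx = STAGE_INDEX[observed[-1]]
    unobserved = [s for s in STAGES[: furthest_idx + 1] if s not in observed]
    return {"earliest": observed[0], "furthest": observed[-1], "unobserved": unobserved}


def report(events):
    """Per-host kill-chain assessment over a batch of events."""
    return {host: assess_host(obs) for host, obs in stages_by_host(events).items()}


if __name__ == "__main__":
    for host, summary in report(SAMPLE_EVENTS).items():
        print(f"{host}: first seen at {summary['earliest']}, reached {summary['furthest']}, "
              f"no telemetry for {summary['unobserved'] or 'none'}")
    print("unmapped event types:", unmapped_event_types(SAMPLE_EVENTS))
```

On the constructed data, ws-17 was first seen at reconnaissance and reached command and control with only weaponization unobserved, which is expected since that stage happens on the attacker's side. db-02, by contrast, was only seen at actions on objectives: every earlier stage passed without telemetry, which is exactly the kind of coverage gap the model is meant to surface. Unmapped event types are listed separately so new detections get assigned a stage rather than silently dropped.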