The Cyber Kill Chain framework breaks down an attack into seven distinct stages: reconnaissance, weaponisation, delivery, exploitation, installation, command and control (C2), and actions on objectives. By analysing each stage, security professionals can identify and disrupt the attack process, ideally before attackers achieve their ultimate objectives.
This model helps in creating layered defensive strategies that address threats at each step of the chain. Although the Cyber Kill Chain has been widely adopted and praised for its structured approach to security, it has also faced criticism for its linear progression model, which does not always represent the fluid nature of cyber attacks.
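As an added illustration (not part of the original page), the following script maps constructed detection alerts onto the seven stages and reports, per host, how far the intrusion progressed and whether a control broke the chain before "actions on objectives". The alert tags, hosts and timestamps are constructed for the demo, and the tag-to-stage mapping is an assumption a real deployment would derive from its own tooling.

```python
"""Kill-chain progression tracker (added example, constructed data)."""
from collections import defaultdict

STAGES = ["reconnaissance", "weaponisation", "delivery", "exploitation",
          "installation", "command and control", "actions on objectives"]
STAGE_INDEX = {s: i for i, s in enumerate(STAGES)}
FINAL = STAGE_INDEX["actions on objectives"]

# Assumed mapping from detection-tool alert tags to kill-chain stages.
TAG_TO_STAGE = {
    "port_scan": "reconnaissance",
    "phish_email": "delivery",
    "macro_exec": "exploitation",
    "persistence_runkey": "installation",
    "beacon_dns": "command and control",
    "mass_encrypt": "actions on objectives",
}

# Constructed sample alerts: (timestamp, host, tag, blocked_by_control)
SAMPLE_ALERTS = [
    ("2024-05-01T09:00:00", "ws-01", "phish_email", False),
    ("2024-05-01T09:02:10", "ws-01", "macro_exec", False),
    ("2024-05-01T09:02:30", "ws-01", "persistence_runkey", True),
    ("2024-05-01T09:05:00", "ws-02", "phish_email", False),
    ("2024-05-01T09:06:00", "ws-02", "macro_exec", False),
    ("2024-05-01T09:07:00", "ws-02", "beacon_dns", False),
    ("2024-05-01T09:30:00", "ws-02", "mass_encrypt", False),
]


def assess(alerts):
    """Return {host: (furthest_stage, chain_broken)} for the given alerts."""
    per_host = defaultdict(list)
    for _ts, host, tag, blocked in sorted(alerts):  # sorted by timestamp
        stage = TAG_TO_STAGE.get(tag)
        if stage is not None:  # ignore tags with no stage mapping
            per_host[host].append((stage, blocked))
    result = {}
    for host, events in per_host.items():
        # Furthest stage observed on this host.
        furthest = max(events, key=lambda e: STAGE_INDEX[e[0]])[0]
        # Chain counts as broken if a control blocked any stage before the last.
        broken = any(b and STAGE_INDEX[s] < FINAL for s, b in events)
        result[host] = (furthest, broken)
    return result


if __name__ == "__main__":
    for host, (stage, broken) in sorted(assess(SAMPLE_ALERTS).items()):
        print(f"{host}: reached '{stage}', chain broken={broken}")
```

Hosts whose chain reached the final stage without any blocked event are the ones that need incident response rather than just alert review.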
Key Characteristics:
- Proactive Defence: Provides a structure for identifying potential threats and attacker tactics before an attack succeeds.
- Step-by-Step Analysis: Enables detailed examination of an attacker’s progress through successive stages.
- Strategic Countermeasures: Helps in developing targeted defensive strategies at each stage of the intrusion.
- Disruptive Tactics: Aims to disrupt or halt the attack process at any point along the chain.
Examples:
- Real-World Example: A company applies the Cyber Kill Chain model to strengthen its email filters and user training after identifying that phishing emails are the primary attack delivery method for spear-phishing campaigns.
- Hypothetical Scenario: An attacker conducting a ransomware campaign is thwarted during the weaponisation stage due to robust endpoint security software, preventing the delivery and subsequent encryption of the target’s data.
Related Terms:
- Reconnaissance: The first step in the Cyber Kill Chain, where attackers gather information about their targets.
- Advanced Persistent Threat (APT): A category of threat that often follows a progression similar to the Cyber Kill Chain, involving long-term, strategic campaigns against specific targets.
- Indicator of Compromise (IoC): Evidence on a computer or network that indicates a potential breach of security, which can be identified at various stages of the Cyber Kill Chain.