What is a kill chain in cyber security?

Cyber Kill Chain

Definition: The Cyber Kill Chain is a model developed by Lockheed Martin that outlines the stages of a cyber attack, from initial reconnaissance to the accomplishment of the attack's goal (typically data exfiltration or system compromise). It serves as a framework for understanding the sequence of events involved in a cyber intrusion and for developing preventive and defensive strategies.

The Cyber Kill Chain framework breaks down an attack into seven distinct stages: reconnaissance, weaponisation, delivery, exploitation, installation, command and control (C2), and actions on objectives. By analysing each stage, security professionals can identify and disrupt the attack process, ideally before attackers achieve their ultimate objectives.

This model helps in creating layered defensive strategies that address threats at each step of the chain. Although the Cyber Kill Chain has been widely adopted and praised for its structured approach to security, it has also faced criticism for its linear progression model, which does not always represent the fluid nature of cyber attacks.

Key Characteristics:

Proactive Defense: Provides a structure for identifying potential threats and tactics before an attack is successful.
Step-by-Step Analysis: Enables detailed examination of an attacker’s progress through successive stages.
Strategic Countermeasures: Helps in developing targeted defensive strategies at each stage of the intrusion.
Disruptive Tactics: Aims to disrupt or halt the attack process at any point along the chain.

Examples:

Real-World Example: A company applies the Cyber Kill Chain model to strengthen its email filters and user training after identifying that phishing emails are the primary attack delivery method for spear-phishing campaigns.
Hypothetical Scenario: An attacker conducting a ransomware campaign is thwarted during the weaponisation stage due to robust endpoint security software, preventing the delivery and subsequent encryption of the target’s data.

Related Terms:

Reconnaissance: The first step in the Cyber Kill Chain, where attackers gather information about their targets.
Advanced Persistent Threat (APT): A category of threat that often follows a similar progression to the Cyber Kill Chain, involving long-term, strategic assaults on specific targets.
Indicator of Compromise (IoC): Evidence on a computer or network that indicates a potential breach of security, which can be identified at various stages of the Cyber Kill Chain.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cyber Kill Chain

What is the OWASP Top 10: Download our flash cards to find out.

Contact us