Sometimes referred to as the CKC or "the cyberattack lifecycle", the cyber kill chain is a security defense model developed to identify and stop sophisticated cyberattacks before they impact an organization.
Typically composed of seven steps, a cyber kill chain model breaks a cyberattack into discrete stages so that security teams can recognize, intercept, or prevent it at each one. Using a kill chain framework helps organizations understand the threats relevant to them and improve incident management and response.
When used well, a cyber kill chain brings significant security benefits. Applied rigidly, it can leave gaps: attacks that skip or merge stages slip past controls built around the expected sequence. These shortcomings have led some to question the model's future. Still, businesses can use kill chain methodology to inform their cybersecurity strategies.
Additionally, the Cyber COBRA approach is a newer tool that you can integrate into a kill chain strategy to provide a more dynamic and contextual assessment of threats. (More on this topic shortly.)
So, in this article, let's dive into the kill chain's origins, use cases, and cautions to see why the cyber kill chain is a classic yet divisive topic in cyber threat management. For now, let's begin with...
A cyber kill chain is a security framework designed to identify and stop sophisticated cyberattacks by breaking down the attack into multiple stages. This model helps security teams recognize, intercept, or prevent attacks before they impact an organization.
The concept of a kill chain originated in military operations, where an enemy attack is identified, broken down into stages, and countered at the stage where it is most vulnerable. This military model inspired the original cybersecurity kill chain, first described by Lockheed Martin researchers (Hutchins, Cloppert and Amin) in a 2011 paper.
The cyber kill chain's purpose is to bolster an organization's defenses against advanced persistent threats (APTs): long-running, targeted, multi-stage intrusions. These threats commonly include:
Cyber kill chains allow enterprises to be prepared and stay one step ahead of hackers at every stage of an attack, from conceptualization to execution. Incorporating Cyber COBRA into the kill chain process can enhance the framework by providing a more granular and context-specific rating of potential threats, thereby improving response strategies.
(Get the docs for the CKC dashboard in Splunk.)
The cyber kill chain is often compared to the MITRE ATT&CK framework, an approach from the MITRE Corporation. MITRE ATT&CK similarly illustrates the phases of a cyberattack, many of which are similar to the cyber kill chain model.
The key difference between the cyber kill chain and MITRE ATT&CK is that ATT&CK tactics are not assumed to occur in a fixed sequence; an adversary can use them in any order, repeatedly, whereas the kill chain groups its stages into one linear progression.
Another difference is scope: the cyber kill chain describes the attack process in seven phases at a high level, while MITRE ATT&CK catalogs the individual techniques and sub-techniques, and the procedures real adversary groups use, at a granular level.
Overview of the MITRE ATT&CK matrix for enterprises
The Cyber COBRA methodology, below, can complement both frameworks by adding a scoring system that assesses the threat level based on the specific context of the attack, enabling more precise prioritization of response efforts.
Elements of both the kill chain and ATT&CK can be incorporated into cybersecurity strategy, but we’ll touch more on this later.
(Related reading: how to operationalize MITRE ATT&CK & MITRE D3FEND, a complementary framework.)
Cyber COBRA (Contextual Objective Rating) is an emerging cybersecurity assessment framework designed to provide a more nuanced and dynamic understanding of an organization's security posture. Unlike established frameworks like the Cyber Kill Chain or MITRE ATT&CK, which focus on specific stages of attacks or tactics, techniques, and procedures (TTPs), Cyber COBRA emphasizes real-time context. Developed as a response to the increasingly complex cyber threat landscape, it integrates continuous monitoring and contextual analysis to evaluate risks based on:
This approach allows organizations to prioritize their defensive measures more effectively, adapting to changes rather than relying solely on static, periodic assessments. Although it's still gaining traction, Cyber COBRA represents a forward-thinking approach to cybersecurity that aligns with the industry’s move towards more proactive and adaptive defense strategies.
Explore the foundational concepts in Lockheed Martin’s Cyber COBRA whitepaper. Then, see discussions on the evolving use of dynamic cybersecurity frameworks in industry reports such as the SANS Institute's study on context-based security, and in cybersecurity communities like ISACA, which highlights the importance of context-aware security strategies. These resources provide a broader understanding of how frameworks like Cyber COBRA are beginning to be integrated into real-world cybersecurity practices.
The original Lockheed Martin cyber kill chain model describes seven steps. This is the most commonly referenced framework in the industry. Lockheed's 7-stage cyber kill chain follows the methodology and motivation of an attacker across the entire attack timeline, helping organizations to understand and combat threats. These seven phases are:
Reconnaissance
Weaponization
Delivery
Exploitation
Installation
Command and control (C2)
Actions on objectives
Let’s take a look at each phase.
Cyber Kill Chain®, Lockheed Martin (Image source)
Reconnaissance. Attackers gather information about their target to identify vulnerabilities and potential entry points. This stage involves:
(See how vulnerabilities relate to threats and risk.)
Weaponization. After gathering information, attackers pair an exploit with a payload (for example, a remote access trojan embedded in a document, or a malicious installer) that fits the weaknesses identified. This can mean writing new malware or modifying existing tooling to match a specific vulnerability. Weaponization happens entirely on the attacker's side, so defenders rarely observe it directly.
Delivery. Attackers transmit the weapon to the target. Common methods include phishing emails with attachments or links, social engineering, compromised or malicious websites, removable media, and direct exploitation of exposed hardware or software.
(Related reading: types of vulnerabilities.)
Exploitation. Once the weapon reaches the target, its exploit triggers: code runs by abusing a vulnerability in an application or operating system, or by persuading a user to execute it. This gives the attacker their first code execution on the victim. The lateral movement often lumped in here generally comes later, once a foothold has been installed and more systems and weaknesses have been identified.
Installation. Attackers install a persistent foothold, typically a backdoor or remote access trojan disguised as a legitimate program and registered as a service or scheduled task, so that access survives reboots and credential changes. Techniques such as Trojan horses, access token manipulation, and abuse of command-line interfaces are then used to escalate privileges and change permissions.
Command and control (C2). Attackers establish a C2 channel through which they remotely task and monitor the implanted malware. Traffic is usually blended into permitted protocols such as HTTPS or DNS and beacons out on a timer, so a host checking in with unnatural regularity is a classic indicator of this phase. Attackers use obfuscation to cover their tracks and sometimes noisy distractions, such as denial of service (DoS), to draw security teams away from the core objective.
Actions on objectives. The final phase involves executing the attack's primary objective, such as:
This stage can take weeks or months, depending on the success of the previous steps and the attack's complexity.
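The phases above are most useful to defenders when observed events are tagged with the phase they belong to and then correlated per host. The following Python is an added example written for this article, not code from the original page or from Lockheed Martin. The event type names, host names and sample events are constructed for illustration; a real deployment would map its own EDR, mail and proxy telemetry into the EVENT_PHASE table. The correlation counts distinct phases inside a time window rather than demanding the strict Reconnaissance-to-Actions order, so an intrusion that arrives without a delivery event (direct network exploitation) still surfaces.

```python
"""Kill chain phase correlation over constructed host telemetry (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# The seven phases of the Lockheed Martin model, in model order.
PHASES = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]

# Hypothetical event-type -> phase mapping. The event type names are invented
# for this example; map your own log sources here.
EVENT_PHASE = {
    "email_attachment_opened": "delivery",
    "office_spawned_shell": "exploitation",
    "service_spawned_shell": "exploitation",
    "scheduled_task_created": "installation",
    "periodic_beacon": "command_and_control",
    "bulk_file_read": "actions_on_objectives",
}


def ts(s):
    """Parse an ISO-8601 UTC timestamp such as 2024-05-01T09:00:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # ws-017: classic phishing chain, four phases in ten minutes
    {"ts": ts("2024-05-01T09:00:00Z"), "host": "ws-017", "type": "email_attachment_opened"},
    {"ts": ts("2024-05-01T09:02:10Z"), "host": "ws-017", "type": "office_spawned_shell"},
    {"ts": ts("2024-05-01T09:05:30Z"), "host": "ws-017", "type": "scheduled_task_created"},
    {"ts": ts("2024-05-01T09:10:00Z"), "host": "ws-017", "type": "periodic_beacon"},
    # srv-db-03: exploited directly over the network, no delivery event at all
    {"ts": ts("2024-05-01T11:00:00Z"), "host": "srv-db-03", "type": "service_spawned_shell"},
    {"ts": ts("2024-05-01T11:01:00Z"), "host": "srv-db-03", "type": "scheduled_task_created"},
    {"ts": ts("2024-05-01T11:20:00Z"), "host": "srv-db-03", "type": "periodic_beacon"},
    # ws-042: isolated events hours apart, plus one event type we do not map
    {"ts": ts("2024-05-01T08:00:00Z"), "host": "ws-042", "type": "email_attachment_opened"},
    {"ts": ts("2024-05-01T14:30:00Z"), "host": "ws-042", "type": "bulk_file_read"},
    {"ts": ts("2024-05-01T15:00:00Z"), "host": "ws-042", "type": "user_logon"},
]


def phase_of(event):
    """Return the kill chain phase for an event, or None if its type is unmapped."""
    return EVENT_PHASE.get(event["type"])


def correlate(events, window=timedelta(hours=1), min_phases=3):
    """Return {host: [phases]} for hosts whose mapped events span at least
    min_phases distinct phases within some interval of length `window`.

    Distinct phases are counted instead of requiring a strict linear order,
    because real intrusions skip or merge stages."""
    by_host = defaultdict(list)
    for ev in events:
        phase = phase_of(ev)
        if phase is not None:
            by_host[ev["host"]].append((ev["ts"], phase))

    alerts = {}
    for host, tagged in by_host.items():
        tagged.sort()  # chronological order
        for i, (start, _) in enumerate(tagged):
            seen = set()
            for when, phase in tagged[i:]:
                if when - start > window:
                    break
                seen.add(phase)
            if len(seen) >= min_phases:
                alerts[host] = sorted(seen, key=PHASES.index)
                break
    return alerts


if __name__ == "__main__":
    for host, phases in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {' -> '.join(phases)}")
```

Tuning min_phases is the trade-off the rest of this article circles around: requiring four phases would suppress the srv-db-03 alert, which is exactly the kind of stage-skipping intrusion a rigid reading of the model misses.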
Some security experts advocate for the inclusion of an eighth stage in cyber kill chains: monetization. This can also be considered the final objective of an attack, but it specifically focuses on the cybercriminal’s financial gain from an attack. The attacker can initiate a ransom request – demanding funds by threatening to release or sell sensitive data (personal information or industry secrets).
Profiteering from cyberattacks has grown in recent years alongside the use of cryptocurrency, which makes it easier for attackers to demand and receive payment with less exposure to tracing and seizure, and has fuelled the dramatic increase in monetized attacks such as ransomware.
Preventing cyberattacks requires a proactive, multi-layered security approach. Here are strategies to enhance your organization's defenses:
Advanced threat detection tools. Deploy tools like intrusion detection systems (IDS), intrusion prevention systems (IPS), and endpoint detection and response (EDR) solutions. These tools can identify and mitigate threats in real time, reducing the window of opportunity for attackers.
Regular vulnerability assessments & penetration testing. Conduct regular vulnerability assessments and penetration testing to identify and fix security weaknesses before attackers can exploit them. This should include both automated scans and manual testing by skilled security professionals.
Patch management. Ensure that all software, including operating systems, applications, and security tools, is up-to-date with the latest patches and updates. This reduces the risk of attackers exploiting known vulnerabilities.
Network segmentation. Implement network segmentation to limit the movement of attackers within your network. By dividing your network into smaller, isolated segments, you can contain breaches and prevent attackers from accessing sensitive areas.
Multi-factor authentication (MFA). Require multi-factor authentication for all user accounts, especially those with access to sensitive information and critical systems. MFA adds an extra layer of security, making it harder for attackers to gain unauthorized access with stolen credentials alone.
Employee training & awareness programs. Conduct regular cybersecurity training and awareness programs for employees. Educate them on recognizing phishing attempts, social engineering attacks, and safe online practices. An informed workforce is a critical line of defense against cyber threats.
Incident response planning. Develop and maintain a comprehensive incident response plan. This plan should outline the steps to take in the event of a security breach, including roles and responsibilities, communication protocols, and recovery procedures. Regularly test and update the plan to ensure its effectiveness.
Behavioral analytics. Utilize behavioral analytics to detect anomalies and unusual patterns of activity within your network. By establishing a baseline of normal behavior, you can identify potential threats that traditional security measures might miss.
Zero trust architecture. Adopt a zero-trust security model, which operates on the principle of “never trust, always verify.” This approach requires continuous verification of all users, devices, and applications, both inside and outside the network, before granting access.
Regular data backups. Perform regular backups of all critical data and ensure that backup systems are secure and tested. In the event of a ransomware attack or data loss, having reliable backups can facilitate quick recovery and minimize downtime.
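The behavioral analytics item above is easiest to see with a concrete baseline. The Python below is an added example, not code from the original article or from Splunk: it reads a constructed proxy log (documentation IP ranges, invented host names) and flags source/destination pairs whose connection intervals are suspiciously regular, the timer-driven check-in pattern described under the command and control phase. The 0.1 coefficient-of-variation threshold and the five-connection minimum are assumptions for illustration; both would be tuned against your own traffic.

```python
"""Beacon detection from constructed proxy logs (added example)."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log, not real traffic. Fields:
#   <utc timestamp> <src host> <dst ip> <dst port> <bytes>
# ws-017 reaches 203.0.113.5 every ~300 s with a few seconds of jitter (beacon-like).
# ws-042 reaches 198.51.100.7 in bursts typical of interactive browsing.
# ws-099 is perfectly regular but has only three connections (too few to judge).
SAMPLE_LOG = """\
2024-05-01T09:00:00Z ws-017 203.0.113.5 443 512
2024-05-01T09:00:00Z ws-042 198.51.100.7 443 20480
2024-05-01T09:00:12Z ws-042 198.51.100.7 443 1834
2024-05-01T09:02:32Z ws-042 198.51.100.7 443 65120
2024-05-01T09:02:35Z ws-042 198.51.100.7 443 911
2024-05-01T09:05:01Z ws-017 203.0.113.5 443 498
2024-05-01T09:00:00Z ws-099 203.0.113.9 443 300
2024-05-01T09:05:00Z ws-099 203.0.113.9 443 300
2024-05-01T09:09:59Z ws-017 203.0.113.5 443 505
2024-05-01T09:10:00Z ws-099 203.0.113.9 443 300
2024-05-01T09:12:35Z ws-042 198.51.100.7 443 40222
2024-05-01T09:12:36Z ws-042 198.51.100.7 443 702
2024-05-01T09:15:02Z ws-017 203.0.113.5 443 510
2024-05-01T09:19:58Z ws-017 203.0.113.5 443 499
2024-05-01T09:25:00Z ws-017 203.0.113.5 443 503
"""


def parse(lines):
    """Yield (timestamp, src, dst) from whitespace-separated log lines."""
    for line in lines:
        if not line.strip():
            continue
        stamp, src, dst, _port, _nbytes = line.split()
        yield datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"), src, dst


def detect_beacons(lines, min_count=5, max_cv=0.1):
    """Return {(src, dst): stats} for pairs whose inter-connection intervals
    are suspiciously regular.

    Regularity is the coefficient of variation (stdev / mean) of the gaps
    between consecutive connections: human traffic is bursty (high CV),
    scheduled implants check in on a timer (low CV). Pairs with fewer than
    min_count connections are skipped because a handful of points cannot
    establish a baseline."""
    times = defaultdict(list)
    for when, src, dst in parse(lines):
        times[(src, dst)].append(when)

    flagged = {}
    for pair, stamps in times.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue  # everything in the same second is a burst, not a beacon
        cv = statistics.stdev(gaps) / mean
        if cv <= max_cv:
            flagged[pair] = {"count": len(stamps), "mean_interval_s": mean, "cv": cv}
    return flagged


if __name__ == "__main__":
    for (src, dst), stats in detect_beacons(SAMPLE_LOG.splitlines()).items():
        print(f"{src} -> {dst}: {stats['count']} connections, "
              f"every {stats['mean_interval_s']:.0f}s, cv={stats['cv']:.3f}")
```

Lowering min_count to three would also flag ws-099, which is the usual false-positive source for this detector: software updaters and monitoring agents are beacons too, so the result is a lead for analysts, not a verdict.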
The Lockheed Martin cyber kill chain model has its strengths, but some consider the 2011 framework outdated. A key weakness of the traditional model is that it was designed around detecting malware and defending the network perimeter. Those are the classic, fundamental pillars of cybersecurity, but today organizations face many more kinds of threats across far more attack surfaces, and attacks keep growing more sophisticated.
Here are the major drawbacks of the traditional seven-step cyber kill chain:
The kill chain is limited in its ability to detect various types of attacks. Originally designed to address malware and payloads, it doesn't adequately cover modern threats such as:
Additionally, it overlooks attacks by unauthorized parties leveraging compromised credentials.
The traditional cyber kill chain does not account for insider threats, which pose a significant risk to organizations. Insider threats can involve employees or contractors with legitimate access who misuse their privileges. Effective detection requires monitoring user behavior and activity across networks and applications, often through automated systems that set alerts for suspicious activities.
Not all attackers follow the cyber kill chain linearly. They can skip, combine, or backtrack stages. For instance, some attacks might not involve extensive reconnaissance, using broad "spray and pray" tactics instead. One report revealed that nearly 90% of attacks combined the first five stages of the kill chain into a single action.
The rigid structure of the traditional kill chain can cause organizations to miss or inadequately respond to threats that do not fit this pattern.
Advances in technology — cloud computing, DevOps, IoT, machine learning, and automation — have broadened the scope of cyberattacks. These innovations introduce new entry points and new data sources, challenging the traditional kill chain framework to adapt. Moreover, the rise of remote working and the prevalence of cryptocurrency have created additional avenues for cybercriminals to exploit.
Cybercriminals constantly develop new methods that outpace the original kill chain's assumptions. For instance, techniques like deepfake phishing, AI-driven attacks, and sophisticated ransomware campaigns require more dynamic and responsive security models. The traditional cyber kill chain does not provide adequate guidance for mitigating these advanced threats.
Addressing these weaknesses requires integrating more comprehensive and flexible frameworks, like MITRE ATT&CK and Cyber COBRA, which offer a more detailed and adaptive approach to modern cyber threats. Organizations must continuously evolve their security strategies to stay ahead of attackers and protect their digital assets effectively.
Although the original seven stages of the cyber kill chain have been subject to scrutiny, organizations can still use these principles to help better prepare for existing and future cyberattacks. A cyber kill chain framework can guide a business’s cyber security strategy, whether that’s by identifying flaws with the current strategy or confirming what’s already working well. For example, it could incentivize the adoption of services and solutions such as:
The inclusion of Cyber COBRA in this framework can add an extra layer of assessment and prioritization, ensuring that the most critical vulnerabilities are addressed promptly. As the cyberattack landscape continues to evolve, organizations must consider a strategy that incorporates a layered approach of administrative, technical, and physical security measures. The cyber kill chain methodology can help to achieve this, but the initial model only stretches so far.
While every business requires its own tailored cyber kill chain framework, here are some other ways to adapt the original kill chain process:
The concept of a unified kill chain (proposed by Paul Pols in 2017) combines the tactics of MITRE ATT&CK with the original cyber kill chain model. The result is a detailed, integrated framework of 18 individual phases, which can be grouped into three core stages:
Initial Foothold
Network Propagation
Action on Objectives
Because each phase maps to ATT&CK tactics, security teams can place observed behavior and indicators of compromise (IOCs) on one timeline, including the cycles of propagation and re-entry that the linear model cannot represent. A unified kill chain model can be used by defensive and offensive teams alike to design and test security controls.
Organizations can also use kill chain models for attack simulation. Breach and attack simulation platforms replay the stages of the kill chain against your environment, so you can locate and fix entry points and system weaknesses quickly.
As well as simulating threats through email, web, and firewall gateways, these platforms provide a risk score or report for the systems tested, helping teams identify key areas of risk. The organization can then act to prevent future attacks with measures such as changing configurations and installing patches.
The continuous evolution of cyberattacks has led many to question the future of the cyber kill chain. An agile kill chain that incorporates elements of MITRE ATT&CK and extended detection and response (XDR) strategies could identify a broader range of threats and prevent and neutralize them more effectively.
Regardless of your stance on the cyber kill chain framework, addressing existing vulnerabilities and having a comprehensive cyber security strategy in place is crucial for the safeguarding of any business.
See an error or have a suggestion? Please let us know by emailing ssg-blogs@splunk.com.
This posting does not necessarily represent Splunk's position, strategies or opinion.