Sometimes referred to as CKC or the cyberattack lifecycle, the cyber kill chain is a security defense model developed to identify and stop sophisticated cyberattacks before they impact an organization. Typically consisting of seven steps, a cyber kill chain model breaks down the multiple stages of a cyberattack, allowing security teams to recognize, intercept or prevent them.
Using a cyber kill chain framework can help organizations to better understand relevant threats and improve incident management and response. When done right, cyber kill chains can have significant security benefits — but if done incorrectly, they can put organizations at risk. In fact, certain shortcomings in the kill chain lead to questions about its future. Still, businesses can use cyber kill chain methodology to inform their cybersecurity strategies.
Stick around to see why the cyber security kill chain is a divisive topic in cyber threat management, as we dive into the kill chain’s origins, use cases and cautions.
(Get the docs for the CKC dashboard in Splunk.)
You may have heard of the phrase ‘kill chain’ being used in reference to military operations: when an enemy attack is identified, broken down into stages, and preventative measures are put in place. This is the exact concept that inspired the original cyber security kill chain, which was initially created by Lockheed Martin in 2011.
A cyber kill chain’s purpose is to bolster an organization's defenses against advanced persistent threats (APTs), aka sophisticated cyberattacks. The most common threats include the deployment of:
Cyber kill chains allow enterprises to be prepared and stay one step ahead of hackers at every stage of an attack, from conceptualization to execution.
The cyber kill chain is often compared to the MITRE ATT&CK framework. MITRE ATT&CK also illustrates the phases of a cyberattack, many of which are similar to the cyber kill chain model. The key difference between the cyber kill chain and MITRE ATT&CK is the fact that MITRE tactics are listed in no particular order — unlike the specific grouping of stages and linear structure of the kill chain.
Another difference is that the cyber kill chain framework addresses the cyberattack process in seven phases at a high level, while MITRE ATT&CK explores various techniques and procedures that relate to the granular details of a cyberattack. Elements of both the kill chain and ATT&CK can be incorporated into cybersecurity strategy, but we’ll touch more on this later.
(See how to use MITRE ATT&CK in your defense.)
The original Lockheed Martin cyber kill chain model describes seven steps. This is the most commonly referenced framework in the industry. Lockheed’s 7-stage cyber kill chain explores the methodology and motivation of a cybercriminal across the entire attack timeline, helping organizations to understand and combat threats. These seven phases are:
Let’s take a look at each phase.
Cyber Kill Chain®, Lockheed Martin (Image source)
The first stage of the cyber security kill chain is reconnaissance, which is essentially the research stage of the operation. Attackers scope out their target to identify any vulnerabilities and potential entry points. This can be as simple as gathering public email addresses, to the advanced deployment of spying tools and automated scanners to detect the types of security systems or third-party applications used.
Reconnaissance is a pivotal step in any sophisticated cyberattack and can be done both online and offline. The more intelligence attackers gain at this stage, the more successful the attack is likely to be.
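Reconnaissance is the one phase a defender can often see in its own perimeter logs, because automated scanners leave a recognisable footprint: one source touching many distinct ports on a target in a short window. The following Python is an added example (not code from the Splunk post or from Lockheed Martin) that flags that pattern; the log line format, the one-minute window and the eight-port threshold are assumptions chosen for the illustration, and the log lines themselves are constructed.

```python
"""Added example (not from the Splunk post): flag reconnaissance-style port
scanning in constructed firewall log lines.

A source that touches many distinct destination ports on one target within a
short sliding window is a classic early-phase (reconnaissance) indicator.
The log format and thresholds below are assumptions for the example, not a
real product's format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>"
SAMPLE_LOG = """\
2024-03-01T10:00:01 203.0.113.7 -> 192.0.2.10:22 DENY
2024-03-01T10:00:02 203.0.113.7 -> 192.0.2.10:23 DENY
2024-03-01T10:00:02 203.0.113.7 -> 192.0.2.10:25 DENY
2024-03-01T10:00:03 203.0.113.7 -> 192.0.2.10:80 ALLOW
2024-03-01T10:00:03 203.0.113.7 -> 192.0.2.10:110 DENY
2024-03-01T10:00:04 203.0.113.7 -> 192.0.2.10:143 DENY
2024-03-01T10:00:04 203.0.113.7 -> 192.0.2.10:443 ALLOW
2024-03-01T10:00:05 203.0.113.7 -> 192.0.2.10:445 DENY
2024-03-01T10:00:05 203.0.113.7 -> 192.0.2.10:3389 DENY
2024-03-01T10:00:06 203.0.113.7 -> 192.0.2.10:8080 DENY
2024-03-01T10:00:07 198.51.100.4 -> 192.0.2.10:443 ALLOW
2024-03-01T10:05:00 198.51.100.4 -> 192.0.2.10:443 ALLOW
2024-03-01T10:20:00 198.51.100.4 -> 192.0.2.10:80 ALLOW
"""


def parse_line(line):
    """Parse one constructed log line into (time, src, dst, port, action)."""
    ts, src, _arrow, dst_port, action = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port), action


def detect_scans(log_text, window=timedelta(seconds=60), min_ports=8):
    """Return (src, dst, distinct_ports) for every source that probed at least
    `min_ports` distinct ports on one destination inside a sliding `window`.
    Both ALLOW and DENY lines count: a scanner learns from either."""
    events = defaultdict(list)  # (src, dst) -> [(time, port), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        t, src, dst, port, _ = parse_line(line)
        events[(src, dst)].append((t, port))

    findings = []
    for (src, dst), hits in events.items():
        hits.sort()
        start = 0
        best = set()
        for end in range(len(hits)):
            # Advance the window start until every event fits inside `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) > len(best):
                best = ports
        if len(best) >= min_ports:
            findings.append((src, dst, len(best)))
    return findings


if __name__ == "__main__":
    for src, dst, n in detect_scans(SAMPLE_LOG):
        print(f"possible port scan: {src} probed {n} distinct ports on {dst}")
```

The sliding window matters: a slow scan spread over hours would not trip this rule, which is exactly the trade-off a detection engineer tunes with the `window` and `min_ports` parameters.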
(See how vulnerabilities relate to threats and risk.)
Once the perpetrator has gathered their information on the target, they can strategize to take advantage of their weaknesses. This is the weaponization stage of the cyber kill chain, in which the attacker creates malware or malicious payloads to use against the target. The process can include:
Following weaponization is the delivery stage — when cybercriminals try to infiltrate their target’s network or security system.
Typically, these actors deploy malware into the system via phishing emails and other social engineering tools. It can also involve hacking into a network and exploiting vulnerabilities in an organization’s hardware or software.
After malware has been delivered, or a network has otherwise been breached, the next step is exploitation: attackers take advantage of the weaknesses they uncovered in the previous cyber kill chain phases. They can now further infiltrate a target’s network and learn of additional vulnerabilities that they were unaware of prior to entering.
At this stage, they often move laterally across a network from one system to another, spotting more potential entry points on the way. Vulnerabilities are much easier to identify now if there are no deception measures in place on the network.
Next is the installation stage (also known as the privilege escalation phase). The attacker tries to install malware and deploy other cyberweapons within the target network in order to gain additional control of more systems, accounts, and data. Strategies include installing malware via:
Tactics begin to intensify, as attackers forcefully infiltrate the target network, seeking out unprotected security credentials and changing permissions on compromised accounts.
One of the crucial steps of the cyber security kill chain is the development of a command and control channel (also known as the C2 phase). After gaining control of part of their target’s system or accounts, the attacker can now track, monitor and guide their deployed cyberweapons and tool stacks remotely. This stage can be broken down into two methods:
The 7 stages of the cyber kill chain culminate with action: the final phase in which cybercriminals execute the underlying objective of the attack. This phase of the cyber kill chain process can take several weeks or months depending on the success of previous steps. Common end goals of a strategic cyberattack include:
(Watch our Coffee Talk with SURGe on supply chain risk or view the PDF.)
Some security experts advocate for the inclusion of an eighth stage in cyber kill chains: monetization. This can also be considered as the final objective of an attack, but it specifically focuses on the cybercriminal’s financial gain from an attack. The attacker can initiate a ransom request – demanding funds by threatening to release or sell sensitive data (personal information or industry secrets).
Profiteering from cyberattacks has become more of an issue in recent times due to the growing use of cryptocurrency. Crypto makes it easier and safer for attackers to request and receive money, facilitating the dramatic increase of monetizing cyberattacks.
As with most things in life, prevention is the best cure. The earlier an enterprise can intercept and stop an attack, the easier the remediation will be.
For example, stopping an attack in the command and control phase (Phase 6) usually requires more advanced, costly and time-consuming efforts. This can include anything from machine repairs to forensic measures like in-depth network sweeps and endpoint analysis to determine what data has been lost and piece together the overall scale of the attack.
Therefore, organizations should aim to identify and resolve threats at the early stages of the cyber kill chain to reduce the risk to their enterprise and minimize resources.
(See how Splunk helps with advanced threat detection.)
The Lockheed Martin cyber kill chain model may have its strengths, but some consider the 2011 framework to be outdated or lacking in innovation. A key weakness of the traditional model is that it’s designed to detect and prevent malware and protect perimeter security. Yet, we now face many more security threats, and cybercrime is becoming more and more sophisticated.
Here are the major drawbacks of the traditional seven-step cyber kill chain.
As we’ve recognized, the kill chain is limited in terms of the types of attacks that can be detected. The original cyber kill chain framework centers around malware and payloads, and therefore does not consider other types of attacks. Examples include web-based attacks such as SQL injection, DoS, Cross Site Scripting (XSS) and certain zero-day exploits.
Additionally, it does not account for attacks conducted by unauthorized parties who are attempting to leverage compromised credentials.
Insider threats pose a significant risk to organizations, yet they are not accounted for in the traditional cyber kill chain process. To identify insider threats, you need to closely monitor both:
You can run a behavioral profile on users, whether automated or manual. An automated approach is best because you can set alerts for instances of unusual behavior. Over time, you will be able to distinguish real threats from false positives more quickly.
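To make the behavioral-profile idea concrete, here is an added Python example (not code from the Splunk post) that builds a per-user baseline from a period of login events and then scores new events against it. The event format, the two baseline features (source hosts seen and login hours seen), the one-hour slack and the three-failure burst rule are all assumptions for the illustration; the events are constructed.

```python
"""Added example (not from the Splunk post): profile each user's normal login
behaviour from a baseline period and flag deviations in new events.

The event format, the baseline features and the three anomaly rules (new
source host, login outside the user's usual hours, burst of failed logins)
are assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed baseline events: "<timestamp> user=<name> host=<src> result=<ok|fail>"
BASELINE_EVENTS = """\
2024-02-05T09:02:00 user=alice host=ws-alice result=ok
2024-02-06T08:55:00 user=alice host=ws-alice result=ok
2024-02-07T09:10:00 user=alice host=ws-alice result=ok
2024-02-08T17:40:00 user=alice host=ws-alice result=ok
2024-02-05T10:00:00 user=bob host=ws-bob result=ok
2024-02-06T10:05:00 user=bob host=jump-01 result=ok
2024-02-07T14:30:00 user=bob host=ws-bob result=ok
"""

# Constructed events to score against the baseline.
NEW_EVENTS = """\
2024-03-01T09:05:00 user=alice host=ws-alice result=ok
2024-03-01T02:15:00 user=alice host=ws-alice result=ok
2024-03-01T10:10:00 user=alice host=fileserver-02 result=ok
2024-03-01T10:20:00 user=bob host=jump-01 result=ok
2024-03-02T11:00:00 user=bob host=ws-bob result=fail
2024-03-02T11:00:05 user=bob host=ws-bob result=fail
2024-03-02T11:00:10 user=bob host=ws-bob result=fail
2024-03-02T11:00:15 user=bob host=ws-bob result=ok
"""


def parse_event(line):
    """Parse one constructed event into (time, user, host, result)."""
    ts, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return datetime.fromisoformat(ts), fields["user"], fields["host"], fields["result"]


def build_profiles(baseline_text):
    """Per user: the set of source hosts seen and the set of login hours seen."""
    profiles = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for line in baseline_text.splitlines():
        t, user, host, _ = parse_event(line)
        profiles[user]["hosts"].add(host)
        profiles[user]["hours"].add(t.hour)
    return profiles


def score_events(profiles, new_text, hour_slack=1, fail_burst=3):
    """Return a list of (user, timestamp, reason) alerts for new events."""
    alerts = []
    consecutive_fails = defaultdict(int)
    for line in new_text.splitlines():
        t, user, host, result = parse_event(line)
        prof = profiles.get(user)
        if prof is None:
            alerts.append((user, t, "unknown user"))
            continue
        if host not in prof["hosts"]:
            alerts.append((user, t, f"new source host {host}"))
        # Usual hours are those within `hour_slack` of any baseline login hour.
        if not any(abs(t.hour - h) <= hour_slack for h in prof["hours"]):
            alerts.append((user, t, f"login at unusual hour {t.hour:02d}:00"))
        if result == "fail":
            consecutive_fails[user] += 1
            if consecutive_fails[user] == fail_burst:
                alerts.append((user, t, f"{fail_burst} consecutive failed logins"))
        else:
            consecutive_fails[user] = 0
    return alerts


if __name__ == "__main__":
    for user, t, reason in score_events(build_profiles(BASELINE_EVENTS), NEW_EVENTS):
        print(f"{t.isoformat()} {user}: {reason}")
```

The false-positive trade-off the post mentions is visible here: a legitimate late-night deploy by alice would trip the unusual-hour rule, so in practice the baseline is refreshed as analysts confirm benign alerts.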
(Solve common challenges with anomaly detection.)
Not all attackers follow the cyber kill chain playbook linearly or step by step. They can skip, add and backtrack stages.
For example, attackers sometimes skip the Reconnaissance step of the kill chain, in which they would conduct extensive research on their target. The adoption of a “spray and pray” technique is an example of where Reconnaissance is not needed – an indiscriminate attack can slip past your detection snares by chance.
Attackers may also choose to merge steps of the kill chain. A 2018 report from Alert Logic revealed that nearly 90% of attacks combine the first five stages of the cyber kill chain into a single action. If the traditional framework is followed to the letter, then enterprises could miss or fail to stop threats before they infiltrate the network.
The development of recent technologies has paved the way for new attacks that lie outside the original cyber kill chain framework. Innovations such as cloud computing, DevOps, IoT, machine learning and automation, have all broadened the scope of cyberattacks by increasing the number of data sources and entry points.
Other cultural and social factors such as the rise in remote working and cryptocurrency mean there are more points of access for hackers to exploit, and it can be challenging for organizations to cover all bases and secure vulnerable endpoints.
Although the original seven stages of the cyber kill chain have been subject to scrutiny, organizations can still use these principles to help better prepare for existing and future cyberattacks. A cyber kill chain framework can guide a business’s cyber security strategy, whether that’s by identifying flaws with the current strategy or confirming what’s already working well. For example, it could incentivize the adoption of services and solutions such as:
As the cyberattack landscape continues to evolve, organizations must consider a strategy that incorporates a layered approach of administrative, technical and physical security measures. The cyber kill chain methodology can help to achieve this, but the initial model only stretches so far.
While every business requires their own tailored cyber kill chain framework, here are some other ways to adapt the original kill chain process:
The concept of a unified kill chain combines techniques from MITRE ATT&CK and the original cyber kill chain model. The result is a detailed, integrated framework of 18 individual stages, which can be grouped into three core phases:
This approach allows security teams to simultaneously compare indicators of compromise (IOCs) against multiple feeds of threat intelligence in order to effectively respond to threats. A unified kill chain ATT&CK model can be used by defensive and offensive teams to develop security controls.
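Comparing indicators against several feeds at once, and using the kill chain phase each hit belongs to in order to act on the earliest one first, is straightforward to implement. The following Python is an added example (not code from the Splunk post, Lockheed Martin or the unified kill chain authors): the feeds, the observed events and the phase labels attached to indicators are constructed for the illustration; only the seven phase names are Lockheed Martin's.

```python
"""Added example (not from the Splunk post): match observed indicators against
several threat-intelligence feeds at once, tag each hit with the kill chain
phase the feed associates with it, and surface the earliest-phase hits first.

Feed contents, the event format and the per-indicator phase labels are
constructed for the example; the seven phase names are Lockheed Martin's.
"""
from collections import defaultdict

# Lockheed Martin's seven phases in order; the index says how early a hit is.
PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and Control", "Actions on Objectives"]

# Constructed feeds: feed name -> list of (indicator_type, value, phase).
FEEDS = {
    "feed-alpha": [
        ("ip", "203.0.113.7", "Reconnaissance"),
        ("domain", "updates.example-bad.test", "Command and Control"),
    ],
    "feed-beta": [
        ("domain", "updates.example-bad.test", "Command and Control"),
        ("sha256", "a" * 64, "Installation"),
        ("ip", "198.51.100.200", "Delivery"),
    ],
    "feed-gamma": [
        ("ip", "203.0.113.7", "Delivery"),  # feeds may disagree on the phase
    ],
}

# Constructed observed events, one indicator per line: "<type> <value> <host>".
OBSERVED = """\
ip 203.0.113.7 fw-edge
domain updates.example-bad.test dns-01
sha256 {h} ws-17
ip 192.0.2.55 fw-edge
""".format(h="a" * 64)


def build_index(feeds):
    """Normalise every feed into one lookup: (type, value) -> {feed: phase}."""
    index = defaultdict(dict)
    for feed, entries in feeds.items():
        for ioc_type, value, phase in entries:
            index[(ioc_type, value.lower())][feed] = phase
    return index


def match_events(index, observed_text):
    """Return hits sorted earliest-phase first as tuples of
    (phase_index, phase, ioc_type, value, host, sorted_feed_names)."""
    hits = []
    for line in observed_text.splitlines():
        ioc_type, value, host = line.split()
        sources = index.get((ioc_type, value.lower()))
        if not sources:
            continue
        # When feeds disagree, keep the earliest phase: that is where the
        # defender can still intercept cheaply.
        earliest = min(sources.values(), key=PHASES.index)
        hits.append((PHASES.index(earliest), earliest, ioc_type, value, host,
                     sorted(sources)))
    hits.sort(key=lambda h: h[0])
    return hits


if __name__ == "__main__":
    for idx, phase, ioc_type, value, host, feeds in match_events(build_index(FEEDS), OBSERVED):
        print(f"[{idx + 1}/7 {phase}] {ioc_type}={value} on {host} "
              f"(feeds: {', '.join(feeds)})")
```

Ordering by phase index is the operational version of the post's point that early interception is cheaper: a reconnaissance-phase hit from an edge firewall is triaged ahead of a command-and-control domain seen in DNS, even though the latter is the more alarming finding, because the former can still be shut out at the perimeter.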
Kill chain models can also be used for cyberattack simulation, and there are numerous specialized platforms that can simulate the cyber kill chain process. This enables you to locate and amend any entry points or system vulnerabilities in a very short amount of time.
As well as simulating cyber threats through email, web, and firewall gateways, these platforms can provide you with a risk score/report of system entities to help teams identify key areas of risk. The organization can then take action and prevent future threats with methods such as changing configurations and installing patches.
The continuous evolution of cyberattacks has led many to question the future of the cyber kill chain. An agile kill chain that incorporates elements of MITRE ATT&CK and extended detection and response (XDR) strategies could identify a broader range of threats, and be able to prevent and neutralize them more effectively.
No matter what your stance on the cyber kill chain framework, addressing existing vulnerabilities and having a comprehensive cyber security strategy in place is crucial for the safeguarding of any business.