Cyber Kill Chain

The Cyber Kill Chain is a seven-stage framework developed by Lockheed Martin that describes the typical phases of a cyberattack. It helps security teams understand an adversary's steps, from initial reconnaissance to achieving their objective. By identifying these stages, organizations can develop strategies to detect and disrupt attacks at various points before significant damage occurs.

Understanding the Cyber Kill Chain

Organizations use the Cyber Kill Chain to analyze and counter cyber threats. For instance, during the 'delivery' phase, an attacker might send a malicious email. Security teams can implement email filters, user training, and endpoint detection to block or identify such attempts. In the 'exploitation' phase, patching vulnerabilities and using intrusion prevention systems are crucial. Mapping security controls to each stage helps create a layered defense, making it harder for attackers to progress. This framework provides a structured approach to incident response and threat intelligence analysis, improving overall defensive posture.

Implementing and maintaining defenses across the Cyber Kill Chain is a shared responsibility, often involving security operations, IT teams, and leadership. Governance policies should mandate regular vulnerability assessments and security awareness training to address early stages. Understanding the kill chain's strategic importance allows organizations to prioritize security investments where they can have the most impact, reducing overall risk. Proactive disruption at any stage significantly lessens the potential for data breaches or system compromise.

How the Cyber Kill Chain Describes an Attack

The Cyber Kill Chain describes the stages an attacker typically follows to achieve their objective. It starts with reconnaissance, where attackers gather information. Then, they weaponize by pairing an exploit with a backdoor. Delivery involves sending the weapon to the target. Exploitation occurs when the weapon triggers vulnerabilities. Installation establishes persistence on the target system. Command and Control (C2) allows the attacker to remotely manage the compromised system. Finally, Actions on Objectives are the attacker's ultimate goals, like data exfiltration or system disruption. Understanding these steps helps defenders identify and disrupt attacks at various points.

The Cyber Kill Chain is a framework for understanding and analyzing cyberattacks. It is not a rigid lifecycle but a conceptual model. Security teams use it to govern their defensive strategies, mapping security controls to each stage. It integrates well with threat intelligence, helping organizations anticipate attacker methods. It also complements other frameworks like MITRE ATT&CK by providing a high-level view of an attack's progression, aiding in incident response and proactive defense planning.

Where the Cyber Kill Chain Is Commonly Used

The Cyber Kill Chain helps security teams understand attacker methodologies and build more effective defenses across attack stages.

  • Mapping security controls to specific attack stages for comprehensive defense.
  • Analyzing past incidents to identify where an attack could have been stopped.
  • Developing threat intelligence to predict attacker behaviors and tactics more effectively.
  • Prioritizing security investments based on the most vulnerable kill chain stages.
  • Training security analysts to recognize attack indicators at each phase.

Key Takeaways of the Cyber Kill Chain

  • Implement controls at every kill chain stage to maximize disruption opportunities.
  • Focus on early detection in reconnaissance and weaponization to prevent later stages.
  • Regularly review and update defenses based on evolving attacker techniques.
  • Use the framework to improve communication about threats within your security team.

What We Often Get Wrong

It's a rigid, linear process.

The Cyber Kill Chain is a conceptual model, not a strict sequence. Attackers may skip or combine stages, or operate non-linearly. Defenders should not assume a fixed progression, but rather look for indicators across all stages simultaneously.

It covers all attacker behaviors.

While valuable, the Cyber Kill Chain primarily focuses on external, network-based attacks. It is less effective for insider threats or attacks exploiting trust relationships. It should be used alongside other frameworks for a complete threat picture.

Stopping one stage stops the entire attack.

Disrupting one stage is crucial, but attackers are persistent. They may adapt or find alternative paths. A layered defense across multiple stages is essential to ensure resilience and prevent attackers from simply bypassing a single control point.


Frequently Asked Questions

What is the Cyber Kill Chain and why is it important?

The Cyber Kill Chain is a framework that outlines the typical stages of a cyberattack, from initial reconnaissance to the attacker achieving their objectives. It helps security professionals understand the adversary's thought process and actions. This model is crucial because it provides a structured way to identify potential points of intervention, allowing defenders to disrupt attacks at various stages before they cause significant damage.

What are the typical stages of the Cyber Kill Chain?

The Cyber Kill Chain typically consists of seven stages. These include reconnaissance, where attackers gather information; weaponization, creating a deliverable payload; delivery, transmitting the weapon; exploitation, triggering vulnerabilities; installation, establishing persistence; command and control (C2), communicating with the attacker; and actions on objectives, achieving the attack's goal. Each stage offers an opportunity for defense.

How can organizations use the Cyber Kill Chain to improve their defenses?

Organizations can leverage the Cyber Kill Chain by mapping their security controls and detection capabilities to each stage. This helps identify weaknesses and implement targeted defenses. For example, firewalls and intrusion prevention systems can block delivery, while endpoint detection and response (EDR) tools can detect exploitation or installation. By breaking any link in the chain, defenders can prevent the attack from progressing.
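As an added example (not from the page), a small Python script that applies the control-mapping idea from this answer and the "Understanding" section above: it takes a constructed control inventory and constructed alert lines, lists the kill chain stages no control covers, and reports how far a sample intrusion progressed.

```python
"""Map constructed detection controls and alerts onto the seven kill chain
stages to find coverage gaps and how far an attack progressed."""
from collections import Counter

# Lockheed Martin's seven stages, in order.
STAGES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]
ORDER = {stage: i for i, stage in enumerate(STAGES)}

# Constructed control inventory: which stage(s) each control can detect or block.
CONTROLS = {
    "email_gateway": {"delivery"},
    "ips": {"delivery", "exploitation"},
    "edr": {"exploitation", "installation", "command_and_control"},
    "dns_egress_filter": {"command_and_control"},
}

# Constructed alert lines in a simple "timestamp source stage host message" format.
SAMPLE_ALERTS = """\
2024-05-01T09:14:02Z email_gateway delivery ws-17 attachment quarantined
2024-05-01T09:20:45Z edr exploitation ws-17 macro spawned powershell
2024-05-01T09:21:10Z edr installation ws-17 run key persistence created
2024-05-01T09:25:33Z dns_egress_filter command_and_control ws-17 beacon to blocked domain
""".splitlines()


def parse_alert(line):
    """Split one alert line into its fields; rejects unknown stages."""
    ts, source, stage, host, message = line.split(" ", 4)
    if stage not in ORDER:
        raise ValueError(f"unknown kill chain stage: {stage}")
    return {"ts": ts, "source": source, "stage": stage, "host": host, "message": message}


def coverage_gaps(controls):
    """Stages no control in the inventory covers: candidates for investment."""
    covered = set().union(*controls.values())
    return [s for s in STAGES if s not in covered]


def attack_progress(lines):
    """Earliest and furthest stage observed, plus alert counts per stage."""
    seen = Counter(parse_alert(line)["stage"] for line in lines)
    ordered = sorted(seen, key=ORDER.get)
    if not ordered:
        return {"first_seen": None, "furthest": None, "per_stage": {}}
    return {"first_seen": ordered[0], "furthest": ordered[-1], "per_stage": dict(seen)}


if __name__ == "__main__":
    print("uncovered stages:", coverage_gaps(CONTROLS))
    print("attack progress:", attack_progress(SAMPLE_ALERTS))
```

Stages reported as uncovered are where the chain could be broken earlier if a control were added; the "furthest" stage shows how far the sample intrusion got before detection stopped it.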

Are there any limitations to the Cyber Kill Chain model?

While valuable, the Cyber Kill Chain has some limitations. It primarily describes external, linear attacks and may not fully capture the nuances of insider threats or advanced persistent threats (APTs) that often involve more complex, non-linear, or prolonged campaigns. Newer models, like MITRE ATT&CK, offer a more granular view of adversary tactics and techniques, complementing the Kill Chain's broader perspective.