Examining the Cyber-Kill Chain

Back to Home
The term "Cyber-Kill Chain” has been used in various corners of the cyber security world to describe the different stages of a compromise. The Cyber-Kill Chain is an all-encompassing descriptive model which outlines seven steps typically taken by attackers during the course of a breach.  The Cyber-Kill Chain includes actions taken before an attack such as reconnaissance, through post breach steps including data exfiltration. The Cyber-Kill Chain model is optimized when used by a technically competent analyst, who understands investigative processes and maintains relevant technical proficiencies. Information is useful only when placed in the hands of capable professionals that can effectively evaluate it, and ultimately make effective decisions based on experience, aptitude, and ability.
The Cyber-Kill Chain is often criticized for primarily addressing malware infections, and for being intrusion-centric. In fact, the Cyber-Kill Chain is a high-level model which can be viewed in the context of other technical and non-technical external and internal breaches. The Cyber-Kill Chain model can be applied in incidents which may not involve malware or technical sophistication of any kind, such as intellectual property theft by a disgruntled employee.
The seven steps of the Cyber-Kill Chain are as follows:
  1. Reconnaissance
  2. Weaponization
  3. Delivery
  4. Exploitation
  5. Installation
  6. Command and Control
  7. Action on Objectives
The Cyber-Kill Chain model is designed primarily to capture external threats that are targeting an organization’s network. During the course of an insider breach, the steps included in the Cyber-Kill Chain model may be taken by a malicious insider, much in the way that would be seen from an external threat. Methods of malicious insiders vary, and the scope of each breach may extend well beyond the seven step Cyber-Kill Chain. Focusing beyond securing the perimeter from traditional cyber threats is a difficult task, but is paramount to maintaining a strong security infrastructure. The Cyber-Kill Chain model offers an additional resource to use when investigating a breach, and is also an excellent tool to use when presenting investigative findings to decision makers. The following describes how the Cyber-Kill Chain model is implemented in the event of an insider threat: 
  1. Reconnaissance - The employee identifies data he wishes to steal and tests the criminal or competitor market to determine worth. The malicious employee will also find ways to escalate privileges and accesses to view sensitive information.
  2. Weaponization - This may take the form of preparing encrypted flash drives or hidden partitions on removable media for the storage of stolen data. In the event of sabotage, the malicious insider may insert malware to disrupt or cripple organization operations.
  3. Delivery and Exploitation - This may represent the actual copying of data or theft of physical devices from the employer. More sophisticated delivery techniques include the deployment of a remote access Trojan, allowing direct access from an external entity.
  4. Installation - In some circumstances, this may take the form of backdoors or logic bombs installed on company systems to give the employee remote access after their departure. In addition, this may take the form of wiping of systems to cover their tracks.
  5. Command and Control - If backdoors are installed by the employee, this step would enable a rogue employee to maintain access to corporate proprietary data, and to potentially manipulate company data after their departure.
  6. Action on Objectives - This would include the sale of the stolen data, posting the data to the Internet, or providing the data to a competitor company for the purpose of enabling the competitor an unfair advantage. Continued theft of corporate proprietary data and data manipulation also may occur in this phase.
The Cyber-Kill Chain model provides security professionals a general roadmap for the lifecycle of a compromise, whether that be an internal or external compromise. Additionally, the Cyber-Kill Chain model allows for the mapping of a complex compromise in terms and phases that can be understood without diving "into the weeds” in technical details. The use of the Cyber-Kill Chain model is optimized when in competent hands, and when used in conjunction with coherent incident response procedures, a healthy infrastructure, and organizational support.