The Do’s and Don’ts of A Cyber Kill Chain Model

Updated: 23 November 2021

Fact-checked by Miklos Zoltan

Cybersecurity has long relied on the “castle and moat” analogy: a hardened perimeter around a trusted interior. While that model has done a reasonably good job of keeping generic attacks out of enterprise networks, it no longer matches how intrusions actually unfold, and defensive thinking needs to evolve with them.

The threat landscape is in constant flux, and adversaries grow more sophisticated all the time.

Hybrid working has added to the problem: widespread use of remote cloud storage and data transmitted outside the corporate network have pushed the attack surface well beyond anything a perimeter can protect.

Admittedly, organizations now do a reasonably good job of endpoint security; however, the sophistication of modern attacks demands a more layered approach.

That is why Lockheed Martin’s Cyber Kill Chain has become one of the most widely used frameworks for structuring enterprise defenses.

By breaking an intrusion into discrete stages, the model helps security teams build strategies for identifying and stopping an attack at each stage rather than only at the perimeter.



What is the Cyber Kill Chain?

The term “kill chain” comes from the military, where it describes the stages an adversary goes through to identify, engage and destroy a target. In 2011, Lockheed Martin applied the term to intrusions, defining a model that outlines the steps a modern cyber attack proceeds through.

According to the model, a typical intrusion unfolds in seven stages. Understanding those stages lets security teams recognise where an attack currently is, and detect and stop it at the corresponding point.

The attacker has to complete every stage to succeed, so each stage is an opportunity for the defender: the more points at which security teams can intercept the threat actor, the better their chances of detecting, delaying or stopping the attack outright.

Several other kill chain models have appeared since, but Lockheed Martin’s original remains the most valuable.

One reason is that it accounts for the human element of an attack, and in a world where social engineering remains a constant threat, that is a crucial element to consider.

The human element has long been neglected. Social engineering is one of the most common initial-access vectors for APTs, yet it receives little attention, probably because of the widespread misconception that cybersecurity is purely technology-centric.

Lockheed Martin’s model gives the human element its due weight at the stages where people, not systems, are the target, and so is informative about where awareness and process belong alongside technology.

Understanding and implementing the Cyber Kill Chain Model

The model describes seven stages an attacker passes through. For each of them the defender needs controls that detect, deny or disrupt the attacker’s activity, so that the attack is neutralized or contained as early in the chain as possible.

An overview of what happens in each stage, and how to defend it, follows:

1. Reconnaissance

The threat actor gathers information on the target before launching the actual attack: harvesting names, roles and relationships from social networking platforms such as Facebook, LinkedIn or Instagram, and scraping the organization’s public websites for email addresses and the technologies in use.

The attacker may also use social engineering directly: calling employees, exchanging emails under a pretext, or even dumpster diving for discarded documents.

Most of this happens outside the defender’s view, so it may seem there is little security teams can do; in practice, employee behaviour plays a crucial role in this stage.

If employees recognise social engineering tactics and are careful about how much they share on social media and with prospective customers, clients or vendors, the organization starves the attacker of the intelligence that every later stage depends on.

Likewise, a defined process for disposing of sensitive documents and a verification step before discussing internal matters over the phone significantly reduce what an attacker can collect.

Such measures will not eliminate reconnaissance, but they limit the attacker’s options, and where reconnaissance touches the organization’s own systems (web server logs, unusual queries to public-facing services) it can be logged and used to anticipate what will follow.

2. Weaponization

With the intelligence gathered, the attacker builds the weapon: a payload matched to the intended outcome, typically an exploit or lure paired with a remote-access tool and bundled into something deliverable such as a document, archive or installer.

The payload depends on the goal: malware built to steal data, ransomware designed to extort money, the pretext emails of a business email compromise, or a whaling attack aimed at executives.

The delivery vehicle varies just as much, from phishing emails and infected USB drives to Microsoft Office attachments carrying malicious macros.

Weaponization happens entirely on the attacker’s side, so defenders rarely observe it directly. What they can do is prepare: keep endpoint controls and security awareness current so that common weaponised formats (macro-enabled documents, executables disguised as documents) are blocked or flagged on arrival, and analyse malware artefacts from earlier incidents, because attackers routinely test their payloads against the defenses they expect to meet and reuse whatever gets through.

3. Delivery

This stage is the transmission of the weapon to the intended victim: sending the phishing email, planting the USB drive where the victim will pick it up, or serving the payload from a compromised website.

As in the first stage, people play a critical role, despite the many tools available for stopping attacks at this point.

The attack vectors that appear most often in breach reports are phishing and weak or reused passwords, both of which revolve around people.

Many intrusions begin with credentials obtained through a successful social engineering approach, so awareness of that vector significantly reduces the chance that a delivered lure succeeds.

The problem remains that technology, rather than people, is treated as the first line of defense, when at this stage the recipient of the message is often the control that decides whether delivery succeeds.

4. Exploitation

Once delivered, the weapon exploits a vulnerability to run the attacker’s code on the victim: a flaw in the application that opens the attachment, a weakness in the operating system, or simply a user who is tricked into enabling macros or launching the file. Note that in a ransomware attack the encryption of data across the organization is not this stage but the final one; exploitation is only the moment the attacker first gains code execution.

Discovering active exploitation puts an organization on high alert. This stage is best addressed in advance: security awareness for employees, an effective incident response plan, regular penetration testing and vulnerability scanning so that exploitable flaws are patched before an attacker finds them, and endpoint controls that block or detect exploitation attempts.

5. Installation

In this phase the attacker, now running code on a compromised system, establishes a foothold. They look for additional vulnerabilities or privilege escalation opportunities to extend their access, and quietly install backdoors and remote access trojans that survive reboots and let them return for the later stages.

Because these implants might be detected, the attacker also employs obfuscation and anti-forensic techniques to conceal their presence.

The techniques could include:

  • Wiping files, logs and metadata that record the installation.
  • Modifying system files or configuration so that they appear intact and untouched.
  • Overwriting the timestamps of dropped files with false values (timestomping) so they blend in with legitimate ones.
  • Planting misleading artefacts to send investigators in the wrong direction.

Defense at this stage involves an active compromise assessment plan, an understanding of how the attack was carried out, and endpoint tooling that detects and logs installation activity: process creation, new services and scheduled tasks, changes to autorun locations, and files whose timestamps do not match the file system around them.
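As an added example, not code from the original article, the following Python script applies two checks an investigator uses to spot timestomped files of the kind listed above: a modification time with an exactly-zero sub-second part, and a modification time that is far older than the inode change time, which on POSIX systems cannot be set from user space. The 30-day gap threshold is an assumption; the script only reads metadata and writes nothing.

```python
"""Triage check for timestamp manipulation (timestomping) in a directory tree.

Added example, not code from the original article. Two heuristics from
file-system forensics are applied to every regular file under a root:

  1. Whole-second mtime. Common timestomping tools set timestamps with
     one-second precision, so the nanosecond part is exactly zero, whereas
     files written normally on ext4, NTFS or APFS carry sub-second values.
  2. mtime far older than ctime. On POSIX systems the inode change time
     cannot be set from user space (short of resetting the system clock),
     so a file whose content time claims to be years old but whose inode
     changed recently has had its mtime rewritten after the fact.

Both rules also fire on benign files (tar extractions, copies from FAT
media, package installs), so treat the output as a triage list and
cross-check hits against package manifests and backups.
"""
import os
import sys
import time
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional, Tuple

NS_PER_S = 1_000_000_000
# Assumed threshold: flag when mtime predates ctime by more than 30 days.
MTIME_CTIME_GAP_S = 30 * 24 * 3600


@dataclass(frozen=True)
class Finding:
    path: str
    reasons: Tuple[str, ...]


def _fmt(epoch: float) -> str:
    return time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(epoch))


def check_file(path: Path, gap_s: int = MTIME_CTIME_GAP_S) -> Optional[Finding]:
    """Return a Finding if the file's timestamps look manipulated, else None."""
    st = path.lstat()  # lstat: never follow a symlink into another tree
    reasons = []
    if st.st_mtime_ns % NS_PER_S == 0:
        reasons.append("mtime has an exactly-zero sub-second part")
    # Rule 2 is POSIX-only: on Windows st_ctime is the creation time instead.
    if os.name == "posix" and st.st_ctime - st.st_mtime > gap_s:
        reasons.append(
            f"mtime {_fmt(st.st_mtime)} predates inode change time "
            f"{_fmt(st.st_ctime)} by more than {gap_s // 86400} days"
        )
    return Finding(str(path), tuple(reasons)) if reasons else None


def scan_tree(root: Path, gap_s: int = MTIME_CTIME_GAP_S) -> List[Finding]:
    """Walk root and collect findings for every regular file (symlinks skipped)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            finding = check_file(p, gap_s)
            if finding is not None:
                findings.append(finding)
    return sorted(findings, key=lambda f: f.path)


if __name__ == "__main__":
    root = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    for f in scan_tree(root):
        print(f.path)
        for reason in f.reasons:
            print(f"    - {reason}")
```

Run it as `python timestomp_check.py /path/to/suspect/tree`. Hits are leads, not verdicts: a file flagged by both rules in a directory where nothing else is flagged deserves a look, while a whole tree of whole-second timestamps usually just means it was unpacked from an archive.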

6. Command and Control

With a foothold established, the implant connects out to an attacker-controlled server to establish a command and control channel.

Establishing this connection gives the threat actor hands-on access to the target network. This stage is most likely the security team’s last best chance to disrupt the attack before the objective is reached.

If the security team blocks the adversary from issuing commands, the implant sits idle and the launched attack has little further impact.

Defense at this step involves malware analysis to identify the command and control infrastructure (domains, IP addresses, protocols and beacon timing) and open-source research on that infrastructure. Making proxies mandatory for all types of internet traffic denies the implant a direct outbound path and, just as importantly, produces the logs in which C2 traffic can be found.
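Here is what hunting for the command and control channel in those proxy logs can look like, as an added example that is not part of the original article. The script parses constructed proxy log lines in an assumed layout (timestamp, source IP, destination IP, method, path, status), groups requests by source and destination, and flags pairs whose inter-request intervals are numerous and nearly constant, the signature of an implant polling its server on a timer. The thresholds (at least 6 requests, coefficient of variation at most 0.15) are assumptions to tune per environment.

```python
"""Beaconing detection over web-proxy logs.

Added example, not code from the original article. A C2 implant that polls
its server on a fixed timer produces connections from one internal host to
one external destination at nearly regular intervals. This script parses
proxy log lines, groups them by (source, destination) pair and scores each
pair's inter-arrival times by coefficient of variation (stdev / mean): a
score near zero means a metronome, which a person browsing never is.
"""
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample. Assumed layout: "<iso-timestamp> <src-ip> <dst-ip> <method> <path> <status>".
# 10.0.0.5 polls 203.0.113.10 roughly once a minute; 10.0.0.7 is a person reading news.
SAMPLE_LOG = """\
2021-11-23T09:00:00 10.0.0.5 203.0.113.10 GET /api/v1/ping 200
2021-11-23T09:00:12 10.0.0.7 198.51.100.20 GET / 200
2021-11-23T09:00:15 10.0.0.7 198.51.100.20 GET /news 200
2021-11-23T09:00:16 10.0.0.7 198.51.100.20 GET /static/app.js 200
2021-11-23T09:00:40 10.0.0.5 198.51.100.21 GET /updates.json 200
2021-11-23T09:01:01 10.0.0.5 203.0.113.10 GET /api/v1/ping 200
2021-11-23T09:02:00 10.0.0.5 203.0.113.10 GET /api/v1/ping 200
2021-11-23T09:03:01 10.0.0.5 203.0.113.10 GET /api/v1/ping 200
2021-11-23T09:03:59 10.0.0.5 203.0.113.10 GET /api/v1/ping 200
2021-11-23T09:04:40 10.0.0.7 198.51.100.20 GET /news/123 200
2021-11-23T09:05:00 10.0.0.5 203.0.113.10 GET /api/v1/ping 200
2021-11-23T09:05:02 10.0.0.7 198.51.100.20 GET /news/124 200
2021-11-23T09:06:01 10.0.0.5 203.0.113.10 GET /api/v1/ping 200
2021-11-23T09:07:00 10.0.0.5 203.0.113.10 GET /api/v1/ping 200
2021-11-23T09:12:30 10.0.0.7 198.51.100.20 GET /news/125 200
2021-11-23T09:12:31 10.0.0.7 198.51.100.20 GET /static/app.js 200
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)

Event = Tuple[float, str, str]  # (epoch seconds, src, dst)


@dataclass(frozen=True)
class Beacon:
    src: str
    dst: str
    requests: int
    mean_interval_s: float
    cv: float


def parse_log(text: str) -> List[Event]:
    """Parse log text into (timestamp, src, dst) tuples, skipping unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # noisy logs happen; never let one bad line abort a hunt
        ts = datetime.fromisoformat(m["ts"]).timestamp()
        events.append((ts, m["src"], m["dst"]))
    return events


def find_beacons(events: List[Event], min_requests: int = 6, max_cv: float = 0.15) -> List[Beacon]:
    """Return (src, dst) pairs whose request timing is regular enough to look machine-driven."""
    by_pair: Dict[Tuple[str, str], List[float]] = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_requests:
            continue  # too few samples to call anything periodic
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue  # every request in the same second: a burst, not a beacon
        cv = statistics.stdev(gaps) / mean
        if cv <= max_cv:
            hits.append(Beacon(src, dst, len(times), round(mean, 1), round(cv, 3)))
    return sorted(hits, key=lambda b: b.cv)


if __name__ == "__main__":
    for b in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{b.src} -> {b.dst}: {b.requests} requests every ~{b.mean_interval_s}s (cv={b.cv})")
```

On the constructed sample only the 10.0.0.5 to 203.0.113.10 pair scores as a beacon; the browsing host has just as many requests but irregular timing. Real implants add jitter (a random sleep around the base interval) precisely to raise the coefficient of variation, so a 0.15 ceiling catches naive implants only and should be paired with destination rarity, user-agent and byte-count checks; the mandatory proxy is what makes any of those checks possible.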

7. Actions on Objectives

Progressing through the six steps above is how a threat actor reaches the point of acting on their objective. A typical attack aims at financial or informational gain: exfiltrating data, extorting the organization, or destroying systems.

To achieve those objectives, the attacker works through the earlier steps to gain access and penetrate deep into the network before launching the part of the attack that causes the most damage.

Understanding all seven stages of the kill chain helps security teams implement relevant strategies and stop the attack midway.

And if the attacker does reach this final stage, the security team should have specific measures ready to take action and regain control.

Even at the seventh stage, a robust incident response plan can protect the organization from the worst harm: detecting data exfiltration and compromised credentials, containing the intruder, and conducting a proper investigation and damage assessment of the incident.

Conclusions

Cybersecurity requires a holistic approach: an in-depth evaluation of endpoints, vulnerabilities and network security infrastructure.

The cyber kill chain model provides a layered overview of a threat actor’s strategy. It lets security teams read the attacker’s own playbook, understand the attack vectors in play at each stage, and build their defenses accordingly.

Written by: Iam Waqas


Cybersecurity specialist Waqas is a cybersecurity journalist and writer who has a knack for writing technology and online privacy-focused articles. He strives to help achieve a secure online environment and is skilled in writing topics related to cybersecurity, AI, DevOps, Cloud security, and a lot more. As seen in: Computer.org, Nordic APIs, Infosecinstitute.com and Tripwire.com.
