
What Is the Cyber Kill Chain and How Does It Work?

The Lockheed Martin cyber kill chain, or “cyber-attack chain”, was created in 2011 and has grown in prominence, particularly in the business world. We look at the purpose of the cyber kill chain, how it helps protect your business from cyber threats, and how it can be used to improve business security measures and find weak spots in existing security.

Written by Avast Business Team
Published on December 15, 2021

What is the cyber kill chain?

The cyber kill chain process sets out the stages of a possible cyberattack and allows organizations to identify and protect themselves against threats, such as data theft, malware, ransomware, or network breaches. The term originates from the military’s “kill chain.”

    The seven stages of a targeted attack

    One example of a cyber kill chain is the original “cyber-attack chain” by Lockheed Martin. This model outlines seven cyber kill chain steps:

    1. Reconnaissance. Malicious hackers accumulate as much information as possible to find any weaknesses in the network.

    2. Weaponization. Having identified a vulnerability to target, the attacker couples an exploit for it with a malicious payload, typically a remote-access backdoor, into a deliverable such as a document or PDF.

    3. Delivery. The hacker delivers the attack to its chosen target, for example via email or USB drive, and it is opened by the recipient.

    4. Exploitation. Once the delivered file is opened, the exploit runs the attacker's code on the victim's device, giving the attacker a foothold from which to reach further into the network.

    5. Installation. The attacker installs a backdoor or remote-access trojan on the compromised device to maintain persistent access, often alongside tooling that helps them stay undetected.

    6. Command and control. The implant connects out to attacker-controlled infrastructure, establishing a command-and-control (C&C) channel through which the attacker issues commands and gains remote control of the compromised host and, from there, the wider network.

    7. Actions on objectives. Hackers carry out their ultimate objective, which may include copying customer data, encrypting sensitive data and holding this for ransom, or in some cases, simply causing chaos by disrupting multiple systems.

    1. Reconnaissance

    In the first step, the attacker accumulates as much information as possible. This can be completed through passive or active reconnaissance, or both.

    • Passive reconnaissance gathers information without touching the target's systems: public DNS and WHOIS records, job postings, social media, and other open sources that reveal the company's IT infrastructure and existing operations and point to likely weaknesses in the network.

    • Active reconnaissance is where the attacker engages directly with the target's systems, for example by scanning hosts and ports or fingerprinting the services and security software in use, which makes it more likely to be noticed by the defender. Details on employees and customers, such as email addresses and social media account details, are also collected at this stage. Spoofing, for example a forged sender address, is another popular mechanism, where the attacker pretends to be someone the victim trusts in order to learn sensitive information.

    The information gathered about individuals is often used for social engineering and phishing attacks.
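    Active reconnaissance is the first stage a defender can actually observe, and a port sweep is its most common form. The following script is an added example (not code from the original article or from Lockheed Martin) that flags a source address touching many distinct ports in a short window. The key=value firewall log format, the IP addresses, and the sample lines are constructed for this demonstration; the slow scanner is included to show the classic blind spot of window-based detection.

```python
"""Flag active reconnaissance (port scanning) in firewall logs.

Added example for the reconnaissance stage: the key=value firewall
line format and the IP addresses are constructed for this demo, not
taken from any product or from the original article.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

BASE = datetime(2021, 12, 15, 10, 0, 0, tzinfo=timezone.utc)
PROBED_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 1433, 3389, 8080]


def _line(offset, src, dst, dport, action):
    """Build one constructed firewall log line at BASE + offset."""
    ts = (BASE + offset).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{ts} src={src} dst={dst} dport={dport} action={action}"


# Constructed sample log:
#  - 203.0.113.5 sweeps 15 ports on one host in 15 seconds (fast scan)
#  - 198.51.100.9 probes the same 15 ports, one every two minutes (slow scan)
#  - 198.51.100.7 is an ordinary client talking to port 443 now and then
SAMPLE_LINES = (
    [_line(timedelta(seconds=i), "203.0.113.5", "192.0.2.10", p, "deny")
     for i, p in enumerate(PROBED_PORTS)]
    + [_line(timedelta(minutes=2 * i), "198.51.100.9", "192.0.2.10", p, "deny")
       for i, p in enumerate(PROBED_PORTS)]
    + [_line(timedelta(minutes=3 * i), "198.51.100.7", "192.0.2.10", 443, "allow")
       for i in range(5)]
)


def parse_line(line):
    """Parse 'TS src=.. dst=.. dport=.. action=..' into a dict."""
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {
        "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "src": fields["src"],
        "dst": fields["dst"],
        "dport": int(fields["dport"]),
        "action": fields["action"],
    }


def find_port_scans(lines, window_seconds=60, min_ports=10):
    """Return {src_ip: max distinct (dst, port) pairs seen in any window}.

    A source is reported only if it touched at least `min_ports` distinct
    (destination, port) pairs within `window_seconds`. Slow scans that stay
    under the threshold per window are the classic blind spot: widen the
    window (at the cost of more false positives) to catch them.
    """
    by_src = defaultdict(list)
    for line in lines:
        if line.strip():
            ev = parse_line(line)
            by_src[ev["src"]].append(ev)

    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        best = 0
        for i, start in enumerate(events):
            targets = set()
            for ev in events[i:]:
                if (ev["ts"] - start["ts"]).total_seconds() > window_seconds:
                    break
                targets.add((ev["dst"], ev["dport"]))
            best = max(best, len(targets))
        if best >= min_ports:
            findings[src] = best
    return findings


if __name__ == "__main__":
    print("default window:", find_port_scans(SAMPLE_LINES))
    print("one-hour window:", find_port_scans(SAMPLE_LINES, window_seconds=3600))
```

    With the default 60-second window only the fast scanner is reported; the slow scanner is caught only when the window is widened to an hour. Tuning that trade-off against the false-positive rate of ordinary clients is the real work of building a reconnaissance detection.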

    2. Weaponization

    The second step, weaponization, further highlights the attacker's intentions. Having identified a vulnerability in the target, the attacker pairs an exploit for it with a malicious payload, such as a virus or remote-access backdoor, in a file that can be delivered to the victim. This step happens entirely on the attacker's side, so defenders cannot observe it directly; analyzing the resulting malware after the fact is what reveals the attacker's tooling.

    3. Delivery

    The third stage is where the hacker delivers the attack to its chosen target, for example by:

    • Compromising user accounts.

    • Deploying an infected USB device.

    • Phishing attack.

    • Directly attacking an exposed, internet-facing system.

    Commonly, the payload is embedded in a weaponized document or PDF attached to a spear-phishing email, with the information gathered about employees during reconnaissance used to make the message convincing enough that the recipient opens the file.

    Some hackers also deploy distributed denial of service (DDoS) attacks to create disruptions to network connectivity to create a distraction.

    Where the target is a web application, delivery may take the form of a direct attack such as SQL injection, which enables hackers to read sensitive data, as well as change or erase information.

    Once the document is opened by the recipient, the criminal moves to the next stage.

    4. Exploitation

    When the payload has been delivered to its recipient and opened, the intruder's malware code is activated: the exploit takes advantage of the targeted weakness to run the attacker's code on the system.

    The malware then enables the intruder to execute commands and take control of the system, potentially installing additional malware to support this goal.

    5. Installation

    Once a backdoor is installed on the compromised system, the intruder has persistent access to it and can begin working toward the sensitive information on the network. From this foothold, attackers typically use privilege escalation techniques to gain administrative access to tools and applications, which lets them disable or modify security controls. Other actions may include brute-forcing credentials, installing additional tooling, or staging sensitive data for theft.

    6. Command and control

    The attacker uses a server they control (or a compromised third-party host) as the command center, allowing them to manipulate the wider system more easily, deploy further malware, or add the infected device to a botnet (a network of connected infected devices). A remote-access trojan, for example, opens a command and control (C&C) channel that gives the attacker remote access to the network.

    The command center, controlled by the attacker, communicates with infected devices by sending signals back and forth. This is known as “beaconing.” Beacons commonly use HTTP or HTTPS, allowing them to blend into regular web traffic; the regular, machine-like timing of these check-ins is one of the main signals defenders look for.
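    Because a beacon runs on a sleep timer, its check-ins are far more regular than human browsing. The script below is an added example (not code from the original article or from any vendor) that computes the inter-request gaps per (client, host) pair in outbound proxy logs and flags series whose gaps barely vary. The proxy log format, hostnames, addresses, and sample lines are constructed for this demonstration.

```python
"""Spot command-and-control beaconing in outbound proxy logs.

Added example for the C2 stage: the log format, hostnames and
addresses below are constructed for this demo, not taken from any
product or from the original article.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

BASE = datetime(2021, 12, 15, 9, 0, 0, tzinfo=timezone.utc)


def _line(offset_seconds, src, host, status=200):
    """Build one constructed proxy log line: 'TS client METHOD url status'."""
    ts = (BASE + timedelta(seconds=offset_seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{ts} {src} GET https://{host}/ {status}"


def _lines_at(gaps, src, host):
    """Emit one line per request, spacing them by the given gaps (seconds)."""
    lines, t = [], 0
    for gap in [0] + list(gaps):
        t += gap
        lines.append(_line(t, src, host))
    return lines


# Constructed sample: an implant on 10.0.0.23 checks in roughly every 60 s
# (tiny jitter), while the same workstation browses another site at the
# irregular pace a human produces.
SAMPLE_LINES = (
    _lines_at([60, 61, 59, 60, 62, 58, 60, 61, 60], "10.0.0.23", "cdn-updates.example.net")
    + _lines_at([5, 120, 3, 400, 2, 900, 30, 7, 250], "10.0.0.23", "www.example.com")
)


def parse_line(line):
    """Return (timestamp, client, host) from one proxy log line."""
    ts_str, src, _method, url, _status = line.split()
    host = url.split("/")[2]
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, src, host


def find_beacons(lines, min_requests=8, max_cv=0.1):
    """Return {(src, host): stats} for request series with machine-like timing.

    For each (src, host) pair we compute the gaps between consecutive
    requests and their coefficient of variation (stdev / mean). Human
    browsing is bursty (high CV); a beacon on a fixed sleep timer is
    nearly periodic (low CV). Implants that add large random jitter or
    beacon only a few times a day will slip under these thresholds, so
    treat a hit as a lead for analysts, not a verdict.
    """
    times = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, src, host = parse_line(line)
            times[(src, host)].append(ts)

    findings = {}
    for key, stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            findings[key] = {
                "requests": len(stamps),
                "mean_gap_s": round(mean, 1),
                "cv": round(cv, 3),
            }
    return findings


if __name__ == "__main__":
    for (src, host), stats in find_beacons(SAMPLE_LINES).items():
        print(f"possible beacon: {src} -> {host} {stats}")
```

    The periodic series to cdn-updates.example.net is reported with a coefficient of variation near 0.02, while the browsing series is not. In production the hostname would be enriched with reputation and first-seen data before anyone acts on it, since legitimate update agents are also periodic.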

    7. Actions on objective

    The last stage of the cyber kill chain framework is where the cybercriminal achieves their objective. Objectives range from destroying, exfiltrating, or encrypting data to otherwise breaching the confidentiality or integrity of sensitive information.

    To create a smokescreen, the hacker may try to draw attention elsewhere by creating additional problems for IT staff, such as deleting certain files or overwriting or changing existing data. Attackers also commonly launch a further DDoS attack to divert security attention while exfiltrating data.

    It is important to note that not all attackers want to steal data or even get paid. For some hackers, the objective is to get into the system and cause as much disruption as possible, either for bragging rights or personal triumph.

    Pros and cons of the cyber kill chain

    The purpose of the cyber kill chain methodology is to help businesses reduce the risk of attack by understanding how an intrusion typically progresses. You can use the kill chain to assess existing security measures stage by stage, identify where you have no detection or response, and fix those gaps.

    However, since Lockheed Martin developed the cyber kill chain in 2011, technology and cyberattacks have advanced significantly, and attackers now use a multitude of tactics, techniques, and procedures. The 2013 breach of the retail company Target, which a US Senate committee later analyzed stage by stage using the kill chain, showed the model's limits in practice: the attack progressed through every stage while opportunities to detect it were missed, highlighting the need for additional methods to protect companies.

    The model also fits poorly with insider threats and with attacks that use legitimate remote access rather than malware, so several current threats fall outside its scope. The cyber kill chain is also focused on network security and preventing malware from being installed, rather than being adapted to counteract the full range of attack methods.

    To identify threats not captured by the cyber kill chain model, you should assess the online behavior of employees and customers. Building a behavioral profile of users and their everyday tasks will flag abnormalities, such as persistent failed login attempts or unusual network traffic.
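    Persistent failed logins are the simplest behavioral signal to start with, and the case that matters most is a burst of failures followed by a success, which suggests a guessed or stolen password. The script below is an added example (not code from the original article) that scans sshd-style authentication lines for both patterns. The log lines, user names, and addresses are constructed; real syslog lines carry no year, so the script assumes 2021.

```python
"""Flag brute-force login patterns in sshd-style auth logs.

Added example for the behavioral-profiling point above: the log lines
are constructed for this demo (syslog format carries no year, so 2021
is assumed), and the users and addresses are invented.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

ASSUMED_YEAR = 2021
BASE = datetime(ASSUMED_YEAR, 12, 15, 3, 0, 0)

# Matches the standard OpenSSH "Failed/Accepted password" messages.
LINE_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+ ssh2$"
)


def _line(offset_seconds, result, user, src):
    """Build one constructed sshd log line at BASE + offset."""
    ts = (BASE + timedelta(seconds=offset_seconds)).strftime("%b %d %H:%M:%S")
    return f"{ts} bastion sshd[4242]: {result} password for {user} from {src} port 51022 ssh2"


# Constructed sample log (plus one unrelated sshd line the parser must ignore):
#  - alice mistypes twice, then logs in: normal behavior
#  - bob: eight failures in 35 seconds followed by a success (likely compromise)
#  - carol: twelve failures, one every ten minutes, never succeeds (slow brute force)
SAMPLE_LINES = (
    ["Dec 15 03:00:01 bastion sshd[4242]: Connection closed by 10.0.0.5 port 51022"]
    + [_line(3600 + s, r, "alice", "10.0.0.5") for s, r in [(0, "Failed"), (4, "Failed"), (9, "Accepted")]]
    + [_line(5 * i, "Failed", "bob", "203.0.113.9") for i in range(8)]
    + [_line(40, "Accepted", "bob", "203.0.113.9")]
    + [_line(600 * i, "Failed", "carol", "198.51.100.4") for i in range(12)]
)


def find_login_anomalies(lines, window_seconds=300, max_failures=5):
    """Return {(user, src): stats} for accounts under password guessing.

    For each (user, source) pair, count failed logins in the window ending
    at each event. A pair is reported when any window holds at least
    `max_failures` failures; `success_after_failures` is set when a
    successful login follows such a burst, which is the case to escalate
    first. A slow attacker spacing attempts wider than the window stays
    under the threshold, so tune the window or add a daily total as well.
    """
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a password authentication event
        ts = datetime.strptime(
            f"{ASSUMED_YEAR} {m['month']} {int(m['day'])} {m['time']}", "%Y %b %d %H:%M:%S"
        )
        events[(m["user"], m["src"])].append((ts, m["result"] == "Accepted"))

    findings = {}
    for key, evs in events.items():
        evs.sort()
        worst, success_after = 0, False
        for i, (t_i, ok_i) in enumerate(evs):
            fails = sum(
                1 for t, ok in evs[: i + 1]
                if not ok and (t_i - t).total_seconds() <= window_seconds
            )
            worst = max(worst, fails)
            if ok_i and fails >= max_failures:
                success_after = True
        if worst >= max_failures:
            findings[key] = {"failures_in_window": worst, "success_after_failures": success_after}
    return findings


if __name__ == "__main__":
    print("5-minute window:", find_login_anomalies(SAMPLE_LINES))
    print("1-hour window:", find_login_anomalies(SAMPLE_LINES, window_seconds=3600))
```

    With the default five-minute window only bob's burst-then-success is reported; carol's slow guessing surfaces only with the hour-long window, which is why a second, longer-horizon rule normally sits beside the burst rule.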

    If you choose to deploy a cyber kill chain, you should do so as part of a wider security policy. This should include a range of technologies and processes, from business antivirus and malware removal tools to password management and multi-factor authentication. Ongoing operational resilience is essential to counteract end-to-end cyberattacks by Advanced Persistent Threats (APTs) and provide long-term effective cybersecurity.

    Interrupt the cyber kill chain and improve your security with Avast Business

    Designed to keep your business safe, Avast Business provides robust endpoint protection and easy-to-deploy network security solutions for data, devices, and applications, protecting your business from advanced cyberthreats like ransomware and phishing.

    Get enterprise-grade security for your business with Avast Business Hub
