Cyber Kill Chain

A cyber kill chain is a series of 7 stages that model the primary actions conducted in a cyberattack. Lockheed Martin developed the cyber kill chain model in 2011 to help cyber defenders identify and prevent the steps of an attack. Other organizations have slightly different models and critics have noted that attackers increasingly flout the cyber kill chain model, but there is broad agreement that organizations should always strive to eliminate potential threats as early as possible in the cyber kill chain.

Another model for the cyber kill chain is the MITRE ATT&CK framework which provides a detailed list of tactics and techniques attackers will use.

The seven phases of the Lockheed Martin model are: reconnaissance, weaponization, delivery, exploitation, installation, command & control, and actions on objectives. An attacker conducts reconnaissance by probing for security gaps themself (or can purchase reconnaissance services / results as well). Once a weak point has been identified, the attacker moves to the weaponization phase and develops (or purchases) a weapon to exploit it, such as a virus or zero-day. In the delivery phase, the weapon is launched, for example, by email, delivering an infected USB key, via cross site scripting, or accessing a system remotely. Once the target is exploited, the attacker can install tools to maintain access, execute actions remotely, cover their tracks, and gather data. During command and control and actions on objectives, data may be exfiltrated, other systems targeted and, in the case of ransomware, data may be encrypted to get a “double” extortion: First by selling data or access to criminals and then by having the victim(s) pay for access to their own systems and data.