Analyzing the 7 Cyber Kill Chain Steps

Tuesday, Apr 26, 2022

BY: Team Nuspire

The cyber kill chain is an adaptation of a military concept to the world of information security. Developed by technology corporation Lockheed Martin back in 2011, the cyber kill chain outlines the stages common to most cyberattacks.

The usefulness of this concept is that you can establish suitable controls and processes at each different step to prevent, detect and disrupt cyberattacks. Keep reading to get the lowdown on the cyber kill chain steps along with suggested ways to bolster your defenses at each phase.

Cyber Kill Chain Steps

The seven steps of a cyberattack are the nitty gritty of the cyber kill chain. One point worth noting is that when Googling “cyber kill chain,” you’ll often see various websites mentioning eight or even 18 steps. The reason is that other companies attempted to refine or improve upon the original Lockheed Martin kill chain with their own versions. Whether or not these variations are genuine improvements or marketing ploys is another debate entirely; for brevity’s sake, we’ll stick with the original here.

So, why the need for a cyber kill chain at all? Well, today’s threat actors are more technically adept, motivated and resourceful than ever. The aftermath of the most serious cyberattacks, such as advanced persistent threats or double extortion ransomware, often reveals a common pattern of activity from adversaries. Understanding this activity and organizing it into a logical framework can prove very useful in thwarting attacks and improving your security posture.

Step 1: Reconnaissance

The reconnaissance phase kicks off the kill chain with a period in which adversaries conduct research to plan a cyberattack. This first step in the kill chain typically focuses on both people and networks to find potential areas of weakness.

The people side of things involves gathering intel from social media and company websites to understand who works for the company, who the important business partners are, and which employees could be most susceptible to social engineering. The network side of things concentrates on understanding network topology, including the applications and operating systems in your environment. A useful analogy is a group of bank robbers planning a heist by surveilling employees and sifting through blueprints.

Suggested controls:

Since reconnaissance can happen passively and covertly, it can be difficult to detect. For example, browsing your website or looking information up online is not something you can do much to deter. However, plenty of reconnaissance is active and requires threat actors to interact with systems. Suggested controls include:

  • Intrusion prevention systems to detect activity such as port scanning
  • Firewalls to control traffic flows and deny attempts at finding out information
  • A sensible information sharing policy that minimizes the information openly available to hackers online
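
To make the port scanning control above concrete, here is a minimal detector run over firewall log lines. It is an added example, not code from the original article or from Nuspire. The log line format, the sample entries and the thresholds are assumptions constructed for illustration, and the log is assumed to be in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed firewall log lines; the line format is an assumption for this example.
SAMPLE_LOG = """\
2022-04-26T10:00:01 DENY TCP 203.0.113.7:51000 -> 10.0.0.5:21
2022-04-26T10:00:02 DENY TCP 203.0.113.7:51001 -> 10.0.0.5:22
2022-04-26T10:00:02 ALLOW TCP 198.51.100.20:40000 -> 10.0.0.8:443
2022-04-26T10:00:03 DENY TCP 203.0.113.7:51002 -> 10.0.0.5:23
2022-04-26T10:00:04 DENY TCP 203.0.113.7:51003 -> 10.0.0.5:25
2022-04-26T10:00:05 DENY TCP 203.0.113.7:51004 -> 10.0.0.5:80
2022-04-26T10:00:09 ALLOW TCP 198.51.100.20:40001 -> 10.0.0.8:443
2022-04-26T10:01:00 DENY TCP 192.0.2.9:33000 -> 10.0.0.5:22
2022-04-26T10:06:00 DENY TCP 192.0.2.9:33001 -> 10.0.0.5:23
2022-04-26T10:11:00 DENY TCP 192.0.2.9:33002 -> 10.0.0.5:25
2022-04-26T10:16:00 DENY TCP 192.0.2.9:33003 -> 10.0.0.5:80
2022-04-26T10:21:00 DENY TCP 192.0.2.9:33004 -> 10.0.0.5:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def find_port_scanners(log_text, min_ports=5, window=timedelta(seconds=60)):
    """Return {(src, dst): sorted ports} for sources that touched at least
    min_ports distinct ports on one host inside a sliding time window."""
    recent = defaultdict(deque)  # (src, dst) -> deque of (timestamp, port)
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not parse rather than guessing
        ts = datetime.fromisoformat(m["ts"])
        key = (m["src"], m["dst"])
        events = recent[key]
        events.append((ts, int(m["dport"])))
        while events and ts - events[0][0] > window:
            events.popleft()  # drop probes older than the window
        ports = {p for _, p in events}
        if len(ports) >= min_ports:
            flagged[key] = sorted(ports | set(flagged.get(key, [])))
    return flagged

if __name__ == "__main__":
    for (src, dst), ports in find_port_scanners(SAMPLE_LOG).items():
        print(f"possible port scan: {src} -> {dst} ports {ports}")
```

With the default 60-second window only the fast sweep is flagged; the probes spaced five minutes apart surface only when the window is widened, which is the trade-off to tune against false positives.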

Step 2: Weaponization

In the second of the cyber kill chain steps, adversaries take information gleaned from the recon phase and attempt to tailor some sort of tool that exploits a vulnerability or perceived weakness. The resulting deliverable payload could be a remote access trojan, worm or other form of malware.

Suggested controls:

Weaponization is another part of the kill chain that’s hard to do anything about as it happens. There are, however, some useful strategies, such as:

  • Leveraging threat intelligence to understand the latest attack behaviors, including the weapons adversaries use to infiltrate networks
  • Being aware of your company’s evolving attack surface and potential areas of vulnerability

Step 3: Delivery

In the delivery step, hackers try a variety of ways to get the weapon they created to the target. The most obvious example that probably springs to mind is sending a phishing email with a malicious attachment. Other common delivery methods include installing malware on a vulnerable web server or injecting malicious code into an application.

Suggested controls:

Since this third cyber kill chain step represents the first real opportunity to block a cyberattack, there are multiple layers of defense you can focus on. Suggestions include:

  • Ongoing security awareness training to help staff become familiar with social engineering techniques, including more advanced forms like conversation hijacking
  • Endpoint detection and response (EDR) for monitoring endpoints and mitigating threats on devices/hosts
  • Penetration testing to uncover areas of vulnerability exploitable by threat actors

Step 4: Exploitation

The previous step only delivered a weaponized exploit; this phase is all about executing malicious payloads to compromise a target system and gain a foothold in the environment.

Suggested controls:

  • Advanced threat detection
  • Effective patch management
  • Secure development practices

Step 5: Installation

The installation phase is the step in the kill chain where threat actors try to establish persistent access to your environment and escalate their privileges. Tactics at this phase often include hacking admin passwords and installing backdoors that maintain access while bypassing security controls.

Suggested controls:

  • Implement two-factor or multi-factor authentication to strengthen access controls
  • Enforce the principle of least privilege access
  • Use managed detection and response (MDR) services to get real-time monitoring of threat data and swift response to in-progress attacks

Step 6: Command and Control

From an outside server, the adversary communicates with installed malware and backdoors to remotely control compromised systems. This step is kind of like establishing a tunnel between systems that the hacker controls. Tools used to establish command and control include Cobalt Strike and PowerShell Empire.

Suggested controls:

  • Look for advanced threat hunting capabilities and behavioral analysis to detect activity from Cobalt Strike beacons
  • Scan and filter all inbound and outbound traffic, ideally with an AI-driven solution that continuously self-learns and improves its ability to find malicious communication channels
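
One simple form of the behavioral analysis mentioned above is to look for outbound connections that recur at near-constant intervals, the timing pattern typical of a beacon checking in. The sketch below is an added example, not code from the original article or from Nuspire. The hosts, destinations, timings and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed outbound connection records: (epoch_seconds, internal_src, external_dst).
# Hosts, destinations and timings are made up for this example.
BEACON_OFFSETS = [0, 61, 119, 182, 240, 299, 361, 420]    # ~60 s sleep, small jitter
BROWSING_OFFSETS = [5, 9, 14, 140, 143, 600, 1900, 1904]  # bursty, human-driven
SAMPLE_CONNS = (
    [(1650967200 + t, "10.0.0.23", "c2.example.net") for t in BEACON_OFFSETS]
    + [(1650967200 + t, "10.0.0.41", "news.example.org") for t in BROWSING_OFFSETS]
    + [(1650967200 + t, "10.0.0.41", "cdn.example.com") for t in (3, 700)]
)

def score_beaconing(conns, min_events=6, max_cv=0.2):
    """Flag (src, dst) pairs whose connection gaps are unusually regular.

    Regularity is measured as the coefficient of variation (stdev / mean)
    of the gaps between consecutive connections; lower means more regular.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in conns:
        by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_events:
            continue  # too few samples to judge periodicity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all connections share one timestamp
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "count": len(times),
                             "interval": round(avg, 1), "cv": round(cv, 3)})
    return sorted(findings, key=lambda f: f["cv"])

if __name__ == "__main__":
    for f in score_beaconing(SAMPLE_CONNS):
        print(f"regular check-ins: {f['src']} -> {f['dst']} "
              f"every ~{f['interval']}s (cv={f['cv']}, n={f['count']})")
```

Legitimate periodic traffic such as update checks scores the same way, so treat a hit as a hunting lead to triage, not a verdict.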

Step 7: Actions on Objectives

The last of the cyber kill chain steps is the outcome that your business typically wants to avoid. This is the point at which a threat actor fulfills the purpose of the attack, whether that means encrypting critical files with ransomware, exfiltrating sensitive data or taking down an entire network with a DDoS attack.

Suggested controls:

All is not necessarily lost even if an attack progresses to this point. Some ways to halt actions on objectives or mitigate damage include:

  • Data loss prevention solutions that detect potential data breaches and work to prevent that data from leaving your environment or from being destroyed.
  • Backup and disaster recovery plans that rapidly restore key systems and apps in the event of a cyberattack that takes them offline or encrypts devices.
  • Encrypt sensitive data at rest and in transit.
  • Consider using honeypots to entice threat actors with manufactured attack targets that lure them away from genuine assets.

Stop Attacks in Their Tracks

Using the seven cyber kill chain steps, start working toward refining your cybersecurity strategy and defenses. Each distinct phase presents opportunities to adopt controls and processes that help you get better at stopping cyberattacks.

24/7 monitoring, detection and response should play an important role in how you plan to detect and deter attackers within each stage of the kill chain.

To learn more about how Nuspire addresses every step of the cyber kill chain and improves security for your business, contact the team today.