The Kill Chain in Cyberdefense

In cybersecurity, the Kill Chain describes the stages of an attack on an information system. Developed by Lockheed Martin as a framework for incident detection and response, the Cyber Kill Chain comprises the following seven stages:

Stage 1. Reconnaissance - The attacker gathers information about the target, such as its people, systems, and exposed services.

Stage 2. Weaponization - The attacker pairs an exploit with a malicious payload (for example, a backdoor embedded in a document) to send to the target.

Stage 3. Delivery - The attacker sends the weaponized payload to the target by email, a malicious website, removable media, or another delivery vector.

Stage 4. Exploitation - The exploit runs on the target, typically by triggering a vulnerability in an application or the operating system, or by tricking a user into executing the payload.

Stage 5. Installation - Malware and backdoors are installed on the target so the attacker keeps access after the initial compromise.

Stage 6. Command and Control - The attacker gains remote control of the target through a command and control (C2) channel to an external server.

Stage 7. Actions on Objectives - The attacker carries out the goal of the intrusion, such as information theft, or pivots to other devices inside the network, working through the Kill Chain stages again for each new target.

Defenses are therefore designed around the stages of the Kill Chain: breaking the chain at any one stage stops the attack from reaching its objective, and the earlier the break, the less damage is done. Assessing a company's security defenses against the Cyber Kill Chain raises questions like these:

  • What are the attack indicators at each stage of the Kill Chain?

  • Which security tools are needed to detect the attack indicators at each of the stages?

  • Are there gaps in the company’s ability to detect an attack?
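
The three questions above can be answered systematically by tagging each detection rule with the kill-chain stage it covers and the telemetry it depends on, then checking which stages have no rule and which rules are blind because their log source is not collected. The following Python is an added example, not part of the original text or of Lockheed Martin's framework; its rule names, telemetry source names and sample events are all constructed for illustration:

```python
"""Mapping detections onto the Cyber Kill Chain.

Added example, not taken from the original text or from Lockheed Martin's
material. Rule names, telemetry sources and the sample events are all
constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Callable

STAGES = (
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objectives",
)

_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


@dataclass(frozen=True)
class Rule:
    name: str
    stage: str        # kill-chain stage this indicator belongs to
    source: str       # telemetry the rule needs (constructed names)
    match: Callable[[dict], bool]


# Constructed indicator rules, one per observable stage. Weaponization has
# none on purpose: it happens on the attacker's side and leaves no telemetry
# in the victim network, which the gap report should surface.
RULES = (
    Rule("web-scanner-user-agent", "Reconnaissance", "web",
         lambda e: e["type"] == "http"
         and any(s in e.get("ua", "").lower() for s in ("nikto", "sqlmap", "masscan"))),
    Rule("macro-enabled-attachment", "Delivery", "email",
         lambda e: e["type"] == "email"
         and e.get("attachment", "").lower().endswith((".docm", ".xlsm", ".pptm"))),
    Rule("office-spawns-interpreter", "Exploitation", "edr",
         lambda e: e["type"] == "process"
         and e.get("parent", "").lower() in {"winword.exe", "excel.exe", "powerpnt.exe"}
         and e.get("image", "").lower() in {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}),
    Rule("run-key-persistence", "Installation", "edr",
         lambda e: e["type"] == "registry"
         and "\\currentversion\\run" in e.get("key", "").lower()),
    Rule("http-post-to-bare-ip", "Command and Control", "proxy",
         lambda e: e["type"] == "http" and e.get("method") == "POST"
         and bool(_IPV4.match(e.get("host", "")))),
    Rule("bulk-egress", "Actions on Objectives", "netflow",
         lambda e: e["type"] == "flow" and e.get("bytes_out", 0) > 500 * 1024 ** 2),
)


def indicators_by_stage(events, rules=RULES):
    """Return {stage: sorted rule names} for every rule that fired on any event."""
    hits = {}
    for ev in events:
        for rule in rules:
            if rule.match(ev):
                hits.setdefault(rule.stage, set()).add(rule.name)
    return {stage: sorted(hits[stage]) for stage in STAGES if stage in hits}


def earliest_stage(events, rules=RULES):
    """Earliest kill-chain stage at which the attack became visible, or None."""
    seen = indicators_by_stage(events, rules)
    return next((s for s in STAGES if s in seen), None)


def coverage_gaps(collected_sources, rules=RULES):
    """Which stages have no rule at all, and which rules exist on paper but are
    blind because the telemetry they need is not being collected."""
    uncovered = [s for s in STAGES if not any(r.stage == s for r in rules)]
    blind = sorted(r.name for r in rules if r.source not in collected_sources)
    return {"stages_without_rules": uncovered, "rules_missing_telemetry": blind}


# Constructed sample telemetry covering one intrusion end to end.
SAMPLE_EVENTS = [
    {"type": "http", "host": "www.example.com", "method": "GET", "ua": "Mozilla/5.0 (Nikto/2.1.6)"},
    {"type": "email", "to": "finance@example.com", "attachment": "Invoice_Q3.docm"},
    {"type": "process", "parent": "WINWORD.EXE", "image": "powershell.exe"},
    {"type": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"type": "http", "host": "203.0.113.7", "method": "POST", "ua": "Mozilla/5.0"},
    {"type": "flow", "dst": "203.0.113.7", "bytes_out": 2 * 1024 ** 3},
]

if __name__ == "__main__":
    for stage, names in indicators_by_stage(SAMPLE_EVENTS).items():
        print(f"{stage:22} {', '.join(names)}")
    print("earliest visible stage:", earliest_stage(SAMPLE_EVENTS))
    # Suppose only email and EDR telemetry are actually being collected.
    print(coverage_gaps({"email", "edr"}))
```

Weaponization always appears in the first gap list: it takes place on the attacker's infrastructure, so the defender's only view of it is after the fact, by analysing captured payloads to recognise the attacker's tooling. The second gap list is the one teams most often underestimate: a rule that exists in the SIEM but whose log source was never onboarded provides no detection at all, so the gap check has to look at collected telemetry, not just at the rule set.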

According to Lockheed Martin, understanding the stages of the Kill Chain allowed it to place defensive obstacles at each stage, slow down attacks, and ultimately prevent the loss of data. The figure shows how the effort and cost of inhibiting and remediating an attack increase with each successive stage of the Kill Chain.