Occasionally, we take a look at how the vast number of threats and the sophistication of adversaries is ramping up the pressure on CISOs and IT teams, and how, consequently, workloads are increasing with negative knock-on effects for businesses and organizations.

It is for precisely this reason that the frameworks and tools that best aid IT professionals in classifying tactics, techniques, and procedures, or rapidly identifying malware, have become so popular among the cybersecurity community. In this blog we have discussed some of these, including the MITRE ATT&CK model, Yara rules and, more recently, the Adversarial ML Threat Matrix. Yet the Cyber Kill Chain (CKC) is also an important and highly useful framework.

CKC phases_

The term ‘Kill Chain’ has military origins. Admiral Jonathan Greenert, former US Navy Chief of Naval Operations, explains that it is an approach aimed at determining how best to use time, money, and resources to organize one’s own capabilities and gain an advantage over adversaries. A successful attack, he argues, involves finding the target; determining the target’s location, course, and speed; communicating that information coherently to the platform launching the weapon, and launching the attack itself.

However, engineers at Lockheed Martin, one of the world’s leading defense companies, took the concept further in a white paper released in 2011, adapting it specifically to the phases of a cyberattack. The phases of the Cyber Kill Chain are, in short:

  • External Reconnaissance: This step includes the selection of targets, in which an adversary will identify aspects of an organization and the activity of staff, such as mailing lists for email addresses or social network membership.
  • Weaponization: A cyberattack can have many forms, such as web page exploits, targeted malware, files exploiting vulnerabilities, or water hole attacks.
  • Delivery: Transmission of the weapon to the targeted environment, whether triggered by the targets themselves (e.g., when a user visits a website or opens a malicious file) or launched directly by the adversary (via SQL injection or compromising the organization’s network).
  • Exploitation: Once the weapon has been deployed, malware compromises the system, often exploiting a vulnerability, for which in many cases a patch already exists.
  • Installation: During this phase, the malware adopts, or looks for, the form required to communicate with external threat actors. This phase is often silent, with a view to maintaining persistence on an endpoint.
  • Command and Control: Adversaries take control of installed assets using methods (normally remotely) that take advantage of the DNS, the ICMP, websites, and social networks.
  • Actions Inside the Network: This final phase is where threat actors directly damage the IT assets of the organization or exfiltrate the data they are after.

The phases of the CKC are then repeated, as one key aspect of this model is that it is cyclical, in that once adversaries have infiltrated a network, the CKC is repeated, now with greater knowledge of the system, in order to move laterally across the IT infrastructure. It is important nevertheless to underline that even though the methodology is the same, once inside a system, adversaries employ different methods to those used to launch an external attack. This is why we must always think in terms of an extended Cyber Kill Chain that applies to both environments. 



Cytomic EPDR in the Cyber Kill Chain_

Organizations should always consider the CKC model in order to understand how cyberattacks operate, whether external or internal. Yet it is not always easy to focus an entire cyberdefense strategy on the extended Cyber Kill Chain, and traditional security solutions are deemed inadequate in this respect.

As a response to this, the multi-layer security delivered by Cytomic EPDR can ensure that the Cyber Kill Chain will always be disrupted. Cytomic EPDR approaches this by preventing, detecting, and responding to even the most advanced techniques used by adversaries in each phase of the extended CKC.

It also supports cybersecurity teams’ efforts to design a strategy in line with this approach without having to hire more professionals, thanks to the intelligent endpoint detection and response (EDR) capabilities.

For more details about the Cyber Kill Chain and how Cytomic EPDR is designed to tackle it, download our ebook.