11:00 AM
Giora Engel
Giora Engel
Connect Directly

Deconstructing The Cyber Kill Chain

As sexy as it is, the Cyber Kill Chain model can actually be detrimental to network security because it reinforces old-school, perimeter-focused, malware-prevention thinking.

Created by defense giant Lockheed Martin, the term “Cyber Kill Chain” has been widely used by the security community to describe the different stages of cyber attacks. It’s a compelling model, easy to understand... and, let’s face it, the name sounds really cool.

However, whenever we look under the hood of the Cyber Kill Chain diagram that graces the Lockheed Martin website, we can’t help but try to scroll down farther than the diagram reaches. Because -- in a year that’s seen successful targeted attacks on consumer-facing giants like Target, JPMorgan, and Home Depot -- it has become clear that the actual scope of today’s cyberthreats extends far beyond that of the Cyber Kill Chain.

Beyond intrusion
Lockheed Martin’s model is intrusion-centric, which was the focus of cyber security when it was created, and is indeed still the focus of (too) much cyber security effort today.

The following is a brief description of its seven steps.

  • Step 1: Reconnaissance. The attacker gathers information on the target before the actual attack starts. He can do it by looking for publicly available information on the Internet.
  • Step 2: Weaponization. The attacker uses an exploit and creates a malicious payload to send to the victim. This step happens at the attacker side, without contact with the victim.
  • Step 3: Delivery. The attacker sends the malicious payload to the victim by email or other means, which represents one of many intrusion methods the attacker can use.
  • Step 4: Exploitation. The actual execution of the exploit, which is, again, relevant only when the attacker uses an exploit.
  • Step 5: Installation. Installing malware on the infected computer is relevant only if the attacker used malware as part of the attack, and even when there is malware involved, the installation is a point in time within a much more elaborate attack process that takes months to operate.
  • Step 6: Command and control. The attacker creates a command and control channel in order to continue to operate his internal assets remotely. This step is relatively generic and relevant throughout the attack, not only when malware is installed.
  • Step 7: Action on objectives. The attacker performs the steps to achieve his actual goals inside the victim’s network. This is the elaborate active attack process that takes months, and thousands of small steps, in order to achieve.

In fact, steps 1 through 6 of the Chain relate solely to intrusion, which is, as we know from recent attacks, only a very small part of a targeted attack. Along these same lines, the Chain is disproportionate on an attack time scale: Steps 1 through 6 take relatively little time, whereas step 7 can take months.

Further, it’s worth considering that steps 1, 2, and 3 are not relevant from an operational point of view. These are just the documentation of steps an attacker may take behind the scenes, not something that security professionals can directly address or influence.

Then we have the fact that the Chain is completely malware-focused. But malware is only one threat vector facing today’s networks. What about the insider threat? Social engineering? Intrusion based on remote access, in which no malware or payload is involved? The list of threat vectors facing today’s networks is far, far longer than those covered by the Chain.

What we’re left with, after we eliminate non-practicable steps and steps that are too narrow in their focus to maintain broad relevance, is infinite space between steps 6 and 7 (“Command and control” and “Actions on objectives”). And it is in this vast place that today’s targeted attackers are thriving -- many of them invisible to the Cyber Kill Chain paradigm.

The takeaway
We’re not afraid to say it: Over-focus on the Cyber Kill Chain can actually be detrimental to network security.

Why? Because the Cyber Kill Chain model, as sexy as it is, reinforces old-school, perimeter-focused, malware-prevention thinking. And the fact is that intrusion prevention solutions cannot provide 100% protection. A persistent, highly determined, and highly skilled attacker will always find a way in. And once the attacker is past your perimeter, traditional Cyber Kill Chain-style prevention solutions like firewalls, sandboxes, and antivirus can’t help. Once they’ve bypassed these solutions, attackers are free to operate in your network unobstructed.

The answer? If you must use the Chain model, zero in on No. 7. Focus on detecting ongoing attacks -- attackers that have already breached your perimeter -- before the damage is done. Instead of analyzing old malware, deploy a breach detection system that automatically detects and analyzes the changes in user and computer behavior that indicate a breach. These subtle changes are usually low-key and slow, and affect only a small number of computers, but the right analysis and context can flag them as malicious.

Want another point of view on Kill Chain effectiveness? Check out Leveraging The Kill Chain For Awesome.


Giora Engel, vice president, product & strategy at LightCyber is a serial entrepreneur with many years of technological and managerial experience. For nearly a decade, he served as an officer in an elite technological unit in the Israel Defense Forces, where he initiated and ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
3/14/2015 | 10:25:48 PM
Second layer needed
The misunderstanding is to think of the kill chain as a one-time thing. It's actually an iterative process that occurs internally post-exploitation; recon, etc. happens all over again repeatedly as an intruder establishes persistence and digs their claws deeper and deeper into your systems.
User Rank: Moderator
3/8/2015 | 3:41:34 PM
Re: Good breakdown of the Kill Chain - how prevalent is it?
What I would like to see from the author is a comprehensive alternative model that's practicle and useable in real world SecOps.  Something just as useable as the Kill Chain model is.  I dislike seeing darts being thrown without cause.  Its too easy and seems quite shallow to do so.  That is what this article feels like.  As my CSM was fond of saying, "Don't bitch without a solution".  :)
User Rank: Moderator
3/8/2015 | 3:28:34 PM
Re: Flaws in security kill chain
Is this the same RobertH from CI, and formerly from LM?
User Rank: Apprentice
2/17/2015 | 2:58:48 PM
Overuse of Kill Chain - Agreement with the Author
Like the Author, I belive the "kill chian" has become an over used buzzword that focuses on the initial vectors of attack, failing to detail or define what happens once the intrusion occurs and how to detect and defend properly.

Lockheed (and others), we're wrong in so far as they went, but like many things, a catchy phrase has been overused, and over extraploated as the solution and map for all things security.



David Swift
User Rank: Apprentice
11/19/2014 | 9:03:03 AM
Truly Understanding the Cyber Kill Chain
This article follows all the misconceptions that people have over the CKC.


1. The CKC is not a step by step process for responding to an incident. Instead, it's a methodology to organize an attack into distinct sections that help identify and predict tactics used by attackers. These TTPs can then be correlated between attacks to predict and prevent future attacks. The CKC should be used during an investigation to ensure that all CKC intel is extracted but its real strength is post-intrusion analysis of the data collected.


2. The CKC was created to stop IR teams from playing whack-a-mole. It emphasizes the intel pulled out of an incident. Using this intel an IR team can create behavioral blocks/detections and break free from the "here and now" incident response.


3. The CKC is not malware focused. Almost all attacks involve malware so it may seem that way but the CKC does apply to all incidents (non-malware included). For instance, insider threat has recon (how do they identify their target), Weaponization (gaining access to a computer or person in order to gain access to the end goal), etc.


4. The CKC doesn't claim to break down pieces of an attack into equal time slices. It makes sure that all relevant intel from an attack is identified, extracted, and hopefully documented. AoO usually does take the most time to accomplish. Saying that it is too big of a chunk because there are so many methods for AoO again shows lack of understanding in the CKC. There are 100 different delivery methods but we still clump them all into Delivery. AoO is the same. Stating that many attacks are "invisible to the Cyber Kill Chain" is completely wrong in that all CKC steps still have to be executed for a successful attack. Delivery may be a disgruntled worker using legitimate credentials to extract data from a server. Just because you don't understand to classify this activity as Delivery does not mean that Delivery doesn't happen.


In reality, states like "the CKC doesn't apply to all attacks" or "perimeter-focused" just shows that the true problem is lack of understanding of the CKC. Please don't take this as an insult because I was the same way for years. It wasn't until I saw the CKC in action that its benefits were clear. In that "aha" moment I instantly became a huge CKC advocate. Most clients that I deal with are in the same boat as you. They claim to understand the CKC but don't understand the methodology. The CKC goes way beyond the 7 basic stages. It's provides tips on how to fully exhaust an investigation and a framework for post-intrusion analysis.

User Rank: Apprentice
11/18/2014 | 6:24:22 PM
Flaws in security kill chain
Great post here on the security kill chain and it's flaws. Indeed, the kill chain was designed to address APT, and more specifically targeted spear-phishing attacks. It doesn't fit every attack vector. I do agree with the author that most organizations should spend their time dealing with step 7, focusing on ongoing attacks. However, I disagree that "steps 1, 2, and 3 are not relevant from an operational point of view". There are many methods to address "malware delivery defeat" - ® Bob Huber ; ) You can also address step 1-Recon via attack surface reduction. Indeed, there are opportunities at every step to address them. That said, this model is not apprpriate for most attacks. If you want to keep with the "cool" military jargon, F2T2EA, D3A or some version of the military targeting methodology/process could be very useful as a model (someone can pick that up for a paper).
User Rank: Strategist
11/18/2014 | 6:06:06 PM
Re: Good breakdown of the Kill Chain - how prevalent is it?
The term Cyber Kill Chain is suprisingly very prevalent in the industry. I think that almost every security vendor that I can think about used it at least once. I can say for sure that in some cases people don't use it correctly, as they are less familiar with the attackers' tactics and the comlexity of cyber attacks.

When Lockheed Martin was a victim of a targeted attack the whole concept of creating an exploit and using it to target a specific company was realatively new and therefore this was most of the focus in their terminology. Surprisingly people still use this same scheme.

A lot has happened since that breach and I personally know about some targeted attacks that used generic malware and exploits in order to enter a network. The focus today should be the atctive state of the breach, inside the network.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
11/18/2014 | 4:20:28 PM
Good breakdown of the Kill Chain - how prevalent is it?
Curious to know from our readers how many of you follow the Cyber Kill Chain model, or some version of it?

And for @Giora Engel -- how prevalent is it, industry wide?

Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Cybercrime has become a well-organized business, complete with job specialization, funding, and online customer service. Dark Reading editors speak to cybercrime experts on the evolution of the cybercrime economy and the nature of today's attackers.