What is a cyber kill chain?

Credit: Martyn Williams/IDG

The American military was the first to formalise the concept of a ‘kill chain’, loosely defined as the six steps that must all be completed in sequence to eliminate a target. These steps fall under the acronym F2T2EA: Find, Fix, Track, Target, Engage, Assess.

It’s a chain because if any of these points are missed the whole process can unravel. In 2011, defence contractor Lockheed Martin came up with a kill chain model to be applied to cyber security threats, and this is the ‘cyber kill chain’.

The cyber kill chain therefore refers to the seven steps that are generally taken to successfully pull off a cyber attack. These are:

– Reconnaissance: collecting information and scouting the target. This could be through gathering email addresses, or social engineering techniques, or looking up the target on social networks and any other available information about them on the open web. It could also mean scanning for open servers, or internet-facing servers to target that might have default credentials (openly available info – through Shodan for example).

– Weaponisation: Lockheed describes this as “coupling exploit with backdoor into deliverable payload”. In other words, building a system of attack – a way to compromise the network, finding the right malware for the job, e.g. a remote access trojan, and a technique that will lure the target to execute it.

– Delivery: Lockheed says: “Delivering a weaponized bundle to the victim via email, web, USB, etc.”. This is fairly self-explanatory: it’s the logistics of getting the payload from A to B to C.

– Exploitation: using a vulnerability on the target system to execute the malicious code.

– Installation: installing said code on the compromised system so the attacker retains access.

– Command and Control: “Command channel for remote manipulation of victim” – now that the target is fully compromised, the compromised system will connect back to the attacker, often by way of a bot, zombie, or other compromised system to further obscure the trail back to the initial attacker.

– Actions on Objectives: this is where the attacker achieves what they set out to in the first place. It could be anything from espionage, to compromising deeper systems on the network, stealing credentials, installing ransomware, or simply causing havoc.
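The practical value of the model for a defender is that the phases are ordered: an intrusion that has reached Command and Control must already have passed through Delivery, Exploitation and Installation, and catching it at any earlier link breaks the chain. The script below is an added example, not code from the article or from Lockheed Martin. It maps SOC alerts onto the seven phases with a simple keyword classifier, reports how far along the chain an incident has progressed, and lists the earlier phases for which no alert exists, which are the visibility gaps an analyst should go back and look for evidence in. The alert lines are constructed for the example; in real use they would come from a SIEM, and the keyword table would be tuned to the organisation’s own detection names.

```python
"""Map alerts onto the seven cyber kill chain phases and report intrusion progress.

Added example for the article above; the alert texts and keyword table are
constructed for illustration and are not real telemetry or a vendor mapping.
"""
from enum import IntEnum
from typing import Dict, Iterable, List, Optional, Tuple


class Phase(IntEnum):
    """Lockheed Martin's seven phases; integer order lets us compare progress."""
    RECONNAISSANCE = 1
    WEAPONISATION = 2
    DELIVERY = 3
    EXPLOITATION = 4
    INSTALLATION = 5
    COMMAND_AND_CONTROL = 6
    ACTIONS_ON_OBJECTIVES = 7


# Keyword hints per phase (constructed). Weaponisation happens on the attacker's
# own infrastructure and produces no telemetry on the victim network, so it has
# no entry and is excluded from the "missing link" report below.
PHASE_KEYWORDS: Dict[Phase, Tuple[str, ...]] = {
    Phase.RECONNAISSANCE: ("port scan", "directory enumeration", "shodan"),
    Phase.DELIVERY: ("attachment", "phishing", "usb", "download"),
    Phase.EXPLOITATION: ("macro", "exploit", "shellcode", "office spawned"),
    Phase.INSTALLATION: ("scheduled task", "run key", "service created", "persistence"),
    Phase.COMMAND_AND_CONTROL: ("beacon", "c2", "command and control", "dns tunnel"),
    Phase.ACTIONS_ON_OBJECTIVES: ("exfiltration", "ransomware", "credential dump", "lateral"),
}

# Constructed sample alerts from one incident, in time order.
SAMPLE_ALERTS: List[str] = [
    "2024-01-01T09:02Z mail gateway: phishing email with attachment delivered to j.doe",
    "2024-01-01T09:10Z EDR: WINWORD.EXE spawned powershell.exe (office spawned shell)",
    "2024-01-01T09:11Z EDR: scheduled task 'Updater' created by powershell.exe",
    "2024-01-01T09:12Z proxy: periodic beacon to updates-cdn.example (flagged C2 domain)",
]


def classify(alert: str) -> Optional[Phase]:
    """Return the kill-chain phase an alert belongs to, or None if unmatched.

    Phases are checked from latest to earliest so that an alert mentioning
    several stages is attributed to the most advanced one it evidences.
    """
    text = alert.lower()
    for phase in sorted(PHASE_KEYWORDS, reverse=True):
        if any(keyword in text for keyword in PHASE_KEYWORDS[phase]):
            return phase
    return None


def phases_seen(alerts: Iterable[str]) -> List[Phase]:
    """Distinct phases with at least one alert, in chain order."""
    seen = {phase for alert in alerts if (phase := classify(alert)) is not None}
    return sorted(seen)


def furthest_phase(alerts: Iterable[str]) -> Optional[Phase]:
    """How far along the chain the intrusion has demonstrably progressed."""
    seen = phases_seen(alerts)
    return seen[-1] if seen else None


def missing_links(alerts: Iterable[str]) -> List[Phase]:
    """Earlier phases the attacker must have passed through without triggering
    an alert: the visibility gaps to investigate and to add detections for."""
    alerts = list(alerts)
    furthest = furthest_phase(alerts)
    if furthest is None:
        return []
    seen = set(phases_seen(alerts))
    return [
        phase for phase in Phase
        if phase < furthest and phase not in seen and phase != Phase.WEAPONISATION
    ]


if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        print(f"{classify(alert).name:22s} <- {alert}")
    print("furthest phase:", furthest_phase(SAMPLE_ALERTS).name)
    print("undetected earlier phases:", [p.name for p in missing_links(SAMPLE_ALERTS)])
```

For the constructed incident the report shows the intrusion at Command and Control, with Delivery, Exploitation and Installation all alerted on and Reconnaissance as the one earlier link with no evidence. The point is not the keyword matching, which any real deployment would replace with proper rule-to-phase tags, but the ordering: once analysts can see which link of the chain each alert sits on, they can prioritise containment at the earliest link where a control exists rather than chasing the latest alert.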