Cyber Kill Chain in Cyber Threat Intelligence

The Cyber Kill Chain (aka Intrusion Kill Chain) is a model of the 7 stages an attacker moves through during a cyberattack. The model was developed by defense contractor Lockheed Martin.

The name comes from the idea that the sequential stages form a chain, and by breaking one or more of the links in the chain, you can kill (stop) the attack.

Although the model has decreased in popularity as ATT&CK’s popularity has risen, and the Cyber Kill Chain doesn’t fit all modern cyberattacks, it’s still useful for analyzing attacks and defending against them.

The Cyber Kill Chain

The Cyber Kill Chain by Lockheed Martin

Each of the 7 stages is an opportunity for defenders to detect and stop an attack.

1. Reconnaissance: gather info to prepare for attack
2. Weaponization: create malware to target a vulnerability
3. Delivery: send malware to target
4. Exploitation: take advantage of a vulnerability to execute code on target’s system(s)
5. Installation: install malware on target’s system(s)
6. Command and Control (C2): remotely control target’s system(s)
7. Actions on Objectives: accomplish goal, which is often data exfiltration

The Cyber Kill Chain for CTI

How can CTI analysts use the Cyber Kill Chain? Look at each stage in the chain and see what you can learn about how attackers may attempt that stage. Here are a few examples.

You can gather OSINT to discover what info is available about your organization, which attackers could also uncover during the Reconnaissance stage. If you find info that shouldn’t be available, you can recommend that it be removed.

By analyzing the steps attackers have taken against organizations similar to yours, you can learn how to defend against such an attack against your organization. If attacks against organizations like yours commonly use a certain type of email for the Delivery stage, you can inform the organization to be on the lookout for that type of email.

By studying the TTPs of groups that could target your organization, you can fill in the blanks on the kill chain, predicting how each group could act against your organization. That will help you advise on defending against those steps. If a group that frequently targets organizations like yours is known for using a certain type of malware in the Weaponization, Exploitation, and Installation stages, you can inform defenders to bolster defenses against it.

If you’re able to identify the communication patterns of the malware of the groups most likely to target your organization, you can inform defenders how to block that communication, which can thwart an attacker if they make it to the Command and Control (C2) stage.

Additional Resources

Cyber Kill Chain®

How Can Threat Intelligence Help the Cyber Attack Kill Chain? | Recorded Future

Using Cyber Kill Chain for Threat Intelligence - SOCRadar® Cyber Intelligence Inc.

Seven Ways to Apply the Cyber Kill Chain® with a Threat Intelligence Platform (PDF)