Unified Kill Chain in Cyber Threat Intelligence
The Unified Kill Chain is a combination of the Cyber Kill Chain and MITRE ATT&CK tactics. It’s meant to be an updated version of the Cyber Kill Chain to better fit modern attacks.
Attack Phases (Tactics)
The Unified Kill Chain includes 18 phases or tactics, which are the steps a cyberattack may progress through. Any particular attack can skip phases, repeat phases, or go out of order.
- Reconnaissance: identify and select targets
- Weaponization: set up infrastructure for attack
- Delivery: send weaponized object (e.g., malware) to target
- Social Engineering: manipulate people to perform unsafe actions
- Exploitation: take advantage of a vulnerability on target’s systems (possibly to execute code)
- Persistence: maintain access to systems
- Defense Evasion: avoid detection and defenses
- Command and Control: communicate with compromised systems to control them
- Pivoting: use a controlled system to gain access to others
- Discovery: gain knowledge about system and network
- Privilege Escalation: gain higher-level permissions
- Execution: run attacker-controlled code
- Credential Access: steal usernames and passwords
- Lateral Movement: access and control other systems
- Collection: gather data of interest
- Exfiltration: steal data from the network
- Impact: manipulate, interrupt, or destroy systems or data
- Objectives: use social and technical means to achieve strategic goal
Attack Phase Combinations
The Unified Kill Chain describes 3 ways in which phases are combined to achieve intermediate goals.
- Initial Foothold: compromise a system to gain access to network (Reconnaissance, Weaponization, Delivery, Social Engineering, Exploitation, Persistence, Defense Evasion, Command and Control, Pivoting)
- Network Propagation: gain additional access within network (Pivoting, Discovery, Privilege Escalation, Execution, Credential Access)
- Action on Objectives: achieve goal of attack (Credential Access, Lateral Movement, Collection, Exfiltration, Impact, Objectives)
Unified Kill Chain in CTI
CTI analysts can use the Unified Kill Chain to model attacks and threat actors. If you want to describe the steps of a particular attack, you can put the tactics that were used into an attack-specific kill chain.
If you want to describe the behavior of a particular threat actor, you can put their tactics into an actor-specific kill chain.
Provide these kill chains to defenders so they can improve defenses. It’s important to remember that any particular attack can skip phases, repeat phases, or go out of order, so defense in depth is critical.
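As an added example that is not part of the original article, the following Python models the 18 phases and the three phase combinations described above and builds an attack-specific kill chain from a constructed list of observed tactics, flagging the repeats and out-of-order steps that a defender receiving the chain should be told about.

```python
# Added example (not from the original article): model the Unified Kill Chain's
# 18 phases and 3 phase combinations, then build an attack-specific kill chain
# from a constructed list of observed tactics.
PHASES = [
    "Reconnaissance", "Weaponization", "Delivery", "Social Engineering",
    "Exploitation", "Persistence", "Defense Evasion", "Command and Control",
    "Pivoting", "Discovery", "Privilege Escalation", "Execution",
    "Credential Access", "Lateral Movement", "Collection", "Exfiltration",
    "Impact", "Objectives",
]

# The three intermediate goals. Pivoting and Credential Access each appear in
# two combinations, so a phase may map to more than one goal.
GOALS = {
    "Initial Foothold": PHASES[0:9],
    "Network Propagation": PHASES[8:13],
    "Action on Objectives": PHASES[12:18],
}

def attack_kill_chain(observed):
    """Turn an ordered list of observed tactics into an attack-specific kill chain:
    distinct phases in observed order, the intermediate goals they touch, and the
    repeated phases and out-of-order transitions an analyst should note."""
    unknown = [p for p in observed if p not in PHASES]
    if unknown:
        raise ValueError(f"not UKC phases: {unknown}")
    order = {p: i for i, p in enumerate(PHASES)}
    chain = list(dict.fromkeys(observed))  # dedupe, keep first occurrence
    repeated = sorted({p for p in observed if observed.count(p) > 1}, key=order.get)
    # A transition is out of order when the next tactic sits earlier in the UKC.
    out_of_order = [(a, b) for a, b in zip(observed, observed[1:]) if order[b] < order[a]]
    goals = {g: [p for p in chain if p in ps] for g, ps in GOALS.items()}
    goals = {g: ps for g, ps in goals.items() if ps}  # drop goals never reached
    return {"chain": chain, "goals": goals, "repeated": repeated, "out_of_order": out_of_order}

# Constructed incident timeline (illustrative, not a real case).
OBSERVED = [
    "Delivery", "Social Engineering", "Exploitation", "Command and Control",
    "Discovery", "Credential Access", "Lateral Movement", "Discovery",
    "Collection", "Exfiltration",
]

if __name__ == "__main__":
    result = attack_kill_chain(OBSERVED)
    for goal, phases in result["goals"].items():
        print(f"{goal}: {' -> '.join(phases)}")
    print("repeated:", result["repeated"], "out of order:", result["out_of_order"])
```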