Security Defined Cybersecurity EncyclopediaWhat is a Cyber Security Kill Chain?

What is the Cyber Security Kill Chain?

6.5 min read

What is the Cyber Security Kill Chain?

The cyber security kill chain model explains the typical procedure that hackers take when performing a successful cyber attack. It is a framework developed by Lockheed Martin derived from military attack models and transposed over to the digital world to help teams understand, detect, and prevent persistent cyber threats. While not all cyber attacks will utilize all seven steps of the cyber security kill chain model, the vast majority of attacks use most of them, often spanning Step 2 to Step 6.

cyber security kill chain definition


What are the Steps of the Cyber Security Kill Chain?

cyber kill chain model steps

There are several other cyber kill chain models developed by other companies, but for the sake of simplicity, we’re going to stick with the Lockheed Martin model, which is the best-known framework in the industry. We’ve included explanations as well as brief solutions for each one so you can better understand the process hackers take to breach a target.


Step 1: Reconnaissance

Like any form of traditional warfare, the most successful cyber attacks start with lots of information gathering. Reconnaissance is the first step in the cyber security kill chain and utilizes many different techniques, tools, and commonly used web browsing features including:

  • Search engines
  • Web archives
  • Public cloud services
  • Domain name registrie
  • WHOIS command
  • Packet sniffers (Wireshark, tcpdump, WinDump, etc.)
  • Network mapping (nmap)
  • DIG command
  • Ping
  • Port scanners (Zenmap, TCP Port Scanner, etc.)

There is a wide range of tools and techniques used by hackers to gather information about their targets, each of which exposes different bits of data that can be used to find doors into your applications, networks, and databases which are increasingly becoming cloud based. It’s important that you secure your sensitive data behind cloud-based SASE defenses, encryption and secure web pages in order to prevent attackers from stumbling on compromising information while browsing through your publicly-accessible assets, including apps and cloud services.


Step 2: Weaponize

Once an attacker has gathered enough information about their target, they’ll choose one or several attack vectors to begin their intrusion into your space. An attack vector is a means for a hacker to gain unauthorized access to your systems and information. Attack vectors range from basic to highly technical, but the thing to keep in mind is that, for hackers, targets are often chosen by assessing cost vs. ROI.

Everything from processing power to time-to-value is a factor that attackers take into account Typical hackers will flow like water to the path of least resistance, which is why it is so important to consider all possible entry points along the attack surface (all of the total points in which you are susceptible to an attack) and harden your security accordingly.

The most common attack vectors include:

  • Weak or stolen credentials
  • Remote access services (RDP, SSH, VPNs)
  • Careless employees
  • Insider attackers
  • Poor or no encryption
  • System misconfiguration
  • Trust relationships between devices/systems
  • Phishing (social engineering)
  • Denial of service attacks
  • Man-in-the-middle attacks (MITM)
  • Trojans
  • SQL injection attacks
  • And many others

Remember: a hacker only needs one attack vector to be successful. Therefore, your security is only as strong as its weakest point and it’s up to you to discover where those potential attack vectors are. Ransomware attacks continue to exploit remote access services to gain entry, make lateral movements, detect sensitive data for exfiltration, all before encrypting and making ransom requests.

So typically once an attacker is in, their next move is to find different ways to move laterally throughout your network or cloud resources and escalate their access privileges so their attack will gather the most valuable information, and they’ll stay undetected for as long as possible. Preventing this kind of behavior requires adopting “Zero Trust” principles, which, when applied to security and networking architecture, consistently demands reaffirmation of identity as users move from area to area within networks or applications.

Reports: Netskope Threat Labs Reports


Step 3: Delivery

Now that a hacker has gained access to your systems, they’ll have the freedom they need to deliver the payload of whatever they have in store for you (malware, ransomware, spyware, etc.). They’ll set up programs for all kinds of attacks, whether immediate, time-delayed or triggered by a certain action (logic bomb attack). Sometimes these attacks are a one-time move and other times hackers will establish a remote connection to your network that is constantly monitored and managed.

Malware detection with Next Gen SWGs to TLS decrypt and inspect web and cloud traffic are key components for preventing the delivery of these types of payloads. Increasingly attacks are cloud delivered with 68% of malware using cloud delivery versus web delivery. Running inline threat scanning services for web and cloud traffic along with accounting for the status of all endpoint devices is crucial in ensuring your company is not infected with any malicious software.


Step 4: Exploit

Once the attacker’s intended payload is delivered, the exploitation of a system begins, depending on the type of attack. As mentioned before, some attacks are delayed and others are dependent on a specific action taken by the target, known as a logic bomb. These programs sometimes include obfuscation features in order to hide their activity and origin in order to prevent detection.

Once the executable program is triggered, the hacker will be able to begin the attack as planned, which leads us to the next few steps, encompassing different types of exploitations.


Step 5: Install

If a hacker sees the opportunity for future attacks, their next move is to install a backdoor for consistent access to the target’s systems. This way they can move in and out of the target’s network without running the risk of detection by reentering through other attack vectors. These kinds of backdoors can be established through rootkits and weak credentials, and so long as their behavior doesn’t throw up any red flags to a security team (such as unusual login times or large data movements), these intrusions can be hard to detect. SASE architecture is uniting security defenses to collect rich metadata on users, devices, apps, data, activity and other attributes to aid investigations and enhance anomaly detection.


Step 6: Callback

Now that the programs and backdoors are installed, an attacker will take control of systems and execute whatever attack they have in store for you. Any actions taken here are solely for the purpose of maintaining control of their situation with the target, which can take all kinds of forms, such as planting ransomware, spyware, or other means for exfiltrating data in the future.

Unfortunately, once you learn of an intrusion and exfiltration, it is probably too late—the hackers have control of your system. That’s why it’s important to have safeguards that monitor and evaluate data movements for any suspicious activity. A machine is far more likely to detect and prevent malicious behavior faster than any network administrator.

White Paper: Protecting Data Using Machine Learning


Step 7: Persist

Everything has led to this. This is the continuous execution stage where an attacker takes action on their target and may encrypt your data for ransom, exfiltrate your data for monetary gain, bring down your network via denial of service, or monitor your system behaviors for any other openings via spyware, to name just a few potential outcomes. Espionage and monitoring are leading actions in this last kill chain step where attackers keep a low profile and persist.

This is where real-time monitoring of data movement and suspicious behavior detection is crucial because attackers will move as quickly as possible to achieve their goals. There is never enough time to react to every possible anomaly within a large corporate structure so your role in prevention must be proactive instead of reactive.

Putting the Cyber Security Kill Chain into Practice

You should now have a rudimentary understanding of the common kill chain stages your company faces, and it’s up to you to fill in the gaps in your security strategy. While these steps were originally developed with traditional, perimeter-focused security in mind, many of these steps are used by insider attackers as well, with techniques including privilege escalation, shoulder surfing, SQL injections, and many others.

There are all kinds of reasons for attacks, including financial, political—even just for fun and recognition. Understanding what motivations an attacker might have for targeting your company will help you plan for potential attack vectors.

When developing your defense strategies, it’s important to look at all possible weak points, from your network to the cloud. The good news is that Netskope is uniquely positioned to take on all kinds of insider and outsider threats to your users, apps, data and cloud infrastructure. Learn more about how Netskope can help you prevent data loss and monitor abnormal movements of cloud data today.


Subscribe to the
Threat Labs Report

Get the monthly Threat Lab Report as soon as it’s released.