The Kill Chain


There is this concept of the “kill chain” in the area of penetration testing. As you would expect, the term comes from the military. As Wikipedia explains, it first was used to describe the phases of a military attack; first target identification, then force dispatch to target, then decision to attack target, and finally the destruction of the target.

Cyber Kill Chain

It was Lockheed Martin that started to apply this concept to information security. They saw the need of a method for modeling intrusions on computer networks, and called it the Cyber Kill Chain framework.

According to Lockheed Martin, an intrusion could be modeled into seven different phases: reconnaissance, weaponization, delivery, exploitation, installation of malware, command and control of the infected machine or machines, and finally actions on objectives.

By using this model you get the idea of how an attacker would act and gives help in ensuring the defensive measures needed are in place. The concept has not been without its critics, and as a response, a unified version of the kill chain has been developed where the Cyber Kill Chain was unified and extended with MITRE’s ATT&CK framework.

Unified Kill Chain

This Unified Kill Chain have no less than 18 unique attack phases that may occur in end-to-end cyber attacks. The model may be used to analyze, compare and defend against end-to-end cyber attacks, but this need to be stressed, it only concerns Advanced Persistent Threats (APTs). This will thus only apply for the most capable and intentional threats (read nation states or organized crime, or mixed).

But no matter if you struggle with these kinds of threat actors, or you’re just a bit intrigued by the subject, I’m thinking it would be interesting to dig a little deeper into the practicalities of the different phases of the unified kill chain.

Therefore, I will start a blog series on the different elements of this model. Follow my quest in learning more about this. Coming blog posts will be linked below:

Elements of the Unified Kill Chain

Initial foothold

  • Reconnaissance
  • Weaponization
  • Delivery
  • Social Engineering
  • Exploitation
  • Persistence
  • Defense Evasion
  • Command & Control

Network propagation

  • Pivoting
  • Discovery
  • Privilege Escalation
  • Execution
  • Credential Access
  • Lateral Movement

The network propagation part may be repeated for each subsystem.

Action on objectives

  • Collection
  • Exfiltration
  • Target Manipulation
  • Objectives