Cyber Kill Chain - Seven Phases of an Attack
The cyber kill chain is a framework that classifies the series of processes in a cyberattack into seven stages. It was proposed by the major U.S. defense contractor Lockheed Martin in its 2011 paper "Intelligence-Driven Computer Network Defense." Applying the military term "kill chain" (the sequence from detecting a target to destroying it) to cyberspace, it lets you systematically analyze at which phase an attack can be severed by understanding each stage of the attack.
The Seven Stages
Lockheed Martin's seven stages are reconnaissance, weaponization, delivery, exploitation, installation, command and control (C2), and actions on objectives. The attacker progresses through these seven stages in order, but the defender can stop the attack by severing the chain at any stage. Detecting and blocking at an early stage (reconnaissance or delivery) prevents damage before it occurs, while detection even at a later stage (C2 or actions on objectives) keeps the damage to a minimum. This framework is also useful for planning incident response.
Comparison with MITRE ATT&CK
| Aspect | Cyber kill chain | MITRE ATT&CK |
|---|---|---|
| Granularity | High-level model of 7 stages | Detailed classification with 14 tactics and hundreds of techniques |
| Structure | Linear (fixed order) | Matrix format (flexible order) |
| Purpose | Grasping the overall picture of an attack, explaining to management | Developing technical detection rules, red team exercises |
| Update frequency | No major revisions since 2011 | New techniques added every quarter |
| Insider threats | Assumes external attackers, so coverage is weak | Also includes insider-threat techniques |
In practice, rather than treating the two as opposites, it is effective to use them in tandem: survey the overall picture of an attack with the kill chain, and drill into the concrete techniques and detection methods of each stage with ATT&CK. Threat intelligence teams use both frameworks on a daily basis.
Criticisms and Limitations
The cyber kill chain has been criticized for the following limitations. First, because it is a model that assumes intrusion from the outside, it does not fit threats posed by insiders well. Insiders can skip the reconnaissance, delivery, and exploitation stages and directly carry out their objectives using legitimate access privileges. Second, in cases such as supply chain attacks where malware is delivered through a trusted channel, detection at the delivery stage is extremely difficult. Third, because it is a linear model, it has a structural constraint that makes it hard to represent cases where an attacker skips stages or advances multiple stages simultaneously.
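The following is an added example, not code from the original article or from Lockheed Martin or MITRE. It shows the "use them in tandem" idea from the comparison section and the linearity limitation above in working form: ATT&CK-tagged detections are mapped onto kill chain stages, the earliest stage at which the chain could have been cut is reported, and timelines that start past the entry stages (the insider and trusted-channel patterns) or run out of kill chain order are flagged. The tactic-to-stage mapping is an assumption (a common correspondence, not an official one), and the alert timelines are constructed sample data.

```python
"""Map ATT&CK-tagged detections onto the Lockheed Martin kill chain.

Added example, not part of the original article. TACTIC_TO_STAGE is an
assumed mapping (tactic names are real ATT&CK Enterprise tactics; the
correspondence to kill chain stages is a common convention, not official).
All alert timelines below are constructed sample data.
"""

# The seven stages, in the fixed order the kill chain assumes.
KILL_CHAIN = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]

# Assumed mapping from ATT&CK tactic names to kill chain stages.
TACTIC_TO_STAGE = {
    "Reconnaissance": "reconnaissance",
    "Resource Development": "weaponization",
    "Initial Access": "delivery",
    "Execution": "exploitation",
    "Persistence": "installation",
    "Privilege Escalation": "installation",
    "Defense Evasion": "installation",
    "Command and Control": "command_and_control",
    "Credential Access": "actions_on_objectives",
    "Discovery": "actions_on_objectives",
    "Lateral Movement": "actions_on_objectives",
    "Collection": "actions_on_objectives",
    "Exfiltration": "actions_on_objectives",
    "Impact": "actions_on_objectives",
}


def stage_of(tactic):
    """Translate an ATT&CK tactic name to a kill chain stage (assumed mapping)."""
    try:
        return TACTIC_TO_STAGE[tactic]
    except KeyError:
        raise ValueError(f"unknown ATT&CK tactic: {tactic!r}") from None


def analyze_chain(alerts):
    """Summarise where in the kill chain a set of detections landed.

    alerts: iterable of (iso_timestamp, attack_tactic) pairs in any order.
    Returns a dict with:
      earliest_stage        - first stage observed: the point at which the
                              chain could have been cut
      skipped_entry_stages  - stages before the first observation; a long
                              list here is the insider / trusted-channel
                              pattern (or a visibility gap on our side)
      missing_stages        - stages with no detection at all
      out_of_order          - True when a later alert maps to an earlier
                              stage, i.e. the linear model does not fit
    """
    # ISO-8601 strings in one format sort correctly as plain strings.
    ordered = sorted(alerts, key=lambda a: a[0])
    observed = [stage_of(tactic) for _, tactic in ordered]
    if not observed:
        return {"earliest_stage": None, "skipped_entry_stages": [],
                "missing_stages": list(KILL_CHAIN), "out_of_order": False}
    indices = [KILL_CHAIN.index(s) for s in observed]
    first = min(indices)
    seen = set(observed)
    return {
        "earliest_stage": KILL_CHAIN[first],
        "skipped_entry_stages": KILL_CHAIN[:first],
        "missing_stages": [s for s in KILL_CHAIN if s not in seen],
        # Same-stage repeats are fine; only a step backwards is non-linear.
        "out_of_order": any(b < a for a, b in zip(indices, indices[1:])),
    }


# Constructed sample timelines (not real incident data).
PHISHING_INTRUSION = [
    ("2024-05-01T09:02:00Z", "Initial Access"),       # attachment opened
    ("2024-05-01T09:03:10Z", "Execution"),            # macro ran a loader
    ("2024-05-01T09:05:00Z", "Persistence"),          # run key written
    ("2024-05-01T09:20:00Z", "Command and Control"),  # beacon to C2
    ("2024-05-02T01:00:00Z", "Exfiltration"),         # bulk upload
]
INSIDER_EXFIL = [
    ("2024-06-10T14:00:00Z", "Discovery"),   # legitimate account, share enum
    ("2024-06-10T15:30:00Z", "Collection"),  # staging files
    ("2024-06-11T08:00:00Z", "Exfiltration"),
]
SECOND_FOOTHOLD = [
    ("2024-07-03T10:00:00Z", "Command and Control"),
    ("2024-07-03T10:40:00Z", "Discovery"),
    ("2024-07-03T11:15:00Z", "Initial Access"),  # new payload to another host
]

if __name__ == "__main__":
    for name, timeline in [("phishing", PHISHING_INTRUSION),
                           ("insider", INSIDER_EXFIL),
                           ("second foothold", SECOND_FOOTHOLD)]:
        print(name, analyze_chain(timeline))
```

The phishing timeline is the textbook case: the first detection sits at delivery, so only reconnaissance and weaponization (which happen on the attacker's side) are unobserved. The insider timeline starts at actions on objectives with six entry stages skipped, which is exactly the first limitation above; the third timeline steps back from C2 to delivery, which the linear model cannot express but ATT&CK's matrix handles naturally.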
Even with these limitations, the cyber kill chain remains valuable as an introductory framework for intuitively understanding the overall picture of an attack. It is also important to recognize that social engineering is heavily used in the delivery stage.