Kill Chain

8th January 2020 | Cybrary Kill Chain
The Kill Chain we need to pay attention to in order to prevent breaches of our company.

A Kill Chain in cybersecurity reveals the phases of a cyber attack, from early reconnaissance to the goal of data exfiltration. Kill chains are also used as management tools for security professionals to help continuously improve the security of their systems and networks. According to Lockheed Martin, threats must pass through many phases in the kill chain, including:

  1. Reconnaissance: Intruder selects target, researches it, and attempts to identify vulnerabilities in the target network.
  2. Weaponization: Intruder creates remote access malware weapon, such as a virus or worm, tailored to one or more vulnerabilities.
  3. Delivery: Intruder transmits weapon to target (e.g., via e-mail attachments, websites or USB drives).
  4. Exploitation: Malware weapon’s program code triggers, which takes action on target network to exploit vulnerability.
  5. Installation: Malware weapon installs access point (e.g., “backdoor”) usable by intruder.
  6. Command and Control: Malware enables intruder to have “hands on the keyboard” persistent access to target network.
  7. Actions on Objective: Intruder takes action to achieve their goals, such as data exfiltration, data destruction, or encryption for ransom.

 

Should SMBs worry about Kill Chains?

In a word: yes. Kill chains simply illustrate the process by which hackers infiltrate your network. Interrupting the kill chain means discovering the hacker before they complete step 7, Actions on Objective. As an SMB owner, you want to build a robust cybersecurity program that can identify hackers before they execute their objective. In most cases, that objective is a ransomware attack to force a bitcoin payment out of you. SMBs can interrupt the Kill Chain through education and awareness training to prevent steps 3 to 7 from occurring.

Source: Lockheed Martin, Varonis

To learn more about Kill Chains, watch this short video:

https://youtu.be/ucuytPpm2iI