The cyber kill chain is a series of steps that trace stages of a cyberattack from the early reconnaissance stages to the exfiltration of data. The kill chain helps us understand and combat ransomware, security breaches, and advanced persistent attacks (APTs).

How the Cyber Kill Chain Works

There are several core stages in the cyber kill chain. They range from reconnaissance (often the first stage in a malware attack) to lateral movement (moving laterally throughout the network to get access to more data) to data exfiltration (getting the data out). All of your common attack vectors — whether phishing or brute force or the latest strain of malware — trigger activity on the cyber kill chain.

• Reconnaissance
  The observation stage: attackers typically assess the situation from the outside-in, in order to identify both targets and tactics for the attack.
• Intrusion
  Based on what the attackers discovered in the reconnaissance phase, they’re able to get into your systems: often leveraging malware or security vulnerabilities.
• Exploitation
  The act of exploiting vulnerabilities, and delivering malicious code onto the system, in order to get a better foothold.
• Privilege Escalation
  Attackers often need more privileges on a system to get access to more data and permissions: for this, they need to escalate their privileges often to an Admin.
• Lateral Movement
  Once they’re in the system, attackers can move laterally to other systems and accounts in order to gain more leverage: whether that’s higher permissions, more data, or greater access to systems.
• Obfuscation / Anti-forensics
  In order to successfully pull off a cyberattack, attackers need to cover their tracks, and in this stage they often lay false trails, compromise data, and clear logs to confuse and/or slow down any forensics team.
• Denial of Service
  Disruption of normal access for users and systems, in order to stop the attack from being monitored, tracked, or blocked
• Exfiltration
  The extraction stage: getting data out of the compromised system.

Each phase of the kill chain is an opportunity to stop a cyberattack in progress: with the right tools to detect and recognize the behavior of each stage, you’re able to better defend against a systems or data breach.

Reconnaissance

In every heist, you’ve got to scope the joint first. Same principle applies in a cyber-heist: it’s the preliminary step of an attack, the information gathering mission. During reconnaissance, an attacker is seeking information that might reveal vulnerabilities and weak points in the system. Firewalls, intrusion prevention systems, perimeter security — these days, even social media accounts — get ID’d and investigated. Reconnaissance tools scan corporate networks to search for points of entry and vulnerabilities to be exploited.

Intrusion

Once you’ve got the intel, it’s time to break in. Intrusion is when the attack becomes active: attackers can send malware — including ransomware, spyware, and adware — to the system to gain entry. This is the delivery phase: it could be delivered by phishing email, it might be a compromised website or that really great coffee shop down the street with free, hacker-prone wifi. Intrusion is the point of entry for an attack, getting the attackers inside.

Exploitation

You’re inside the door, and the perimeter is breached. The exploitation stage of the attack…well, exploits the system, for lack of a better term. Attackers can now get into the system and install additional tools, modify security certificates and create new script files for nefarious purposes.

Privilege Escalation

What’s the point of getting in the building, if you’re stuck in the lobby? Attackers use privilege escalation to get elevated access to resources. Privilege escalation techniques often include brute force attacks, preying on password vulnerabilities, and exploiting zero day vulnerabilities. They’ll modify GPO security settings, configuration files, change permissions, and try to extract credentials.

Lateral Movement

You’ve got the run of the place, but you still need to find the vault. Attackers will move from system to system, in a lateral movement, to gain more access and find more assets. It’s also an advanced data discovery mission, where attackers seek out critical data and sensitive information, admin access and email servers — often using the same resources as IT and leveraging built-in tools like PowerShell — and position themselves to do the most damage.

Obfuscation (anti-forensics)

Put the security cameras on a loop and show an empty elevator so nobody sees what’s happening behind the scenes. Cyber-attackers do the same thing: conceal their presence and mask activity to avoid detection and thwart the inevitable investigation. This might mean wiping files and metadata, overwriting data with false timestamps (timestomping) and misleading information, or modifying critical information so that it looks like the data was never touched.

Denial of Service

Jam the phone lines and shut down the power grid. Here’s where the attackers target the network and data infrastructure, so that the legitimate users can’t get what they need. The denial of service (DoS) attack disrupts and suspends access, and could crash systems and flood services.

Exfiltration

Always have an exit strategy. The attackers get the data: they’ll copy, transfer, or move sensitive data to a controlled location, where they do with the data what they will. Ransom it, sell it on ebay, send it to wikileaks. It can take days to get all of the data out, but once it’s out, it’s in their control.