Cyber Kill Chain: Understanding & Mitigating Advanced Threats

February 13, 2020

Orion Cassetto

Use the kill chain model to understand how Advanced Persistent Threats (APTs) conduct attacks, and how to defend against every phase of the attack.

Cyber attacks have evolved dramatically over the past two decades. Social engineering, insider threats, and cloud technology have changed the way we look at the information security perimeter, and in many people’s minds have rendered the security perimeter irrelevant.

The cyber kill chain is a traditional security model that describes an old-school scenario — an external attacker taking steps to penetrate a network and steal its data — breaking down the steps of the attack to help organizations prepare. Nevertheless, it is still remarkably successful at describing threat vectors and attacks that are facing organizations today.

What is the cyber kill chain?

The cyber kill chain (CKC) is a classic cybersecurity model developed by the computer security incident response team (CSIRT) at Lockheed Martin. The purpose of the model is to better understand the stages an attacker must go through to conduct an attack, and to help security teams stop an attack at each stage.

The kill chain model describes an attack by an external attacker attempting to gain access to data or assets inside the security perimeter. The attacker performs reconnaissance, intrusion of the security perimeter, exploitation of vulnerabilities, gaining and escalating privileges, lateral movement to gain access to more valuable targets, attempts to obfuscate their activity, and finally exfiltrate data from the organization.

Figure 1 – Cyber kill chain with examples

The kill chain model mainly describes an advanced persistent threat (APT), a sophisticated attacker waging an organized attack campaign against a specific company.

8 phases of the cyber kill chain explained

Below we briefly explain the stages of an attack according to the LM-CIRT CKC model. In each stage we show a brief list of attacks taken from the MITRE ATT&CK Framework, which is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.

1. Reconnaissance
At the reconnaissance stage, the attacker gathers information about the target organization. They can use automated scanners to find vulnerabilities and weak points that may allow penetration. Attackers will try to identify and investigate security systems that are in place, such as firewalls, intrusion prevention systems and authentication mechanisms.

2. Intrusion
At the intrusion stage, attackers are attempting to get inside the security perimeter. Attackers commonly inject malware into a system to get a foothold. Malware could be delivered by social engineering emails, a compromised system or account, an “open door” representing a gap in security, such as an open port or unsecured endpoint, or an insider accomplice.

Example attacks in the intrusion stage:

  • External remote services
  • Spearphishing attachments
  • Supply chain compromise

3. Exploitation
At the exploitation stage, attackers seek additional vulnerabilities or weak points they can exploit inside the organization’s systems. For example, from the outside the attacker may have no access to an organization’s databases, but after the intrusion they can see that a database runs an old version that is exposed to a well-known vulnerability.

Example attacks in the exploitation stage:

  • PowerShell
  • Local job scheduling
  • Scripting
  • Dynamic data exchange

4. Privilege Escalation
In the privilege escalation stage, the goal of the attacker is to gain privileges to additional systems or accounts. Attackers may attempt brute force attacks, look for unsecured repositories of credentials, monitor unencrypted network traffic to identify credentials, or change permissions on existing compromised accounts.

Example attacks in the privilege escalation stage:

  • Access token manipulation
  • Path interception
  • Sudo attack
  • Process injection

5. Lateral Movement
In the lateral movement stage, attackers connect to additional systems and attempt to find the organization’s most valuable assets. Attackers move laterally from one system to another to gain access to privileged accounts, sensitive data, or access to critical assets. Lateral movement is a coordinated effort that may span multiple user accounts and IT systems.

Example attacks in the lateral movement stage:

  • SSH hijacking
  • Internal spear phishing
  • Shared webroot
  • Windows remote management

6. Obfuscation
At the obfuscation stage the attacker tries to cover their tracks. They may try to delete or modify logs, falsify timestamps, tamper with security systems, and take other actions to hide previous stages in the kill chain and make it appear that sensitive data or systems were not touched.

Example attacks in the obfuscation stage:

  • Binary padding
  • Code signing
  • File deletion
  • Hidden users
  • Process hollowing

7. Denial of Service
At the denial of service (DoS) stage, attackers attempt to disrupt an organization’s operations. Usually the aim is to draw the attention of security and operational staff and cause a distraction, enabling the attackers to achieve their real goal, which is data exfiltration. DoS can be waged against networks and production systems, including websites, email servers, or customer-facing applications.

Example attacks in the DoS stage:

  • Endpoint denial of service
  • Network denial of service
  • Resource hijacking
  • Service stop
  • System shutdown

8. Exfiltration
At the exfiltration stage, an advanced attacker finally “hits home”, getting their hands on the organization’s most sensitive data. Attackers will find a mechanism, typically some sort of protocol tunneling, to copy the data outside the organization, in order to sell the sensitive data, use it for additional attacks (for example, in the case of customer personal data or payment details), or openly distribute it to damage the organization.

Example attacks in the exfiltration stage:

  • Data compressed
  • Data encrypted
  • Exfiltration over alternative protocol
  • Exfiltration over a physical medium
  • Scheduled transfer

Security controls you can use to stop the kill chain

SBS Cybersecurity proposed five methods an organization can use to stop different stages of an attack. These are:

  • Detect—determine attempts to scan or penetrate the organization
  • Deny—stop attacks as they happen
  • Disrupt—intercept data communications carried out by the attacker and interrupt them
  • Degrade—create measures that will limit the effectiveness of an attack
  • Deceive—mislead an attacker by providing false information or setting up decoy assets

The following table shows how security tools can be used to apply each of the security controls to each kill chain stage. Several stage headings were not captured in this copy of the table and are marked as missing.

[stage heading missing from source]
Detect: Web Analytics; Threat Intelligence; Network Intrusion Detection System
Deny: Information Sharing Policy; Firewall Access Control Lists

[stage heading missing from source]
Detect: Threat Intelligence; Network Intrusion Detection System
Deny: Network Intrusion Prevention System

[stage heading missing from source]
Detect: Endpoint Malware Protection
Deny: Change Management; Application Whitelisting; Proxy Filter; Host-Based Intrusion Prevention System
Disrupt: Inline Anti-Virus
Degrade: Queuing
Contain: Router Access Control Lists; App-aware Firewall; Trust Zones; Inter-zone Network Intrusion Detection System

[stage heading missing from source]
Detect: Endpoint Malware Protection; Host-Based Intrusion Detection System
Deny: Secure Password; Patch Management
Disrupt: Data Execution Prevention
Contain: App-aware Firewall; Trust Zones; Inter-zone Network Intrusion Detection System

[stage heading missing from source]
Detect: Security Information and Event Management (SIEM); Host-Based Intrusion Detection System
Deny: Privilege Separation; Strong Passwords; Two-Factor Authentication
Disrupt: Router Access Control Lists
Contain: App-aware Firewall; Trust Zones; Inter-zone Network Intrusion Detection System

Command & Control
Detect: Network Intrusion Detection System; Host-Based Intrusion Detection System
Deny: Firewall Access Control Lists; Network Segmentation
Disrupt: Host-Based Intrusion Prevention System
Degrade: Tarpit
Deceive: Domain Name System Redirect
Contain: Trust Zones; Domain Name System Sinkholes

Actions on Objectives
Detect: Endpoint Malware Protection
Deny: Data-at-Rest Encryption
Disrupt: Endpoint Malware Protection
Degrade: Quality of Service
Deceive: Honeypot
Contain: Incident Response

[stage heading missing from source]
Detect: Data Loss Prevention; Security Information and Event Management (SIEM)
Deny: Egress Filtering
Disrupt: Data Loss Prevention
Contain: Firewall Access Control Lists

Source: SBS Cybersecurity

How UEBA technology helps identify and stop advanced threats

The cyber kill chain model primarily focuses on advanced persistent threats (APT). APT attackers excel at hiding their activity and covering their tracks and can be very difficult to detect once they are inside the corporate network. APT attacks are conducted by a group of skilled hackers who target enterprise systems by infiltrating and moving laterally through the organization over a period of months, while carefully avoiding detection. While each of those steps may evade traditional detection techniques, together they create an anomalous picture.

Modern security tools, such as user and entity behavior analytics (UEBA), can help detect various techniques used by modern attackers. Using machine learning with UEBA provides the ability to learn user behavior and integrate it into the detection engine, saving analysts an enormous amount of detection time.

UEBA dynamically adapts to an environment and, unlike traditional methods, can detect subtle changes in behavior. UEBA can analyze massive amounts of data from disparate systems and identify anomalous behavior of users, machines, networks and applications. When something seems different or suspicious, the UEBA system can pick up on it and alert security teams.

In order to resolve behavioral patterns into attack sequences, security analysts need to see the complete picture of the attack kill chain. UEBA should tie all the relevant events together into a timeline to make sense of the attack. This makes it possible to detect APTs and related attacker techniques early in the game before an actual breach occurs. For example, UEBA can detect reconnaissance activity, which appears as irregular network traffic; identify penetration attempts as unusual or suspicious logins, and pick up on anomalous behavior of compromised user accounts in subsequent stages of the attack.
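As an added illustration of the baseline-then-score approach described above (example code written for this page, not Exabeam's product logic or any real UEBA implementation), the toy below learns each user's usual source hosts and hours from a training window of constructed authentication events, flags later events that deviate, and orders one user's deviations into a timeline so they read as a sequence (unusual login, then onward hop) rather than as isolated alerts. All hostnames, users and log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample logs (not real data): "timestamp,user,src_host,dst_host,result"
BASELINE_LOGS = [
    "2020-02-03T09:02:00,alice,ws-alice,fileserver01,success",
    "2020-02-04T08:58:00,alice,ws-alice,fileserver01,success",
    "2020-02-04T13:20:00,bob,ws-bob,fileserver01,success",
    "2020-02-05T09:10:00,alice,ws-alice,fileserver01,success",
]
NEW_LOGS = [
    "2020-02-10T09:05:00,alice,ws-alice,fileserver01,success",  # routine
    "2020-02-10T23:41:00,alice,vpn-gw,fileserver01,failure",    # new source, odd hour
    "2020-02-10T23:42:00,alice,vpn-gw,fileserver01,success",
    "2020-02-10T23:50:00,alice,fileserver01,db01,success",      # hop onward: lateral move
    "2020-02-10T14:00:00,bob,ws-bob,fileserver01,success",      # routine
]

def parse(line):
    ts, user, src, dst, result = line.split(",")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "src": src, "dst": dst, "result": result}

def hour_bucket(ts):
    # 6-hour buckets so small schedule drift is not flagged as "new"
    return ts.hour // 6

def build_baseline(lines):
    """Per-user set of (src_host, hour_bucket) pairs seen during training."""
    seen = defaultdict(set)
    for e in map(parse, lines):
        seen[e["user"]].add((e["src"], hour_bucket(e["ts"])))
    return seen

def score(event, baseline):
    """Reasons this event deviates from its user's baseline; empty list = normal."""
    profile = baseline.get(event["user"])
    if profile is None:
        return ["unknown user"]
    reasons = []
    if event["src"] not in {src for src, _ in profile}:
        reasons.append("new source host")
    if hour_bucket(event["ts"]) not in {h for _, h in profile}:
        reasons.append("unusual hour")
    return reasons

def timeline(lines, baseline):
    """Chronological (user, ts, src->dst, reasons) for anomalous events only."""
    hits = []
    for e in sorted(map(parse, lines), key=lambda e: e["ts"]):
        reasons = score(e, baseline)
        if reasons:
            hits.append((e["user"], e["ts"].isoformat(), f"{e['src']}->{e['dst']}", reasons))
    return hits
```

Running `timeline(NEW_LOGS, build_baseline(BASELINE_LOGS))` returns only alice's three late-night events, in order, each with the reason it deviated; a real UEBA system replaces the set-membership baseline with learned statistical models over many more attributes.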

Time is critical in finding sophisticated attack sequences. With modern tools such as UEBA, security analysts can now trace the steps an attacker has taken and detect them before they cause damage to an organization.
