The phases of a cyber attack, from discovering a threat to ultimately causing a cybersecurity breach in an organisation, is called the cyber kill chain. The term originates from a military connotation. The cyber kill chain can help organisations understand how threat actors target their systems and bypass system security. In turn, this can help the organisation implement preventive controls.
Many frameworks encapsulate the cyber kill chain. The defence contractor Lockheed Martin defined the most popular of these, and over time such frameworks have evolved and been redefined by other companies. However, the essential phases or stages of a cyber kill chain remain consistent across frameworks:
- Discovery: an attacker conducts reconnaissance on the organisation’s exposed attack surface. These may include public-facing servers, their network, or credentials available on the Internet. The attacker systematically probes for the most likely attack vector, or “the way in” to the organisation’s security perimeter.
- Developing the attack: after assessing weaknesses in the organisation’s network, the attacker will develop the appropriate exploit to deploy on the organisation’s systems. This may be a system payload, such as code to exploit an unpatched system, or social engineering mechanisms, such as crafting a phishing email.
- Infiltration: the attacker deploys the exploit onto the organisation’s systems. The exploit executes code that provides the attacker access to the organisation’s systems or information, such as company credentials or confidential data.
- Persistent access: also known as ‘command and control’ in a military setting, the attacker seeks to install software on the organisation’s assets that will give the attacker continued access, such as remotely controlling the target.
- End goal: the attacker has either reached the goals they set in the discovery phase or new goals based on information available in the infiltration phase. At this stage, the attacker may erase their tracks, revoke their access, or hold the organisation to ransom.
As threats evolve, each stage of the cyber kill chain also evolves. A related term is the cyber kill switch, which is an action that will pause or completely stop the attack in its tracks. The sooner a kill switch is triggered in the kill chain, the better the organisation is protected. For example, during the WannaCry ransomware attack in 2017, a kill switch was triggered during the ‘persistent access’ phase for some companies and the ‘end goal’ phase for others. Marcus Hutchins, aka MalwareTech, the British computer security researcher created a digital diversion for the malware that stopped its spread globally.