ⓘ Kill chain

Kill chain

ⓘ Kill chain

The term kill chain was originally used as a military concept related to the structure of an attack; consisting of target identification, force dispatch to target, decision and order to attack the target, and finally the destruction of the target. Conversely, the idea of "breaking" an opponents kill chain is a method of defense or preemptive action. More recently, Lockheed Martin adapted this concept to information security, using it as a method for modeling intrusions on a computer network. The cyber kill chain model has seen some adoption in the information security community. However, acceptance is not universal, with critics pointing to what they believe are fundamental flaws in the model.


1.1. The military kill chain F2T2EA

One military kill chain model is the "F2T2EA", which includes the following phases:

  • Track: Monitor the targets movement. Keep track of the target until either a decision is made not to engage the target or the target is successfully engaged.
  • Assess: Evaluate effects of the attack, including any intelligence gathered at the location.
  • Fix: Fix the targets location. Obtain specific coordinates for the target either from existing data or by collecting additional data.
  • Engage: Apply the weapon to the target.
  • Find: Identify a target. Find a target within surveillance or reconnaissance data or via intelligence means.
  • Target: Select an appropriate weapon or asset to use on the target to create desired effects. Apply command and control capabilities to assess the value of the target and the availability of appropriate weapons to engage it.

This is an integrated, end-to-end process described as a "chain" because an interruption at any stage can interrupt the entire process.


1.2. The military kill chain Previous terminology

The "Four Fs" is a military term used in the United States military, especially during World War II.

Designed to be easy to remember, the "Four Fs" are as follows:

  • Fix the enemy – Pin them down with suppressing fire
  • Fight the enemy – Engage the enemy in combat or flank the enemy – Send soldiers to the enemys sides or rear
  • Finish the enemy – Eliminate all enemy combatants
  • Find the enemy – Locate the enemy

1.3. The military kill chain North Korean nuclear capability

A new American military contingency plan called "Kill Chain" is reportedly the first step in a new strategy to use satellite imagery to identify North Korean launch sites, nuclear facilities and manufacturing capability and destroy them pre-emptively if a conflict seems imminent. The plan was mentioned in a joint statement by the United States and South Korea.


2.1. The cyber kill chain Attack phases and countermeasures

Computer scientists at Lockheed-Martin corporation described a new "intrusion kill chain" framework or model to defend computer networks in 2011. They wrote that attacks may occur in phases and can be disrupted through controls established at each phase. Since then, the "cyber kill chain™" has been adopted by data security organizations to define phases of cyber-attacks.

A cyber kill chain reveals the phases of a cyber attack: from early reconnaissance to the goal of data exfiltration. The kill chain can also be used as a management tool to help continuously improve network defense. According to Lockheed Martin, threats must progress through several phases in the model, including:

  • Reconnaissance: Intruder selects target, researches it, and attempts to identify vulnerabilities in the target network.
  • Command and Control: Malware enables intruder to have "hands on the keyboard" persistent access to target network.
  • Delivery: Intruder transmits weapon to target
  • Installation: Malware weapon installs access point e.g., "backdoor" usable by intruder.
  • Exploitation: Malware weapons program code triggers, which takes action on target network to exploit vulnerability.
  • Weaponization: Intruder creates remote access malware weapon, such as a virus or worm, tailored to one or more vulnerabilities.
  • Actions on Objective: Intruder takes action to achieve their goals, such as data exfiltration, data destruction, or encryption for ransom.

Defensive courses of action can be taken against these phases:

  • Degrade: counter-attack command and control
  • Contain: network segmentation changes
  • Disrupt: stop or change outbound traffic to attacker
  • Deny: prevent information disclosure and unauthorized access
  • Detect: determine whether an attacker is poking around
  • Deceive: interfere with command and control

A U.S. Senate investigation of the 2013 Target Corporation data breach included analysis based on the Lockheed-Martin kill chain framework. It identified several stages where controls did not prevent or detect progression of the attack.


2.2. The cyber kill chain Alternative kill chains

Different organizations have constructed their own kill chains to try to model different cyber threats. FireEye proposes a linear model similar to Lockheed-Martins. In FireEyes kill chain the persistence of threats is emphasized. This model stresses that a threat does not end after one cycle.

  • Privilege escalation/ lateral movement/ data exfiltration
  • Install various utilities
  • Establish a backdoor into the network
  • Obtain user credentials
  • Maintain persistence
  • Reconnaissance
  • Initial intrusion into the network

2.3. The cyber kill chain Critiques of the cyber kill chain

Among the critiques of Lockheed Martins cyber kill chain model as threat assessment and prevention tool is that the first phases happen outside the defended network, making it difficult to identify or defend against actions in these phases. Similarly, this methodology is said to reinforce traditional perimeter-based and malware-prevention based defensive strategies. Others have noted that the traditional cyber kill chain isnt suitable to model the insider threat. This is particularly troublesome given the likelihood of successful attacks that breach the internal network perimeter, which is why organizations "need to develop a strategy for dealing with attackers inside the firewall. They need to think of every attacker as potential insider".


3. The unified kill chain

A unified version of the kill chain was developed to overcome common critiques against the traditional cyber kill chain, by uniting and extending Lockheed Martins kill chain and MITRE’s ATT&CK framework. The unified kill chain is an ordered arrangement of 18 unique attack phases that may occur in end-to-end cyber attacks, which covers activities that occur outside and within the defended network. As such, the unified kill chain improves over the scope limitations of the traditional kill chain and the time-agnostic nature of tactics in MITREs ATT&CK. The unified model can be used to analyze, compare and defend against end-to-end cyber attacks by advanced persistent threats APTs.