Skip to main content
Custom print
Download Original PDF

2.4 The Cyber Kill Chain Methodology

No: 562240000067 Date(g): 13/5/2019 | Date(h): 9/9/1440 Status: In-Force

Effective from 2019-05-13 - May 12 2019
To view other versions open the versions tab on the right

The Cyber Kill Chain1 provides a conceptual model to describe an attack. The term “chain” reflects the end-to-end process adopted by an attacker. 
 
The Cyber Kill Chain provides a good insight into how an attack works and where the different tools and methods employed at each stage. To lower the risk of a successful attack, defensive measures (e.g. preventive, detective and responsive and corrective) should be considered and taken for each of the steps of the kill chain to reduce the probability of being compromised and improve the resilience of the Member Organization. 
 
The following seven (7) stages characterize an advanced cyber-attack in the cyber kill chain: 
 
 
 
Figure 2 Seven stages of a cyber-attack, with the red team and blue teams main tasks 
 
  1. Reconnaissance: 
     The first stage is about selecting a target and gathering information about the target to determine attack methods. This happens before the attack is executed. Examples of useful information can be: names, phone numbers, email addresses, functions, private or professional areas of interest of employees on the internet and published information about the software that an organization is using. 
     
  2. Weaponize: 
     The attacker creates the malicious payload/file for a specific target based upon information retrieved during the reconnaissance stage. The attack can come in many different formats and is based upon the creativity of the attacker, the available set of defenses and the possible vulnerabilities. 
     
  3. Delivery: 
     The transmission of the crafted attack to the victims by the use of different means, such as: email (attachments), phishing, websites, physical devices or social engineering. 
     
  4. Exploitation: 
     Triggering or activating the malicious payload/file (i.e. malware) will result in a successful penetration of the target's system and network. A staged malware attack limits the possibility of detection. The malware will communicate back to the malicious attacker over a secure channel, which limits the chance of detection. Attackers usually use popular methods and file formats to deliver the malware executables (e.g. Microsoft office files, pdf files, malicious websites, phishing emails and removable media). 
     
  5. Installation: 
     The actual installation of malicious payload/file or software that supports the malicious attacker. In order to make the malware and backdoor(s) persistent, the attackers could install additional malware or malicious software tools to ensure that the attack can continue if the initial compromised system or active malware is disabled. 
     
  6. Command and Control: 
     A compromised system will usually connect back to the attacker, to establish a so-called command-and- control channel, which allows remote control of the malware. Especially in advanced persistent threat (APT) malware, the attacker will control the malware and explore the network by using this type of remote access. 
     
  7. Actions on Objective: 
     After the attacker completed his malicious actions or achieved his goals, the attacker will try to cover his digital tracks and traces by using different techniques, like data exfiltration, or will use the compromised system as starting point to ‘hop on' to other systems in the network (i.e. lateral movement), to search for other high value assets or targets. 
     
1 Computer scientists at Lockheed-Martin corporation developed and described the "intrusion kill chain" framework to defend computer networks in 2011.