Building defenses with the Cyber Kill Chain framework

During this phase, attackers search for vulnerabilities or other target data (such as leaked credentials, open network ports, or social media profile information) to exploit in a cyberattack. 

Attacker activities	Common IOCs	Controls to consider	Defender actions
Network scanning Open-source intelligence gathering Social engineering probing	Port scanning and host discovery Traffic on uncommon ports or protocols Suspicious emails and phone calls	Network intrusion detection and intrusion prevention systems (IDS and IPS), firewall logs, and network flow analysis Threat intelligence data feeds Email security and analytics Web, social media, and breach site monitoring	Detecting and correlating network scanning Implementing security awareness training for employees Controlling access to sensitive information Establishing a social media policy for employees

In this phase, attackers use information gathered during reconnaissance to create specific attacks tailored to the target and overall attack goals. For example, in phishing campaigns, attackers weaponize legitimate organization staff names in fraudulent email messages.

Attacker activities	Common IOCs	Controls to consider	Defender actions
Creating malware payload Embedding and obfuscating malware Creating pretext (email messages, phone call scripts)	Discovery of fake websites and social media profiles Change in the volume or content of spam and phishing emails	Network IDS and IPS Sandboxing Email and file quarantines	Running threat modeling and tabletop exercises Analyzing threat intelligence Performing ongoing tactic, technique, and procedure research

During this phase, attackers use the information gained in the reconnaissance phase to launch the attack developed in the weaponization phase.

Attacker activities	Common IOCs	Controls to consider	Defender actions
Phishing and vishing campaigns Website file dropping Brute force login attempts Structured query language injection Malformed packets	Network anomalies (ports and protocols, traffic volume) Web application errors Suspicious URLs or domain name system queries File creation Failed logons Suspicious emails	Security information and event management and log monitoring Sandboxing Email and file quarantines	Running threat hunting exercises Establishing log review

In this phase, the attack payload, having been successfully delivered during weaponization, is executed on the target system. Controls or defenses that should prevent the attack are bypassed.

Attacker activities	Common IOCs	Controls to consider	Defender actions
Binary and file execution Local system utility execution Account login Disabling security controls	Process creation events Logon session creation Creating new network connections Deleting or disabling antivirus and monitoring tools	Next generation antivirus and endpoint protection platform Endpoint detection and response and extended detection and response Outbound traffic inspection and filtering Restricting logins to trusted locations or location positioning systems and expected time of day	Monitoring running processes and network connections Monitoring user login events – especially administrative sessions Reviewing the health status of security tools

After a successful exploitation of the target, attackers install malware or other access tools on the system. Once completed, attackers will have penetrated the next layer of defensive controls and have control of the target.

Attacker activities	Common IOCs	Controls to consider	Defender actions
Establishing persistence Creating scheduled tasks Creating new user accounts Changing passwords Deleting or clearing logs Attempting to elevate privileges	Unusual log events Registry changes such as startup tasks Suspicious scheduled tasks Modification of system files or configuration New services created or running Unauthorized password changes	Limitations on user permissions to install software Application control	Monitoring software installations and program paths Monitoring user login events – especially administrative sessions

During this phase, attackers can use existing access to continue operating within the target system or network. Attackers can repeat earlier steps to gain additional access or exploit other systems – all with the purpose of achieving the end goal of the attack.

Attacker activities	Common IOCs	Controls to consider	Defender actions
Establishing additional persistence Lateral movement Additional reconnaissance and further exploitation Additional attack tool deployment Attempts to elevate privileges	Uncommon and suspicious network traffic Unauthorized internal network and port scans Suspicious user accounts and applications Unusual host-to-host (east-west) traffic Systems, application, and network performance degraded	Network segmentation Host-based firewalls Network traffic baselines Zero-trust architecture Patch management	Performing threat hunting and log review Investigating alerts and incidents Running endpoint and network scans

During this phase, attackers focus on the ultimate goal of the attack, whether that be data theft or destruction, system disruption, or establishing longer term unauthorized access as part of a larger campaign.

Attacker activities	Common IOCs	Controls to consider	Defender actions
Sensitive data access System and application disruption Data encryption or ransomware Data exfiltration	Abnormal outbound network traffic Abnormal user or host access patterns Large data transfer Change in storage use or backup sizes Encrypted files or ransom notes	Outbound traffic filtering Data loss prevention tools Data backup tools	Confirming isolation and containment Testing and performing incident response procedures Testing and performing backup, restoration, and recovery procedures

These examples are only a few of the common attacker activities, IOCs, controls, and defensive responses organizations should consider when assessing their cybersecurity posture. By holistically understanding the Cyber Kill Chain framework and how each of its phases apply specifically to a unique threat surface, organizations can properly assess those threats and their impact and incorporate that knowledge into their threat modeling process.

To take a proactive approach, organizations should:

• Understand the phases. Become familiar with the Cyber Kill Chain framework, particularly how the phases, from beginning to end, apply to the organization’s unique attack surface.
• Identify potential threats. Analyze each phase and identify potential threats unique to the organization’s environment. Use the preceding examples as a starting point.
• Map threats to the organization, systems, and process. Consider how each threat could exploit a vulnerability and affect assets, data, or users.
• Prioritize threats. Perform risk assessment on threats by considering both potential impact and likelihood. Focus on threats that are most likely and have high impacts.
• Develop or enhance mitigations. Prioritize threats to either enhance existing defensive measures or develop new ones, using the preceding information as a starting point. Include mitigations at all phases of an attack for a solid defense-in-depth strategy.
• Assess effectiveness and iterate. Assess and test controls to confirm they are effective. Revise and adapt mitigations to meet the conditions of the rapidly changing threat landscape.
• Apply lessons learned. Incorporate ongoing reviews and post-mortems into the security program. Use knowledge gained from assessments and incidents to further enhance the organization’s security posture.

Limits of the Cyber Kill Chain framework

While the Cyber Kill Chain framework is an excellent tool for understanding how attackers can move through the phases of a cyberattack, it is not perfect, nor is it the only useful framework.

One criticism of the Cyber Kill Chain framework is that it overemphasizes perimeter defenses at the expense of mitigating insider threats and overall data protection. Another criticism is that it focuses on a very linear attack model with little attention to post-exploitation activity.

Like any framework, the Cyber Kill Chain framework is not the best fit for all attacks, insider threats, or social engineering attacks. Other frameworks that can be used as alternatives to, or in conjunction with, the Cyber Kill Chain framework include:

• The MITRE ATT&CK^® framework, which provides detailed breakdowns of real-world tactics and techniques used by threat actors
• The Unified Kill Chain, an alternative and integrated model that expands on the Cyber Kill Chain and integrates elements from the ATT&CK framework
• The Diamond Model of Intrusion Analysis, which breaks attacks into four components: adversary, infrastructure, victim, and capability

Adapting to today’s threats

Combining the knowledge of the Cyber Kill Chain framework with incident response team threat modeling provides organizations a strong foundation on which to execute, measure, and improve their cybersecurity programs. Furthermore, understanding how to best defend against each phase of an attack enables organizations to better focus targeted defenses and controls where they will be most effective.

Building and using threat models, assessing adversaries, and testing cybersecurity controls are ongoing and iterative processes that require an investment of resources and time. But that investment is worth it. Being secure means continually adapting to today’s threats while proactively protecting against the threats of tomorrow.