Cyber Kill Chain Steps and How to Defend Against APTs

Computer with a lock on the keypad

The Cyber Kill Chain® methodology was developed by the military defense firm, Lockheed Martin, to address cyberattacks by identifying the pattern and behavior of cybercriminals as they carry out an attack. These actions are referred to as cyber kill phases.[1] The Cyber Kill Chain steps identified by Lockheed Martin are:

  1. Reconnaissance: Attackers scope targets out online, harvest public information, conduct in-depth research, and search for weak points in a company’s network.
  2. Weaponization: Once a vulnerability is identified, hackers create their attack to target the weak points.
  3. Delivery: Cybercriminals execute their attacks to intended victims. Common techniques are through phishing email attacks, compromised user accounts, infected USB devices, and more.
  4. Exploitation: Vulnerable software or system architecture is taken advantage of.
  5. Installation: Malware is installed on the target asset.
  6. Command & Control: Attackers gain control of the device, and the supply chain network is established.
  7. Actions on Objectives: Now that the hacker has access to the organization, they execute actions to achieve their objectives.

With sophisticated modern-day technology, attackers can automate these Cyber Kill Chain steps and reach a wide net of potential victims. Professionals in the cybersecurity industry are constantly combating advanced persistent threats (APTs) and streamlining defenses to keep up with the complexity, variety, and volume of attacks. Common types of APTs are malware, Emotet, denial-of-service (DoS), man in the middle (MITM), phishing, SQL injection, and password attacks.[2]

Due to the ever-changing cybersecurity landscape, Cyber Kill Chain models have evolved and today there are other different models that combine or expand on some of the core Lockheed Martin Cyber Kill Chain principles.

Regardless of the model, once you understand the steps or phases of a typical Cyber Kill Chain, you can plot how to defend your organization. The MITRE Corporation recommends the following strategies[3] for an active cyber defense campaign:

  1. Reconnaissance: Use available resources to be aware of malware hacking indicators.
  2. Weaponize: Employ anti-virus software that uses signature-based techniques to detect malware.
  3. Deliver: Intercept malware before installation.
  4. Exploit: Employ tools that can detect zero-day exploitation signatures, trends, and behaviors.
  5. Control: Employ a full-featured intrusion detection system.
  6. Execute: Run these tools to detect existing internal compromises.
  7. Maintain: Continuously monitor on-premises, off-site, and cloud hosts.

Capturing and analyzing the information gleaned in each phase of the Cyber Kill Chain can be seen using the LogRhythm MITRE ATT&K® knowledge base of real-world attack tactics and techniques. LogRhythm captures Cyber Kill Chain linear workflow data and uses that information in their MITRE ATT&K solution to help companies assess the effectiveness of their security processes and procedures to identify areas for improvement, helping those companies mature and strengthen their defenses.

Defending Against APTs

Proactive detection of APTs is key to securing your organization. The LogRhythm NextGen SIEM Platform provides an end-to-end solution enabling the detection, investigation, and neutralization of threats. LogRhythm’s AI Engine provides continuous correlation of all environmental activity via dashboards, enabling you to target and prioritize your threat detection along every step of the Cyber Kill Chain so that you can respond quickly in the event of an incident.

On premises, off-site, and cloud hosted security can be maintained using LogRhythm’s user and entity behavior (UEBA) capabilities to catch anomalous user behavior on a proactive basis using the platform’s CloudAI machine learning functionality to monitor for known threats and behavior changes. Watch how the LogRhythm UEBA’s UserXDR solution performs analytics, anomaly detection, and profile checks to detect and stop an insider threat.

With APT attack strategies changing from a focus on a single company to disrupting entire networks of supply chains, an offensive network threat hunting strategy should be employed all along the Cyber Kill Chain model. MistNet Network Detection and Response (NDR) by LogRhythm is an automated threat detection solution that eliminates blind spots while monitoring your network in real time. The solution’s machine learning capabilities and built-in MITRE ATT&CK engine can help you scale data collection and deliver comprehensive and accurate analytics. With this combined effort, your organization can be proactive against steps taken in the Cyber Kill Chain.

Learn more about how you can reduce risk from APTs and streamline your security operations.

[1] https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html

[2] https://onlinedegrees.und.edu/blog/types-of-cyber-security-threats/

[3] https://www.mitre.org/sites/default/files/publications/active_defense_strategy.pdf


Subscribe to our Blog Newsletter