Cyber Kill Chain

From ICANNWiki
Jump to navigation Jump to search

The Cyber Kill Chain is a series of steps for tracing the stages of a cyberattack.[1] The steps include:

  1. Reconnaissance: Attackers assess the situation to identify targets and tactics.
  2. Intrusion: with malware or security vulnerabilities.
  3. Exploitation: of vulnerabilities to deliver malicious code into the system.
  4. Privilege Escalation: Attackers escalate their privileges to the level of Admin to gain access to data and permissions.
  5. Lateral Movement: Attackers move laterally to other systems and accounts, gaining leverage, higher permissions and more data and access.
  6. Obfuscation/Anti-forensics: Attackers cover their tracks with false trails, compromise data, and clear logs to confuse forensics teams.
  7. Denial of Service: Attackers disrupt access for users and systems to evade monitoring, tracking, or being blocked.
  8. Exfiltration: Attackers extract data from the compromised system.[2]


In 2011, Lockheed Martin released a paper defining a Cyber Kill Chain that was similar in concept to the U.S. military’s model.[3] Since then, organizations and companies have released various versions, including AT&T's "Internal Cyber Kill Chain Model"[4] and Paul Pols' "Unified Kill Chain."[5]