Cyber Kill Chain
Appearance
The Cyber Kill Chain is a series of steps for tracing the stages of a cyberattack.[1] The steps include:
- Reconnaissance: Attackers assess the situation to identify targets and tactics.
- Intrusion: with malware or security vulnerabilities.
- Exploitation: of vulnerabilities to deliver malicious code into the system.
- Privilege Escalation: Attackers escalate their privileges to the level of Admin to gain access to data and permissions.
- Lateral Movement: Attackers move laterally to other systems and accounts, gaining leverage, higher permissions and more data and access.
- Obfuscation/Anti-forensics: Attackers cover their tracks with false trails, compromise data, and clear logs to confuse forensics teams.
- Denial of Service: Attackers disrupt access for users and systems to evade monitoring, tracking, or being blocked.
- Exfiltration: Attackers extract data from the compromised system.[2]
History
In 2011, Lockheed Martin released a paper defining a Cyber Kill Chain that was similar in concept to the U.S. military’s model.[3] Since then, organizations and companies have released various versions, including AT&T's "Internal Cyber Kill Chain Model"[4] and Paul Pols' "Unified Kill Chain."[5]