What is the Cyber Kill Chain?

In military theory, warfare divides into three levels. The first is tactics, the second is operations, and the third is strategy. Each of these levels provides several aspects into the art of war, making you much more versatile as a practitioner. When it comes to cyber security, there is no difference. When trying to learn hacking, it is easy to focus on the commands, tools, and techniques to hack your target. However, this can deviate you from the bigger picture of why you are hacking in the first place.  

The Cyber Kill Chain Framework  

The cyber kill chain framework was first published in a 2013 paper that was titled as, “Intelligence-Driven Computer Network Defense.” Eric Hitchins, Micheal Coppert, and Rohan Amin collectively developed an analogy for offensive cyber security with the example of a military kill chain. They adapted the cyber kill chain into seven steps.  

These seven steps are as follows:  

  • Reconnaissance 
  • Weaponization  
  • Exploitation 
  • Delivery  
  • Installation  
  • Command and Control  
  • Actions on Objective  

Modern cyber-attacks are likely to integrate these steps during an attack by using automation techniques.  



There are two forms of reconnaissance: active and passive. Passive reconnaissance refers to using search engines and other sources to harvest information about a target. This pertains to emails, conference information, etc. This is a safer way for a hacker to gather information since it is difficult for their target entity to prevent it. They are simply using public sources to extract information.  

Active reconnaissance in when the hacker must touch the target’s network. This involves using tools to scan their networks. When a hacker attempts to do this, it creates plenty of noise, which is quite easy for businesses and corporations to identify and detect.  


Weaponization and Delivery  

Looking out for weaponization will require one to identify phishing campaigns and mass emails as the backdoor, and the payload to be integrated into the email. The concept of Delivery refers to how one is weaponizing one’s exploits and how to get to the target.  

You need to think of the hacker’s exploit as a package and the backdoor as someone’s house. You must get the package to the house, and in terms of cyber-attacks, the delivery system can be varied. Most commonly, the delivery system is an email.  


Exploitation and Installation 

Exploitation refers to a means in which you can get someone to click on something malicious, thus allowing the hacker to harvest credentials. It is about the action. A cyber kill chain is more oriented towards persistent threats that want to exploit large corporations and businesses.  

The next step of the process is installation. Once the hackers have gained access to the target’s system, they usually install more malware into the system so that they can get even more access and information.  


Command and Control 

At this point in the process, the attacker is given an outlet or link back to the victim’s computer and they can remotely do what they want behind the scenes, even while the victim is present at the computer. This is when the victim is in the most danger. They now have a fully compromised machine or system inside of their network. 

If a hacker gets to this stage, they are likely to pick up speed and get things done. The deeper a hacker can go into the cyber kill chain, the less likely they will be caught. The hacker has thus successfully penetrated a system and can continue exploring data and making exploitative changes.  


Actions on Objectives  

The last mile of the hacker’s race, perpetrators go through steps to finish what they started. Whether they are looking for employee information, credit card numbers, or more, this is the place where they would come back repeatedly and pull-out information, very slyly, so that it is not noticeable. This step is exceedingly difficult to detect since one must look for small bits of data being pulled up by a hundred different IP addresses at a time.  


Cyber Security Considerations  

The action of objectives is a stage where the strategic level of considerations for cyber security starts. It sets the foundations for all operational and tactical steps in the kill chain. Examples of some of the strategic objectives can include intelligence gathering, or theft, extortion, and fraud. At the end of the day, hacking is a means to an end, and the cyber kill chain is the path that guides hackers to that end.  

A successful cyber-security solution puts defensive mechanisms at each stage of the cyber-kill chain process. Scanning and analysis tools, threat detection and alerting, email protection, two-factor authentication, disaster recovery planning and even antivirus and backup can all be important components of a defensive position for business IT security. 


Final Thoughts  

To prevent an attack, sometimes one must get into the mind of the attacker, to anticipate their moves and intervene on time. The cyber kill chain is an effective consideration for cyber security companies, as it helps businesses take a more offensive and effective approach toward protection.  


About PulseOne  

Want to learn more about what preventative steps you can take to protect yourself and your business? At PulseOne, we put our insight and experience in IT management solutions to work for you. Receive enterprise-level IT support from a company that passionately works for your success. Start by contacting us here. Annual Security Audit is another important factor in business security see more about annual security audits in our article.

Related Articles

Want To Learn More About PulseOne?