
What is it?

The attack lifecycle or sequence of phases that malicious hackers use to exploit their targets.

Why is it important?

Cybersecurity professionals can create winning security and readiness programs by understanding the methods of their adversaries.

Why does a business professional need to know this?

Understanding the kill chain helps cybersecurity professionals see the attack from the attacker’s perspective, and helps business professionals understand the process that cybersecurity specialists follow when investigating a breach.

Understanding each phase of the kill chain and how those phases relate to the IT landscape of your organization can help you develop the policies, controls, and preparations needed to defend against attacks.

The kill chain phases include the following:

  1. Reconnaissance: attackers gather information about their target, building a profile of it and identifying its vulnerabilities.
  2. Infiltration: attackers weaponize the information to break into vulnerable systems, typically through network vulnerabilities or social engineering.
  3. Exploitation: after breaking in, attackers exploit their access and hunt for valuable targets, including email archives, credit card data, and customer records.
  4. Exfiltration: the process attackers use to capture and remove data. This can be done all at once or over a period of time.
  5. Monetization or media release: criminals motivated by money typically sell data on the dark web to the highest bidder; those motivated by political reasons are more likely to deliver data directly to the media or WikiLeaks.

A good defensive practice is to map the kill chain to high-risk targets (for example, an email archive), work out how an attacker would go about stealing the archive, and then put controls and policies in place to block a cybercriminal at each phase, effectively breaking the kill chain (Sager 2014).

References

About Simon Puleo


Simon Puleo, Certified Ethical Hacker (CEH), is an educator/trainer by day and a security researcher at night. As a global enablement manager at Micro Focus, he helps employees and customers implement identity-powered security with an emphasis on access control, including multi-factor authentication and identity governance. Previously, he worked for Hewlett Packard Enterprise Security, focusing on application security, encryption key management, and security information and event management (SIEM). Simon is a thought leader actively engaged in researching the cyber-threat landscape and sharing his perspectives in seminars and articles.

Term: Kill Chain

Email: Simon.Puleo@gmail.com

Twitter: @simon_puleo

LinkedIn: linkedin.com/in/simonpuleo

What is it?

Authorized testing of a computer system or network with the intention of finding vulnerabilities. Also called pen testing.

Why is it important?

A cyberattack can harm not only your organization, but also customers, partners, employees, and vendors. Penetration testing can reveal vulnerabilities, suggest improvements to your systems, and reduce risk for your organization. In addition, penetration testing is encouraged and even required by certain industry standards.

...continue reading "Term of the Week: Penetration Testing"


What is it?

A test for security vulnerabilities that looks at the source code or binary of an application without running it.

Why is it important?

Static Application Security Testing (SAST) can be used before an application is executable, enabling early and regular tests for security vulnerabilities. SAST allows developers to fix problems during the development phase of an application and at a much lower cost than when the code is in quality assurance (QA) or production.

...continue reading "Term of the Week: Static Application Security Testing"

What is it?

A formal method to identify, characterize, and prioritize risks and threats, typically with the goal of reducing them; also known as threat analysis or risk analysis.

Why is it important?

Most software is riddled with vulnerabilities, and software is pervasive in devices such as phones, cars, voting machines, etc. Threat modeling is one of the most effective ways to avoid and find vulnerabilities.

...continue reading "Term of the Week: Threat Modeling"

What is it?

A systematic investigation of network and system activities and events.

Why is it important?

Auditing evaluates the who, what, where, and when of events on a network, which helps managers identify critical events that may have an impact on their organization.

...continue reading "Term of the Week: Audit"

What is it?

A quantifiable measurement used to help organizations evaluate performance.

Why is it important?

Metrics provide a standard for measuring the performance of governance programs and controls established to protect an organization’s assets, interests, and resources.

...continue reading "Term of the Week: Metrics"

What is it?

A tool to capture and quantify information about the risks associated with a project or activity, including the potential impact, likelihood of occurrence, mitigation measures, responses, and response triggers.

Why is it important?

A risk register increases the chances of successful execution of a project or activity by helping managers identify and evaluate risks, assess their potential impact, and create contingency plans.

...continue reading "Term of the Week: Risk Register"

What is it?

Chief Information Security Officer. The most senior individual responsible for protecting an organization’s information assets.

Why is it important?

The CISO has overall responsibility for the information security program for an organization. The CISO works closely with executive management and business stakeholders to protect information assets.

...continue reading "Term of the Week: CISO"

What is it?

A comprehensive, step-by-step series of actions to be followed by an organization’s computer security incident response team (CSIRT) and business operations personnel following a verified cybersecurity incident to reduce the overall impact of the incident.

Why is it important?

When properly implemented, an incident response plan can help ensure an effective response to security incidents and help mitigate the effects of a potentially serious event. The presence of a well-rehearsed plan has proven to reduce the financial impact of security incidents.

...continue reading "Term of the Week: Incident Response Plan"

What is it?

A plan that allows an organization to remain operational at acceptable, predefined levels of operation despite disruptions resulting from human, technical, or natural causes.

Why is it important?

With more and more companies becoming heavily reliant on data to drive decisions, any loss of that data, even short-term, can bring business to a halt and have dire effects on the bottom line.

...continue reading "Term of the Week: Business Continuity Plan"