The Cyber Kill Chain

  1. Recon - Reconnaissance
    • The attacker tries to learn as much as possible about the target, such as the types of servers, operating systems, IP addresses, user names, and email addresses, which increases the chance that the attack succeeds.
    • OSINT falls under this step [1]
    • Tools for this step:
  2. Weaponization
    • Preparing a file with a malicious component
  3. Delivery
    • Delivering the “weaponized” file to the target
    • Examples: Phishing or infected USB devices [2]
  4. Exploitation
    • Execute the malicious component
  5. Installation
    • Install the malware on the target system, including a backdoor to gain persistence [3]
  6. Command & Control (C2)
    • The attacker has the ability to command and control the target system.
    • Most common communication channels: HTTP/S and DNS tunneling
  7. Actions on Objectives
    • The attacker achieves their objectives, such as data exfiltration
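
As an added illustration of the defender's side of step 6 (not part of the original notes): a small detector that scores DNS query logs for the traits DNS tunneling leaves behind, namely very long, high-entropy leftmost labels repeated against one registered domain. The log format, the thresholds and the sample lines are all constructed for this example.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (hypothetical "<client> <qname>" format,
# not taken from any real capture). Three queries carry 40-char hex labels.
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.7 a3f9c2e1b7d4e8f0a1b2c3d4e5f6a7b8c9d0e1f2.tunnel-test.invalid
10.0.0.7 9b8a7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b.tunnel-test.invalid
10.0.0.7 0f1e2d3c4b5a69788796a5b4c3d2e1f0a9b8c7d6.tunnel-test.invalid
10.0.0.5 cdn.example.com
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded payloads score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname: str) -> str:
    """Crude last-two-labels approximation (no Public Suffix List)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])

def is_suspicious_qname(qname: str, max_label_len: int = 30, min_entropy: float = 3.5) -> bool:
    """Flag a query whose subdomain part looks like an encoded payload."""
    labels = qname.rstrip(".").split(".")
    subdomain = ".".join(labels[:-2])
    longest = max((len(label) for label in labels[:-2]), default=0)
    return longest > max_label_len and shannon_entropy(subdomain) >= min_entropy

def tunneling_candidates(log_text: str, min_hits: int = 3) -> dict:
    """Return {registered_domain: count} for domains with >= min_hits suspicious queries."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        _, qname = parts
        if is_suspicious_qname(qname):
            hits[registered_domain(qname)] += 1
    return {d: c for d, c in hits.items() if c >= min_hits}
```

Real deployments should tune the thresholds against baseline traffic, since CDNs and some legitimate services also emit long labels.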

The Cyber Kill Chain was created and last updated in 2011. For a more complete picture, it can be combined with more modern approaches such as MITRE ATT&CK and the Unified Kill Chain.

References