TryHackMe Cyber Kill Chain

CSNP Team April 17, 2023
Learn about the Cyber Kill Chain framework developed by Lockheed Martin and how it helps security professionals understand and defend against cyber attacks.

Content by Dan Rearden

The Cyber Kill Chain is a security model for identifying and preventing network intrusions. Developed by Lockheed Martin in 2011, it adapts the military "kill chain" targeting concept to cyber defense: an intrusion is treated as a sequence of steps the adversary must complete in order, so defenders can map what the adversary needs to do at each step and where that step can be interrupted.

What is the Cyber Kill Chain?

The Cyber Kill Chain breaks an intrusion down into seven distinct phases. By understanding these phases, defenders can look for the indicators each one produces and place countermeasures where they will bite. The key insight is that every phase depends on the ones before it: an adversary who is blocked at any single phase cannot proceed to the next, so reliably disrupting one link breaks the whole chain and forces the adversary to start over.

The Seven Phases

1. Reconnaissance

The attacker gathers information about the target before launching an attack.

  • Harvesting email addresses
  • Identifying employees on social media
  • Discovering public-facing technologies
  • Scanning for open ports and services

Defense: Limit the information you expose publicly (employee directories, technology stacks, verbose error pages), monitor perimeter logs for scanning activity, and use threat intelligence to recognise infrastructure already associated with known adversaries.
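"Monitor for scanning activity" is easy to say and vague in practice. The following Python, added here as an example and not part of the original TryHackMe room or the CSNP article, shows the usual shape of a scan detection: it parses firewall log lines and flags any source that touches many distinct destination ports within a sliding time window. The log lines and their key=value layout are constructed for this example; the thresholds (60 seconds, 8 distinct ports) are assumptions you would tune to your own traffic.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (not real traffic). The key=value layout is an
# assumption for this example; adapt LINE_RE to your firewall's actual format.
SAMPLE_LOG = """\
2023-04-17T10:00:01Z src=203.0.113.5 dst=10.0.0.7 dport=21 proto=tcp action=DENY
2023-04-17T10:00:01Z src=203.0.113.5 dst=10.0.0.7 dport=22 proto=tcp action=DENY
2023-04-17T10:00:02Z src=203.0.113.5 dst=10.0.0.7 dport=23 proto=tcp action=DENY
2023-04-17T10:00:02Z src=203.0.113.5 dst=10.0.0.7 dport=25 proto=tcp action=DENY
2023-04-17T10:00:03Z src=203.0.113.5 dst=10.0.0.7 dport=80 proto=tcp action=ALLOW
2023-04-17T10:00:03Z src=203.0.113.5 dst=10.0.0.7 dport=443 proto=tcp action=ALLOW
2023-04-17T10:00:04Z src=203.0.113.5 dst=10.0.0.7 dport=445 proto=tcp action=DENY
2023-04-17T10:00:04Z src=203.0.113.5 dst=10.0.0.7 dport=3389 proto=tcp action=DENY
2023-04-17T10:00:05Z src=203.0.113.5 dst=10.0.0.7 dport=8080 proto=tcp action=DENY
2023-04-17T10:00:05Z src=203.0.113.5 dst=10.0.0.7 dport=8443 proto=tcp action=DENY
2023-04-17T10:00:06Z src=198.51.100.9 dst=10.0.0.7 dport=443 proto=tcp action=ALLOW
2023-04-17T10:05:06Z src=198.51.100.9 dst=10.0.0.7 dport=443 proto=tcp action=ALLOW
2023-04-17T10:00:07Z src=192.0.2.44 dst=10.0.0.7 dport=80 proto=tcp action=ALLOW
2023-04-17T10:00:08Z src=192.0.2.44 dst=10.0.0.7 dport=443 proto=tcp action=ALLOW
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=\S+ action=\S+$"
)


def parse_events(log_text):
    """Parse log lines into (timestamp, src, dst, dport) tuples; lines that do
    not match the expected layout are skipped rather than crashing the detector."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["src"], m["dst"], int(m["dport"])))
    return events


def detect_port_scans(log_text, window_seconds=60, min_ports=8):
    """Return {src: peak} for every source that touched at least `min_ports`
    distinct (dst, dport) pairs inside any sliding window of `window_seconds`.
    Both ALLOW and DENY lines count: a scanner hits open and closed ports alike."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in parse_events(log_text):
        by_src[src].append((ts, dst, dport))

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for src, hits in by_src.items():
        hits.sort()                 # oldest first so the window can slide forward
        in_window = Counter()       # (dst, dport) -> hits currently inside the window
        left = 0
        peak = 0
        for ts, dst, dport in hits:
            in_window[(dst, dport)] += 1
            # Evict hits that fell out of the window ending at `ts`.
            while hits[left][0] < ts - window:
                old = (hits[left][1], hits[left][2])
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_ports:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, peak in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {peak} distinct targets within 60s")
```

On the sample data only 203.0.113.5 is flagged; the two other sources make a handful of ordinary connections. A slow scan that spreads its probes over hours deliberately stays under a window like this, which is why the window length and port threshold are tuning knobs rather than constants, and why this kind of rule is best paired with reputation data from threat intelligence rather than used alone.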

2. Weaponization

The attacker builds a deliverable payload by pairing an exploit for a specific vulnerability with a backdoor (typically a remote access trojan) inside a carrier such as a document file.

  • Creating malicious documents
  • Developing custom malware
  • Packaging exploits with payloads

Defense: This phase happens on the attacker's side, outside your visibility, so it cannot be blocked directly. What you can do is analyze the artifacts that arrive later (document metadata, packer and compiler fingerprints, reused configuration) to recognise the same weaponizer the next time its output shows up.

3. Delivery

The attacker transmits the weapon to the target environment.

  • Phishing emails with attachments
  • Malicious websites (watering holes)
  • USB drives left in parking lots
  • Compromised software updates

Defense: Email filtering, web proxies, user awareness training, USB restrictions.

4. Exploitation

The delivered weapon's code executes on the victim, either by exploiting a software vulnerability or by abusing a feature the user is tricked into enabling.

  • Exploiting software vulnerabilities
  • Tricking users into running macros
  • Zero-day exploits

Defense: Patch management, endpoint protection, application allow-listing (whitelisting), and exploit mitigations such as DEP and ASLR.

5. Installation

The malware installs itself on the victim system, establishing persistence.

  • Installing backdoors
  • Creating scheduled tasks
  • Modifying registry keys
  • Installing rootkits

Defense: Endpoint detection and response (EDR), application control, file integrity monitoring.

6. Command and Control (C2)

The implant on the compromised system opens a channel to attacker-controlled infrastructure so the attacker can issue commands. Until this channel exists the attacker has no interactive control of the host, which makes C2 one of the most valuable phases to detect and block.

  • HTTP/HTTPS beaconing
  • DNS tunneling
  • Social media as C2 channels
  • Encrypted communications

Defense: Network monitoring, DNS analysis, proxy inspection, and behavioral analytics that look for the regular, machine-generated traffic patterns implants produce rather than for specific known-bad addresses.
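The two behavioral signals most worth knowing here are beaconing (an implant checking in on a fixed timer, which shows up in proxy logs as nearly constant inter-connection intervals) and DNS tunneling (data encoded into many unique, high-entropy subdomains of one domain). The Python below, added as an illustration and not code from the TryHackMe room or the CSNP article, implements both checks over constructed proxy and DNS log lines; the log layouts, hostnames and thresholds are assumptions for this example, and the "registered domain = last two labels" rule is a deliberate simplification that misfires on public suffixes such as co.uk.

```python
import math
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample logs (not real traffic). Field layouts are assumptions for this
# example: proxy lines are "<ts> <client> <dest_host> <dest_port>",
# DNS lines are "<ts> <client> <qname>".
PROXY_LOG = """\
2023-04-17T10:00:00Z 10.0.0.7 update.example-cdn.test 443
2023-04-17T10:01:00Z 10.0.0.7 update.example-cdn.test 443
2023-04-17T10:02:01Z 10.0.0.7 update.example-cdn.test 443
2023-04-17T10:02:59Z 10.0.0.7 update.example-cdn.test 443
2023-04-17T10:04:00Z 10.0.0.7 update.example-cdn.test 443
2023-04-17T10:05:00Z 10.0.0.7 update.example-cdn.test 443
2023-04-17T10:00:05Z 10.0.0.7 www.example.com 443
2023-04-17T10:00:09Z 10.0.0.7 www.example.com 443
2023-04-17T10:03:40Z 10.0.0.7 www.example.com 443
2023-04-17T10:17:02Z 10.0.0.7 www.example.com 443
2023-04-17T10:17:03Z 10.0.0.7 www.example.com 443
2023-04-17T10:42:00Z 10.0.0.7 www.example.com 443
"""

DNS_LOG = """\
2023-04-17T10:00:10Z 10.0.0.7 www.example.com
2023-04-17T10:00:11Z 10.0.0.7 mail.example.com
2023-04-17T10:00:12Z 10.0.0.7 cdn.example.com
2023-04-17T10:00:20Z 10.0.0.7 a3f9c1e7b2d4.9e1f0b7c5a3d2e8f.tunnel-example.net
2023-04-17T10:00:21Z 10.0.0.7 7b2d4a3f9c1e.0b7c5a3d2e8f9e1f.tunnel-example.net
2023-04-17T10:00:22Z 10.0.0.7 c1e7b2d4a3f9.5a3d2e8f9e1f0b7c.tunnel-example.net
2023-04-17T10:00:23Z 10.0.0.7 d4a3f9c1e7b2.2e8f9e1f0b7c5a3d.tunnel-example.net
2023-04-17T10:00:24Z 10.0.0.7 f9c1e7b2d4a3.8f9e1f0b7c5a3d2e.tunnel-example.net
"""


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_beacons(proxy_log, min_connections=5, max_cv=0.2):
    """Flag (client, host) pairs whose connection intervals are nearly constant.
    Regularity is measured as the coefficient of variation (stdev / mean) of the
    gaps between connections; human browsing is bursty and scores far above max_cv."""
    times = defaultdict(list)
    for line in proxy_log.splitlines():
        ts, client, host, _port = line.split()
        times[(client, host)].append(_ts(ts))
    findings = {}
    for key, stamps in times.items():
        stamps.sort()
        if len(stamps) < min_connections + 1:   # need min_connections gaps
            continue
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(deltas)
        if mean == 0:
            continue
        cv = statistics.pstdev(deltas) / mean
        if cv <= max_cv:
            findings[key] = {"mean_interval": mean, "cv": round(cv, 3)}
    return findings


def shannon_entropy(s):
    """Bits of entropy per character; encoded or encrypted data scores high,
    ordinary hostnames such as 'www' or 'mail' score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def detect_dns_tunneling(dns_log, min_unique=5, min_entropy=3.0):
    """Group queries by registered domain (approximated as the last two labels)
    and flag domains that receive many distinct, high-entropy subdomains."""
    subdomains = defaultdict(set)
    for line in dns_log.splitlines():
        _ts_, _client, qname = line.split()
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) < 3:          # no subdomain to inspect
            continue
        domain = ".".join(labels[-2:])
        subdomains[domain].add(".".join(labels[:-2]))
    findings = {}
    for domain, subs in subdomains.items():
        if len(subs) < min_unique:
            continue
        entropies = [shannon_entropy(s.replace(".", "")) for s in subs]
        mean_entropy = statistics.mean(entropies)
        if mean_entropy >= min_entropy:
            findings[domain] = {"unique_subdomains": len(subs),
                                "mean_entropy": round(mean_entropy, 2)}
    return findings


if __name__ == "__main__":
    for (client, host), info in detect_beacons(PROXY_LOG).items():
        print(f"beacon: {client} -> {host} every ~{info['mean_interval']:.0f}s (cv={info['cv']})")
    for domain, info in detect_dns_tunneling(DNS_LOG).items():
        print(f"possible DNS tunnel under {domain}: {info}")
```

On the sample data the update.example-cdn.test connections come every 60 seconds give or take two, so they are flagged, while the www.example.com traffic is irregular and is not; the hex-encoded subdomains under tunnel-example.net are flagged and the three ordinary example.com names are not. Real implants add random jitter to their sleep interval precisely to defeat the first check, so in production you would widen max_cv, look at longer histories, and treat these scores as one input to behavioral analytics rather than as a verdict on their own.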

7. Actions on Objectives

With interactive access established, the attacker pursues the actual goal: data exfiltration, destruction, or another objective. Reaching it often takes privilege escalation and lateral movement first, and each new host reached effectively restarts the chain inside the network.

  • Data theft and exfiltration
  • Ransomware deployment
  • Privilege escalation
  • Lateral movement to other systems

Defense: Data loss prevention, network segmentation, privileged access management.

Using the Kill Chain Defensively

Defense in Depth

Implement controls at multiple phases. If one control fails, others can still stop the attack.

Detection at Every Phase

Deploy detection capabilities that can identify attack indicators at each stage of the kill chain.

Intelligence-Driven Defense

Use threat intelligence about adversary tactics, techniques and procedures (TTPs) to work out which phases a given adversary is most likely to be caught in, and strengthen detections and controls there first.

Limitations and Evolution

While valuable, the Cyber Kill Chain has limitations:

  • It was designed around external, malware-driven intrusions, so it fits insider threats and abuse of legitimate credentials poorly
  • The linear, single-pass model does not capture modern intrusions that loop through lateral movement and repeated cycles of the later phases
  • It does not address cloud- or mobile-specific attack patterns

Newer frameworks such as MITRE ATT&CK catalogue adversary techniques at a much finer granularity and are commonly used alongside the Kill Chain: the Kill Chain tells you where in an intrusion you are, ATT&CK tells you what specifically the adversary is doing there.

Conclusion

The Cyber Kill Chain remains a foundational framework for understanding and defending against cyber attacks. By mapping defenses to each phase, organizations can build comprehensive security programs that disrupt attacks at multiple points.

