What's the Cyber Kill Chain?

The cyber kill chain is a description of the methods attackers use when attempting to perform a data breach. Lockheed Martin detailed 7 stages of a cyber attack, but more simply, the kill chain can be grouped into three primary phases: Infiltration, lateral movement, and exfiltration.


The Phases of the Kill Chain

An attack is only truly successful if all three phases of the kill chain are complete.  This means security teams must consider how to stop attackers at each phase:


Stopping attackers before they make their way into an environment is often the primary focus of security teams, and many security technologies and controls. Infiltration can be accomplished by directly breaching a network, or by infecting a host, which is then joined to a private network.

Infiltration attacks can be grouped into two basic categories: Machine-based attacks, and human-based attacks.

Machine-based attacks
Enterprise environments are extremely complex, and attempting to build a perfect defensive perimeter around today’s businesses is impossible. Attackers look for known vulnerabilities on internet-facing systems, as well as any misconfiguration of network perimeter controls, exposed applications, or other oversights that allow for an initial entryway into a corporate environment.

Human-based attacks
Even when security is built well enough to thwart machine-based attack techniques, human beings can still provide attackers everything they need to infiltrate a business.  Social engineering, or tricking humans by taking advantage of their trusting nature, is often at the root of initial compromise.  Phishing emails, or “vishing” voice calls, are ways attackers can trick users into accidentally giving away user credentials, or installing malware used for subsequent attack methods.  

Lateral Movement

Once successfully within a network, attackers have to find their way to valuable data. The lateral movement phase describes the steps taken once inside a network.  Whether using brute force or pass-the-hash techniques to steal credentials for sensitive servers, or moving across network segments in search for valuable data, attackers often spend months within environments before they’re found.  

This phase often takes weeks or even months, as attackers not only search for new sources of sensitive data, but also look for key points to establish new infiltration pathways.  Investigation into many headline-level breaches have found multiple points of compromise within networks, requiring multiple attempts at remediation.


Data exfiltration is the most critical part of most modern attacks. While some attackers still just want to bring down sites or services, the theft and resale of exfiltrated data is a multi-billion dollar industry, and requires careful exfiltration to avoid detection or alerts.  Common methods of data exfiltration take advantage of “always available” types of network traffic, like DNS.  By “Stuffing” data into the headers of traffic types that are always able to leave a network, attackers can trickle data slowly over allowed protocols to avoid detection.

Breaking the Kill Chain

Many security tools, products, and processes focus on the infiltration phase alone, in an attempt to simply keep all attackers out. Stopping attacks early make sense, as it prevents the subsequent phases as well. However, it’s extremely rare that any security measures will protect against 100% of the potential attacks in a given phase.  

Good security teams know that when security controls are in effect across the kill chain, they have a better chance of thwarting an attack.  Rather than relying on a single line of defense, (which if broken, results in total failure), it’s typically more effective to have many layers of security, often called “defense in depth.”  If an attacker manages to break into a network, but then can’t move laterally to servers with sensitive data, the kill chain is still broken, and the attack is still stopped.  Likewise if attackers have no way of exfiltrating sensitive data, the kill chain is broken, and risk is decreased.


The Kill Chain, and Breach and Attack Simulation

To be truly effective in identifying weaknesses and minimizing exposure, breach and attack simulation must follow the same techniques used by actual attackers.  That means that attacks must be simulated across every phase of the kill chain.  

By simulating infiltration, lateral movement, and exfiltration techniques—across cloud, network, and endpoints—only SafeBreach can visualize where attackers will be successful, and where security controls effectively block attacks.  This comprehensive validation helps security teams prioritize and remediate effectively, to stop attacks by breaking the kill chain.  

Security teams are often inundated by alerts and “findings” that indicate potential risk.  Investigating each of these alerts to identify the true business impact of each of them is an insurmountable task.  SafeBreach changes this paradigm by providing simple, actionable tools to prioritize remediation appropriately.  Whether it’s a kill chain visualization that shows where the least effort can bring the most effect, or whether it’s simple filters based on data leak rate, attacker sophistication, or kill chain phase, SafeBreach provides data-driven security recommendations to break the cyber kill chain, and stay ahead of attacks.