What is the cyber
kill chain model
and does it
improve security?

When cyber security professionals want to make sure they have the right defenses in place to prevent a cyber attack, they often refer to the cyber kill chain model. This concept walks organizations through the typical phases of an attack, highlighting areas where they may need to shore up their defenses or prioritize resources to minimize the business impact of an incident.

Security leaders may also find the kill chain model a useful tool for explaining cyber security measures to business executives, so they can secure adequate funding for their cybersecurity programs. With that in mind, here's what the cyber kill chain model is, how it works, and how security leaders can use it to have effective conversations about cybersecurity with stakeholders.

The cyber kill chain model is based on the military concept of a kill chain, which describes the phases of an attack for the purposes of creating proactive defense strategies to prevent it—particularly at the earliest phases, when the least damage has been done. According to the SANS Institute, a security thought leadership cooperative, defense contractor Lockheed Martin originally created the cyber kill chain steps in a 2011 paper that outlines the key phases of a cyber attack.

Security professionals use this methodology to make sure they are considering the entire life cycle of a cyber attack, that they are fully aware of the vulnerabilities that could be exploited in such an attack and that they have sufficient controls in place to ward it off. Evaluating the kill chain is one strategy for increasing cyber security resilience and helping to prevent a damaging data breach.

Today, there are multiple cyber kill chain models, such as MITRE ATT&CK^© and the Unified Kill Chain. Many of these models, including the original, have been updated to include insider threats and social engineering exploits such as phishing. While there are plenty of variations on the Lockheed model, it remains the version that is most commonly referenced.

Typically, there are seven cyber kill chain steps:

1. Reconnaissance. Gather as much information as possible on the target—anything from social media posts to login credentials or even the results of port scans—to determine the best strategy for an attack. Publicly available information on the company may be used against it in this phase.
2. Weaponization. Design the attack based on insights gathered in the first phase. This malicious payload could be anything from a phishing email to malware or a compromised document.
3. Delivery. Transmit the weaponized payload to the target. This payload could take many forms. According to Verizon’s 2021 Data Breach Investigations Report, phishing and ransomware were among the top forms of attacks associated with breaches. Security awareness training can help to prevent this phase of an attack from succeeding. If it does not, the organization can quickly find itself compromised in the following phases.
4. Exploitation. The payload launches and proceeds to exploit a vulnerability on the target's system. It typically begins to execute code.
5. Installation. At this stage, malware is often installed on the target's system.
6. Command and control. The malware opens a communications channel to the attackers. Now, they have the ability to remotely control the target's system.
7. Actions. The malicious actors proceed to execute their desired actions. From this point on, they may try to gain access to other areas of the network or simply exfiltrate data that they can then use, sell or hold ransom. If the attackers have not been detected, they have free rein to cause damage to the company and potentially its employees and customers, as well.

Security leaders may find the kill chain useful when explaining cyber security to business stakeholders. However, they face a few challenges in doing so. For starters, security language can be impenetrable and even off-putting to non-practitioners. Executives also sometimes have difficulty viewing security as a business enabler because the security function must often implement security controls that could be seen as limiting innovation.

With cyber attacks only increasing in frequency and sophistication, it's essential for security leaders to effectively communicate with their colleagues about concepts such as the cyber kill chain and its business impacts. This way, they will have a far better chance of securing the funding that is required for a robust cyber security program.

According to TechTarget, a web-based firm that publishes technology-related resources, there are four effective ways to explain cybersecurity to executives. First, resist the temptation to get into the weeds and explain a complex security concept at the very beginning. Instead, take a storytelling approach in which you present the threats facing your business and explain how your cybersecurity strategy addresses them. Your story should focus first and foremost on existential threats that pose the most serious risks to your company.

Once your stakeholders have developed a comfort level with cybersecurity, it's appropriate to begin examining your organization's existing security controls in detail and determining whether they would stand up to regulatory scrutiny. In all your communications, take special care to link your security measures to business outcomes so that your audience is able to understand the business value of the investments you are proposing. That way, they will begin to see security as a business enabler rather than a cost center.