Technical Support: 412-349-6678 | Incident Response

The Cyber Kill Chain Model is Obsolete

Cyber Kill Chain Model - Ideal Integrations

In the early 2000s, Lockheed Martin defined the cyber kill chain framework to identify the stages in which cyber adversaries attack an organization.

Tom Kellermann, chief cybersecurity officer at Carbon Black, now declares that model insufficient.

As covered by Aaron Tan of, the original cyber kill chain model identifies a sequence of attacking stages: Reconnaissance, weaponization, delivery, exploitation, installation, command and control, and action on objectives. However, it does not account for iterative approaches or combinations of tactics, techniques and procedures that now change according to the encountered environment. 

Additionally, the cyber kill chain model does not account for sophisticated methods that attackers now use to attack an environment.

The Cyber Kill Chain Model & A Paradigm Shift

Kellermann proposes a new paradigm of an attack loop with three phases: reconnaissance and illustration; manipulation and maintenance; and execution and exploitation. 

Although these phases are not explained in detail in the article, we can use the basics as a framework for discussion.

In the reconnaissance and illustration phase, attackers are looking for a way into a secure environment.  Sometimes it is through a random attack on vulnerabilities, and sometimes it is a targeted attack for a specific purpose (Ex: attacking a retail chain for access to credit card numbers).

Recent Article: Unexpected Network Exploits

In the manipulation and maintenance phase, attackers have gained access to an environment and are trying to maintain access and expand their reach.

According to the article, cyber attackers make lateral movements 70% of the time, so the odds are good they will attack more than the initial machine. This lateral movement can be to obscure the point of entry, or to simply escalate their access to the victim’s network.

In the execution and exploitation phase, the attackers seek to exploit their access to exfiltrate valuable information or to manipulate the company’s processes. 

While these basic categories maintain the general principles of the cyber kill chain, the new model attempts to emphasize that attackers will switch back and forth between the phases in iterations as they seek to extend their exploit. 

Did they breach a web server?  Done.  Maintain that foothold.  Now search for what else they can access from there. 

Using Advanced Methods

Part of the point is that the kill chain focuses internally on a specific attack. 

However, using advanced methods, the attack you see may not be the source, or even the main focus, of the attacker’s efforts.

The first advanced method mentioned is island-hopping. Island-hopping is a method where attackers breach an environment through an attack on third party systems.

Recent Article: Ransomware – Preparing for an Attack

One example of this is the notorious breach of Target’s point of sale machines in 2013 through the company’s provider of refrigeration and HVAC systems.  In this attack, the malicious actors accessed the vendor and discovered that the it had external access to Target’s internal networks (presumably to monitor energy consumption and temperatures within stores to save on costs). 

The attackers then used that access to gain access to the point of sale machines and plant their malware.

A more modern example of island hopping uses the Watering-hole attack, in which attackers seek to plant malware in a location that more valuable targets may visit.

In 2016, attackers planted malware on the Polish Financial Supervision Authority’s web server.  The attackers knew that the Polish Banks would regularly visit this server, and the malware made its way onto the computers of several Polish commercial banks.

The second advanced method mentioned, that is not accounted for in the cyber kill chain, is counter incident response.   Kellermann notes that many attackers now seek to actively attack back when IT personnel and incident response teams try to shut them down.  

Recent Article: The Benefits of Cloud Computing

While it is not clear why attackers are becoming more aggressive, it’s clear that many attackers now choose to turn cyber breaches into forms of guerrilla warfare.  As the incident response team follows the cyber kill chain model and shuts down the detected method of attack, the attackers seek to establish connections through alternative means to maintain access on the network.

Due to the iterative nature of the modern attack, we can also expect attackers to look for ways to leverage any breach into an attack on other company resources, or to affiliated third parties. 

After all, there’s little to distinguish between intentional and opportunistic island-hopping during an attack.

Mitigating Cyber Attacks

Kellermann makes two suggestions to mitigate attackers in this new environment:

First, Kellermann suggests that it is better to conduct regular cyber threat hunting based upon tactics, techniques and procedures rather than look for indicators of compromise.  His point appears to be that, by the time one encounters indicators of compromise, such as data exfiltration, your environment is already on phase three for the compromised machine. 

The odds are, you have many other machines already at phase one or two, and it puts your response team at a disadvantage to start so late. 

Instead, continuously examine likely vectors of attack and methods to which you may be vulnerable. 

Recent Article: The Vulnerability is the Target

When you hire a Red Team to attack your own system, you remove at least the easy vulnerabilities from your system.  If you hire a firm like Blue Bastion (the Cybersecurity company within Ideal Integrations) that offers both Red Teaming, Incident Response, and Managed Endpoint Security, you can also use their talents to ensure that no one is already on your systems (and to clean them up, if they are).

Second, Kellermann recommends the use of deception technology to uncover techniques and tactics using non-vital resources and honey pots.

In today’s environment, it is not a question of if an environment will be attacked and breached.  Instead, it is a question of what you do about it, and how fast do you detect and respond

Kellermann’s recommendation provides your Detection and Response team more time to analyze the attackers.  Honey pots appear to be valuable resources to distract attackers, and they are also monitored files or systems that send immediate flags to your response team. 

Once accessed, the incident response team can go into action, protect the key assets of the organization, and observe the attacker’s methods of entry and attack. 

Non-vital resources (such as an archive of marketing materials) play the same role as a honey pot, but with actual files from the organization.  If you do it right, there is little damage done to the organization if the assets are accessed, but your Incident Response team gains time to analyze the attack.

Protecting Your Environment from Cyber Attacks

Ideal Integrations can work with you to design an environment that effectively segregates the non-vital assets from the vital assets. 

Our Blue Bastion cybersecurity service will continuously monitor your environment to keep attackers at bay.  Using a combination of our resources will help protect your organization effectively from a wide range of attacks using both passive and active countermeasures. 

Connect with us to secure your managed IT solutions in Pittsburgh, and all around the United States!

Contact us today to see what we can do for you by completing the form below, or calling us at (412) 349-6680.

Get Started With Your IT Solution Today!

  • This field is for validation purposes and should be left unchanged.