Disclosure: Your support helps keep the site running! We earn a referral fee for some of the services we recommend on this page. Learn more

Cybersecurity is a complex topic with many moving parts, so it’s no wonder that it’s treated with an attitude of inaccessibility when depicted in movies and TV shows, ranging from sophisticated to completely ridiculous.

Laughable scenes like this show just how mystifying the topic is to the general public. One character even refers to it as a “video game,” which isn’t too far off.

However, once you learn the fundamentals of cybersecurity and hacking, the veil is pulled back, in a sense, and you see just how vulnerable you are in the simplest ways. Weak passwords, no encryption, networks with no segmentation ― the list goes on and on.

Before you start making radical changes to your security, it’s best to learn the process of a cyberattack. That’s where the cybersecurity kill chain comes in. Discover how hackers seek out targets and the steps they take to get what they want from them.

What Is the Cybersecurity Kill Chain?

The cybersecurity kill chain is a model developed by Lockheed Martin to help security teams understand, locate, and stop cyberattacks when they occur. The model demonstrates the sequence of events that take place during a cyberattack, putting security professionals in the mind of a hacker.

The model was derived from military attack models and adapted to defend networks from intrusion. They’ve even disclosed certain instances in which the model was used to detect and prevent breaches, such as the SecurID attack.

What Are the Seven Steps of the Cybersecurity Kill Chain?

Cybersecurity Kill Chain
Source: Made in Canva

There are seven logical steps that hackers take when attempting to breach a target. In some cases, these attackers may skip steps or repeat them based on the situation at hand, but most attacks include most, if not all, of them.

Here’s how hackers move through the process.

Step 1: Reconnaissance

As in warfare, any successful attack is often based on recon and intelligence. Hacking is no different, and there are all kinds of tools and protocols they use to gather information about your networks and security systems, including:

  • DIG commands
  • Network mapping
  • Inspecting web page elements
  • Port scanning
  • Packet sniffing
  • Trace routing

These methods provide useful information for hackers, including open ports, weak credentials, lack of encryption, application vulnerabilities, website vulnerabilities, unsecured Wi-Fi, and much more.

Step 2: Weaponization

Now that the hacker understands what they have to work with, they’ll choose one or more attack vectors to exploit. An attack vector is a path of vulnerabilities chosen by hackers to exploit, infect, and exfiltrate information, systems, and/or money.

Keep in mind that when hackers choose their attack vectors, they typically follow paths of least resistance. The purpose of all of this reconnaissance is to determine not only where vulnerabilities lie, but also to decide whether the attack is worth the risk of being caught, like any other robbery.

Once they’ve chosen their attack vector, they’ll create a malicious payload or strategy for exploiting the vulnerability, which could include:

  • Viruses
  • Ransomware
  • Worms
  • Trojans
  • Rootkits
  • Keyloggers
  • Logic bombs
  • Adware
  • Spyware
  • Bots

This choice depends on the vulnerability they discover and their perceived assessment of what leads to a successful attack.

Step 3: Delivery

Now that their recon has given the hacker access to your systems, such as networks and applications, they’ll deliver their payload. Depending on the kind of attack they’ve decided on, you’ll either notice the effects immediately or at a later time. Perhaps you may never notice depending on how well they’ve covered their tracks or which attack they’re performing.

In terms of immediate effects, certain attack types like adware or ransomware are obvious since hackers want to get the attention of their victims. In this case, you’ll notice an increase in junk on your display or a screen lock that explains the ransom process ― usually a cryptocurrency payment to an anonymous wallet ― to unlock whatever a hacker has encrypted.

Delayed attacks like logic bombs may be set up to perform the same functions as ransomware and adware but, instead, are triggered by the actions of the victims, such as accessing a system or opening a file. These kinds of attacks are meant to obscure how and when an attacker breached your systems, giving the hacker time to move about your network undetected until it’s too late.

Finally, other hacks are meant to go undetected or facilitate further attacks, like worms, rootkits, spyware, and bots.

Step 4: Exploit

Once the hacker delivers the payload, the exploitation of your systems begins. The effects may be felt either immediately, at a later date, or not at all, depending on the intentions of the attacker.

Step 5: Install

Now that the hacker has delivered their payload ― or perhaps even before it’s delivered ― chances are they’ll set up some sort of backdoor to give them future access to your systems.

This is done just in case the original vulnerability they used is discovered and patched. These backdoors are created using rootkits or exploiting weak credentials and if they go undetected, there’s no telling just how far they might go to steal information or money or wreak havoc on your network.

Step 6: Revisit

Hackers often revisit targets they’ve exploited to move around to different systems via lateral movements and permission escalations. Of course, the more a hacker acts on, the higher likelihood of detection by your security infrastructure.

While it’s good if malicious actions are being detected by your preventative measures, revisits usually mean the hacker already got their hands on what they came for and the damage is done.

Step 7: Persist

The attacks on your network, applications, and/or data persist until the vulnerabilities and malicious payloads are fixed and deleted. There’s little chance a hacker will voluntarily give up the control they’ve seized until they’re forcefully stopped and blocked.

How Does the Cybersecurity Kill Chain Benefit Your Small Business?

Just like understanding the mindset of a hacker, the cybersecurity kill chain is a glimpse into how a hacker thinks and operates. The more you know about your enemies, the better chances you have of preventing attacks or detecting ones in progress.

Additionally, Lockheed Martin also developed a succinct six-step model for fighting attacks that fit their kill chain.

1. Detect

The best-case scenario of a potential breach is to detect attacks as they’re being attempted, giving you the chance to stop them in their tracks. Certain cybersecurity tools are ideal for detection, including:

  • Intrusion detection systems (IDS): Cybersecurity software that monitors network traffic for suspicious activity and issues alerts when such activity is discovered.
  • Packet sniffers: Network traffic analyzers used by security analysts to read traffic data
  • Antivirus/antimalware: Scans endpoints for viruses and malware
  • User/entity behavior analytics: Gathers information on actions and behaviors by users, devices, and networks to detect malicious behavior.

There are many tools out there that combine detection and prevention capabilities to decrease the working load of your security personnel, but it’s still important to get a set of human eyes on the data since systems are still only as strong as their weakest points.

2. Deny

Whether you’re dealing with preemptive measures or looking to stop a hacker in their tracks, the next step in the defensive process is to deny access to unauthorized individuals. This can take the form of an intrusion prevention system (IPS), closing unnecessary network ports, changing authorization levels to certain assets, altering credentials, or a host of other solutions depending on the threat.

The point is that you want to prevent leakage of sensitive information and unauthorized access. This requires that your security team go through all threatened assets and shut off access to anyone not immediately involved in the cleanup process.

3. Disrupt

In terms of network breaches, this is where you stop the flow of outbound network traffic to the hacker. This way, anything they’re looking to exfiltrate from your organization stops in its tracks. Security personnel can accomplish this through similar means of denying access, by shutting off network ports, changing access credentials, or disabling access to certain internet protocol (IP) addresses by the use of access control lists (ACL).

4. Degrade

This is particularly useful when handling distributed denial of service (DDoS) attacks. These attacks entail attackers using botnets to flood targets with loads of garbage traffic, thus overloading their servers and denying service to legitimate traffic.

Degrading the effectiveness of attacks is a good way to either stop or prevent these types of attacks altogether.

This can include allotting yourself more bandwidth than you’d ever hope to use, contacting your internet service protocol (ISP) to black hole your website so all traffic is stopped before it ever reaches your servers, and then redirecting traffic to a program that can “scrub out” malicious packets before they reach you.

5. Deceive

Deception isn’t only a great way to defend your network, but it also gives you the chance to observe your attackers on your own terms. This is usually accomplished using a “honeypot” in your network that looks like a legitimate and valuable source of information but is a sandbox created to allow attacks to take place in a safe environment.

Once hackers breach your honeypot and start tooling around, you’ll be able to observe their behavior and start building a strategy around this kind of attack before you shut them out of your network.

6. Contain

This operates under the same principle of cutting off an infected limb before it kills the rest of the body. Containing attacks by use of segmentation is a great way to quarantine off areas that have been breached.

Even if you haven’t been breached, network segmentation allows you to spread out the valuable aspects of your infrastructure and protect each area with its own perimeter.

This way if anyone were to get inside one area, you can seal it off from the rest of your network, effectively protecting the rest of your organization while you deal with the problem at hand.

Need Help Building Your Defenses?

If you believe you are lacking in any aspects of your cybersecurity architecture then visit our Cybersecurity Resources for Small Businesses page or visit our list of the Best Cybersecurity Companies of 2023.