Kill Chain Taxonomy: What is it about and how can it help you improve your cybersecurity?


It’s no secret that cyber-criminals are always looking for new ways to take hold of companies’ most sensitive assets.

Undoubtedly, constant innovation even allows them to stay one step ahead of some top-of-the-line cybersecurity measures.

However, although the channels they use may vary, their methodology keeps the same basic structure. That’s probably one of the few ways we have to anticipate their evil next steps.

In this blog post, we’ll explain how studying the Kill Chain Taxonomy can help you prevent future attackers from breaching your organization’s systems.

What is the Kill Chain Taxonomy?

Also referred to as the Cyber Kill Chain or Kill Chain Framework, the Kill Chain Taxonomy is a group of cybersecurity tactics intended to detect, fight, and prevent cyberattacks such as ransomware, security breaches, and advanced persistent threats (APTs).

The term is based on the idea that attacks occur in phases, each of which can be disrupted through a series of controls established at that phase.

These security measures, for their part, are trusted by several security organizations around the world.

Kill Chain Taxonomy: from military to corporate

The original military concept originated and was applied in the 1990s. Then, Lockheed Martin, a U.S.-based multinational aerospace and military company, improved it and spread it throughout the information security world in 2007.

Lockheed Martin acts as the link between the original idea of the term and its use in modern times.

Formerly, the Kill Chain — as it’s still known sometimes — was a military concept strongly related to the structure of an attack. It aimed to identify, attack, and destroy the target.

Nowadays, the term refers to a method for modeling intrusions on a computer network, introduced to the information security arena by Lockheed Martin’s computer scientists.

As a result, the meaning of the concept is now given by the idea of “breaking” an opponent’s kill chain — that is, the cybercriminals’ way of operating — as a method of defense or preemptive action.

Indeed, this methodology has so far helped many companies defend their most sensitive networks using a step-by-step approach.

How does the Kill Chain Taxonomy work?

The Kill Chain Taxonomy works through phases, each corresponding to a step that an attacker must go through to complete a cyberattack.

Nevertheless, the Kill Chain Taxonomy doesn’t need a real attack to be used. Instead, you can take advantage of this security framework as a management tool. This way, it can help you to continuously improve your company’s network defense.

However, any action taken based on knowledge of the Taxonomy will be in vain if the person applying it doesn’t know the Kill Chain’s phases properly.

1. Reconnaissance

Firstly, the attacker observes and searches for a target and their vulnerabilities. They typically assess the situation from the outside in and start devising their attack tactics: harvesting email addresses, conference information, and so on.

2. Weaponization

Then, they build the payload they will use to exploit the vulnerabilities. Remote-access malware is one of the most common, since it can be delivered as a virus or worm.

3. Delivery

Subsequently, the attacker transmits the malicious payload to the target. They usually deliver it through email, the web, USB, etc.

4. Exploitation

After that, the criminal gains a foothold: the malware enters the system and its code executes, triggering the exploit. As a result, the vulnerabilities are exploited.

5. Installation

Later, the malware is installed on the targeted assets, and the attacker gains an access point, e.g. a “backdoor”.

6. Command & Control (C2)

At this stage, the malware sets up a control channel that gives the intruder persistent access to the target network. This also means the intruder can control the victim remotely.

7. Actions on Objectives

Lastly, the attacker aims to achieve his goals — such as data exfiltration, data destruction, or encryption for ransom — by taking action.

These are the seven phases or steps which Lockheed Martin recognizes as part of its Cyber Kill Chain. However, there are variations of this step-by-step method.
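As an added example (not from the original post, and not Lockheed Martin’s code), the following Python script shows how the seven phases can be used as a detection taxonomy rather than only as a description of the attacker’s process: constructed log lines are matched against hypothetical rules, each hit is tagged with its phase, and a per-host and campaign-wide summary reports how far the chain progressed and the earliest phase at which a control fired. The log format, hostnames, IP addresses and detection rules are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# The seven Lockheed Martin Cyber Kill Chain phases, in attack order.
PHASES = [
    "Reconnaissance",
    "Weaponization",
    "Delivery",
    "Exploitation",
    "Installation",
    "Command & Control",
    "Actions on Objectives",
]

# Hypothetical detection rules: a pattern over the message part of a log line
# and the kill chain phase that such an event indicates. Weaponization happens
# on the attacker's side, so defenders rarely observe it directly; no rule is
# listed for it, but the phase keeps its index so the ordering stays complete.
RULES = [
    (re.compile(r"portscan from \S+"), 0),
    (re.compile(r"attachment quarantined"), 2),
    (re.compile(r"macro spawned \S+"), 3),
    (re.compile(r"new service installed"), 4),
    (re.compile(r"beacon to \S+"), 5),
    (re.compile(r"outbound transfer \d+ bytes"), 6),
]

# Assumed log format: "<ISO timestamp> <host> <free-text message>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.+)$")

# Constructed sample log lines (documentation IP ranges, invented hostnames).
SAMPLE_LOGS = [
    "2024-01-10T08:01:00Z fw01 portscan from 203.0.113.7 against 10.0.0.0/24",
    "2024-01-10T09:15:00Z mail01 attachment quarantined: invoice.docm from 203.0.113.7",
    "2024-01-10T09:20:00Z ws-042 macro spawned powershell.exe from WINWORD.EXE",
    "2024-01-10T09:21:00Z ws-042 new service installed: UpdaterSvc",
    "2024-01-10T09:25:00Z ws-042 beacon to 198.51.100.9:443 every 60s",
    "2024-01-10T11:00:00Z ws-042 outbound transfer 734003200 bytes to 198.51.100.9",
    "2024-01-10T12:00:00Z ws-007 user login succeeded",
]


def classify(line):
    """Return (timestamp, host, phase index) if the line matches a rule, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    for pattern, phase in RULES:
        if pattern.search(m["msg"]):
            return m["ts"], m["host"], phase
    return None


def timeline(lines):
    """Group recognised events by host, preserving log order."""
    per_host = defaultdict(list)
    for line in lines:
        hit = classify(line)
        if hit is not None:
            ts, host, phase = hit
            per_host[host].append((ts, phase))
    return dict(per_host)


def summarize(events):
    """Deepest phase reached and earliest phase at which a control fired.

    The earliest detected phase is where the chain could have been broken at
    least cost; the deepest phase shows how far the attacker actually got.
    """
    phases = [p for _, p in events]
    return {
        "deepest": PHASES[max(phases)],
        "first_detected": PHASES[min(phases)],
        "phases_seen": [PHASES[i] for i in sorted(set(phases))],
    }


def report(lines):
    """Per-host summaries plus a campaign-wide view across all hosts."""
    per_host = timeline(lines)
    all_events = [e for ev in per_host.values() for e in ev]
    return {
        "hosts": {host: summarize(ev) for host, ev in per_host.items()},
        "campaign": summarize(all_events) if all_events else None,
    }


if __name__ == "__main__":
    for host, summary in report(SAMPLE_LOGS)["hosts"].items():
        print(host, summary)
    print("campaign", report(SAMPLE_LOGS)["campaign"])
```

On the sample data the campaign view shows the chain reaching Actions on Objectives while the first detection was already at Reconnaissance, which is the point the framework makes: the earlier a phase is detected and blocked, the less the later phases matter. Per host, the workstation is only seen from Exploitation onward, so its controls would need to be moved earlier to break the chain before code runs.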

Exceptions to the Kill Chain Taxonomy’s 7 phases

Now that you know the Kill Chain Taxonomy’s seven phases, you should also realize that other security specialists in the industry bring forward different approaches to the framework.

For instance, you’ll surely bump into other Cyber Kill Chain models, which are also valid if you look at the differences more closely.

  • Between the Reconnaissance and Exploitation phases, there’s only one step: Intrusion, wherein the attacker gets into the system by leveraging malware or security vulnerabilities.
  • After the Exploitation stage, Privilege Escalation, Lateral Movement, Obfuscation / Anti-forensics, Denial of Service, and Exfiltration follow.

These last five stages point to the complexity of attacking a system. In other words, the criminal needs to get more privileged access, move laterally to other accounts, cover his tracks, lay false trails, disrupt normal access, etc., to achieve his final purpose.

Therefore, this approach offers a more detailed look at an attacker’s process to get into an organization’s system.

How to defend your information using the Kill Chain Taxonomy?

In any case, you must take advantage of the Kill Chain Taxonomy to break the attacker’s routine. Nonetheless, this isn’t as easy as it seems.

The Kill Chain Taxonomy model receives criticism, too. Critics usually say that it “focuses only on perimeter security and malware prevention”.

The truth is that when combined with advanced analytics, the Cyber Kill Chain can reveal the active state of a data breach.

Isn’t this critical to data security? Of course, it is! And if there’s an ideal tool that provides complementary predictive modeling, that has to be AT&T Cybersecurity.

AT&T Cybersecurity: The most trusted threat-hunting software

AT&T Cybersecurity, formerly known as AlienVault, is one of today’s most recognized security software providers.

It was born in 2018 following the AlienVault acquisition by AT&T Communications. Months later, AT&T created a new brand to provide open source services to manage cyberattacks.

One of AT&T Cybersecurity’s solutions is closely related to the Kill Chain Taxonomy: AlienVault Unified Security Management (USM)’s Intelligence Threat Management.

Certainly, AT&T Cybersecurity’s USM relies on a Kill Chain Taxonomy to break attacks out into five threat categories, ordered from highest to lowest severity.

  1. System Compromise shows a possible compromised system.
  2. Exploitation & Installation indicates a successful exploit of a vulnerability on a system.
  3. Delivery & Attack shows an attempted delivery of an exploit.
  4. Reconnaissance & Probing reveals a bad actor attempting to discover information about your network.
  5. Environmental Awareness exhibits policy violations, vulnerable software, or suspicious communications.

Consequently, the solution provides the detailed contextual threat information you need to help you understand how the attackers are interacting with your network.

This way, you can focus your attention on the most critical threats by knowing the attacking intent and threat severity.

So, if you’re looking for complete software to make threat management and prioritization easy, AT&T Cybersecurity is the right security tool for you — or your business.

How can we help you?

Fighting cyber-criminals today can be a real challenge for companies like yours, and we know it. That’s why at GB Advisors we focus on providing quality support to organizations like yours.

Whenever you require help to reinforce your cybersecurity, contact our expert team to receive privileged attention, as well as top-notch advice and cutting-edge solutions to defend your most sensitive assets from the ever-present hackers.
