Cyber Security Kill Chain

In our recent blog post “Multi-Phase Cyber Attacks” we described how cyber attacks are often not a single instance but part of a planned attack that can be sustained over several months, even years. An attack may only become apparent when the cyber attacker makes themselves known through some form of visible attack, a security team stumbles upon it or a vulnerability is discovered.

This is formalised in Cyber Security terms as the Cyber Security Kill Chain.

Cyber Security Kill Chain

The Cyber Security Kill Chan is a series of steps that a cyber attacker can take, described in the following diagram:

Cyber Security Kill Chain

This is described in terms of 6 basic stages:

  • Reconnaissance
  • Intrusion and Privilege Escalation
  • Exploitation & Exfiltration
  • Sustainment
  • Assault
  • Obfuscation.

Not all stages will be executed as this will depend on the objectives of the attacker.


If a cyber attacker is looking to target a specific industry segment, or a specific victim company or individual, they will do their homework. They will use several techniques to learn about you, for example:

  • Physical Reconnaissance
    • Social Engineering
    • Checking up on your Social Media Account (LinkedIn, Facebook)
    • Physical Reconnaissance, stalking out a building, watching individuals
    • Dumpster Diving – checking what you throw away
  • Internal Reconnaissance
    • Network Scanning
    • Password Scanning & Cracking
    • Searching for vulnerabilities and exploits.

What you throw away can be very informative. If you don’t securely destroy physical media (e.g. Hard Drives, CD’s, Paper) it can be recovered and any information on this media can used against you.

What you post online can also be very informative. For example you may post about your interests, what you do for a job, for family. All this information can be used by a cyber attacker to determine your routine, habits and possible passwords (e.g. your dogs name). It is also for this reason that many companies forbid their employees to post on social media anything to do with their work.

Network scanning can be done through wired connections, but more usually through wireless connectivity. Anyone connecting to a public network (e.g. in a coffee shop), is likely connecting to an unencrypted network. Any traffic passing over this network can be intercepted and inspected by anyone with the right tools on any device. If you are connecting to a public network you are advised to use a VPN to fully encrypt traffic over this insecure network.

However, WiFi is broadcasting in all directions. Someone in the carpark could in theory be scanning for open access points to find vulnerabilities in the WiFi infrastructure. Home and Small Business WiFi routers are often left unpatched even when updates are available leaving open doors for a hacker to exploit to get access to your network, and left with default configurations that also leave backdoors open to attackers.

Intrusion and Privilege Escalation

Once an attacker has a foothold in your network (e.g. a valid username/password, a way to connect to your network) the objective is to connect and try to find ways to elevate their access rights to that of an administrator. There are various vulnerabilities that will allow the hacker to break out of the limited account they have access to and elevate their access.

There are some very simple ways to do this, for example if an administrator uses the default admin account and does not secure it with a unique and strong password. Users may also be created with a default administrator access to their local PC, which may then extend to server resources. Most companies will enforce a password policy and force a change from the default password on first access. They may also enforce regular password changes, although the current thinking is that this doesn’t provide much better security since users will find ways to keep the old password (e.g. incrementing a number at the end of their password for each change).

The default action should be that any user is created as a basic user and access to privileged information granted on an as needed basis. This would hinder an attacker, but obviously not totally stop them.

Databases and file stores should also be secured with strong passwords and authentication. So many data breaches are executed against databases that have been inadequately secured. This security should be applied to production databases as well as test and backup databases. Breaching a production database is the prime goal, but breaching a test/backup database could yield (over time) the same degree of information.

Once an attacker is connected to your network, and this intrusion has not been detected, they are free to bide their time to seek out the access they require by moving from account to account, and server to server seeking out the required information (lateral movement/horizontal privilege escalation).

The attacker can also use additional hacking tools (vertical privilege escalation) to elevate their access (e.g. by exploiting vulnerabilities and password cracking). However, while this is often more rewarding, it can expose the attacker to monitoring tools on the network and discovery. The objective of the attacker would be to avoid being detected and may attempt to mask their activity during busy periods or in a remote/low sensitivity area of the network.

Exploitation & Exfiltration

This is often where the main attack occurs. The objectives of the attacker can vary. For exmaple, they may want to:

  • Extract industrial secrets (espionage)
  • Cause disruption (e.g. using ransomware)
  • Destroy infrastructure (see assault below).

This phase may be sidestepped entirely if the objective is not to extract data. However, once in this stage the objective is to extract as much data of the type they are after sometimes as part of a wider attack or just to gain commercial advantage.

A lot of ransomware attacks are using this stage to extract data that they can use to force ransom payment or to have a different revenue stream if the ransom is not paid through selling the data on the dark net.

We are also seeing claims that attackers are hacking into Coronavirus vaccine research organisations in an attempt to get a head start in any vaccine research – Russia is being implicated in this nation state activity.

Industrial espionage may be an objective in its own right and this stage may last for years before it is discovered.


In this stage that attacker is trying to embed themselves in various parts of the compromised network to remain undetected. There is an option to end the attack at the previous stage, but this becoming increasingly apparent that even after the main attack is over, the attackers are remining hidden in the network to continue surveillance well beyond the initial attack.

Someone may notice that something is wrong, e.g. a log file might show an anomaly or someone’s access might have been affected. However, on investigation the IT department might find that a database has been accessed and a large amount of data was extracted and sent to a remote server several weeks ago. The initial attack might have happened months, or even years ago. A recent data breach involving the Marriott hotel chain when they took over the Starwood Hotel Chain was discovered in November 2018. In this case the Starwood booking system was hacked on, or before, September 2018 and the attackers continued to exfiltrate data until they were discovered.

The attacker may use multiple techniques such as deploying malware to monitor activity, deploying backdoors so that even if the initial access is shutdown, they still have a way of accessing the network.


This is often when an attack is most apparent since this is where other attack methods are used. For example:

We have seen several recent reports that Chinese hackers have gained access to the US critical infrastructure (e.g. Electricity generation and distribution, communications) and have implanted malware that could be triggered to disable the infrastructure in a time of war.


Arguably this stage crosses all the other stages since its main purpose is to cover the tracks of the attackers and make it difficult for any forensic analysis to show who actually launched the attack.

Obfuscation can be done in several ways:

  • Removing metadata from files deposited in the network (e.g. removing location information from images)
  • Redirecting where they originated from through attacking from a softer target or through a supply line attack
  • Attacking outdated/unused servers that are often not monitored as regularly as current production servers and then moving from there into more sensitive parts f the network
  • Using unsecure IoT devices (e.g. light bulbs)
  • Dynamic Code obfuscation.

Dynamic Code Obfuscation involves the generation of different malicious malware to attack targets, but prevents detection from signature-based antivirus and firewall programs. The pieces of code can be generated using randomizing functions or by changing some function parameters. Therefore, hackers make it significantly harder for any signature based security tool to protect systems against their malicious code. This also makes it difficult for forensic investigators to identify the attacker.

Combinations of the Cyber Security Kill Chain

Not all steps of the Kill Chain will always be followed.

In some cases an attacker is opportunistic, bypassing the reconnaissance stage and will just cast a wide social engineering attack to infect as many people as possible. However, for more targeted attacks, the reconnaissance stage will be executed.

Intrusion and Privilege Escalation is often executed once the attacker has gained some degree of access. However, if their objective is just to get a quick payday following the intrusion they may skip directly to the assault stage and launch a ransomware attack on resources the penetrated account can access. If that account has unfettered access to other resources, then the objective has already been made.

For attacks on enterprises, the objective is often to keep hidden until they want to launch the assault, or to continue to extract data over a period of time. Their objective might not be to cause damage, but espionage in which case stealth is the objective.

Each stage may take hours to execute or may be sustained over many years depending on the objectives of the hackers. Nation state hackers will often want to keep hidden so that they can launch their assault as part of a cyber warfare attack that may never become necessary. If you think this is limited to foreign governments then think again. In the UK we know that due to to the Edward Snowden disclosures the GCHQ is continually monitoring and likely penetrating foreign networks as is the US NSA.


This blog hopefully has demonstrated that cyber attackers are very sophisticated organisations that work as a team to compromise their targets and reman hidden as long as possible. Cyber attacks on large organisations can be long lived following various meticulously planned stages.

It is important for any organisation to secure their networks with the appropriate technology (e.g. patching, network monitoring, password and authentication policies). It is also important to follow our guidance in “The Human Firewall” and ensure your employees are fully aware of the various forms of cyber attack that can be started though, for example, an innocent social media posting or disclosure of a password.

This is important for companies (from the start-up to multi-nationals), but also for individuals. We have previously posted guidance on Router Vulnerabilities, Social Engineering and Securing your Remote Desktop to name a few. Take a look through our guidance sections for more.

If you think hackers are not interested in you, then think again! Take a look at our blog post “Myths of Cyber Security” for more info.

The flip side of this is managing the Cyber Security Threat Lifecycle which will be the subject of a future blog.

Headline image provided by Travis Saylor from Pexels

Comments are closed.

Create a website or blog at

Up ↑

%d bloggers like this: