kill chain
The term kill chain is a military concept which identifies the structure of an attack. It consists of:

* identification of target
* dispatching of forces to target
* initiation of attack on target
* destruction of target

Conversely, the idea of "breaking" an opponent's kill chain is a method of defense or preemptive action.


Military


F2T2EA

One military kill chain model is the "F2T2EA", which includes the following phases:

* Find: Identify a target. Find a target within surveillance or reconnaissance data or via intelligence means.
* Fix: Fix the target's location. Obtain specific coordinates for the target either from existing data or by collecting additional data.
* Track: Monitor the target's movement. Keep track of the target until either a decision is made not to engage the target or the target is successfully engaged.
* Target: Select an appropriate weapon or asset to use on the target to create desired effects. Apply command and control capabilities to assess the value of the target and the availability of appropriate weapons to engage it.
* Engage: Apply the weapon to the target.
* Assess: Evaluate effects of the attack, including any intelligence gathered at the location.

This is an integrated, end-to-end process described as a "chain" because an interruption at any stage can interrupt the entire process. [Hutchins, Cloppert, and Amin, "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains", Lockheed Martin Corporation, 2011]


Previous terminology

The "Four Fs" is a military term used in the United States military, especially during World War II. Designed to be easy to remember, the "Four Fs" are as follows:

* Find the enemy – Locate the enemy.
* Fix the enemy – Pin them down with suppressing fire.
* Fight the enemy – Engage the enemy in combat, or flank the enemy – Send soldiers to the enemy's sides or rear.
* Finish the enemy – Eliminate all enemy combatants.


Proposed terminology

The "Five Fs" is a military term described by Maj. Mike "Pako" Benitez, an F-15E Strike Eagle Weapons Systems Officer who served in the United States Air Force and the United States Marine Corps. Designed to update the kill chain to reflect updated, autonomous and semi-autonomous weapon systems, the "Five Fs" are described in "It's About Time: The Pressing Need to Evolve the Kill Chain" as follows:

* Find encapsulates the unity of effort of Joint Intelligence Preparation of the Operating Environment, matching collection assets to commander's intent and targeted areas of interest. This inevitably leads to detections, which may be further classified as an emerging target if it meets the intent.
* Fix is doctrinally described as "identifying an emerging target as worthy of engagement and determines its position and other data with sufficient fidelity to permit engagement."
* Fire involves committing forces or resources (i.e., releasing a munition, payload, or expendable).
* Finish involves employment with strike approval authorities (i.e., striking a target, firing directed energy, or destructive electronic attack). This is similar to a ground element executing maneuvers to contact but then adhering to prescribed rules of engagement once arriving at the point of friction.
* Feedback closes the operational OODA Loop with an evaluative step, in some circumstances referred to as "Bomb Damage Assessment".


North Korean nuclear capability

A new American military contingency plan called "Kill Chain" is reportedly the first step in a new strategy to use satellite imagery to identify North Korean launch sites, nuclear facilities and manufacturing capability and destroy them pre-emptively if a conflict seems imminent. The plan was mentioned in a joint statement by the United States and South Korea.


Cyber


Attack phases and countermeasures

More recently, Lockheed Martin adapted this concept to information security, using it as a method for modeling intrusions on a computer network. The cyber kill chain model has seen some adoption in the information security community. However, acceptance is not universal, with critics pointing to what they believe are fundamental flaws in the model. Computer scientists at Lockheed Martin described a new "intrusion kill chain" framework or model to defend computer networks in 2011. They wrote that attacks may occur in phases and can be disrupted through controls established at each phase. Since then, the "cyber kill chain" has been adopted by data security organizations to define phases of cyberattacks.

A cyber kill chain reveals the phases of a cyberattack: from early reconnaissance to the goal of data exfiltration. The kill chain can also be used as a management tool to help continuously improve network defense. According to Lockheed Martin, threats must progress through several phases in the model, including:

1. Reconnaissance: Intruder selects target, researches it, and attempts to identify vulnerabilities in the target network.
2. Weaponization: Intruder creates remote access malware weapon, such as a virus or worm, tailored to one or more vulnerabilities.
3. Delivery: Intruder transmits weapon to target (e.g., via e-mail attachments, websites or USB drives).
4. Exploitation: Malware weapon's program code triggers, which takes action on target network to exploit vulnerability.
5. Installation: Malware weapon installs access point (e.g., "backdoor") usable by intruder.
6. Command and Control: Malware enables intruder to have "hands on the keyboard" persistent access to target network.
7. Actions on Objective: Intruder takes action to achieve their goals, such as data exfiltration, data destruction, or encryption for ransom.

Defensive courses of action can be taken against these phases:

1. Detect: Determine whether an intruder is present.
2. Deny: Prevent information disclosure and unauthorized access.
3. Disrupt: Stop or change outbound traffic (to attacker).
4. Degrade: Counter-attack command and control.
5. Deceive: Interfere with command and control.
6. Contain: Network segmentation changes.

A U.S. Senate investigation of the 2013 Target Corporation data breach included analysis based on the Lockheed Martin kill chain framework. It identified several stages where controls did not prevent or detect progression of the attack.
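As an added illustration (not code from the article or from Lockheed Martin), the following Python builds a course-of-action matrix from the seven phases and six defensive actions listed above and uses it to find the links of the chain a defender can neither observe nor break; the control inventory and the intrusions it evaluates are constructed for the example.

```python
# Phases and defensive courses of action as listed in the article above.
PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and Control", "Actions on Objective"]
ACTIONS = ["Detect", "Deny", "Disrupt", "Degrade", "Deceive", "Contain"]
INTERRUPTING = ACTIONS[1:]  # all but Detect, which only observes the intrusion

# Constructed control inventory of a hypothetical defender: (phase, action, control).
CONTROLS = [
    ("Reconnaissance", "Detect", "web server log analytics"),
    ("Delivery", "Detect", "mail gateway attachment scanning"),
    ("Delivery", "Deny", "executable attachment blocking"),
    ("Exploitation", "Deny", "patch management"),
    ("Installation", "Detect", "endpoint agent alerting"),
    ("Command and Control", "Detect", "DNS beaconing analytics"),
    ("Command and Control", "Disrupt", "egress proxy with allow-list"),
    ("Actions on Objective", "Contain", "network segmentation"),
]

def coa_matrix(controls):
    """Course-of-action matrix: phase -> action -> list of control names."""
    matrix = {p: {a: [] for a in ACTIONS} for p in PHASES}
    for phase, action, name in controls:
        if phase not in matrix or action not in ACTIONS:
            raise ValueError(f"unknown phase or action: {phase}/{action}")
        matrix[phase][action].append(name)
    return matrix

def uncovered_phases(matrix):
    """Links of the chain the defender can neither observe nor act on."""
    return [p for p in PHASES if not any(matrix[p][a] for a in ACTIONS)]

def blind_phases(matrix):
    """Phases with no Detect control: activity there leaves the defender no evidence."""
    return [p for p in PHASES if not matrix[p]["Detect"]]

def earliest_break(matrix, reached_phases):
    """First phase of an intrusion (a set of phases it passes through) where an
    interrupting control exists; returns (phase, action, control) or None."""
    for phase in PHASES:
        if phase in reached_phases:
            for action in INTERRUPTING:
                if matrix[phase][action]:
                    return phase, action, matrix[phase][action][0]
    return None

if __name__ == "__main__":
    m = coa_matrix(CONTROLS)
    phishing = set(PHASES[:6])  # constructed: reaches every phase up to C2
    print(uncovered_phases(m), blind_phases(m), earliest_break(m, phishing))
```

Weaponization shows up as uncovered, which matches the critique below that the early phases happen outside the defended network; an intrusion that skips the mail gateway (a USB drop reaching Exploitation directly) is only broken by the next covered link.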


Alternatives

Different organizations have constructed their own kill chains to try to model different threats. FireEye proposes a linear model similar to Lockheed Martin's. In FireEye's kill chain the persistence of threats is emphasized. This model stresses that a threat does not end after one cycle.

1. Reconnaissance
2. Initial intrusion into the network
3. Establish a backdoor into the network
4. Obtain user credentials
5. Install various utilities
6. Privilege escalation / lateral movement / data exfiltration
7. Maintain persistence


Critiques

Among the critiques of Lockheed Martin's cyber kill chain model as a threat assessment and prevention tool is that the first phases happen outside the defended network, making it difficult to identify or defend against actions in these phases. Similarly, this methodology is said to reinforce traditional perimeter-based and malware-prevention-based defensive strategies. Others have noted that the traditional cyber kill chain isn't suitable to model the insider threat. This is particularly troublesome given the likelihood of successful attacks that breach the internal network perimeter, which is why organizations "need to develop a strategy for dealing with attackers inside the firewall. They need to think of every attacker as potential insider".


Unified kill chain

The Unified Kill Chain was developed in 2017 by Paul Pols in collaboration with Fox-IT and Leiden University to overcome common critiques against the traditional cyber kill chain, by uniting and extending Lockheed Martin's kill chain and MITRE's ATT&CK framework. The unified version of the kill chain is an ordered arrangement of 18 unique attack phases that may occur in an end-to-end cyberattack, which covers activities that occur outside and within the defended network. As such, the unified kill chain improves over the scope limitations of the traditional kill chain and the time-agnostic nature of tactics in MITRE's ATT&CK. The unified model can be used to analyze, compare, and defend against end-to-end cyber attacks by advanced persistent threats (APTs). A subsequent whitepaper on the unified kill chain was published in 2021.

