Cyber Kill Chain

7 phases of a cyberattack

Identify and stop hostile activities

To detect and counter external attacks on your company at an early stage, you need to understand how cyberattacks against you unfold. Only then can you initiate appropriate countermeasures.

What companies need to know: the 7 phases of Lockheed Martin's Cyber Kill Chain describe the stages an attacker must pass through, in sequence, to carry out an attack.

To defend against an attack, a company can break the chain at any one phase and thereby stop the entire attack.

Companies should layer their defenses across several phases, so that an attacker who is stopped at one phase cannot simply resume from an earlier one.

7 phases of Lockheed's Cyber Kill Chain

How attackers work in cyberattacks

  1. Reconnaissance: Identification and reconnaissance of the target. The attacker researches specific information about the target (e.g. data, email addresses, IT structure) and builds a detailed profile of the selected target.
  2. Weaponization: Preparation of the attack. The attacker decides which means and tools to use; the choice depends on the attacker's approach and objective.
  3. Delivery: Transmission of the attack to the target. Based on the information collected earlier, the cybercriminal selects a medium for the attack (e.g. e-mail, phishing websites).
  4. Exploitation: The attacker exploits a security vulnerability to compromise the target; the weakness may be technical or human (e.g. CEO fraud where employees have not been made aware of it).
  5. Installation: Setting up a backdoor for unnoticed system access. Malware is installed on the systems without the knowledge of the affected person (e.g. Trojans).
  6. Command & Control (C2): Remote control of the affected systems. The attacker takes undetected control of the infiltrated system (e.g. via Remote Desktop Protocol).
  7. Actions on Objectives: Achieving the objectives. Having gained access, the attacker can carry out their plans at will and penetrate the system more deeply; typical motives range from espionage and sabotage to data theft and blackmail.
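The point of the sequence above for a defender is that each phase can be detected separately, and a host whose telemetry spans several consecutive phases is a far stronger signal than any single alert. The following added example (not Hornetsecurity's code) correlates constructed detection events per host against the seven phases; the rule names, hosts and the phase mapping are hypothetical. It reports the deepest phase reached, the phase at which a control cut the chain, and whether the host should be escalated.

```python
from collections import defaultdict

# Lockheed Martin phases in attack order
PHASES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]

# Constructed mapping of hypothetical detection rule names to the phase they evidence
RULE_PHASE = {
    "mail.attachment.macro": "delivery",
    "office.spawned.powershell": "exploitation",
    "persistence.run_key": "installation",
    "net.beacon.periodic": "command_and_control",
    "file.bulk_exfil": "actions_on_objectives",
}

# Constructed telemetry in chronological order: (host, rule, blocked_by_control)
EVENTS = [
    ("ws-017", "mail.attachment.macro", False),
    ("ws-017", "office.spawned.powershell", False),
    ("ws-017", "persistence.run_key", False),
    ("ws-017", "net.beacon.periodic", True),
    ("ws-042", "mail.attachment.macro", True),
    ("ws-042", "backup.job.ok", False),   # unmapped rule, ignored
]

def phases_by_host(events):
    """Map host -> {phase index: blocked}; a phase counts as blocked only if
    every detection at that phase was stopped by a control."""
    seen = defaultdict(dict)
    for host, rule, blocked in events:
        phase = RULE_PHASE.get(rule)
        if phase is None:
            continue  # not kill-chain evidence
        idx = PHASES.index(phase)
        seen[host][idx] = seen[host].get(idx, True) and blocked
    return seen

def assess(events, escalate_at=3):
    """Per host: deepest phase reached, the first phase at which the chain was
    cut (None if nothing was blocked), and whether to escalate. Escalation
    triggers once a host has progressed through `escalate_at` distinct phases."""
    verdicts = {}
    for host, phases in phases_by_host(events).items():
        reached = sorted(phases)
        cut = next((PHASES[i] for i in reached if phases[i]), None)
        verdicts[host] = {"deepest": PHASES[reached[-1]], "cut_at": cut,
                          "escalate": len(reached) >= escalate_at}
    return verdicts

if __name__ == "__main__":
    for host, verdict in assess(EVENTS).items():
        print(host, verdict)
```

In the constructed data, ws-017 is escalated because it reached four phases before the beacon was blocked, while ws-042 was stopped at delivery and generates only a single low-priority detection.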

Options for companies to defend themselves against cyberattacks

  1. The publication of company data on the Internet should be significantly restricted. A detailed analysis of the possible forms of attack is also recommended; these include, for example, DDoS attacks on web or mail servers, but other forms of attack are also conceivable. In general, it is important to detect deviations from normal behaviour promptly.
  2. Specialised analysis engines make it possible to identify attacks directly and examine them in detail. Among other things, the likely effects of the malware are also identified.
  3. Specifically, the attack vectors are subjected to constant monitoring. With an IT security service such as Hornetsecurity Advanced Threat Protection (ATP), the cyberattack originating from the perpetrator and its specific impact on the system or company network can be investigated using the individual analysis engines. The focus lies on uncovering the intention behind the cyberattack; understanding the perpetrator's approach is the primary goal.
  4. Companies should focus primarily on open attack vectors. These can originate either in technology or in people. The security gaps lie at the network perimeter or in conventional or business-critical programs and services. Penetration tests uncover possible vulnerabilities. In addition, people themselves continue to represent a significant security risk.
  5. Defending against attacks means preventing the steps a perpetrator could take. Companies can do this by issuing appropriate certificates, defining individual guidelines and checking that standard virus scanners have up-to-date signatures.
  6. By analysing the attack vectors used by the malware, appropriate recommendations for action can be derived for companies. The primary goal is to uncover any existing security gaps, for example potentially risky open ports through which the perpetrator can gain access to systems. This applies equally at client and server level.
  7. For the worst-case scenario, the individual action steps to be taken must be clearly defined, and responsibilities must be assigned in advance. This applies to personal responsibilities within the company as well as to technical processes, such as the analyses to be carried out. Only in this way can far-reaching damage be prevented.