By: Owen Dubiel, March 02, 2017 (10:24 AM)

Network Compromise Kill Chain

As a cyber security professional it is imperative that you fully understand the attack kill chain and how to stop it. In the long run it will be beneficial for any security analyst to have a plan of action in place for each step as well as having it memorized. In the event of a possible compromise, time is of the essence. You won’t have time to pull out the old incident response plan and you will need to act diligently in order to stop the attack before it can complete the kill chain.

The cyber kill chain was originated by an American aerospace defense and security company in 1995 called Lockheed Martin. Lockheed developed this kill chain based off of military tactics and directly applied it towards detection network intrusions. Each of the following steps are a vital part of any attackers’ process. One way or another, each step will be hit in order to proceed to the next. There are several other methods, but this model is widely accepted in the cyber security industry. Below you will see a description of the attack stage and an effective way to stop it.


The attacker has many ways to gather information including online public information, social engineering and network scans to look for vulnerable targets.

Ways to limit the amount of information available on your company include scheduled patching to ensure you have the most recent updates as they become available, vulnerability scans performed on external facing servers/applications and keeping an inventory of all resources (applications, servers, network devices, etc.)

Loading the payload (weaponization)

Based on the vulnerable resources the attacker discovers, they will craft a payload that will be able to take advantage of that vulnerability. This is how the attacker will get in the front door. Whether the attacker is going in manually or has a bot created, this stage is really about customizing a payload to compromise your vulnerability.

This is similar to Recon, the attacker will be taking what they have learned and create a payload for your vulnerability. By patching frequently, you can essentially stop this stage if the attacker takes too long to craft a payload and execute it.

Delivering the Payload

This is where the attacker loads the payload to take advantage of the vulnerability discovered. Gaining control of the vulnerable device and establishing a stable connection is the objective here.

For known vulnerabilities, you can monitor your DNS, OS and Firewall logs for potential signs of compromise. For new exploits, you may not discover them in this stage, but understanding normal DNS activity on external resources would help pointing out a potential compromise.

Exploit and Install

Once the attacker is established on the compromised resource, they will look to navigate to additional resources that contain sensitive information they can take.

This navigating through the network (lateral movements) can stick out like a sore thumb. Having alerts and monitoring in place to note any unusual communications between resources that do not usually talk will be your ticket to play.

Command and Control

This is the stage where communications are sent back and forth to the attacker with additional information about other vulnerabilities or password hashes discovered inside the network.

Monitoring your logs for servers communicating to each other, logon attempts to user credentials and any outbound traffic that does not seem normal to business should be analyzed.

Send back the Gold (exfiltration)

The attacker has compromising data and is sending it out of your network. This could be social security numbers, credit card data or even company plans that are considered confidential.

Strictly monitoring outbound transmissions to unknown hosts is strongly recommended. Smart attackers will send out data in slow bursts. Having an inventory or firewall log of what shouldn’t be sending outbound traffic would drastically help in this effort.

Having a good understanding of what each stage of the kill chain looks like in your environment is essential to your companies’ protection. Performing vulnerability scans, penetration tests and keeping an asset inventory of your resources will greatly reduce risk and increase the overall vision of the network.


Owen Dubiel

My name is Owen; IT security analyst by day and content writer by night. I have a strong passion for cyber security and using the internet to get my way. I enjoy video games, sports, weightlifting, movies and jet skiing; not in any particular order.

Notice: The views expressed here are those of the authors and do not necessarily represent or reflect the views of Cursive Security.

Be Informed. Stay One Step Ahead.

Sign up for our newsletter and stay up to date with the latest industry news, trends, and technologies