The Kill Chain – inside the bad guy’s lair…



What Is The Kill Chain?

The Kill Chain gives cyber-security professionals the attacker’s perspective or a look inside the bad guy’s lair.   You might imagine the operations center of a cyber gang might looking like the ad-hoc hacker house in the latest Jason Bourne film, actually sophisticated cyber criminals use project management best practices learned from the business world – like planning in phases, resource allocation, and managing towards SMART yet evil goals.  Knowledge of each phase and how they relate to the IT landscape of the organization leads to the policies, controls and preparations needed to defend against attacks. The phases include:


Attackers put up their virtual periscope to gather information about their target’s vulnerabilities, they are on the hunt for the weakest IT links and the individuals who hold the keys to the IT infrastructure.

Common Methods:
  • On the IT side, hackers gather publicly available information about domains, servers, applications and email systems. A simple WhoIS combined with a TCP Port Scan can reveal a plethora of useful information including IP addresses, locations, server software and even administrator emails.  Hackers are on the lookout for outdated systems, unpatched systems like in the #WannaCry attack or weak software that can be easily attacked through cross-side-scripting.  They will also look at current job openings in IT to understand the types of software and systems that a company is using.
  • On the social engineering side, they are gathering profiles for financial controllers, IT admins and executives who have LinkedIn or Facebook profiles. Knowing as a much as possible about these individuals will make the next phase of the attack that much easier.


Attackers weaponize the information found in the previous phase to break in to vulnerable systems through IT infrastructure or by social engineering.

Common Methods:
  • On the IT side, hackers break in through open ports, weak applications, and vulnerable applications. Weak passwords are often the first exploit as they are successful 66% of the time reported by an anonymous pen-tester group.
  • On the social engineering side, attackers use known information to convince users to give up passwords and leak information about systems. In the DNC hack, the targeted user was led to a fraudulent website where they gave up their password and username.


After breaking in, attackers exploit their access to systems and hunt for valuable targets in the IT infrastructure. In some cases they will install malware designed specifically to scan networks and find valuable data. They will create command and control centers enabling communication with malware through backdoors and open ports.  Blackhats are on the lookout for valuable targets such as email archives, credit card data, and customer records.

What is worth protecting at your organization?

Can you list the five most important systems, processes or intellectual properties that require the most security? For companies I work with, this is a highly individualized question.  It could be supplier lists, credit card processing, customer records, engineering plans, or executive communications.  This is where the business impact analysis phase of a business continuity planning program can help you out. Survey your organization broadly to understand what and where the crown jewels are.


Exfiltration is the process that attackers use to capture data and remove it from the IT infrastructure. This can be done all at once or over a period of time.

Common Methods
  • Open network ports, FTP, telnet, port knocking and open back doors in servers or applications. Hackers sometimes breakup the payload into multiple packages so they can stealthily remove data. It could even be offline removal with a flash drive as was alleged in the Edward Snowden case.

Monetization and Media Leaks:

Criminals motivated by money can sell your data on the dark web to the highest bidder.

Common Methods
  • Attackers who are motivated by political reasons deliver data like email archives anonymously to the media or wiki-leaks. Forums on the darkweb exist where hackers trade data for bitcoin with little to no traceable records of transitions.

So where do I start?

Knowing the relentless nature of the attackers where does a security professional start? Don’t start with the tech, put on your bad guy hat and maybe cape then start scheming with the below questions.

  • What are the most valuable assets that I could steal from the organization?
  • How much would someone pay me to upload documents and emails to WikiLeaks?
  • How easy would it be to break in?
  • What IT systems are most vulnerable?
  • Who are the key individuals I should target first to gain access?

Next start mapping your findings to the Kill Chain. By doing this you can start to see the potential attack vectors and create a roadmap that will help you develop the right policies and controls.  For example, If your email archives contain sensitive data, start mapping out which accounts have access to the archive, what kind of authentication is required, map where it is on the network, and find out if it and the backups are encrypted.   Finally, look at your current policies and controls to identify and fill security gaps.

This can be both an eye opening and a daunting task to do alone. If you are looking for a partner to help use the Kill Chain to help find vulnerabilities, get in touch with Micro Focus Services. We can assess your situation, recommend solutions, and start breaking the kill chain, leaving you less vulnerable to attack.

Share this post:

Leave a Reply

Your email address will not be published. Required fields are marked *