The idea of the cyber kill chain was first developed by Lockheed Martin more than a decade ago. The basic idea is that attackers perform reconnaissance, find vulnerabilities, get malware into victim systems, connect to a command-and-control (C2) server, move laterally to find juicy targets, and finally exfiltrate the stolen data.
Attackers can be caught at any point in this process and their attacks thwarted, but this framework missed many types of attacks right from the start. Today it is becoming even less relevant. “The cyber kill chain was a great way to break down the classic steps in a breach,” says Michael Salihoglu, cybersecurity managing consultant at Crowe, a public accounting, consulting, and technology firm. It was also a useful tool for defenders to help them come up with strategies to stop the attacks at each point in the chain.
“It does fall short in the modern age,” Salihoglu says, “and it had some failings at its inception.” For example, the cyber kill chain isn’t as good at helping enterprises defend against new single-step breaches like open Amazon S3 buckets, against DDoS attacks, or against attacks on third parties where there was little or no visibility into what the attacker is doing.