The Unified Kill Chain: Part 1

Sun Tzu, in his Art of War, famously wrote that ‘…if you know your enemies and know yourself, you will not be imperiled in a hundred battles’. Considering he literally wrote the book on war, he presumably knew what he was talking about. Nowadays, the battlefield is digital, and every person and business a potential soldier. As such, it is important that you—the lovely, friendly, non-criminal reader of this article—know your enemies—the dastardly, devious cyber criminals—in order to best them.

In this series of articles we will be looking at the various steps of the Unified Kill Chain, a proposed methodology for understanding how cyber attackers go about attacking their targets. In this first part, we will look at a few past attempts to create such a methodology, and the flaws with them.

In 2011, Lockheed Martin released the Cyber Kill Chain framework for describing cyber attacker behaviour. Based on the military concept of the ‘kill chain’ as the necessary steps to be taken in the build-up to and immediate moments after an attack, the framework identifies seven distinct steps. In Reconnaissance and Weaponisation, the attacker feels out their target, identifies a vulnerability and prepares an exploit. Following this come Delivery, Exploitation and Installation, where the exploit is delivered to the victim (perhaps as an email attachment) and executed, installing itself somewhere on the target.

The last two steps are Command & Control, or the establishment of a command channel through which the attacker can control their malware and receive data from it, and Actions on Objectives, in which they do what they came to their victims’ system to do.

Though the framework was initially popular amongst cyber security professionals, it was not without its weaknesses. The first two steps, for example, take place outside of the target’s systems, and so there is a limit to what one can do to protect against them. The chain also stops early, featuring no mention of the post-exploitation cleanup that a savvy attacker will carry out before leaving the compromised system. It has also received some criticism for being overly linear, whereas real attacks are messier and repeat sections of the chain before moving on to the next step.

2013 saw MITRE release their ATT&CK knowledge base. Rather than presenting an ordered list of actions that an attacker will take to compromise and exploit a target, ATT&CK presents eleven elements of a cyber attack, from Initial Access and Persistence to Lateral Movement and Exfiltration. Under these general labels, the framework provides a matrix of specific methods by which an attacker can perform the task in question.

However, this framework also has its issues. As it is intentionally time-agnostic, it does not provide any indication of the order in which an attacker is likely to proceed, only the elements of that process. This can impede a defender’s attempts to work out where in the process they are when they detect an attack in progress, and thus where to direct their efforts in order to stop it.

In the next part of this series, we’ll look at a proposed framework that combines the best bits of the Cyber Kill Chain with the best bits of ATT&CK.
