Skip to main content


How the Cyber Kill Chain Can Help You Protect Against Attacks

If you’ve been involved in cybersecurity for any period of time, you’ve likely heard of the concept of defense in depth security strategies. The general idea behind defense in depth is that there is no ‘silver bullet’ security measure that can fully protect our networks, so we seek to deploy a series of administrative, technical, and physical security controls that work in concert to make our security posture acceptable.

Since we know that you cannot mitigate 100% of risk (not just in terms of cybersecurity, but for anything), defense in depth strategies focus on a layered approach to security. If you put numerous layers of security in place at different points in the flow of data, you stand a better chance to prevent, disrupt, or mitigate an attack.

Think of the defense in depth approach as building a medieval castle. The concept of securing a castle takes an inside-out approach. The most important things (royal family, crown jewels, etc.) are located in the center of the castle, surrounded by layers of security – including rooms, walls, gates, guards, towers, the moat, and a drawbridge – all designed to keep out the people that shouldn’t be in and to keep safe those that should be there.



Defense in Depth Model

Figure 1 – Defense-in-Depth Model from ISACA and David Eduardo Acosta



But what mechanisms do we have that tell us we’ve developed a strong layered-security approach to security at our organization? Can our risk assessments provide this type of information? Perhaps.

The controls in your IT Risk Assessment likely have control mappings to various security standards that point to what type of control they represent (i.e., technical, physical, or administrative), though useful reporting on how those controls provide holistic protection may be limited.

If you’re using the FFIEC’s Cybersecurity Assessment Tool, the sub-domains under Domain 3: Cybersecurity Controls include controls identified as preventative, detective, corrective. But does that go far enough to help you understand if you’ve truly got appropriate layered security?

Perhaps you’re using NIST’s Cybersecurity Framework (CSF). This framework expands beyond the FFIEC CAT and perhaps provides the best look at layered security using it’s five functions: identify, detect, protect, respond, recover. But most financial institutions aren’t using NIST CSF for lack of automation, not to mention it isn’t mapped to the FFIEC guidance to which financial institutions are regulated.

So what do you do? Do you enhance an existing assessment you’re already doing in an effort to provide additional analysis on defense in depth strategies? Sure, that’s a possibility, but it’s going to be more work, and effectiveness will depend on the maturity and measurement of your risk management processes.

But what if there’s an easier way?



Enter, the Cyber Kill Chain

The Cyber Kill Chain, developed by Lockheed Martin, is designed to assist organizations in developing defense in depth strategies to combat the Advanced Persistent Threat by mapping controls to the steps an attacker must go through to successfully execute a cyber attack. Lockheed Martin provides the following seven steps and general definitions:

  1. Reconnaissance: Harvesting email addresses, selecting targets, gathering information, OSINT, etc.
  2. Weaponization: Coupling exploitation of vulnerabilities with remote-access malware into a deliverable payload
  3. Delivery: Sending a weaponized bundle to the victim via email, web, USB, etc.
  4. Exploitation: Once delivered, exploiting a vulnerability to execute code on a victim’s system
  5. Installation: Installing remote-access malware on the target asset (workstation, server, website, etc.)
  6. Command & Control: External command channel for remote access and manipulation of the victim asset(s)
  7. Actions on Objectives: Once remote access has been achieved and an attacker is inside the target network, the true objective can be accomplished (data exfiltration, destruction, intrusion of another target, etc.)

For our purposes, we’ll also add one more layer:

  1. Exfiltration: Removing data from the victim’s assets



Phases of the Intrusion Kill Chain

Figure 2: Original Lockheed Martin Cyber (Intrusion) Kill Chain



To apply the Cyber Kill Chain, Lockheed Martin provides the following layers of control implementation:

  • Detect: Determine when and how an attacker is performing recon against your organization or network
  • Deny: Stop the attack from occurring by preventing information disclosure or unauthorized access
  • Disrupt: Change or stop the flow of information or exfiltration of data to the attacker
  • Degrade: Limit the effectiveness or efficiency of an attack
  • Deceive: Interfere with an attack using misdirection or misinformation

For our purposes, we’ll add one more layer:

  • Contain: Limit the scope of an attack to particular segments of your network or organization



Cyber Kill Chain Controls Matrix

The below illustrated Cyber Kill Chain Controls Matrix is designed to identify the controls that your organization has implemented at different phases of an attack, as well as how the control will help to disrupt the flow of, halt, or eradicate a cyberattack.

Please note: the list of controls in this Cyber Kill Chain Controls Matrix is intended to be a template for application purposes. Each institution will want to place their own controls in each respective category to fit their individual needs.


Kill Chain Matrix

Figure 3: Cyber Kill Chain Controls Matrix


There you have it; it’s that simple!  The identified controls should already be present in your IT Risk Assessment. The Cyber Kill Chain simply provides a visual representation of your defense in depth strategy development and assists in enhancing said strategy. If you identify an area in which you’re lacking – detection, for example – you can concentrate on making sure you have controls in place to tell if an attacker is targeting your organization in the first place.

Some areas will contain more controls than others, especially in less mature organizations that don’t have the ability to deceive an attacker, for example. If you don’t have the capabilities to set up and manage a honeypot or DNS Redirect, that’s ok. But understanding those additional controls or simply talking with your MSP or MSSP and asking how they can help you become more mature in areas you’re lacking can be very beneficial.

HINT: The Cyber Kill Chain Controls Matrix also fits extraordinarily well into your Incident Response Plan.



Measuring the Cyber Kill Chain

As you mature your Cyber Kill Chain controls, the next step is to measure the effectiveness of these controls. How do you measure the Cyber Kill Chain? Testing, of course!

The example below from Lockheed Martin highlights a handful of different campaigns (tests) simulating real-world attacks, and whether or not the controls identified to detect, deny, disrupt, deceive, degrade, or contain were effective. Be sure to not the “Future Proposed” columns on the right, which highlight controls you might be putting into place in the future to help close any known gaps.


Cyber Kill Chain Controls Scorecard

Figure 4: Lockheed Martin – Measuring Cyber Kill Chain Effectiveness Scorecard



If Someone Was In Your Network, Would You Know?

The #1 question to ask yourself (or your organization) regarding information or cybersecurity is this: “If someone was in your network, would you know?”

If you can’t answer that question without breaking out into a cold sweat, it’s time to take action! The Cyber Kill Chain is one of a great many tools that can help your organization sleep better at night and make it significantly more difficult for an attacker to access your network or data.


Written by: Cody Delzer
VP, IS Consultant 
- SBS CyberSecurity, LLC


SBS Resources:

  • {Solution} Cyber-RISK: Automate your FFIEC cybersecurity assessment with Cyber-RISK™. This web-based software is based directly on FFIEC recommendations but goes beyond a simple spreadsheet. Cyber-RISK is offered free of charge to any financial institution looking to efficiently complete their cybersecurity assessment.
  • {Solution} TRAC: An integrated cybersecurity risk management solution that automates and centralizes the tedious risk assessment process, providing relevant and quantifiable results. Trust your results with a proven, time-tested risk assessment model that has led organizations through thousands of successful exams. TRAC modules include


Related Certifications:

Join our growing community of financial service professionals showing their commitment to strong cybersecurity with a cyber-specific certification through the SBS Institute. Click here to view a full list of certifications.

Certified Banking Security Technology Professional

Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours are aimed to meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.

Posted: Friday, August 23, 2019
Categories: Blog