Introduction : Deciphering Seven Stages of Cyber Kill Chain

Companies are affected by cyber attacks and millions of users are impacted by these incidents. Recent attacks on POS system are reminders to recheck the company’s network for security controls and assess its security posture.

Some questions to consider include – Are there sufficient staff to monitor your network 24 by 7? Do you have the latest version of software? Do you have the visibility of what is sent to the network? Understanding the phases in a cyber attack helps to prepare, detect and respond to suspicious activity in the network.


The Cyber Kill Chain model was developed by Lockheed Martin in 2011 for detection of cyber intrusions in the network. It describes various stages in a cyber attack from defining target, organizing reconnaissance, deployment, intrusion and data exfiltration.


Referencing Target’s security breach in December 2013 helps to better understand the stages of cyber kill chain.


Stage Description Example
Target Definition In this initial planning phase, the intruder picks a person or company.  Looking for a suitable target in any industry – retail, finance, hospitality, hi-tech etc, attacker chooses and identifies a target to launch a reconnaissance campaign. Hackers assess targets in terms of easiest methods of attack and returns on investment of their resources.


In December 2013, Target announced that it was breached and 70 million customer information including credit card details were stolen. Based on publicly available sources, Target had financial damages of more than $ 148 million.



Reconnaissance Hackers learn about your company from outside, through social engineering. They try to understand the target network,identify vulnerabilities and build a profile.

To implement a security control, this phase is hard and tricky to control. Understanding and detecting reconnaissance phase is important.

Using regular external scanners (Internet scanning, external penetration testing) help to understand network component and highlight what hackers would find if the organization’s network would be a target.


In case of Target, it is not known how attackers performed reconnaissance but a simple internet search provides list of Target’s supplier portal, how they interact with the company and a list of HVAC and refrigeration companies.

Weaponization With the information gathered, hackers now devise a tool such as a worm or virus that gains remote access to the company network. Hackers installed Citadel malware in Target’s HVAC vendor through using a phishing email. They prepared a web based backdoor, a malicious script that allowed them to upload files and execute commands. This method of attack by uploading a file and using web application as a door for penetrating into an organization is a popular one.
Delivery The weapon is delivered to target network through emails, file transfer through USB devices, bad websites. Detect early if an intruder is poking around your network.


Some of defensive mechanisms include Email Filtering, web filtering, disable auto play for files from USB devices, scanning USB devices for malware/virus.

The stolen credentials of the vendor enabled access to Target’s web applications.
Exploitation Malware code is executed on victim’s network to exploit vulnerable applications or systems. Detect unauthorized access to your network and prevent important information disclosure. Make sure the software is up-to-date in all the boxes.


Gaining more visibility through SIEM solutions, Endpoint protection and using secure passwords are some of the methods for security controls.

On Target’s web application for vendors, hackers exploited the web application vulnerability. Hackers were able to upload a PHP file leveraging the vulnerability.
Installation The malware creates a backdoor into the network allowing persistence access. Through lateral movement in the network, hackers have now installed malware on the assets.


Log Monitoring through hardware and virtual sensors to monitor logs and sense malicious activity in log information, sensors send alarms to Hacknowledge engineers to investigate.

After running the malicious code, hackers were able to identify specific target in the company’s internal network – The server that contains all the data on active members. Attackers interested to pull data on credit cards, retrieved data on all services including SQL servers and POS systems.
Command & Control


If the threat has come to this phase, then it will be contacting the botmaster in a command and control channel. Outside server communicates with the weapons access to inside network. Attackers sought to gain Domain Admin privileges and once they did, created a new admin account
Exfiltration To achieve their goal of data theft or encryption for ransom, hackers take necessary actions. Hackers sent credit cards data from POS machine to central repository within Target’s network. The malware then copied its local file to a remote share and sent stolen data via FTP.



Security is a matter of trust and honesty, partnering with Hacknowledge simplifies the complexity of cybersecurity threat detection and response . Vision Cyber Management™ is a Hacknowledge Cutting-Edge solution to monitor your network 24×7, detect and respond to threats. Key features and benefits of the solution:

  • Monitor: Cost of security monitoring and sensing technology is significantly less than that of in-house staff or third party solutions.
  • Detect: Reduced false positive events and detection of only a few high probability events.
  • Respond: Immediate alert notification when threats are detected and confirmed.

Professional advice on remediation intrusion.