Cyber Kill Chain Model 

In military strategy, a 'Kill Chain' is a phase model to describe the stages of an attack, which also helps inform ways to prevent attacks

  • Situational Awareness - Ability to identify what is happening in the networks and system landscape
  • Reconnaissance - Identification and selection of the target/s host or network by active scanning
  • Weaponization & delivery - Transmission / Inject of the malicious payload in to the target/s
  • Lateral Movement - Detect, exploit and compromise other vulnerable hosts
  • Data Exfiltration - Steal and exhilarate data
  • Persistency - Establish a foothold in the corporate network

Situational Awareness

  • Outbound protocols
  • Outbound protocols by size
  • Top destination Countries
  • Top destination Countries by size


  • Port scan activity
  • ICMP query

Weaponization & delivery

  • Injection
  • Cross Site Scripting
  • Cross Site Request Forgery
  • Failure to Restrict URL
  • Downloaded binaries
  • Top email subjects
  • Domains mismatching
  • Malicious or anomalous Office/Java/Adobe files
  • Suspicious Web pages (iframe + [pdf|html|js])

Lateral Movement

  • Remove or add account
  • Remote WMI communications
  • Remote Group Policy Editor
  • Remote Session Communications (during outside working hours?)
  • Antivirus terminated

Data Exfiltration

  • Upload on cloud storage domains
  • Suspicious HTTP Methods (Delete, Put)
  • Uploaded images
  • FTP over non standard port
  • IRC communication
  • SSH | ICMP Tunneling


  • Unusual User Agents
  • Outbound SSL VPN
  • Outbound unknown

Views: 679

Join the Discussion ...

You need to be a member of CISO Platform to join the discussion!

Join CISO Platform

© 2019   Created by CISO Platform.   Powered by

Badges  |  Report an Issue  |  Privacy Policy  |  Terms of Service