Basics Of Cyber Kill Chain Model

Cyber Kill Chain Model 

In military strategy, a 'Kill Chain' is a phase model to describe the stages of an attack, which also helps inform ways to prevent attacks

  • Situational Awareness - Ability to identify what is happening in the networks and system landscape
  • Reconnaissance - Identification and selection of the target/s host or network by active scanning
  • Weaponization & delivery - Transmission / Inject of the malicious payload in to the target/s
  • Lateral Movement - Detect, exploit and compromise other vulnerable hosts
  • Data Exfiltration - Steal and exhilarate data
  • Persistency - Establish a foothold in the corporate network

Situational Awareness

  • Outbound protocols
  • Outbound protocols by size
  • Top destination Countries
  • Top destination Countries by size


  • Port scan activity
  • ICMP query

Weaponization & delivery

  • Injection
  • Cross Site Scripting
  • Cross Site Request Forgery
  • Failure to Restrict URL
  • Downloaded binaries
  • Top email subjects
  • Domains mismatching
  • Malicious or anomalous Office/Java/Adobe files
  • Suspicious Web pages (iframe + [pdf|html|js])

Lateral Movement

  • Remove or add account
  • Remote WMI communications
  • Remote Group Policy Editor
  • Remote Session Communications (during outside working hours?)
  • Antivirus terminated

Data Exfiltration

  • Upload on cloud storage domains
  • Suspicious HTTP Methods (Delete, Put)
  • Uploaded images
  • FTP over non standard port
  • IRC communication
  • SSH | ICMP Tunneling


  • Unusual User Agents
  • Outbound SSL VPN
  • Outbound unknown

E-mail me when people leave their comments –

CISO Platform

You need to be a member of CISO Platform to add comments!

Join CISO Platform

CISO Platform

A global community of 5K+ Senior IT Security executives and 40K+ subscribers with the vision of meaningful collaboration, knowledge, and intelligence sharing to fight the growing cyber security threats.

Join CISO Community Share Your Knowledge (Post A Blog)



CISO Breakfast at BlackHat Las Vegas 2024!

  • Description:

    We are thrilled to invite you to the CISO Breakfast at BlackHat 2024. 

    CISOPlatform is a community partner for the event which is co-hosted by Silicon Valley Bank, Stage One, First Rays Venture Partners, Latham & Watkins.


    Event Details: 

    • Date: Thursday, August 8th,…
  • Created by: pritha
  • Tags: blackhat usa, las vegas, ciso breakfast, usa