Connect with us

Hi, what are you looking for?


Incident Response

Cyber Situational Awareness and the Kill Chain

Cyber Kill Chain

Cyber Kill Chain

The concept of the cyber kill chain has done a lot to advance the general understanding of how attacks unfold and how to combat them. The steps – reconnaissance, weaponization, delivery, exploitation, installation, command and control, actions on objectives – each have implications for how, as security professionals, we can strengthen our defenses. Initially these defenses concentrated on the network, and specifically the perimeter. But today, as attacks have increased in sophistication and frequency, it takes more to be a kill chain “killjoy.”

Recent ESG research (“Threat Intelligence as part of Cyber Situational Awareness”) indicates that in response to growing threats, many organizations are investing in threat intelligence programs in order to track “in-the-wild” hacker activities and malware threats. The report encourages CISOs to strive for cyber situational awareness for a better understanding of their entire digital footprint as well as the tactics, techniques, and procedures (TTPs) used by cyber-adversaries. In fact, cyber situational awareness can become a kill chain killjoy, serving as a valuable tool to gather intelligence about adversaries’ actions and our vulnerabilities and to thwart attacks.

Cyber Threat Kill Chain Diagram

Take for example, the first step in the kill chain – reconnaissance. An adversary surveys the target and seeks out weaknesses, potential vectors, and other information to assist with an attack. Organizations traditionally address this step in a number of ways, including firewall or proxy logs, honeypots and network-based intrusion detection systems (NIDS). But, unfortunately, these only aim to detect threats that directly target the perimeter network and fail to address other important threats, such as data that already found a way outside the organization through many different means, including:

• Stolen credentials available on sites, such as Pastebin

• Sensitive documents being openly shared on the web due to misconfigured, consumer-grade storage devices or public folders in cloud storage sites like Dropbox that might reveal sensitive internal information

• Proprietary source code and admin passwords that somehow find their way on code sharing sites, such as GitHub

• Social media platforms that can potentially provide a gold mine of information that threat actors could use to craft a spear phishing campaign

In conjunction with the increased attack surface, there is also the threat landscape to consider and the range of actors who are potentially discussing plans regarding attacks against an organization. Hacktivists often do this publically, but criminals and nation states are much more covert. Being able to understand who is being attacked and why can be valuable for an organization, as it assists with appreciating the wider threat and taking a more strategic outlook to their security. These are all insights which cyber situational awareness can provide.

Advertisement. Scroll to continue reading.

Reconnaissance is followed by weaponization. Depending on the type of threat you are dealing with, this can be anything from an easily available and simple to use exploit, up to the crafting and deployment of a zero-day vulnerability. Honeypots, sandboxes and NIDS all help to this end but, again, they only attempt to deal with the threats as they hit directly the organization, sometimes too little too late. Cyber situation awareness helps to discover the TTPs being used across the threat landscape, or discussed and traded online, in order to prepare for and provide mitigations.

Once the attack is launched and inside the network – the delivery, exploitation, installation, command and control, and actions on objectives stages – there are many effective security controls that help. But these can and should be supplemented with information from outside the organization to assess their effectiveness. For example, in the case of a Data Loss Prevention (DLP) solution, proxy or firewall, you need to be able to look outside of the organization to determine if the data these tools are trying to protect has been breached. This practice can provide indications that sensitive data is being sold on criminal forums or leaked on paste sites. Similarly, it can offer assessments on the credibility of the actors making claims of responsibility.

From an attacker’s perspective, this is where the kill chain ends, but not for defenders. The kill chain can, and should, flow into a cycle, where an organization can learn lessons from an attack and ensure that future attempts at reconnaissance cannot use the same information, thereby reducing the attack surface.

Cyber situational awareness can truly be a kill chain killjoy. By viewing the kill chain through that lens, organizations can have the confidence that they understand their attack surface, they know which TTPs could be used against them and, should data find its way online, they can quickly discover it and mitigate the risks.

Related Reading: Breaking the Cyber Kill Chain

Written By

Alastair Paterson is the CEO and co-founder of Harmonic Security, enabling companies to adopt Generative AI without risk to their sensitive data. Prior to this he co-founded and was CEO of the cyber security company Digital Shadows from its inception in 2011 until its acquisition by ReliaQuest/KKR for $160m in July 2022. Alastair led the company to become an international, industry-recognised leader in threat intelligence and digital risk protection.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.


People on the Move

Satellite cybersecurity company SpiderOak has named Kip Gering as its new Chief Revenue Officer.

Merlin Ventures has appointed cybersecurity executive Andrew Smeaton as the firm’s CISO-in-Residence.

Retired U.S. Army General and former NSA Director Paul M. Nakasone has joined the Board of Directors at OpenAI.

More People On The Move

Expert Insights