
Cyber Situational Awareness and the Kill Chain


The concept of the cyber kill chain has done a lot to advance the general understanding of how attacks unfold and how to combat them. The steps – reconnaissance, weaponization, delivery, exploitation, installation, command and control, actions on objectives – each have implications for how, as security professionals, we can strengthen our defenses. Initially these defenses concentrated on the network, and specifically the perimeter. But today, as attacks have increased in sophistication and frequency, it takes more to be a kill chain “killjoy.”

Recent ESG research (“Threat Intelligence as part of Cyber Situational Awareness”) indicates that in response to growing threats, many organizations are investing in threat intelligence programs in order to track “in-the-wild” hacker activities and malware threats. The report encourages CISOs to strive for cyber situational awareness for a better understanding of their entire digital footprint as well as the tactics, techniques, and procedures (TTPs) used by cyber-adversaries. In fact, cyber situational awareness can become a kill chain killjoy, serving as a valuable tool to gather intelligence about adversaries’ actions and our vulnerabilities and to thwart attacks.

Cyber Threat Kill Chain Diagram

Take, for example, the first step in the kill chain – reconnaissance. An adversary surveys the target and seeks out weaknesses, potential vectors, and other information to assist with an attack. Organizations traditionally address this step in a number of ways, including firewall or proxy logs, honeypots and network-based intrusion detection systems (NIDS). Unfortunately, these only aim to detect threats that directly target the perimeter network and fail to address other important threats, such as data that has already found its way outside the organization through many different means, including:

• Stolen credentials available on sites, such as Pastebin

• Sensitive documents being openly shared on the web due to misconfigured, consumer-grade storage devices or public folders in cloud storage sites like Dropbox that might reveal sensitive internal information

• Proprietary source code and admin passwords that somehow find their way onto code-sharing sites, such as GitHub

• Social media platforms that can potentially provide a gold mine of information that threat actors could use to craft a spear phishing campaign
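As an added example (not from the article), the following Python flags the kind of leaked-credential exposure described in the first bullet: it scans a constructed paste-dump sample for accounts on the organization's own e-mail domains and keeps only a password fingerprint, so the resulting report can drive forced resets without re-circulating the secret. The domains and sample lines are assumptions.

```python
import hashlib
import re
from dataclasses import dataclass

# Hypothetical organization e-mail domains (assumption, not from the article).
ORG_DOMAINS = {"example.com", "corp.example.com"}

# Constructed paste-site dump: mixed separators, noise lines, third-party accounts.
SAMPLE_PASTE = """\
# combo list dump (constructed sample)
alice@example.com:Winter2023!
bob@corp.example.com;hunter2
carol@othercompany.org:letmein
not a credential line
dave@example.com , Pa55word
eve@EXAMPLE.COM:Spring2024
"""

# One "email <sep> password" pair per line; separators seen in combo lists: : ; , |
CRED_RE = re.compile(
    r"^\s*([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})\s*[:;,|]\s*(\S+)\s*$"
)

@dataclass(frozen=True)
class LeakedAccount:
    email: str            # lower-cased address belonging to the organization
    pw_fingerprint: str   # SHA-256 prefix of the leaked password; plaintext is never stored

def find_org_credentials(paste_text: str, org_domains=ORG_DOMAINS) -> list[LeakedAccount]:
    """Return org accounts that appear with a password in a paste dump (deduplicated)."""
    domains = {d.lower() for d in org_domains}
    hits, seen = [], set()
    for line in paste_text.splitlines():
        m = CRED_RE.match(line)
        if not m:
            continue                      # noise, banners, malformed lines
        email, password = m.group(1).lower(), m.group(2)
        if email.rsplit("@", 1)[1] not in domains:
            continue                      # somebody else's users; not our incident
        fp = hashlib.sha256(password.encode()).hexdigest()[:12]
        if (email, fp) not in seen:
            seen.add((email, fp))
            hits.append(LeakedAccount(email, fp))
    return hits

if __name__ == "__main__":
    for hit in find_org_credentials(SAMPLE_PASTE):
        print(f"force reset: {hit.email} (pw fingerprint {hit.pw_fingerprint})")
```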


In conjunction with the increased attack surface, there is also the threat landscape to consider and the range of actors who are potentially discussing plans regarding attacks against an organization. Hacktivists often do this publicly, but criminals and nation states are much more covert. Being able to understand who is being attacked and why can be valuable for an organization, as it assists with appreciating the wider threat and taking a more strategic outlook on its security. These are all insights which cyber situational awareness can provide.

Reconnaissance is followed by weaponization. Depending on the type of threat you are dealing with, this can be anything from an easily available, simple-to-use exploit up to the crafting and deployment of an exploit for a zero-day vulnerability. Honeypots, sandboxes and NIDS all help to this end but, again, they only attempt to deal with threats as they directly hit the organization, which is sometimes too little, too late. Cyber situational awareness helps to discover the TTPs being used across the threat landscape, or discussed and traded online, in order to prepare for them and provide mitigations.

Once the attack is launched and inside the network – the delivery, exploitation, installation, command and control, and actions on objectives stages – there are many effective security controls that help. But these can and should be supplemented with information from outside the organization to assess their effectiveness. For example, in the case of a Data Loss Prevention (DLP) solution, proxy or firewall, you need to be able to look outside of the organization to determine if the data these tools are trying to protect has been breached. This practice can provide indications that sensitive data is being sold on criminal forums or leaked on paste sites. Similarly, it can offer assessments on the credibility of the actors making claims of responsibility.

From an attacker’s perspective, this is where the kill chain ends, but not for defenders. The kill chain can, and should, flow into a cycle, where an organization can learn lessons from an attack and ensure that future attempts at reconnaissance cannot use the same information, thereby reducing the attack surface.

Cyber situational awareness can truly be a kill chain killjoy. By viewing the kill chain through that lens, organizations can have the confidence that they understand their attack surface, they know which TTPs could be used against them and, should data find its way online, they can quickly discover it and mitigate the risks.
