The Internal Cyber Kill Chain Model

Figure A.

In military parlance, a “Kill Chain” is a phase-based model to describe the stages of an attack, which also helps inform ways to prevent such attacks. These stages are referred to as:

  1. Find
  2. Fix
  3. Track
  4. Target
  5. Engage
  6. Assess

Ideally, the further towards the beginning of the Kill Chain an attack can be stopped, the better. The less information an attacker has, for instance, the less likely someone else can use that information to complete the attack at a later date.

The Cyber Kill Chain is a similar idea, put forth by Lockheed Martin, that describes the phases of a targeted attack. Likewise, these phases can be used to protect an organization’s network. The stages are:

  1. Reconnaissance
  2. Weaponization
  3. Delivery
  4. Exploit
  5. Installation
  6. Command & Control
  7. Actions

In essence, it’s a lot like a stereotypical burglary — the thief will perform reconnaissance on a building before trying to infiltrate it, and then go through several more steps before actually making off with the loot. Using the Cyber Kill Chain to keep attackers from stealthily entering your network requires quite a bit of intelligence and visibility into what’s happening in your network. You need to know when something is there that shouldn’t be, so you can set the alarms to thwart the attack.

Another thing to keep in mind is the closer to the beginning of the chain you can stop an attack, the less costly and time-consuming the cleanup will be. If you don’t stop the attack until it’s already in your network, you’ll have to fix those machines and do a whole lot of forensics work to find out what information they’ve made off with.

Lockheed Martin recently released details of its own success using a kill chain tactic to stop someone who had intruded on its network. It’s not just something that applies to government contractors or giant corporations, though it does take quite a bit of work if you’re not already set up to gather a whole lot of data about your digital resources.

Let’s look at the various stages to determine what questions you should be asking yourself to decide whether it’s feasible for your organization.

Reconnaissance: Viewing Your Network from the Outside

This is the stage where the criminals are trying to decide what are (and are not) good targets. From the outside, they try to find out what they can about your resources and your network to determine whether it is worth the effort. Ideally, they would like a target that is relatively unguarded and with valuable data. What information the criminals can find about your company, and how it might be used, could surprise you.

Companies often have more information available than they realize. Are names and contact details of your employees online? (Are you sure? Think social networks too, not just your own corporate website.) These could be used for social engineering purposes, say, for getting people to divulge usernames or passwords. Are there details about your web servers or physical locations online? These could be used for social engineering too, or to narrow down a list of possible exploits that would be useful to break into your environment.

This is a very tricky layer to try to control, particularly with the popularity of social networking, but it’s also a fairly low-cost layer. Hiding sensitive information tends to be a fairly inexpensive change, though being thorough about finding the information can be time-intensive.

Weaponization, Delivery, Exploit, Installation: Attempting to Enter

These stages are where the criminals craft a tool to attack their chosen target, using the information they have gathered, and put it to malicious use. The more information they can use, the more compelling a social engineering attack can be. They could use spear-phishing to gain access to internal corporate resources with the information they found on your employee’s LinkedIn page. Or they could put a remote access Trojan into a file that appears to have crucial information on an upcoming event in order to entice its recipient into running it. If they know what software your users or servers run, including OS version and type, they can increase the likelihood of being able to exploit and install something within your network.

These layers of defense are where your standard security wonk advice comes in. Is your software up to date? (No really, all of it, on every machine. Most companies have that one box in some back room that is still running Windows 98. If it’s ever connected to the Internet, it’s like having a welcome mat outside your door.)

Do you use email and web filtering? Email filtering can be a good way to stop common document types that are used in attacks. If you require that files be sent in a standard way, such as in a password-protected ZIP archive, this can help your users know when files are being sent intentionally. Web filtering can help keep users from going to known bad sites or domains.

Have you disabled auto-play for USB devices? Giving files the chance to run without approval is seldom a good idea from a security perspective. It’s better to give the user a chance to stop and think about what they’re seeing before it launches. Do you use AV software with more-advanced functionality like IPS? While AV software is not intended to deal with brand-new targeted attacks, it can sometimes catch threats based on known suspicious behavior or known software exploits.

Command & Control: The Threat is Checking In

Once a threat has got into your network, its next task will be to phone home and await instructions. This may be to download additional components, but more likely it will be contacting a bot-master in a Command & Control (C&C) channel. Either way, this requires network traffic, which means there is only one question to ask yourself here: Do you have a firewall that is set to alert on all new programs contacting the network?

If the threat has gotten this far, it’s made changes to the machine and is going to require a lot more work from IT staff. Some companies or industries require that forensics be done on the affected machines to determine what data has been stolen or tampered with. And those affected machines will either need to be cleaned or reimaged — it can be less costly and time-consuming if the data has been backed up and there is a standard corporate image that can be quickly replaced onto the machine.

Actions: Time to Wreak Havoc

What the threat does at this point is entirely up to the attacker. It may steal data, it may spew spam or DDoS traffic, or it may steal CPU cycles for other purposes. If the threat has gotten this far, you can count on having to do all the work from the previous stages, but on a larger scale. It may have gone from one machine within the network to many (or all) of the machines in your network, and it may have done a lot more damage or stolen a whole lot more data. If nothing has detected the file at this point, you may be dealing with an “Advanced Persistent Threat,” which is a fancy way of saying that sufficient security measures were not in place to detect the threat.

Reversed Cyber Kill Chain Model

As I was researching and working through the Classic Cyber Kill Chain Model, I was reading an article about a new Cyber Kill Chain Model that predicted activities in the event that an attack occurred from the inside out by an internal nefarious actor, such as a disgruntled or disloyal employee.

In the article, they spoke about an employee who was looking for a new job and exfiltrating data to take with them for the purpose of sharing with a new employer, and an employee who was exfiltrating data for the purpose of personal gain by selling the data on the dark web or to some other purchaser. In both scenarios, the Classic Cyber Kill Chain will not fit the model needed to detect and deter such actions.

In the process of designing a model that may satisfactorily detect or deter such actions, I started by reversing the Classic Cyber Kill Chain Model, but when I did that the results were less than desirable.

Figure B.

As I was looking at the Classic Model and the Reversal of the Classic Model, what I found was that only 2 steps out of 7 apply in a scenario where an internal actor is attempting to steal data from a company where they already have physical access and some level of data or network access. The first and the last steps were the only somewhat applicable steps.

I also applied the Classic Kill Chain Model to a scenario where an outside actor (True Hacker) worked with an internal actor (employee), and the Reversed Cyber Kill Chain Model seemed to fit that scenario best, simply because instead of the outside actor having to recon the external network, they could simply weaponize (the package) and pass the weaponized files to the inside actor for delivery. Once delivery occurs, the package could self-exploit, install and reach out via C2 to gather instructions for requested actions to be taken. The internal actor could be available in case there were any glitches or to overcome any internal IT detection and remediation efforts. However, correctly written APT malware is going to propagate in such a way as to thwart any IT effort to remediate the exploit.

A New Internal Cyber Kill Chain Model

The article talks heavily about the comparison of reactive vs. proactive approaches to network security. The goal is to stop a potential attack in progress before damage is done, which is nearly impossible in the event of most attacks. Most attacks are carried out through phishing, which means that most attacks are allowed into the network by an unknowing accomplice. In the article, writer Ryan Stolte breaks down the internal actors by categorizing them as Flight Risks and Persistent Insiders.

“Flight Risks: Employees looking to leave the company elevate the risk of data loss. They tend to be less sophisticated and exhibit less cautious behavior on their way out. The kill chain–style reactive risk model begins with looking for early indicators — for example, if an employee frequently visits job search websites, something he or she typically would not do. However, even if employees are visiting those kinds of websites, that doesn’t necessarily mean they are a threat. They become a potential threat when they move to the next stage when, for example, they upload unusually large encrypted files to cloud storage at odd working hours.

A combination of those two stages — an employee has repeatedly visited job search websites and has uploaded an unusually large file at odd working hours — is a good indication that the person is a flight risk and must be closely monitored. The next stage entails the employee aggressively trying to pull sensitive data off the network. He may attempt to email sensitive data to an outside address, get blocked, and continue to try other methods until he succeeds.

The goal of this kill chain–style risk model is to identify people who are flight risks and approach them before the exfiltration occurs. Or if they do exfiltrate data, identify the activity and stop them before they cause real damage to the company.

Persistent Insiders: Unlike flight risks, these threats are more sophisticated insiders who have no intention of leaving the organization. They repeatedly look for whatever sensitive data they can get their hands on to hurt the organization and/or sell for profit. Organizations won’t see these employees looking at job search websites. Instead, they will visit websites where they can circumvent web proxies. These are websites that allow them to hide and then jump to the Dark Web, for example, to move data and bypass controls.

The next stage of the chain is when they persistently try logging into systems to which they typically do not have access. They quietly “jiggle doors” looking for sensitive data that is outside the scope of their, their peers’, and overall team’s role.

Combining these two stages — visiting suspicious websites and jiggling doors — are good examples that indicate a person may be a persistent threat. The next stage is when the person acts. For example, on a regular basis, s/he may encrypt small amounts of sensitive data and exfiltrate it outside the network. By breaking the data down into small amounts, the person aims to evade detection, and by encrypting it, makes it even more difficult because the company cannot see what’s inside.”
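The staged correlation described in the quoted passage can be sketched as detection logic. This is an added example, not code from the original article or from the quoted author; the event kinds, field names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Thresholds are assumptions for this sketch; tune them to your own baseline.
LARGE_UPLOAD = 500 * 2**20    # bytes treated as "unusually large"
WORK_HOURS = range(7, 20)     # hours outside this range count as "odd"
# Events needed before stage 1, 2 and 3 count as reached, per profile.
NEEDED = {"flight_risk": (3, 1, 2), "persistent_insider": (3, 3, 3)}

def signals(kind, hour, f):
    """Yield (profile, stage) pairs that one normalized event supports."""
    if kind == "web" and f["category"] == "job-search":
        yield "flight_risk", 1
    elif kind == "web" and f["category"] == "proxy-avoidance":
        yield "persistent_insider", 1
    elif kind == "auth" and f["result"] == "denied" and not f["in_role"]:
        yield "persistent_insider", 2          # "jiggling doors"
    elif kind == "dlp" and f["action"] == "blocked":
        yield "flight_risk", 3                 # blocked, then tried again
    elif kind == "upload" and f["encrypted"]:
        if f["bytes"] < LARGE_UPLOAD:
            yield "persistent_insider", 3      # small encrypted pieces
        elif hour not in WORK_HOURS:
            yield "flight_risk", 2

def assess(events):
    """Return {user: {profile: highest stage reached with no stage skipped}}."""
    counts = defaultdict(int)
    for ts, user, kind, f in events:
        for profile, stage in signals(kind, datetime.fromisoformat(ts).hour, f):
            counts[user, profile, stage] += 1
    result = defaultdict(dict)
    for user in sorted({e[1] for e in events}):
        for profile, needed in NEEDED.items():
            stage = 0
            while stage < 3 and counts[user, profile, stage + 1] >= needed[stage]:
                stage += 1
            if stage:
                result[user][profile] = stage
    return dict(result)

# Constructed sample events (not real telemetry): (timestamp, user, kind, fields)
JOB, PROXY = {"category": "job-search"}, {"category": "proxy-avoidance"}
DENIED = {"result": "denied", "in_role": False}
BIG = {"encrypted": True, "bytes": 2 * 2**30}
EVENTS = (
    [(f"2024-03-0{d}T10:15", "alice", "web", JOB) for d in (4, 5, 6)]
    + [("2024-03-07T02:30", "alice", "upload", BIG)]
    + [(f"2024-03-08T09:0{m}", "alice", "dlp", {"action": "blocked"}) for m in (1, 4)]
    + [(f"2024-03-0{d}T12:00", "bob", "web", JOB) for d in (4, 5, 6, 7)]
    + [(f"2024-03-0{d}T16:40", "carol", "web", PROXY) for d in (4, 5, 6)]
    + [(f"2024-03-07T17:0{m}", "carol", "auth", DENIED) for m in (1, 2, 3)]
    + [("2024-03-07T03:00", "dave", "upload", BIG)]
)

if __name__ == "__main__":
    for user, profiles in assess(EVENTS).items():
        print(user, profiles)
```

A lone late-night upload with no earlier indicator (the constructed user dave) is not escalated here, matching the passage's point that it is the combination of stages that matters.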

While many Security Experts tend to stick with the Classic Cyber Kill Chain Model regardless of the origination of the attack or the method by which the attack is carried out, I do not subscribe to this thought process. I tend to think, and have personally experienced, that an entirely different process is taken by an internal actor.

Figure C.

Regardless of whether the internal actor is a “flight risk” or a “persistent actor,” the process is the same for an internal attack. The steps listed above in Figure C are used on an as-needed basis, so not every actor will utilize every step of the model.


Reconnaissance is a requirement. Every hacker will tell you that research is an absolute necessity to know:

  A. Where the target is located.
  B. How to gain access to the target.
  C. What data the target offers.

It’s no different with an internal actor. The internal actor must know:

  A. How to gain access to the data they want to exfiltrate.
  B. How they want to exfiltrate the data once they gain access.
  C. What file format the data will be in.
  D. Whether it is database only, a document, Excel files, etc.
  E. Whether it should be compressed, and whether it can be compressed.
  F. Whether encryption keys are required to open the files in the interface application once the data is exfiltrated.
  G. Whether the data can be broken down into smaller “chunks” so that it is less noticeable if it is exfiltrated via the internet.
  H. Whether the actor can reach the exfiltration point from the company’s network without having to create a VPN to bypass proxies.
  I. Whether the actor can utilize a thumb drive to exfiltrate the data, or whether the IT department monitors for thumb drives being plugged in.


In order for the actor to carry out the attack, they must gain access to the data they wish to steal if they don’t have access based on their corporate credentials. To do this, the actor must assess:

  A. What protections are in place from the IT team to prevent them from gaining access to data that they do not have permission to access.
  B. Who has access, through their corporate credentials, to the data the actor wants to exfiltrate.
  C. Once the user with the appropriate access has been identified, how the actor can gain access to the credentials of said user.
  D. Whether it is possible for the actor to request credentials from the IT department and, if so, how closely the credentials are monitored or audited.


Once the actor has access to the target data, they can aggregate it and prepare it for exfiltration. This is the point at which the actor must know how to extract the target data from the database systems. It is much easier if the actor is stealing non-database files; however, there are utilities that will assist with exporting database data. Once the target data is aggregated, the actor can then prepare the data for assembly and encryption.


This is the step where the actor prepares the data for exfiltration, such as:

  A. Migrating the data to a thumb drive if exfiltrating via temporary storage.
  B. This step can also be combined with the next step if the actor is encrypting the data before exfiltration.
  C. Preparing the data to be sent across the internet via a secure connection if uploading to an offsite storage location.
  D. Creating and depositing the target data to an FTP site within the corporate network if that is an option.


This step is usually used with the previous step “Assembly” but can be used separately if the assembly stage is not necessary.


It is absolutely necessary for the actor to cover their tracks in today’s IT environment.

The actor will most likely utilize credentials that belong to someone else, or credentials that are shared amongst several users, as this will make it more difficult to trace the attack to the actor. Alternative options are to recon the location of the log files so that the actor can delete or manipulate the logs to remove proof of the exfiltration.


This is the actual act of removing the target data from the premises of the company. Exfiltration can occur in a number of ways. We have covered a majority of them earlier in the article; however, here is a list that is not all-inclusive:

  • Thumb Drive
  • External Hard Drive
  • Personal Computer that is allowed to access the network domain.
  • External Storage such as OneDrive, Dropbox or other CDN type storage location.
  • Storage via the dark web.
  • Direct to a buyer.
  • DNS Tunneling Data Exfiltration.
  • SSH and SSL Data Exfiltration via a proxy server to a location of the actor’s choosing.
  • FTP & TFTP from an FTP location in the corporate network.
  • Email, SMTP port exfiltration.
  • Data Dump to Cloud Services or Hosting Platform.

A smart actor is going to exfiltrate target data slowly and/or on a timed basis to minimize the likelihood of detection by monitoring systems or by people. The actor should also exfiltrate target data at times when the exfiltration is least likely to show up as something out of the ordinary. For example, exfiltration in the middle of the night may be faster but may draw attention to itself, while doing so during times of moderate traffic will make detection via monitoring systems less likely and more difficult. In my opinion, when an actor wants something, there is always a way to get it.
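The defensive counterpart to slow, chunked exfiltration is to alert on cumulative outbound volume per user over a trailing window, not only on single large transfers. The following is an added example, not code from the original article; the record shape and all thresholds are assumptions, and the sample data is constructed.

```python
from collections import defaultdict, deque
from datetime import date, timedelta

MIB = 2**20
# Thresholds are assumptions for this sketch, not recommended values.
PER_EVENT_LIMIT = 100 * MIB   # a single upload this large raises an alert
WINDOW_DAYS = 14              # look-back period for the cumulative check
WINDOW_LIMIT = 400 * MIB      # total per user allowed inside one window

def per_event_alerts(transfers):
    """Users with at least one upload at or above the per-event limit."""
    return {user for _, user, size in transfers if size >= PER_EVENT_LIMIT}

def windowed_alerts(transfers):
    """Return {user: (window_start, alert_day, total_bytes)} for the first
    day on which a user's uploads in the trailing window reach the limit."""
    window = defaultdict(deque)   # user -> (day, bytes) records still in window
    total = defaultdict(int)
    alerts = {}
    for day, user, size in sorted(transfers):
        q = window[user]
        q.append((day, size))
        total[user] += size
        # Drop records that have aged out of the trailing window.
        while q[0][0] <= day - timedelta(days=WINDOW_DAYS):
            total[user] -= q.popleft()[1]
        if total[user] >= WINDOW_LIMIT and user not in alerts:
            alerts[user] = (q[0][0], day, total[user])
    return alerts

# Constructed sample data (not real telemetry): (day, user, bytes uploaded
# to destinations outside the organization).
START = date(2024, 3, 1)
TRANSFERS = (
    # erin: 40 MiB every day, each upload well under the per-event limit
    [(START + timedelta(days=d), "erin", 40 * MIB) for d in range(12)]
    # frank: ordinary small daily uploads
    + [(START + timedelta(days=d), "frank", 5 * MIB) for d in range(12)]
    # grace: one large upload that the per-event rule already catches
    + [(START + timedelta(days=3), "grace", 300 * MIB)]
)

if __name__ == "__main__":
    print("per-event:", per_event_alerts(TRANSFERS))
    for user, (first, last, total) in windowed_alerts(TRANSFERS).items():
        print(f"windowed: {user} {first}..{last} {total // MIB} MiB")
```

In the constructed data the per-event rule sees only grace, while the windowed rule flags erin on the tenth day, once her daily 40 MiB uploads add up to the window limit.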

In my next article, I will cover how to set up your network to proactively utilize the New Cyber Kill Chain Model to prevent data theft from a corporate network.