The Kill Chain

The Kill Chain

Created On 09/25/18 19:22 PM - Last Modified 12/14/19 01:27 AM


What is the Kill Chain?

The Cyber Kill Chain was created by Lockheed Martin to describe the phases of a targeted cyber attack. Below you will find the 7 steps of the kill chain and how Palo Alto Networks can prevent attacks at the different stages of the kill chain with the threat intelligence cloud, the endpoint, and the next-gen firewall.


kill chain david.png



Cyber criminals carefully plan their attacks. They research, identify, and select targets, oftentimes using phishing tactics or extracting public information from an employee’s LinkedIn profile, for example, or corporate websites. These attackers also scan networks for vulnerabilities, services, and applications they can exploit. Attackers may have many different motivations for attack, and it’s not always for profit. Their motives could be data exfiltration, destruction of critical infrastructure, or to deface web property or create fear.



The attacker determines which methods to use. They may choose to embed intruder code within seemingly innocuous files like a PDF or Word document or email message. Or, for highly-targeted attacks, attackers may try to spark specific interests of an individual.

Weaponization is a step in the kill chain that is not directly visible to a target network; however, it is an important topic towards defense.



In order to prevent attacks, it is just as important to understand how they might be delivered. They could be delivered via an email attack, social engineering, a hosted attack, or a direct attack.

  • Email attacks are most often focused on the delivery of malware or carrier files, either as attachments or links to hosted files.
  • Social engineering is the attacker’s preferred method to ensure their malware gets run.
  • Hosted attacks rely on behind-the-scenes exploitation. A user visiting a site hosting malware often isn’t even aware that malicious code was run.
  • Direct attacks are often automated through tools, although hands-on-keyboard versions may be employed for highly targeted efforts.



Once attackers gain access “inside” an organization, they can activate attack code on the victim’s host and ultimately take control of the target machine. There are several methods of classifying exploits.

  • A local exploit requires prior access to the vulnerable system and privileges.
  • A remote exploit leverages network transport to exploit a vulnerable system from afar.

You can also classify an exploit by its actions.

How Palo Alto Networks can defends against exploits:

  • Block known and unknown vulnerability exploits using Traps Advanced Endpoint Protection, which also provides detailed forensics on breaches so WildFire can automatically deliver protections globally to thwart additional follow-on attacks.
  • Block unwanted applications through App-ID and detect unknown malware pervasively throughout the network with WildFire.



Attackers try to establish privileged operations to ensure software is installed.

Palo Alto Networks can prevent installs by:

  • Prevent local exploitation leading to privilege escalation/password theft with Traps, which also prevents malware from accessing OS functions. Traps sends samples of unknown malware it encounters to WildFire to create additional protections.
  • Establish secure zones with strictly enforced user access control with next-generation firewall/GlobalProtect, and provide ongoing monitoring and inspection of all traffic between zones.
  • Granular control of applications to allow only authorized applications on the enterprise, limiting the attackers’ ability to move laterally with unknown tools and scripts.


Command & Control

Attackers establish a command channel back through the Internet to a specific server so they can communicate and pass data back and forth between infected devices and their server.

How Palo Alto Networks breaks this:

  • Block outbound command-and-control communications (through anti-CnC signatures), as well as file and data pattern uploads.
  • Block outbound communication to known malicious URLs through PAN-DB for URL filtering.
  • Block novel attack techniques with App-ID, which is able to identify applications on any port.
  • Re-direct malicious outbound communication to internal honeypots to identify and block compromised hosts.
  • Create a database of malicious domains to ensure global awareness/ prevention through DNS monitoring.



How Palo Alto Networks breaks this:

  • Block outbound command-and-control communications (through anti-CnC signatures), as well as file and data pattern uploads.
  • Block outbound communication to known malicious URLs through PAN-DB for URL filtering.
  • Granular application and user control to enforce file transfer application policies on the enterprise, eliminating known archiving and transfer tactics.

  • Print
  • Copy Link

Choose Language