Analyzing Cyber Kill Chain

When to Use

Use this skill when:
  • Conducting post-incident analysis to determine how far an adversary progressed through an attack sequence
  • Designing layered defensive controls with the goal of interrupting attacks at the earliest possible phase
  • Producing threat intelligence reports that communicate attack progression to non-technical stakeholders
Do not use this skill as a standalone framework — combine with MITRE ATT&CK for technique-level granularity beyond what the 7-phase kill chain provides.

Prerequisites

  • Complete incident timeline with forensic artifacts mapped to specific adversary actions
  • MITRE ATT&CK Enterprise matrix for technique-level mapping within each kill chain phase
  • Access to threat intelligence on the suspected adversary group's typical kill chain progression
  • Post-incident report or IR timeline from responding team

Workflow

Step 1: Map Observed Actions to Kill Chain Phases

The Lockheed Martin Cyber Kill Chain consists of seven phases. Map all observed adversary actions:
Phase 1 - Reconnaissance: Adversary gathers target information before attack.
  • Indicators: DNS queries from adversary IP, LinkedIn scraping, job posting analysis, Shodan scans of organization infrastructure
Phase 2 - Weaponization: Adversary creates attack tool (malware + exploit).
  • Indicators: Malware compilation timestamps, exploit document metadata, builder artifacts in malware samples
Phase 3 - Delivery: Adversary transmits weapon to target.
  • Indicators: Phishing emails, malicious attachments, drive-by downloads, USB drops, supply chain compromise
Phase 4 - Exploitation: Adversary exploits vulnerability to execute code.
  • Indicators: CVE exploitation events in application/OS logs, memory corruption artifacts, shellcode execution
Phase 5 - Installation: Adversary establishes persistence on target.
  • Indicators: New scheduled tasks, registry run keys, service installation, web shells, bootkits
Phase 6 - Command & Control (C2): Adversary communicates with compromised system.
  • Indicators: Beaconing traffic (regular intervals), DNS tunneling, HTTPS to uncommon domains, C2 framework signatures (Cobalt Strike, Sliver)
Phase 7 - Actions on Objectives: Adversary achieves goals.
  • Indicators: Data staging/exfiltration, lateral movement, ransomware execution, destructive activity

Step 2: Identify Phase Completion and Detection Points

Create a phase matrix for the incident:
Phase 1: Recon        → Completed (undetected)
Phase 2: Weaponize    → Completed (undetected — pre-attack)
Phase 3: Delivery     → Completed; phishing email bypassed SEG
Phase 4: Exploit      → Completed; CVE-2023-23397 exploited
Phase 5: Install      → DETECTED: EDR flagged scheduled task creation (attack stalled here)
Phase 6: C2           → Not achieved (installation blocked)
Phase 7: Objectives   → Not achieved
For each phase completed without detection, document the defensive control gap.

Step 3: Map to MITRE ATT&CK for Technique Detail

Each kill chain phase maps to multiple ATT&CK tactics:
  • Delivery → Initial Access (TA0001)
  • Exploitation → Execution (TA0002)
  • Installation → Persistence (TA0003), Privilege Escalation (TA0004)
  • C2 → Command and Control (TA0011)
  • Actions on Objectives → Exfiltration (TA0010), Impact (TA0040)
Within each phase, enumerate specific ATT&CK techniques observed and map to existing detections.
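As an added example (not part of the original skill text), the following Python builds the Step 2 phase matrix from an IR timeline and derives the Step 3 control-gap list from it. The Event type, its outcome labels ("undetected", "detected", "blocked") and the sample timeline are constructed here; only the tactic IDs listed above are mapped, so Phases 1 and 2 deliberately map to no tactic.

```python
from dataclasses import dataclass

# Kill chain phases in order (Step 1) and the ATT&CK tactic IDs each maps to (Step 3).
PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command & Control", "Actions on Objectives"]
PHASE_TO_TACTICS = {"Delivery": ["TA0001"], "Exploitation": ["TA0002"], "Installation": ["TA0003", "TA0004"],
                    "Command & Control": ["TA0011"], "Actions on Objectives": ["TA0010", "TA0040"]}

@dataclass
class Event:
    phase: str      # one of PHASES
    evidence: str   # forensic artifact or analyst note from the IR timeline
    outcome: str    # "undetected", "detected" (alerted, not stopped) or "blocked"

def build_phase_matrix(events):
    """Return {phase: status} in kill chain order. The first phase with a blocked
    action is the stall point; every later phase is 'Not achieved'."""
    matrix, stalled = {}, False
    for phase in PHASES:
        evs = [e for e in events if e.phase == phase]
        notes = "; ".join(e.evidence for e in evs)
        if stalled:
            matrix[phase] = "Not achieved"
        elif not evs:
            matrix[phase] = "No evidence"  # common for Phases 1-2 (see Pitfalls)
        elif any(e.outcome == "blocked" for e in evs):
            matrix[phase] = f"DETECTED: {notes} (attack stalled here)"
            stalled = True
        elif any(e.outcome == "detected" for e in evs):
            matrix[phase] = f"Completed (detected, not blocked): {notes}"
        else:
            matrix[phase] = f"Completed (undetected): {notes}"
    return matrix

def control_gaps(matrix):
    """Phases completed undetected, with the ATT&CK tactics whose detections to review."""
    return [(p, PHASE_TO_TACTICS.get(p, [])) for p, s in matrix.items()
            if s.startswith("Completed (undetected)")]

SAMPLE_EVENTS = [  # constructed timeline reproducing the matrix shown in Step 2
    Event("Reconnaissance", "Shodan scan of external infrastructure", "undetected"),
    Event("Weaponization", "exploit document metadata (pre-attack)", "undetected"),
    Event("Delivery", "phishing email bypassed SEG", "undetected"),
    Event("Exploitation", "CVE-2023-23397 exploited", "undetected"),
    Event("Installation", "EDR flagged scheduled task creation", "blocked"),
]

if __name__ == "__main__":
    for i, (phase, status) in enumerate(build_phase_matrix(SAMPLE_EVENTS).items(), 1):
        print(f"Phase {i}: {phase:22} -> {status}")
```

Feeding the same function a timeline where a control alerted but did not stop the action yields "Completed (detected, not blocked)", which is a detection that worked but a deny/disrupt control that did not.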

Step 4: Identify Courses of Action per Phase

For each phase, document applicable defensive courses of action (COAs):
  • Detect COA: What detection would alert on adversary activity in this phase?
  • Deny COA: What control would prevent the adversary from completing this phase?
  • Disrupt COA: What control would interrupt the adversary mid-phase?
  • Degrade COA: What control would reduce the adversary's effectiveness in this phase?
  • Deceive COA: What deception (honeypots, canary tokens) would expose activity in this phase?
  • Destroy COA: What active defense capability would neutralize adversary infrastructure?

Step 5: Produce Kill Chain Analysis Report

Structure findings as:
  1. Attack narrative (timeline of phases)
  2. Phase-by-phase analysis with evidence
  3. Detection point analysis (what worked, what failed)
  4. Defensive recommendation per phase prioritized by cost/effectiveness
  5. Control improvement roadmap

Key Concepts

  • Kill Chain: Sequential model of adversary intrusion phases; breaking any link theoretically stops the attack
  • Courses of Action (COA): Defensive responses mapped to each kill chain phase (detect, deny, disrupt, degrade, deceive, destroy)
  • Beaconing: Regular, periodic C2 check-in pattern from a compromised host to the adversary server; detectable by frequency analysis
  • Phase Completion: Adversary successfully finishes a kill chain phase and progresses to the next; defense-in-depth aims to prevent this
  • Intelligence Gain/Loss: Analysis of whether detecting at Phase 5 (vs. Phase 3) reduced intelligence about adversary capabilities or intent
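Added example, not from the original page: the frequency analysis that the Beaconing entry and the Phase 6 indicators refer to, applied to outbound connection records. A flow whose inter-arrival intervals have a low coefficient of variation (stdev/mean) is a beacon candidate; the records, the hosts 10.0.0.5 and 10.0.0.7, and the thresholds min_connections and max_cv are constructed for this illustration.

```python
import statistics
from collections import defaultdict

# Constructed outbound connection records: "epoch_seconds src dst dport".
# 10.0.0.5 checks in roughly every 60 s; 10.0.0.7 browses in irregular bursts.
SAMPLE_CONN_LOG = """\
1700000000 10.0.0.5 203.0.113.10 443
1700000000 10.0.0.7 198.51.100.20 443
1700000005 10.0.0.7 198.51.100.20 443
1700000007 10.0.0.7 198.51.100.20 443
1700000061 10.0.0.5 203.0.113.10 443
1700000119 10.0.0.5 203.0.113.10 443
1700000130 10.0.0.7 198.51.100.20 443
1700000131 10.0.0.7 198.51.100.20 443
1700000180 10.0.0.5 203.0.113.10 443
1700000242 10.0.0.5 203.0.113.10 443
1700000299 10.0.0.5 203.0.113.10 443
1700000360 10.0.0.5 203.0.113.10 443
1700000400 10.0.0.7 198.51.100.20 443
"""

def parse_conn_log(text):
    """Group connection timestamps by (src, dst, dport)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, dport = line.split()
        flows[(src, dst, int(dport))].append(int(ts))
    return flows

def find_beacon_candidates(flows, min_connections=6, max_cv=0.2):
    """Return [(flow, mean_interval_s, cv)] for flows whose inter-arrival gaps are
    nearly constant. cv = pstdev/mean of the gaps: a scripted check-in with small
    jitter gives cv near 0, while bursty interactive traffic gives cv around 1 or more."""
    hits = []
    for key, stamps in flows.items():
        if len(stamps) < min_connections:
            continue
        stamps = sorted(stamps)
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(gaps)
        if mean == 0:  # every hit in the same second: a burst, not a period
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append((key, round(mean, 1), round(cv, 3)))
    return sorted(hits, key=lambda h: h[2])

if __name__ == "__main__":
    for (src, dst, port), mean, cv in find_beacon_candidates(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f"{src} -> {dst}:{port} every ~{mean}s (cv={cv})")
```

Real C2 frameworks add configurable jitter, so max_cv has to be tuned against the environment's baseline rather than fixed at 0.2; a candidate list like this is a hunting lead for Phase 6, not a verdict.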

Tools & Systems

  • MITRE ATT&CK Navigator: Overlay kill chain phases with ATT&CK technique coverage for integrated analysis
  • Elastic Security EQL: Event Query Language for querying multi-phase attack sequences in Elastic SIEM
  • Splunk ES: Timeline visualization and correlation searches for kill chain phase sequencing
  • MISP: Kill chain tagging via galaxy clusters for structured incident event documentation

Common Pitfalls

  • Linear assumption: Adversaries don't always progress linearly — they may skip phases (weaponization already complete from previous campaign) or loop back (re-establish C2 after detection).
  • Ignoring Phases 1 and 2: Reconnaissance and weaponization occur before the defender has visibility. Intelligence about these phases requires external sources (OSINT, threat intelligence).
  • Missing insider threats: The kill chain was designed for external adversaries. Insider threats may skip directly to Phase 7 without traversing earlier phases.
  • Confusing with ATT&CK tactics: The 7-phase kill chain and the 14 ATT&CK tactics are complementary but not directly equivalent. Maintain the distinction to prevent analytic confusion.