| Title | Author | Created | Published | Tags |
| ------------------ | ---------- | ------------------ | ------------------ | -------------------------------------------- |
| Unified Kill Chain | Jon Marien | September 08, 2025 | September 08, 2025 | [[#soc\|#soc]], [[#arcticwolf\|#arcticwolf]] |
# Unified Kill Chain
![[image-944.png]]
Understanding the behaviours, objectives and methodologies of a cyber threat is a vital step to establishing a strong cybersecurity defence (known as a cybersecurity posture).
In this room, you will be introduced to the **UKC** (Unified Kill Chain) framework that is used to help understand how cyber attacks occur.
# Learning Objectives:
- Understanding why frameworks such as the UKC are important and helpful in establishing a good cybersecurity posture.
- Using the **UKC** to understand an attacker's motivation, methodologies and tactics.
- Understanding the various phases of the **UKC**.
- Discovering that the **UKC** is a framework used to complement other frameworks such as **MITRE**.
---
## What is a Kill Chain?
Originating from the **military**, a “Kill Chain” is a term used to explain the various stages of an attack. In the realm of cybersecurity, a “Kill Chain” describes the methodology/path attackers such as hackers or APTs use to approach and intrude upon a target.
For example, an attacker scanning, exploiting a web vulnerability, and escalating privileges would form a “Kill Chain”. We will explain these stages in much further detail later in this room.
The objective is to understand an attacker's “Kill Chain” so that defensive measures can be put in place to either pre-emptively protect a system or disrupt an attacker's attempt.
---
## What is Threat Modeling?
Threat modelling, in a cybersecurity context, is a series of steps to ultimately improve the security of a system. Threat modelling is about identifying risk and essentially boils down to:
1. Identifying what systems and applications need to be secured and what function they serve in the environment. For example, is the system critical to normal operations, and is a system holding sensitive information like payment info or addresses?
2. Assessing what vulnerabilities and weaknesses these systems and applications may have and how they could potentially be exploited.
3. Creating a plan of action to secure these systems and applications from the vulnerabilities highlighted.
4. Putting in policies to prevent these vulnerabilities from occurring again where possible (for example, implementing a software development life cycle (SDLC) for an application or training employees on phishing awareness).
Threat modelling is an important procedure in reducing the risk within a system or application, as it creates a high-level overview of an organization's IT **assets** (**an asset in IT is a piece of software or hardware**) and the procedures to resolve vulnerabilities.
The **UKC** supports threat modelling, as the framework helps identify potential attack surfaces and how these systems may be exploited.
**STRIDE**, **DREAD** and **CVSS** (to name a few) are all frameworks specifically used in threat modelling.
---
## The Unified Kill Chain
![[image-945.png]]
Paul Pols' Unified Kill Chain, published in 2017, aims to complement (not compete with) other cybersecurity kill chain frameworks, such as Lockheed Martin’s and MITRE’s ATT&CK.
The **UKC** states that there are **18 phases** to an attack: everything from reconnaissance to data exfiltration and understanding an attacker's motive.
Some large benefits of the UKC over traditional cybersecurity kill chain frameworks include the fact that it is modern and extremely detailed (reminder: it has 18 phases officially, whereas other frameworks may have a small handful).
| Benefits of the Unified Kill Chain (UKC) Framework | How do Other Frameworks Compare? |
| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- |
| Modern (released in 2017, updated in 2022). | Some frameworks, such as MITRE’s were released in 2013, when the cybersecurity landscape was very different. |
| The UKC is extremely detailed (18 phases). | Other frameworks often have a small handful of phases. |
| The UKC covers an entire attack, from reconnaissance through exploitation and post-exploitation, and includes identifying an attacker's motivation. | Other frameworks cover a limited number of phases. |
| The UKC highlights a much more realistic attack scenario. Various stages will often re-occur. For example, after exploiting a machine, an attacker will begin reconnaissance to pivot another system. | Other frameworks do not account for the fact that an attacker will go back and forth between the various phases during an attack. |
---
## Multiple Phase Stages
The main focus of this series of phases is for an attacker to gain access to a system or networked environment.
An attacker will employ numerous tactics to investigate the system for potential vulnerabilities that can be exploited to gain a foothold in the system. For example, a common tactic is the use of reconnaissance against a system to discover potential attack vectors (such as applications and services).
### Phase: In (Initial Foothold)
![[image-946.png]]
This set of phases in the Unified Kill Chain (UKC) recognizes that attackers often try to make sure they can get back into a system later (using things like files or running processes for persistence). It also recognizes that attackers will often mix and match different tactics together. Below are overviews of each main phase:
**Reconnaissance (MITRE Tactic TA0043):**
This is when an attacker gathers information about their target, either quietly (passive) or by directly interacting with the target (active). The details collected in this phase are useful for later steps, like getting the first access. Examples of information collected can include:
- Figuring out what systems and services are running, which helps with planning attacks in later phases.
- Looking up contact lists or employees who could be impersonated for phishing or social engineering attacks.
- Searching for login credentials that could help later (for things like pivoting to other systems or getting initial access).
- Mapping out the network and looking for connected systems they could reach later.
**Weaponization (MITRE Tactic TA0001):**
During weaponization, the attacker sets up the tools and infrastructure they’ll use in the attack. This might mean preparing a command and control server, or getting ready to receive reverse shells and send out malware.
**Social Engineering (MITRE Tactic TA0001):**
In this phase, the attacker tries to trick or manipulate employees into helping with the attack. Tactics can include:
- Getting someone to open a malicious file.
- Creating a fake website and stealing login credentials.
- Pretending to be someone else, either over the phone or in person, to reset a password or to gain physical access to secure areas (for example, pretending to be a repair person).
**Exploitation (MITRE Tactic TA0002):**
Here, the attacker takes advantage of weaknesses in the system (vulnerabilities) to execute malicious code. Examples include:
- Uploading and running a reverse shell on a web application.
- Hijacking a script to run their own code.
- Using web application vulnerabilities to run code on the system where the website lives.
**Persistence (MITRE Tactic TA0003):**
Persistence means making sure the attacker can get back into the system later if needed. This could be done by:
- Creating a new service on the victim’s system for repeated access.
- Connecting the victim’s system to a command and control server for remote actions at any time.
- Leaving behind other backdoors, like a payload that activates when an administrator logs in.
**Defence Evasion (MITRE Tactic TA0005):**
Here, the attacker works to avoid being detected by security systems. For example, they might try to get around:
- Web application firewalls.
- Network firewalls.
- Antivirus software.
- Intrusion detection systems.
This phase is especially important for defenders, since knowing how attackers evade security helps improve defenses for the future.
**Command & Control (MITRE Tactic TA0011):**
This is when the attacker sets up a way to remotely communicate with and control the compromised system. This connection, established earlier during weaponization, allows the attacker to:
- Run commands remotely.
- Steal data and credentials.
- Use the compromised device as a springboard to attack other machines in the network.
**Pivoting (MITRE Tactic TA0008):**
Pivoting lets the attacker move from the first compromised system to other machines inside the network (which may not be exposed to the internet). For example, after taking control of a public web server, the attacker can hop (“pivot”) to internal systems that weren’t meant to be accessed directly and may hold more valuable or vulnerable data.
### Phase: Through (Network Propagation)
![[image-947.png]]
This phase follows a successful foothold being established on the target network. An attacker would seek to gain additional access and privileges to systems and data to fulfil their goals. The attacker would set up a base on one of the systems to act as their pivot point and use it to gather information about the internal network.
### Phase: Out (Action on Objectives)
This phase wraps up the journey of an adversary’s attack on an environment, where they have critical asset access and can fulfil their attack goals. These goals are usually geared toward compromising the **confidentiality, integrity and availability (CIA) triad**.
#### **Collection (MITRE Tactic TA0009):**
After working hard to gain access and find valuable resources, the attacker’s next step is to gather all the sensitive data they’re interested in. This could include files from drives, information stored in web browsers, audio and video recordings, or emails. When attackers collect this information, they compromise the confidentiality of the organization’s data and set up for the next stage—exfiltration.
#### **Exfiltration (MITRE Tactic TA0010):**
Now, the attacker’s goal is to actually steal the data they’ve collected. They often package it up using encryption and compression techniques to avoid being spotted by security systems. The previously established Command and Control (C2) channel and network tunnel will help them secretly transfer this stolen data out of the target environment.
#### **Impact (MITRE Tactic TA0040):**
At this phase, the attacker focuses on damaging the organization further by compromising the integrity and availability of data and systems. For example, they might:
- Tamper with, disrupt, or destroy business data.
- Remove user accounts or access.
- Wipe hard drives.
- Encrypt files (as in a ransomware attack).
- Deface websites.
- Launch Denial of Service (DoS) attacks to cause outages.
##### **Objectives:**
Finally, with full access and control, the attacker acts on their main goal. This could differ by attack type—for example:
- If they’re after money, they might use ransomware to encrypt files and demand payment for the decryption key.
- If the goal is to harm the company’s reputation, they could leak confidential or sensitive data to the public.
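As an added example (not part of the original room), the script below shows how a defender can use the MITRE tactic IDs listed for the In and Out phases above to reconstruct an intrusion's UKC progression from tactic-tagged alerts, and to surface the back-and-forth between phases that the comparison table describes. The alerts are constructed sample data; placing Pivoting in the Through stage is an assumption based on the page's description of that stage as the attacker's pivot-point base.

```python
from collections import Counter

# UKC phase and stage per MITRE tactic ID, as listed on this page. Assumption:
# Pivoting is placed in "Through", the stage the page describes as the
# attacker's pivot-point base on the internal network.
UKC_PHASES = {
    "TA0043": ("Reconnaissance", "In"),
    "TA0001": ("Weaponization / Social Engineering", "In"),
    "TA0002": ("Exploitation", "In"),
    "TA0003": ("Persistence", "In"),
    "TA0005": ("Defence Evasion", "In"),
    "TA0011": ("Command & Control", "In"),
    "TA0008": ("Pivoting", "Through"),
    "TA0009": ("Collection", "Out"),
    "TA0010": ("Exfiltration", "Out"),
    "TA0040": ("Impact", "Out"),
}

def phase_timeline(alerts):
    """(time, tactic_id) alerts -> ordered [(time, phase, stage)]. Consecutive
    alerts from one phase collapse to one entry; unknown IDs are kept, not dropped."""
    timeline = []
    for when, tactic in sorted(alerts):
        phase, stage = UKC_PHASES.get(tactic, (f"unmapped:{tactic}", "?"))
        if not timeline or timeline[-1][1] != phase:
            timeline.append((when, phase, stage))
    return timeline

def repeated_phases(timeline):
    """Phases the attacker returned to after leaving them (e.g. renewed
    reconnaissance after pivoting). Returns {phase: visits} for visits > 1."""
    visits = Counter(phase for _, phase, _ in timeline)
    return {phase: n for phase, n in visits.items() if n > 1}

def stages_reached(timeline):
    """UKC stages (In / Through / Out) in the order they were first reached."""
    seen = []
    for _, _, stage in timeline:
        if stage not in seen:
            seen.append(stage)
    return seen

# Constructed sample: (minute offset, tactic ID on the alert) for one intrusion.
SAMPLE_ALERTS = [
    (0, "TA0043"), (5, "TA0043"), (12, "TA0002"), (14, "TA0003"),
    (20, "TA0011"), (31, "TA0008"), (33, "TA0043"), (40, "TA0002"),
    (55, "TA0009"), (61, "TA0010"), (70, "TA0040"),
]
```

Running `phase_timeline(SAMPLE_ALERTS)` shows reconnaissance and exploitation occurring a second time after pivoting, which is exactly the re-occurring-phase behaviour the UKC models and a single linear kill chain would not capture.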
---