The Unified Kill Chain by Paul Pols


Executive Summary
Organizations increasingly rely on Information and Communication Technology (ICT). This reliance
exposes them to growing risks from cyber attacks from a range of threat actors. The term Advanced
Persistent Threats (APTs) is used to refer to particularly capable and persistent threat actors. In this
white paper, a Unified Kill Chain (UKC) model is presented that details the tactics that form the
building blocks of cyber attacks by APTs. The Unified Kill Chain provides insights into the ordered
arrangement of phases in attacks from their beginning to their completion, by uniting and extending
existing models. The Unified Kill Chain can be used to analyze, compare and defend against targeted
and non-targeted cyber attacks.

Research shows that the traditional Cyber Kill Chain® (CKC), as presented by researchers of Lockheed Martin, is perimeter- and malware-focused. As such, the traditional model fails to cover other attack vectors and attacks that occur behind the organizational perimeter. The Unified Kill Chain offers significant improvements over these scope limitations of the CKC and the time-agnostic nature of the tactics in MITRE’s ATT&CK™ model (ATT&CK). Other improvements over these models include: explicating the role of users by modeling social engineering, recognizing the crucial role of choke points in attacks by modeling pivoting, covering the compromise of integrity and availability in addition to confidentiality and elucidating the overarching objectives of threat actors.

The case studies that were performed also falsify a crucial assumption underlying traditional kill chain models, namely that attackers must progress successfully through each phase of a deterministic sequence. The observation that attack phases may be bypassed affects defensive strategies fundamentally, as an attacker may also bypass the security controls that apply to these phases. Instead of focusing on thwarting attacks at the earliest point in time, layered defense strategies that focus on attack phases that occur with a higher frequency or that are vital for the formation of an attack path are thus expected to be more successful.

These insights support organizations in developing (or realigning) layered defense strategies that adopt the assume breach and defense in depth principles and in optimizing the return on investment (ROI) of their security measures.

As the reliance of organizations on ICT continues to grow, and APT attacks continue to rise in number and in force, the risks for organizations and societies as a whole increase at an accelerating pace. The Unified Kill Chain attack model can be used in the areas of prevention, detection, response and intelligence to develop and realign defense strategies in an attempt to raise the resilience of organizations and societies against this dangerous trend.

