1. Home
  2. Training Library
  3. 1. Understanding Cyber Security

The Cyber Kill Chain

Developed with


Cyber Primer Online Learning

The course is part of this learning path

Cyber Primer
course-steps 5 description 1
The Cyber Kill Chain
star star star star star


This module will introduce some of the core themes of cyber security. They are followed by two software simulations, showing how to install a hypervisor so that a Kali Linux virtual machine can be run. Kali Linux is a Linux operating system used by penetration testers.  

  • Cyber Security  
  • Prevent, Detect, Respond 
  • The CIA Triad  
  • ISMS: Information Security Management Systems 
  • Threat Actors  
  • The Cyber-Kill Chain  
  • Attack Surfaces 
  • Installing Virtualbox 
  • Installing Kali Linux 

Intended Audience  

Although perceived as an IT issue, cyber security is, in fact, a subject relevant to all business units. Cyber Primer is aimed at anyone with an interest in cyber security, whether they are looking to pursue a career as a penetration tester, or just want to get a feel for the world of cyber security.  


There are no prerequisites for this course, however, participants are expected to have a basic understanding of computers and the internet. 


We welcome all feedback and suggestions - please contact us at qa.elearningadmin@qa.com to let us know what you think. 


 The first video looked at the core tenants of ISMS and briefly covered the different types of threat actors and their motivations. In this video you'll look more in depth at the methods of a threat actor. You'll cover the three primary elements that comprise the attack surface and elements of the cyber kill chain. Threat actors will attempt to find an attack vector on their target. This will be done by mapping what is called the attack surface. If a threat actor is planning an attack on an organization, they will need to look at the organization as a whole and determine all of the possible ways in. This will include looking at the physical premises, technological devices and human personnel as attack surfaces. Compromises can be found across any and all of these three. Taking a closer look at these three areas can allow understanding of where an attacker might attempt to compromise the ISMS. First let's take a look at the physical attack surface. This is the physical location. This includes areas like the building an organization is based in and looks at any reception areas, delivery bays and emergency exits that are a part of those buildings. Other physical locations of interest include partner organizations' buildings, data centers, employee home addresses and even locations where employees like to relax outside of work are all of interest to a threat actor. They will try to understand who is allowed on the premises and how they are identified and authenticated, if on-site passes can be forged, if there is a delivery entrance, how visitors are identified and authenticated, what the procedure is for employees that lose their pass, if the wifi access can be reached from outside and how the organization reacts in case of a fire. For the technological attack surface the attacker wants to know what systems the organization is running internally and externally. This includes any service that house data, the organization's network, personal computers and mobile phones as examples. The external systems can be mapped and data retrieved from them using network and vulnerability scanners. This process is known as enumeration. The attacker will want to know what are the internal and external IP ranges, what software is listening on open ports, what software is requesting information on the client, what web applications can be accessed, what inputs do those applications have, what logic is applied to those inputs, how is the infrastructure composed, what firewall rules are employed and what level of filtering is applied, stateless, stateful application, how are the subnets, VLANs and VPNs set up, what access control rules are set up. The human attack surface represents the actual personnel that are affiliated to the target. A large scale organization will not only have on-site employees, but might also have contractors that are frequently in and out or regular goods delivery services. All are surfaces to be used to gain access to the target. The attacker will discover most of the information they need from open source intelligence which is freely available online. Social media sites are a boon for this sort of information. Once an attacker can link individuals to a company, the attack surface greatly expands. Now the attack surface is not limited to just the infrastructure the company owns. The threat actor could now target key personnel within the organization, IT admins, senior executives, developers. Personal interests. Knowing a target's interests provides the foundations to gain access to them for some form of manipulation. This is the grounds for what is known as social engineering. Friends. It might be that an individual has secured their online presence, but have their friends? Facebook's privacy model for instance allows us to see online interactions with public entities such as events, photos or videos. Locations. Do key personalities maintain predictable patterns of life? Are they at a certain place regularly? These three different attack surfaces can be targeted individually or all three can be used for a larger scale campaign. Next we'll look at how a threat actor will combine all of these together to use what is called the cyber kill chain. Every cyber attack is different, but all of them conform in whole or in part to the cyber kill chain, a framework developed by Lockheed Martin. This framework outlines the eight stages that an attacker goes through when targeting an organization. Each of these stages if understood offer defenders the opportunity to identify ways they can prevent, detect and respond to the activities at each stage in order to prevent a breach. The stages are as follows. The first stage, reconnaissance, is where the attacker seeks to discover all they can about their target via the attack surfaces, the physical, technological and human. The second stage, intrusion, is where the information gathered in the recon stage is weaponized. The attack vector is found and used to gain access to the target. The third stage is exploitation. Here malicious software and/or code is delivered into the system. The fourth stage, privilege escalation, is when an attacker changes their access rights on the system, often to an administrator to gain access to secured data and permissions. The fifth stage is lateral movement. Attackers often need to move between systems and accounts to gain further access to gain access to more systems. Stage six is the obfuscation stage. This is when threat actors will attempt to hide their tracks. This is done by wiping files, overwriting data with false timestamps, time stomping, and laying false trails. The seventh stage, denial of service, is when service for normal users is disrupted. This is to stop the threat actors from being tracked, monitored or blocked. The eighth and final stage is exfiltration. This is the entire purpose of the attack, getting the data out of the compromised system. Let's follow an example of this framework in action. An employee opens an email from their manager labeled recruitment plan. It's got a spreadsheet attached with data on the team's plans to increase its operational capacity. This is the reconnaissance stage. The spreadsheet itself is actually an attack vector. When opened it launches a piece of malware into a video player that is installed on the web browser. The malware grants access to a zero-day bug, a bug that hasn't been discovered yet in the video player. This is the intrusion stage. The malware allows the threat actor to gain access to the web browser remotely. After a few days and multiple logins from the employee, the threat actor has now managed to log multiple passwords to a variety of access points in the system. This is the exploitation stage. The threat actor now accesses the system using the retrieved passwords. They gain access to different users across the system, each user having privileges to different bits of sensitive data. This is the lateral movement stage. The threat actor then begins sending the compromised data to a hacked machine at a remote host and then retrieves the files from that host. This makes it all but impossible to trace. This is the exfiltration stage. This isn't a made up scenario. It's how the information security firm, RSA Security, was hacked in 2011. The stolen data could have potentially compromised the security of up to 40 million businesses that use RSA's security products. Understanding the cyber kill chain can help inform how to defend, detect and respond to threat actors looking to attack an organization. In this module we've covered the idea of the three areas of an organization's attack surface, physical, technological and human. The eight stages of the cyber kill chain, reconnaissance, intrusion, exploitation, privilege escalation, lateral movement, obfuscation, denial of service and exfiltration. Next we'll begin our work as a hacker by looking at how we can perform reconnaissance on a target.

About the Author

Learning paths1

Originating from a systems administration/network architecture career, a solid part of his career building networks for educational institutes. With security being a mainstay his implementation he grew a strong passion for everything cyber orientated especially social engineering. The educational experience led to him mentoring young women in IT, helping them to begin a cyber career. He is a recipient of the Cisco global cyber security scholarship. A CCNA Cyber Ops holder and elected for the CCNP Cyber Ops program.