The term kill chain was originally used as a military concept related to the structure of an attack; consisting of target identification, force dispatch to target, decision and order to attack the target, and finally the destruction of the target. Conversely, the idea of "breaking" an opponent's kill chain is a method of defense or preemptive action. More recently, Lockheed Martin adapted this concept to information security, using it as a method for modeling intrusions on a computer network. This model has seen some adoption in the information security community. However, acceptance is not universal, with critics pointing to what they believe are fundamental flaws in the model.
One military kill chain model is the "F2T2EA", which includes the following phases:
This is an integrated, end-to-end process described as a "chain" because an interruption at any stage can interrupt the entire process.
Computer scientists at Lockheed-Martin corporation described a new "intrusion kill chain" framework or model to defend computer networks in 2011. They wrote that attacks may occur in stages and can be disrupted through controls established at each stage. Since then, the "cyber kill chain" has been adopted by data security organizations to define stages of cyber-attacks.
A cyber kill chain reveals the stages of a cyberattack: from early reconnaissance to the goal of data exfiltration. The kill chain can also be used as a management tool to help continuously improve network defense. Threats must progress through several stages in the model, including:
A U.S. Senate investigation of the 2013 Target Corporation data breach included analysis based on the Lockheed-Martin kill chain framework. It identified several stages where controls did not prevent or detect progression of the attack.
A variation of the kill chain, developed by SecureWorks includes "development" as the second step. To maximize threat detection, all phases of the kill chain are monitored for threat indicators. During the development phase, threat groups may purchase tools, register domains, and purchase hosts among other activities.
The "Four Fs" is a military term used in the United States military, especially during World War II.
Designed to be easy to remember, the "Four Fs" are as follows:
Among the critiques of this model as threat assessment and prevention tool is that many of the steps happen outside the defended network, making it virtually impossible to identify or counter actions at these stages. Similarly, this methodology is accused of focusing on a "perimeter-based" defensive strategy.