
Op-Ed: The role of endpoint security in a cyber kill chain

Initially coined in military circles, the term ‘kill chain’ describes the successive stages of an attack. It covers everything from the initial identification of weaknesses through to destruction of the target.

Anthony Daniel
Thu, 08 Jul 2021

Back in 2011, security and aerospace company Lockheed Martin issued their definition of a ‘cyber kill chain’ to explain the various steps that occur during a digital attack. According to their definition, a cyber kill chain incorporates:

  • Reconnaissance: The prospective victim’s infrastructure is first reviewed and any weaknesses identified.
  • Weapon selection: The attacking cybercriminal then selects the most appropriate attack method. This could include web application exploitation, off-the-shelf or custom malware, or compound document vulnerabilities.
  • Delivery method: Attention then shifts to the most appropriate means of delivering the weapon. This could be via email, an infected USB key, or by obtaining credentials through social engineering.
  • Exploitation: Once delivered, the weapon then compromises the target IT infrastructure and gains a foothold in the environment.
  • Persistence: This involves establishing a long-term presence within the target infrastructure. This typically involves installing malware such as a trojan or bot client that will continue to run whenever the affected device reboots or turns on.
  • Command and control: This stage sets up a communication mechanism to control the victim devices and exfiltrate data.
  • Taking action: The final phase covers planned malicious actions. These could include stealing password hashes, installing ransomware, key logging or causing disruption.

The role of endpoint defences

For security teams charged with defending core systems and data, understanding the cyber kill chain can help to identify the various layers of defence that need to be put in place. Of these, one of the most important relates to endpoints.


This is because cyber criminals hunt for the weakest point of entry to attack a corporate network, and this is often through endpoint devices such as laptops, tablets and phones, or other IoT and wireless devices.

With large numbers of people continuing to work from home, and therefore outside the traditional perimeter defences most organisations have in place, traditional corporate network security practices are no longer effective. This means that security on endpoints needs to be upgraded as quickly as possible.

Indeed, endpoint protection can detect and prevent many stages of the cyber kill chain, completely preventing most threats or allowing security teams to remediate the most sophisticated ones in later stages.

Endpoint protection must include multiple layers: malware detection, host firewalling and intrusion detection services, exploit detection and prevention capability, endpoint detection and response, and web and email security capabilities.

These layers of endpoint security can disrupt the cyber kill chain in a range of ways. These include:

  • Threat delivery: Effective endpoint security combines traditional techniques such as signature-based analysis, heuristics, and contextual detections with more proactive automatic detection techniques like behavioural analysis and classification using big data and machine learning.
  • Exploitation: Anti-exploit technologies can monitor endpoint memory for common exploit techniques that attackers use to trigger and leverage software flaws.
  • Installation: Should malware become present on an endpoint device, the layers of prevention can identify various indicators to prevent full installation. Endpoint detection and response functionality is designed to detect signs of malicious endpoint activity.
  • Command and control: Some endpoint protection tools can monitor network traffic looking for indicators of malicious code. For this reason, these tools can detect and often block command and control communications.
  • Actions on target: Endpoint protection tools can identify when an endpoint does get infected and help remediate it by continuously monitoring activity, such as which files were executed and which data files were accessed.

Effective endpoint protection can have a significant and positive impact on an organisation’s ability to withstand a cyber attack.

Interestingly, the kill chain shows that, while cyber criminals need to progress through all phases for success, security teams just need to stop the chain at any step to break it.
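To make the "break the chain at any step" point concrete, here is a small Python rule engine, added as an illustration and not taken from the article or from any WatchGuard product. Each rule represents one of the endpoint layers listed above (signature match, exploit symptom, persistence registration, beacon-shaped traffic, bulk data access), is tagged with the kill chain stage it disrupts, and records whether that layer prevents or only detects. The telemetry, file hash, host name and rule names are all constructed for the example; `chain_broken_at` reports the earliest stage at which a blocking layer fired, which is the point where the attacker's progression stops.

```python
# Added example: a toy endpoint rule engine that tags findings with the
# kill-chain stage they disrupt and reports where the chain was broken.
# Events, hashes and rule names are constructed for illustration and are
# not taken from the article or from any vendor product.
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

STAGES = ["delivery", "exploitation", "installation",
          "command_and_control", "actions_on_target"]


@dataclass
class Event:
    ts: int          # seconds (constructed clock)
    host: str
    kind: str        # file_write | process | autorun | net_connect | file_read
    data: dict


@dataclass
class Finding:
    stage: str
    rule: str
    host: str
    blocked: bool    # True if the layer prevents, False if it only detects


# Constructed blocklist entry; real products carry far larger signature sets.
BLOCKED_SHA256 = {"a" * 64: "constructed-dropper"}


def rule_signature(events):
    """Delivery layer: a signature hit on a written file is blocked outright."""
    return [Finding("delivery", "blocked_hash", e.host, True)
            for e in events
            if e.kind == "file_write" and e.data.get("sha256") in BLOCKED_SHA256]


def rule_exploit_child(events):
    """Exploitation layer: a document reader spawning a shell is a classic exploit symptom."""
    readers = {"winword.exe", "acrord32.exe"}
    shells = {"cmd.exe", "powershell.exe"}
    return [Finding("exploitation", "reader_spawns_shell", e.host, True)
            for e in events
            if e.kind == "process"
            and e.data.get("parent") in readers and e.data.get("image") in shells]


def rule_autorun(events):
    """Installation layer: a new autorun entry pointing into a user-writable directory."""
    return [Finding("installation", "autorun_from_user_dir", e.host, False)
            for e in events
            if e.kind == "autorun"
            and e.data.get("path", "").lower().startswith("c:\\users\\")]


def rule_beacon(events, min_count=4, tolerance=0.1):
    """C2 layer: repeated connections to one destination at a near-constant interval."""
    by_dst = defaultdict(list)
    for e in events:
        if e.kind == "net_connect":
            by_dst[(e.host, e.data["dst"])].append(e.ts)
    out = []
    for (host, dst), times in by_dst.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(times) >= min_count and gaps:
            m = mean(gaps)
            if all(abs(g - m) <= tolerance * m for g in gaps):
                out.append(Finding("command_and_control", f"beacon:{dst}", host, False))
    return out


def rule_mass_read(events, threshold=50):
    """Actions-on-target layer: one process reading many distinct data files."""
    seen = defaultdict(set)
    for e in events:
        if e.kind == "file_read":
            seen[(e.host, e.data["pid"])].add(e.data["path"])
    return [Finding("actions_on_target", "mass_file_read", host, False)
            for (host, _pid), paths in seen.items() if len(paths) >= threshold]


RULES = [rule_signature, rule_exploit_child, rule_autorun, rule_beacon, rule_mass_read]


def evaluate(events):
    """Run every layer and return findings ordered by kill-chain stage."""
    findings = [f for rule in RULES for f in rule(events)]
    return sorted(findings, key=lambda f: STAGES.index(f.stage))


def chain_broken_at(findings):
    """Earliest stage at which a blocking layer fired, or None if nothing blocked."""
    blocked = [f.stage for f in findings if f.blocked]
    return min(blocked, key=STAGES.index) if blocked else None


def sample_events():
    """Constructed telemetry for one host that is touched at every stage."""
    ev = [Event(0, "wks1", "file_write", {"sha256": "a" * 64, "path": "C:\\Users\\u\\inv.exe"}),
          Event(5, "wks1", "process", {"parent": "winword.exe", "image": "powershell.exe"}),
          Event(9, "wks1", "autorun", {"path": "C:\\Users\\u\\AppData\\Roaming\\upd.exe"})]
    ev += [Event(100 + 60 * i, "wks1", "net_connect", {"dst": "198.51.100.7:443"}) for i in range(6)]
    ev += [Event(500 + i, "wks1", "file_read", {"pid": 4242, "path": f"D:\\share\\doc{i}.xlsx"})
           for i in range(60)]
    return ev


if __name__ == "__main__":
    fs = evaluate(sample_events())
    for f in fs:
        print(f"{f.stage:22} {f.rule:28} {'BLOCK' if f.blocked else 'detect'}")
    print("chain broken at:", chain_broken_at(fs))
```

Running the script against the constructed events fires one finding per stage and reports the chain broken at delivery, because the signature layer blocked the dropper before anything later mattered. Dropping the first two events (as if the sample had evaded both the signature and anti-exploit layers) leaves only detect-grade findings at installation, command and control and actions on target: the chain is not automatically broken, but each of those findings is the hand-off point where the detection-and-response layers give the security team its chance to remediate.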

Consider how secure your organisation’s endpoints are in this new work-from-home world. Doing what’s required to improve that security will pay dividends in the months and years ahead.

Anthony Daniel is the regional director – Australia, New Zealand and Pacific Islands, WatchGuard Technologies.
