3.1 Explain concepts related to attack methodology frameworks.
📘CompTIA CySA+ (CS0-003)
Cyber kill chains are a step-by-step model that describes how a cyberattack happens from start to finish. It helps security professionals understand:
- How attackers think
- How attacks progress
- Where to detect and stop attacks
For the exam, you must understand each phase of the kill chain, what happens in that phase, and how defenders can stop it.
What is a Cyber Kill Chain?
A cyber kill chain is a structured framework that breaks down an attack into multiple stages.
The most widely used model comes from Lockheed Martin.
Purpose:
- Identify attacker behavior
- Detect attacks early
- Apply security controls at each stage
- Reduce damage by stopping attacks before completion
Key Idea for the Exam
👉 If you stop an attack early in the kill chain, the damage is much lower.
The 7 Stages of the Cyber Kill Chain
1. Reconnaissance (Information Gathering)
What happens:
The attacker collects information about the target system.
Examples in IT:
- Scanning servers for open ports
- Gathering domain names and IP addresses
- Checking employee emails from public sources
- Identifying software versions used on servers
Attacker goal:
👉 Find weaknesses and entry points
Defensive controls:
- Firewalls
- Intrusion detection systems (IDS)
- Network monitoring
- Limiting public exposure of system details
2. Weaponization
What happens:
The attacker creates a malicious payload (attack tool).
Examples in IT:
- Combining malware with an exploit
- Creating a malicious file (e.g., infected script or executable)
- Preparing a phishing attachment
Attacker goal:
👉 Build a tool that can exploit a vulnerability
Defensive controls:
- Threat intelligence
- Malware analysis tools
- Antivirus signature updates
3. Delivery
What happens:
The attacker sends the malicious payload to the target.
Examples in IT:
- Phishing email with attachment
- Malicious download from a compromised website
- USB device with malware
- Exploiting a network service
Attacker goal:
👉 Get the payload into the system
Defensive controls:
- Email filtering
- Web filtering
- Network firewalls
- Endpoint protection
4. Exploitation
What happens:
The malicious code is executed by exploiting a vulnerability.
Examples in IT:
- Exploiting unpatched server software
- Running a malicious script on a system
- Triggering a buffer overflow in an application
Attacker goal:
👉 Gain access to the system
Defensive controls:
- Patch management
- Vulnerability scanning
- Application security controls
- Intrusion prevention systems (IPS)
5. Installation
What happens:
The attacker installs malware to maintain access.
Examples in IT:
- Installing a backdoor on a server
- Adding unauthorized software
- Creating hidden system services
Attacker goal:
👉 Maintain persistence (stay inside the system)
Defensive controls:
- Endpoint detection and response (EDR)
- File integrity monitoring
- Application whitelisting
6. Command and Control (C2)
What happens:
The compromised system connects to the attacker’s server.
Examples in IT:
- Malware communicating with remote server
- Receiving commands from attacker-controlled infrastructure
- Data being sent to external systems
Attacker goal:
👉 Remotely control the compromised system
Defensive controls:
- Network traffic monitoring
- DNS filtering
- Blocking suspicious outbound connections
7. Actions on Objectives
What happens:
The attacker achieves their final goal.
Examples in IT:
- Data exfiltration (stealing data)
- Privilege escalation
- Lateral movement across servers
- Deleting or modifying data
- Disrupting services
Attacker goal:
👉 Complete the mission (e.g., data theft, system control)
Defensive controls:
- Data loss prevention (DLP)
- Access control (least privilege)
- Security monitoring (SIEM)
- Incident response processes
Visual Summary (Simple Flow)
Recon → Weaponize → Deliver → Exploit → Install → C2 → Actions
Important Concepts for the Exam
1. Defense-in-Depth
Security must exist at every stage of the kill chain.
- Network security → stops delivery
- Patch management → stops exploitation
- Monitoring → detects C2
👉 Multiple layers increase protection
2. Breaking the Kill Chain
The goal of defenders is to:
👉 Stop the attack at any stage
- Early stages = easier to stop
- Later stages = more damage already done
3. Indicators of Compromise (IoCs)
Signs that an attack is happening:
- Unusual network traffic
- Unknown processes running
- Unexpected outbound connections
- Modified system files
These help detect activity in different kill chain stages.
4. Mapping Security Tools to Kill Chain
| Stage | Example Security Tool |
|---|---|
| Reconnaissance | IDS, firewalls |
| Weaponization | Threat intelligence |
| Delivery | Email/web filters |
| Exploitation | Patch management, IPS |
| Installation | EDR, antivirus |
| C2 | Network monitoring, DNS filtering |
| Actions | DLP, SIEM |
5. Limitations of Cyber Kill Chain
For exam awareness:
- Focuses mainly on external attacks
- Less effective for:
- Insider threats
- Modern cloud environments
- Attackers may skip or repeat stages
Exam Tips (Very Important)
- Know all 7 stages in order
- Understand what happens in each stage
- Be able to match:
- Attack activity → correct stage
- Defense → correct stage
- Remember:
👉 Stopping earlier = better security
Quick Revision
- Cyber kill chain = attack lifecycle model
- 7 stages:
Recon → Weaponize → Deliver → Exploit → Install → C2 → Actions - Used for:
- Understanding attacks
- Improving defenses
- Incident response
