CloudSec LLC

Demystifying the Lockheed Martin Kill Chain: A Guide to Strengthening Cybersecurity

Andrew Williams • May 18, 2023

Deconstructing Cyber Threats: A Deep Dive into the Lockheed Martin Kill Chain and Its Real-World Applications

Greetings, fellow cloud-dwellers and security enthusiasts! Here at Cloudsec, we continually strive to shed light on complex cybersecurity topics and simplify them for our valued clients and readers. Today, we delve deep into the heart of cyber defense: the Lockheed Martin Kill Chain, its origins, and its application to infamous cybersecurity threats such as the WannaCry ransomware attack, the DNC phishing incident, and Stuxnet. Let's also explore a memorable mnemonic to help you recall these steps for your upcoming certification exams!


The Origins of the Kill Chain

Originating in military parlance, the 'Kill Chain' described the structure of an attack - from target identification to its ultimate destruction. In the early 2010s, the defense contractor Lockheed Martin adapted this concept into the Cyber Kill Chain, a structured method to identify and prevent cyber intrusion activities. Its effectiveness in providing a step-by-step approach to countermeasures has led to its widespread adoption within the cybersecurity community.


The Steps of the Lockheed Martin Kill Chain

The Lockheed Martin Kill Chain involves seven distinct stages:


  1. Reconnaissance
  2. Weaponization
  3. Delivery
  4. Exploitation
  5. Installation
  6. Command & Control (C2)
  7. Actions on Objectives


For those preparing for cybersecurity certifications or wanting an easy way to remember this, here's a mnemonic: "Rabbits Will Dance Elegantly In Colorful Costumes Always". Each first letter of the words in this sentence represents a stage in the Kill Chain.


Case Study 1: The WannaCry Ransomware Attack

In the WannaCry ransomware attack, the threat actors targeted mainly Windows 7 and Windows Server 2008 systems. They utilized the EternalBlue exploit to create the ransomware, which was then propagated to vulnerable systems. Upon gaining access, the ransomware encrypted user files, displayed a ransom note, and forced victims to pay a ransom to regain file access. The detailed breakdown of this attack using the Lockheed Martin Kill Chain model provides us with valuable insights into how these attacks can be prevented and mitigated.


  • Reconnaissance: Attackers identified systems primarily running Microsoft's Windows 7 and Windows Server 2008 as their targets.
  • Weaponization: They then leveraged the EternalBlue exploit, which took advantage of a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol (CVE-2017-0144), to create the WannaCry ransomware.
  • Delivery: The ransomware was propagated via phishing emails and malicious downloads.
  • Exploitation: Upon gaining access to a system, the EternalBlue exploit was used to compromise the target.
  • Installation: The ransomware then encrypted user files, effectively locking them.
  • Command & Control: Upon successful installation, the ransomware connected to an external server operated by the attackers to report a new infection and to update its encryption algorithms.
  • Actions on Objectives: The software displayed a ransom note, directing victims to send Bitcoin to regain file access. Attackers collected the ransom and, in some cases, decrypted the user files.


Case Study 2: The DNC Phishing Attack

The DNC phishing attack involved identifying key individuals within the DNC and crafting convincing spear-phishing emails to trick them into revealing their email credentials. After successfully gaining access, the attackers extracted sensitive data over several months, which was then leaked on the internet. This case demonstrates the importance of user awareness and the role it plays in preventing such attacks.


  • Reconnaissance: The attackers identified key individuals within the DNC who had access to sensitive information.
  • Weaponization: Convincing spear-phishing emails were crafted, designed to trick the victims into revealing their email credentials.
  • Delivery: These phishing emails were sent to the targeted individuals.
  • Exploitation: Upon clicking the link, the user was redirected to a fake Google login page where they would enter their current and new password.
  • Installation: After these credentials were entered, the attackers had essentially 'installed' themselves into the DNC's email systems.
  • Command & Control: Once the attackers had the user credentials, they were able to directly access and control the compromised email accounts, executing commands like reading emails, extracting attachments, and even sending emails if desired.
  • Actions on Objectives: The leaked emails were published on the internet, causing significant disruptions and political fallout.


Case Study 3: The Stuxnet Attack

In the Stuxnet attack, the threat actors developed a sophisticated worm to specifically target Supervisory Control and Data Acquisition (SCADA) systems manufactured by Siemens, primarily used within Iran's nuclear facilities. The worm was spread through infected USB drives and exploited multiple vulnerabilities within the Windows Operating System to gain access to these SCADA systems. The meticulous application of the Lockheed Martin Kill Chain model allows us to dissect this complex attack and understand how it could be detected and prevented.

  • Reconnaissance: Attackers identified SCADA systems as their targets, particularly those used in Iran's nuclear facilities.
  • Weaponization: They crafted a worm capable of exploiting multiple zero-day vulnerabilities in the Windows operating system and Siemens SCADA systems. Among the exploited vulnerabilities were CVE-2010-2568, CVE-2010-2729, and CVE-2010-2772.
  • Delivery: The worm was delivered via infected USB drives and network propagation. When the infected USB drive was inserted into a Windows machine, the autorun feature facilitated the execution of the worm.
  • Exploitation: Upon execution, the worm exploited the mentioned vulnerabilities to escalate privileges and gain access to the SCADA system.
  • Installation: After gaining access, Stuxnet installed itself within the system and ensured its persistence by using a rootkit to hide its presence.
  • Command & Control: After successful installation, Stuxnet periodically connected to two command and control servers to download updates, report its status, and receive commands.
  • Actions on Objectives: Stuxnet modified the operation of programmable logic controllers (PLCs) of the SCADA systems to cause centrifuges in Iran's nuclear enrichment facilities to spin at destructive speeds, while displaying normal operating conditions to system monitors.


The Stuxnet attack underscores the importance of securing not only our conventional computer systems but also the embedded systems that manage critical infrastructure. It shows the lengths to which attackers are willing to go to achieve their objectives and highlights the vital need for a robust and comprehensive cybersecurity strategy.


Building Stronger Defenses with Cloudsec

By examining each stage of the Kill Chain in these case studies, we see how early intervention can thwart an attack before it becomes a significant threat. This approach highlights the need for robust vulnerability and patch management – a specialty of Cloudsec.
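As an added example (not code from the original post or from Cloudsec), the following Python script shows how a defender can apply the seven stages to the kind of telemetry the case studies above describe: it reconstructs each host's chain from detection events, names the earliest stage where a block would have cut off everything downstream, and flags stages the attacker must have passed through without producing any alert. The event kinds, host names and timestamps are constructed for this example and assume a hypothetical normalized alert feed.

```python
# The seven Lockheed Martin Cyber Kill Chain stages, in order.
KILL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command & Control", "Actions on Objectives"]

# Hypothetical mapping from normalized detection-event kinds to stages (constructed names).
EVENT_STAGE = {
    "phishing_email_delivered": "Delivery",
    "usb_autorun": "Delivery",
    "smb_exploit_attempt": "Exploitation",
    "lnk_exploit": "Exploitation",
    "new_service_installed": "Installation",
    "rootkit_driver_loaded": "Installation",
    "c2_beacon": "Command & Control",
    "mass_file_encryption": "Actions on Objectives",
}

def reconstruct_chains(events):
    """(host, ts, kind) events -> per host, distinct stages reached in time order; unmapped kinds ignored."""
    chains = {}
    for host, _, kind in sorted(events, key=lambda e: e[1]):
        stage = EVENT_STAGE.get(kind)
        if stage and stage not in chains.setdefault(host, []):
            chains[host].append(stage)
    return chains

def earliest_intervention(chain):
    """Earliest stage observed: a block there would have cut off every later stage."""
    return min(chain, key=KILL_CHAIN.index) if chain else None

def visibility_gaps(chain):
    """Stages between first and last observed that produced no telemetry: the attacker
    had to pass through them, so each is a detection-coverage gap worth closing."""
    idx = [KILL_CHAIN.index(s) for s in chain]
    return [s for s in KILL_CHAIN[min(idx):max(idx) + 1] if s not in chain] if idx else []

# Constructed sample telemetry echoing the WannaCry and Stuxnet case studies above.
SAMPLE = [
    ("ws-01", 100, "smb_exploit_attempt"), ("ws-01", 130, "new_service_installed"),
    ("ws-01", 131, "c2_beacon"), ("ws-01", 140, "mass_file_encryption"),
    ("eng-07", 200, "usb_autorun"), ("eng-07", 205, "lnk_exploit"),
    ("eng-07", 260, "rootkit_driver_loaded"), ("eng-07", 900, "c2_beacon"),
    ("mail-03", 300, "phishing_email_delivered"), ("mail-03", 600, "c2_beacon"),
    ("mail-03", 610, "unknown_vendor_alert"),  # unmapped kind: must be skipped
]

def report(events=SAMPLE):
    """Per-host summary: where to block, how far the attacker got, what telemetry was missing."""
    return {h: {"chain": c, "block_at": earliest_intervention(c),
                "reached": max(c, key=KILL_CHAIN.index), "gaps": visibility_gaps(c)}
            for h, c in reconstruct_chains(events).items()}
```

For the constructed sample, mail-03 reports gaps at Exploitation and Installation: a credential phish went from delivery straight to beaconing with nothing in between, which is exactly the blind spot the DNC case study illustrates.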


At Cloudsec, we provide leading-edge vulnerability and patch management services that empower you to identify, classify, prioritize, and mitigate potential weaknesses in your digital infrastructure before they're exploited. We're committed to staying ahead of the curve, ensuring your systems are up-to-date, and reducing the attack surface for would-be intruders. As we part ways today, remember the dancing rabbits – they symbolize not just the stages of an attack but also the power you have to make your operations secure, with Cloudsec by your side. Stay vigilant and keep your cybersecurity game strong. Contact us to learn more about how we can fortify your defenses today!

