Cyber kill chain

The cyber kill chain is a concept that was first authored by three researchers at Lockheed Martin (https://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf). The cyber kill chain outlines the stages of a network penetration that an attacker would have to go through to reach their ultimate goal. From these stages, an organization can work out the attacker methods and IOCs it may observe through detection capabilities enhanced with threat intelligence.

The cyber kill chain breaks down a network attack into seven steps that the attacker will progress through:

  • Reconnaissance: Attackers often spend a considerable amount of time reviewing open source intelligence such as social media, corporate websites, and domain registrations to map the externally facing network of a target organization. Other reconnaissance methods include using network mapping and scanning tools such as Nmap and Netcat to determine open ports or enabled services. Reconnaissance activities are often very difficult to detect: passive collection involves no direct contact with the target, and active scanning can be tuned so that it hides within normal network traffic.
  • Weaponization: After conducting their reconnaissance, threat actors will then craft their tools for actual penetration. For example, this can be a multistage malware payload that compromises a system. From an examination of the tools utilized in an attack, specific data points such as how the malware is packed or what exploits are used can be combined to create a mosaic that is unique to the adversary, almost creating a DNA profile to compare against.
  • Delivery: Threat actors need a vector to deliver their malware or exploit payload. They may make use of VPN connections or deliver malware attached to a Word document emailed to an employee of the target organization.
  • Exploitation: In this stage, a threat actor either leverages a vulnerability within the target network or abuses the legitimate functionality of toolsets such as PowerShell.
  • Installation: To gain more than a temporary foothold in the target organization, the threat actor will install their exploit or malware. This can even include the modification of settings or other functions on a compromised system.
  • C2: To control the system once the installation has been successful, the threat actor has to configure a remote command and control (C2) channel back to a central server. From here, they are able to maintain control, load additional exploits or malware, and observe the target organization's actions.
  • Actions on the objective: Once the previous six steps have been completed, the threat actor moves on to accomplishing the objective of the penetration. For retail targets, this may mean infecting POS devices with malware and obtaining credit card numbers. In government organizations, it may be acquiring a database of confidential data to sell.

By working through these various steps, an organization can see where individual IOCs and more general TTPs about threat actors can be obtained. One technique that is often utilized is to determine which threats are applicable to the organization, and then map each of them, stage by stage, to the individual IOCs that the organization will need specific threat intelligence to address.

For example, an organization may have a report about a cybercriminal group that targets POS devices. From here, it realizes that it would need to understand what the IOCs would be for the initial tools configured in the weaponization stage. Next, it would examine the TTPs surrounding how the threat actor delivers the exploit or malware. The organization would then need to understand how the threat actor exploits the network, either through vulnerabilities or by utilizing native utilities. The installation of an exploit or malware will produce IOCs in running memory and the registry settings of a compromised system. Having access to the specific IOCs in those areas would assist the organization with developing additional detective capabilities or the ability to find these IOCs during an incident investigation.
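The stage-by-stage mapping described above can be turned into a simple coverage check. The following is an added illustration, not code from the book: it takes a constructed profile of the indicator types a hypothetical POS-targeting group is expected to produce at each kill-chain stage, compares it with the indicator types the organization can already detect (also constructed), and reports the stages where threat intelligence or new detective capability is still needed.

```python
# Added illustration (not from the book): map a threat actor's expected
# indicators to kill-chain stages and find where detection is missing.
# The seven stages, in the order the kill chain describes them.
KILL_CHAIN = (
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "c2", "actions_on_objective",
)

def coverage_gaps(profile, detections):
    """Return {stage: sorted indicator types with no detection}, in chain order.

    profile:    {stage: set of indicator types the actor produces there}
    detections: set of indicator types the organization can detect today
    Stages with full coverage, or absent from the profile, are omitted.
    """
    unknown = set(profile) - set(KILL_CHAIN)
    if unknown:
        raise ValueError(f"unknown kill-chain stage(s): {sorted(unknown)}")
    gaps = {}
    for stage in KILL_CHAIN:  # dict keeps insertion (kill-chain) order
        missing = profile.get(stage, set()) - detections
        if missing:
            gaps[stage] = sorted(missing)
    return gaps

def first_uncovered_stage(gaps):
    """Earliest stage with a gap, i.e. where the actor first goes unnoticed."""
    return next(iter(gaps), None)

# Constructed sample: a hypothetical POS-targeting group, as in the text.
POS_THREAT_PROFILE = {
    "weaponization": {"malware_hash", "packer_signature"},
    "delivery": {"phishing_sender_domain", "attachment_hash"},
    "exploitation": {"powershell_cmdline"},
    "installation": {"registry_run_key", "memory_injection"},
    "c2": {"c2_domain", "c2_ip"},
    "actions_on_objective": {"pos_memory_scraper"},
}
# Constructed sample: indicator types the organization's sensors can see today.
CURRENT_DETECTIONS = {
    "malware_hash", "attachment_hash", "phishing_sender_domain",
    "registry_run_key", "c2_domain", "c2_ip",
}

if __name__ == "__main__":
    gaps = coverage_gaps(POS_THREAT_PROFILE, CURRENT_DETECTIONS)
    for stage, missing in gaps.items():
        print(f"{stage}: need intel/detection for {', '.join(missing)}")
    print("first blind spot:", first_uncovered_stage(gaps))
```

With the sample data, delivery and C2 are fully covered, while weaponization, exploitation, installation, and actions on the objective each still have an uncovered indicator type.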
