Cyber kill chain

The cyber kill chain is a concept first authored by three researchers at Lockheed Martin (https://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf). The cyber kill chain outlines the stages of a network penetration that an attacker would have to go through to reach their ultimate goal. From here, organizations can extrapolate the various methods and IOCs that they may observe at each stage, using detection capabilities enhanced with threat intelligence.

The cyber kill chain breaks down a network attack into seven steps that the attacker will progress through:

  1. Reconnaissance: Attackers often spend a considerable amount of time reviewing open source intelligence such as social media, corporate websites, and domain registration to map the externally facing network of a target organization. Other reconnaissance methods include using network mapping and scanning tools such as Nmap and Netcat to determine open ports or enabled services. Reconnaissance activities are often very difficult to detect, as threat actors can conduct them with no direct action against the target, or tune their scanning so as to hide their efforts behind normal network traffic.
  2. Weaponization: After conducting their reconnaissance, threat actors will then craft their tools for the actual penetration. For example, this can be a multi-stage malware payload that compromises a system. From an examination of the tools utilized in an attack, specific data points, such as how the malware is packed or what exploits are used, can be combined to create a mosaic which is unique to the adversary, creating almost a DNA profile to compare against.
  3. Delivery: Threat actors need a vector to deliver their malware or exploit payload. They may make use of VPN connections or deliver malware attached to a Word document emailed to an employee of the target organization.
  4. Exploitation: In this stage, a threat actor either leverages a vulnerability within the target network or a functionality of tool sets such as PowerShell.
  5. Installation: To gain more than a temporary foothold in the target organization, the threat actor will install their exploit or malware. This can even include the modification of settings or other functions on a compromised system.
  6. Command and Control (C2): To control the system once installation has been successful, the threat actor has to configure a remote C2 channel back to a central server. From here, they are able to maintain control, load additional exploits or malware, and observe the target organization's actions.
  7. Actions on objective: Once the previous six steps have been completed, the threat actor moves on to accomplishing the objective of the penetration. For retail targets, this may mean infecting Point of Sale (POS) devices with malware and obtaining credit card numbers. In government, it may be acquiring a database of confidential data to sell.

By working through these various steps, an organization can see where individual IOCs and more general TTPs about threat actors can be obtained. One technique that is often utilized is to determine what threats are applicable to an organization and map them out at each stage to the individual IOCs that they will need specific threat intelligence to address. For example, they may have a report about a cyber-criminal group that targets POS devices. From here, they realize that they would need to understand what the IOCs would be for the initial tools configured in the weaponization stage. Next, they would examine the TTPs surrounding how the threat actor delivers the exploit or malware. The organization would then need to understand how the threat actor exploits the network either through vulnerabilities or utilizing native utilities. The installation of an exploit or malware will produce IOCs in running memory and the registry settings of a compromised system. Having access to the specific IOCs in those areas would assist the organization with developing additional detective capabilities or the ability to find these IOCs during an incident investigation.
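The mapping exercise described above can be made concrete in code. The following is an added example, not taken from the book or from Lockheed Martin's paper: a small Python script that holds a constructed set of threat-intelligence indicators for a hypothetical POS-targeting group, each tagged with the kill chain stage at which it would be observed, matches those indicators against a few constructed host and network events, reports how far along the chain the observed activity has progressed, and lists the stages for which the organization holds no indicators at all. Every hostname, file name, domain, registry path and hash below is a made-up placeholder.

```python
"""Map threat-intelligence IOCs onto the cyber kill chain (added example).

All indicators and events here are constructed for illustration; none are
real IOCs. The idea follows the text: for a threat that matters to the
organization, tag each known indicator with the kill chain stage where it
would be observed, then see which stages the organization can actually detect
and, during an investigation, how far an intrusion has progressed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# The seven stages, in order, as the chain defines them.
STAGES = [
    "Reconnaissance",
    "Weaponization",
    "Delivery",
    "Exploitation",
    "Installation",
    "Command and Control",
    "Actions on Objective",
]


@dataclass(frozen=True)
class Indicator:
    stage: str        # kill chain stage where this IOC would be seen
    field: str        # event field the IOC is compared against
    value: str        # indicator value (constructed placeholder)
    description: str  # what the IOC represents, for the analyst


# Constructed intel for a hypothetical POS-targeting group. Note that nothing
# covers Reconnaissance or Weaponization: a realistic gap, since those stages
# happen largely outside the defender's visibility.
INTEL: List[Indicator] = [
    Indicator("Delivery", "attachment_name", "invoice_Q3.docm",
              "macro-enabled lure document"),
    Indicator("Exploitation", "process_cmdline_contains", "powershell -enc",
              "encoded PowerShell spawned from Office"),
    Indicator("Installation", "registry_key",
              r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
              "run-key persistence entry"),
    Indicator("Installation", "file_sha256", "<placeholder-sha256>",
              "dropper executable hash"),
    Indicator("Command and Control", "dest_domain", "update-cdn.example",
              "beacon domain"),
    Indicator("Actions on Objective", "process_name", "posdump.exe",
              "POS memory scraper"),
]

# Constructed events from one workstation, as an EDR or SIEM might surface.
EVENTS: List[Dict[str, str]] = [
    {"host": "ws-12", "attachment_name": "invoice_Q3.docm"},
    {"host": "ws-12", "process_cmdline": "POWERSHELL -enc SQBFAFgAIAAoAE4A"},
    {"host": "ws-12", "registry_key":
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"host": "ws-12", "dest_domain": "update-cdn.example"},
]


def matches(event: Dict[str, str], ind: Indicator) -> bool:
    """True if the event carries the indicator. Command-line indicators are
    substring matches (case-insensitive); everything else is an exact match."""
    if ind.field == "process_cmdline_contains":
        return ind.value.lower() in event.get("process_cmdline", "").lower()
    return event.get(ind.field) == ind.value


def stages_observed(events: Iterable[Dict[str, str]],
                    intel: Iterable[Indicator]) -> Dict[str, List[str]]:
    """Return {stage: [descriptions of matched indicators]} over all events."""
    hits: Dict[str, List[str]] = {}
    for event in events:
        for ind in intel:
            if matches(event, ind):
                hits.setdefault(ind.stage, []).append(ind.description)
    return hits


def furthest_stage(hits: Dict[str, List[str]]) -> Optional[str]:
    """The latest kill chain stage with at least one matched indicator."""
    reached = [s for s in STAGES if s in hits]
    return reached[-1] if reached else None


def coverage_gaps(intel: Iterable[Indicator]) -> List[str]:
    """Stages for which the intel set supplies no indicator at all."""
    covered = {ind.stage for ind in intel}
    return [s for s in STAGES if s not in covered]


if __name__ == "__main__":
    observed = stages_observed(EVENTS, INTEL)
    for stage in STAGES:
        marker = "X" if stage in observed else "-"
        print(f"[{marker}] {stage}: {', '.join(observed.get(stage, []))}")
    print("Furthest stage reached:", furthest_stage(observed))
    print("No intel for:", ", ".join(coverage_gaps(INTEL)))
```

Run as a script, it prints one line per stage with the indicators matched on the constructed events; here the chain is observed through Command and Control but not Actions on Objective, which tells the analyst where to look next (POS hosts, memory of running processes) before the objective is reached. The `coverage_gaps` output is the planning side of the exercise: it shows which stages the organization would need additional intelligence for.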
