Step by step through the 'Phishing Kill Chain'
Step by step through the 'Phishing Kill Chain'

Companies are increasingly being advised to defend against attacks targeting internal data assets. However, when that definition of 'assets' is expanded to include customers – your most important asset – an interesting challenge emerges.

That challenge is: how to protect customer data when phishing emails are a top attack vector for cyber-criminals. Without doubt, phishing has won out as the go-to tool for the cyber-spy in recent years. The 2013 Verizon Data Breach report found that a phishing campaign with more than 10 emails sent is guaranteed to generate at least one click. We only need to look at the Target data breach to know that swapping original URLs for malicious links designed to hijack identity credentials at a third party vendor and launch further attacks in the network is easy for today's hackers.

These incidents are degrading email as a trusted communication channel between businesses and their consumers. Lockheed Martin's ‘Cyber Kill Chain', echoing military parlance, describes each phase of a targeted attack. Each phase in turn helps inform ways to prevent them taking place. I would argue that if a hypothetical Phishing Kill Chain is followed then the risk of that email even reaching the intended recipient is eliminated.

Here's a table that illustrates what the Phishing Kill Chain looks like in context:

Military Kill Chain 

Cyber Kill Chain

Phishing Kill Chain

















Command & Control




So, from top to bottom – from the start of an attack to when they have your money – the criminals have to:

1. Target: decide who they're going to defraud and assemble an email list
2. Deliver: send messages to the people on their target list
3. Deceive: the criminal needs to deceive the user into following their call to action to the next step
4. Click: the customer clicks on the phishing site and attempts to load it in their browser
5. Surrender: the user needs to input their data to the phishing site
6. Extract: the phishing site needs to transmit the stolen credential or other information to the criminal
7. Act: the criminal needs to log on to the account in question and transfer money, use the stolen card number online or in person in order to perpetrate the final fraud

There are a number of solutions that address phishing at various points in the kill chain. Programmes like Google's “Gold Key” for Gmail try and cut the kill chain at Deception by showing the user a visual indicator for trusted messages. Microsoft has a similar programme, a “Green Shield” icon that indicates trust at Hotmail and However, though an important resource for Joe Blogs trying to figure out if the email landed in his inbox is real, website warning messages are not particularly effective.

The likes of Google's Safe Browsing API and Microsoft's “Phishing Filter” address the problem of the Click. If the user was successfully deceived, and clicks, the Chrome, Firefox and Internet Explorer browsers present a warning telling the user to return to safer waters. Unfortunately, the sites have to have been discovered and registered with those services before they're effective. Other options include making the expropriated data useless by cutting the chain at Extraction, or making use of anti-fraud solutions commonly used by financial institutions that attempt to cut the kill chain at Action by detecting suspicious activity. Regardless of the approach chosen, the one thing they have in common is that they're late in the kill chain.

Current doctrine informs us that the further up the kill chain we insert controls, the better the chance of preventing a breach. To that end, choosing a solution that can cut the chain at Delivery is essential. By choosing solutions that use DMARC (Domain-based Message Authentication, Reporting and Conformance), email is removed as a shortcut to criminal success. The development of this technology has fundamentally changed the email security equation. When DMARC is implemented by the brands that send email, a virtual “handshake” of sorts is instantly initiated with the email receivers that deliver email, (the vast majority of whom already support DMARC). If an email arrives from a domain owned by your bank, you can be sure your bank actually sent it. Faked emails are rejected by the email receivers before they even reach the inbox.

Contributed by Patrick Peterson CEO of Agari