Skip to main content
  • Cybersecurity

How DNS security works in the cyber kill chain

By Mark Brownlee

The cyber kill chain is a pretty well-known concept in cybersecurity—a concept used by cyber teams to help them conceptualize how cybercriminals may try to attack them. Cyber professionals around the world use the model as a means of preventing and blocking cyber attacks from hitting their network. But how do you apply the cyber kill chain to real life attacks? That is another matter entirely.

What is the cyber kill chain?

The cyber kill chain is broken into seven stages (reconnaissance, weaponization, delivery, exploitation, installation, command and control (C2), actions on objectives) to help show the various techniques cyber attackers will use to complete a successful attack. Since malicious actors thrive on operating in the shadows, organizations often don’t know all the ways they can potentially be targeted.

The cyber kill chain is designed to claw back some of that power and place it in the hands of those charged with keeping their organization secure. And you know what? It’s called a “kill” chain for a reason. The kill chain does more than help visualize the stages of an attackit also presents a framework for protecting against them. If organizations are able to prevent the attack at any of the seven stages, they effectively “kill” it.

The cyber kill chain and DNS security

DNS security is only one part of an organization’s cybersecurity posture. It’s important to remember that you can’t just focus on it in order to protect your organization against cyber attacks. But, focusing on DNS security can help you to stop a decent number of cyber attacks within the kill chain, with two stages that are especially helpful.


Many cyber attacks are delivered through a malicious link or webpage. While an employee might unknowingly click on a phishing link or get drawn in by a scam website they come across while browsing, DNS security uses threat feeds (see more on this below!) to block any sites or other attacks that might be malicious. And by blocking malicious traffic from hitting your network, DNS security can help you kill a huge percentage of attacks at the delivery stage.

Command and control (C2)

DNS security doesn’t just prevent the delivery of malicious cyber attacks. It can also help to stop an attack once it has gained a foothold. That’s because when a hacker successfully delivers malicious code in a network, it’s only the starting point. If a cyber attacker can gain a foothold on only one device, it’s actually not that useful to them. The real goal is to use this one device as an entry point to move horizontally (i.e. to other similar devices in the organization) or vertically (i.e. to other more important devices or accounts within the organization).

To do that, a cyber attacker needs to enable communications with their exploit, using command and control facilities they’ve built in. This is where DNS security comes into play as well. Command and control often rely on DNS to function, so DNS threat lists can block these critical functions. This step can play a crucial role in preventing an attack from becoming a bigger problem.

How you can implement DNS security in the real world

And so, while the cyber kill chain is a great tool to help prevent cyber attacks, protecting your organization requires actually implementing DNS security into your operations.  Protective DNS (or as it’s sometimes known, a DNS firewall) is one of the most important ways this can be done. Protective DNS can help protect your organization by immediately blocking a malicious link that an employee might have accidentally clicked. This means you’ve automatically killed an attack before it even gets started.

Another big benefit of protective DNS? A threat feed. Threat feeds allows you to use cyber intelligence from around the world to benefit your organization. Say an attack has already taken place somewhere else, a threat feed ingests that information and then uses it to block similar attacks across the internet.


The cyber kill chain and DNS security

DNS security has a significant role to play in keeping your organization secure. By focusing on how DNS security can work with the cyber kill chain, you can go a long way towards keeping your organization secure against cyber threats.


Secured By Akamai Logo 02

Looking to get started with protective DNS?

Learn more about CIRA’s protective DNS solution, DNS Firewall, here.

About the author
Mark Brownlee

Mark Brownlee is a Product Marketing Manager with CIRA Cybersecurity Services. His work, which focuses on the CIRA DNS Firewall and Canadian Shield products, is dedicated to helping protect people and organizations in Canada from cyber threats. His background is in marketing strategy, communications planning and advertising best practices.