Cyber Kill Chain

Learn how cyber attackers can leverage vulnerabilities in Salesforce and how you can stop them.

Maximizing Protection for Your Salesforce Cloud: How The Cyber Kill Chain Can Help

As more and more companies adopt Salesforce Cloud applications to scale service processes, enhance the customer experience and drive efficiency by enabling better collaboration between teams, they become increasingly critical to the success of organizations across various industries. However, with this increased popularity comes a higher risk of cyber attacks. Cybercriminals are always on the lookout for new ways to access sensitive data and networks, and Salesforce Cloud is no exception.

It’s important to note that while Salesforce does provide infrastructure-level security measures such as replication, backup and disaster recovery, as well as encrypted network services and advanced threat detection,  it’s ultimately the responsibility of each company to ensure the security of their data and access controls. The benefits of using cloud-based applications like Salesforce far outweigh the potential security risks, but it’s crucial to understand these risks and take action to mitigate them.

One way to proactively secure your Salesforce Cloud environment is by understanding the methods used by attackers. These can range from phishing and malicious URLs to social engineering and weaponized content uploads. To help with this, we’ll explore the concept of the Cyber Kill Chain, a framework developed by Lockheed Martin to assist organizations in identifying and defending against cyber attacks.

What is the Cyber Kill Chain?

The Cyber Kill Chain is a methodology for identifying and understanding the various stages of a cyber attack. Developed by Lockheed Martin in 2011, the framework is used to help organizations understand the different stages of an attack and how they can be detected and prevented. It’s made up of seven stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives.

However, from our own experience of researching and combating attacks, we’ve added some additional steps that you may find useful. The WithSecure™ Kill Chain model consists of eight stages:


The attacker gathers information about the target, such as its vulnerabilities and potential entry points. In a Salesforce context, this could mean discovering your Community portals, Web-to-case forms or the email addresses that are used for the email-to-case flow.


Once the attacker has identified a potential target, they will create and deliver the malware or weaponized payload to the target’s systems. This could be done through a phishing email, exploit kits or other means. This may also be done via Salesforce Communities, direct file uploads or URLs shared via Salesforce.


In this stage, the attacker uses the weaponized payload to exploit vulnerabilities in the target’s systems. This allows them to gain access and begin to move laterally within the network. Exploitation can occur in various ways, including abusing the functionality of file formats such as Microsoft Office documents and PDF files.

Command and control

Once the attacker has gained access to the network, they will establish a command and control (C2) infrastructure to maintain control over the compromised systems. This could include creating a backdoor or installing a remote access tool.


The attacker will now focus on maintaining their presence and avoiding detection on the target’s systems, in case they are discovered and removed. This allows the malicious code to remain in place to steal more data or carry out other nefarious actions — which they may achieve by continuing to send malicious code to internal or external users of the Salesforce Cloud environment.

Internal reconnaissance

Once a malicious actor gains access to your system, they may conduct a deeper reconnaissance mission to find out more about the inner workings of your organization and network. In Salesforce, this could mean accessing contact details of partners and customers within your CRM or scavenging for information about other systems connected to Salesforce.

Lateral movement

Internal reconnaissance allows an attacker to locate other parts of your organization’s network that may hold the data they are seeking. Once access is obtained, attackers can use a variety of techniques to gain further entry into targeted systems.


When a malicious actor successfully completes at least part of their objectives, it means that the last stage in the Kill Chain has been reached. This could mean a number of things — such as stealing data (or simply viewing it), manipulating targets or making fraudulent payments — depending on what they are trying to achieve.

One thing to note is that The Cyber Kill Chain is often compared to the Mitre Att&ck framework, which is another popular methodology for understanding and responding to cyber-attacks. Both frameworks have similar threat detection goals, but the Cyber Kill Chain is more focused on the specific stages of an attack, while the Mitre Att&ck framework focuses more deeply on the tactics and techniques used by attackers. 

Data Theft and System Breaches: The Motivations Behind Cybercriminals and Their Tactics

Due to the growing popularity of cloud-based computing, criminals have become aware that large troves of valuable and sensitive data are held in these environments. But many types of malicious actors exist, and each has its own motives for stealing sensitive information. It’s important to understand who these attackers are — and why they target certain organizations. By order from most to least threatening, the most common threat actors include:

  • Nation states: As the most dangerous threat actors, nation states have the ability to use sophisticated techniques and tradecraft. They also have the resources — both financial and human — to invest in research and development of new attack methods. Fortunately, this kind of attack is highly unlikely to happen to most businesses.
  • Serious organized crime groups: These are groups that have the resources and expertise to carry out large-scale attacks and profit from the sale of stolen data. They may target financial institutions, healthcare organizations and other businesses that handle sensitive information.
  • Highly capable criminal groups: Commonly known as hackers-for-hire, criminal groups may also target organizations for financial gain or to disrupt business operations. They may use phishing, malware and other techniques to gain access to sensitive information.
  • Motivated individuals: This category covers people with a specific motivation — a grudge against your company, for example — who will target you because of that anger with the purpose of making a financial gain.
  • Script kiddies: These individuals are often young, tech-savvy and may not have a specific motivation to target organizations. They simply want to explore the concept of hacking and may look for vulnerabilities in websites or networks to exploit. For example, a hacker sends out a mass email or instant-message spam, hoping that at least some recipients will respond by clicking on a malicious link or opening an attachment.

“Security leaders in finance industry state that compliance to industry standards is one of their top 5 security priorities.”

Source: F-Secure 2021 Priorities for European Security Leaders

Unlock the full potential of your business by investing in WithSecure™ Cloud Protection for Salesforce

When it comes to protecting your organization’s Salesforce data, it’s essential to take a proactive approach to ensure that it remains secure at all times. This is where WithSecure™ Cloud Protection for Salesforce comes in — it’s designed to safeguard your cloud environment against advanced cyber threats such as ransomware, zero-day malware, viruses, trojans and phishing links.

With our Cloud Protection, you can run your digital operations on Salesforce without disruption, as each customer interaction is secured in real time. You get constant clarity of your content security status and can see what is happening in your environment. Developed in close collaboration with Salesforce, the solution is ISO 27001 and ISAE 3000 (SOC 2) certified and complements the platform’s native security capabilities seamlessly.

Additionally, WithSecure’s solution scans URLs every time they’re clicked, which helps to combat situations like the email-to-case Kill Chain where attackers leave a waiting period before weaponizing to attempt to fool the information security system.

Designed and created in collaboration with Salesforce, WithSecure’s Cloud Protection is a tailor-made solution recommended by Salesforce. It can be acquired directly from the AppExchange , and its Cloud-to-Cloud architecture means there is no need for middleware. Our click-and-go deployment means instant value with no time-consuming implementation process.

Ready to take your security efforts to the next level?

Our team of experienced security professionals is at the forefront of the cybersecurity world, constantly gaining valuable insights to ensure your security is always ahead of the curve. With over three decades of experience, we have what it takes to keep you protected from the ever-evolving threat landscape.

With offices in Europe, North America and Asia Pacific, as well as over 100,000 corporate customers, our reputation as a trusted security provider is unparalleled. Our corporate security revenue has been consistently growing year-on-year since 2015, and we have serviced over 300 enterprises through our consulting services.

Founded in 1988 and listed on the NASDAQ OMX Helsinki Ltd, trust us to take your cybersecurity efforts to the next level. Don’t just take our word for it, check out our customer success stories  and see how WithSecure™ has made a difference.

Required field.

Invalid field.

Required field.

Invalid field.

Required field.

Invalid field.

Required field.

Invalid field.

Required field.

Invalid field.

We process the personal data you share with us in accordance with our Corporate Business Privacy Policy.