Cyber Kill Chain
A 7-phase model that describes a cyberattack from reconnaissance through to achieving its objectives. It enables defenders to detect and thwart attacks early on—the sooner, the less damage is caused.
The Cyber Kill Chain was developed by Lockheed Martin in 2011 and describes the typical progression of a targeted cyberattack in seven phases. The concept originates from military terminology: a "kill chain" is a sequence of actions, each of which can be interrupted to halt the operation.
The 7 Phases
Phase 1: Reconnaissance
The attacker gathers information about the target before a single attack takes place.
Passive reconnaissance (no direct contact):
- OSINT: LinkedIn profiles of IT staff, org chart, email patterns
- WHOIS, Shodan, Censys: Publicly visible infrastructure
- Google Dorks: Accidentally public documents, configuration files
- DNS enumeration: Subdomains, MX records, SPF entries
Active reconnaissance:
- Port scanning (nmap)
- Fingerprinting of services and versions
Defensive measures:
- Minimal information exposure (no technology stack in job ads)
- Shodan monitoring of your own IP ranges
- Do not make email templates public
Phase 2: Weaponization
The attacker combines a vulnerability with an exploit payload.
Typical Weapons:
- Lured Office documents with macro payloads
- Trojanized software installers
- Exploit kits for browser vulnerabilities
- Drive-by downloads via compromised websites
No network contact in this phase—purely offensive preparation.
Phase 3: Delivery
The attacker delivers the weapon to the target.
Most common channels:
- Phishing emails (68% of all attacks start this way)
- Spear-phishing with personalized content
- Watering hole: Compromised industry websites
- USB drops (physically in parking lots or at reception)
- VPN/website exploits (direct network attacks)
Measurable: Delivery is the phase most frequently detectable in logs.
Phase 4: Exploitation
The exploit is executed and takes advantage of a vulnerability.
Exploit Types:
- Software vulnerabilities (unpatched CVEs)
- Zero-day exploits (no patch available)
- Human exploits: User executes macro, opens malicious file
- Browser/plugin exploits
Critical moment: Antivirus solutions often fail here (signature-based).
Phase 5: Installation
The attacker installs a backdoor for persistent access.
Persistence mechanisms:
- Registry Run Keys (Windows startup)
- Scheduled Tasks / cron jobs
- Service installation (runs even after a reboot)
- DLL hijacking / DLL side-loading
- Web shells on compromised web servers
Goal: Maintain access even after a reboot or password change.
Phase 6: Command and Control (C2 / C&C)
The attacker establishes a remote control channel.
C2 Protocols:
- HTTP/HTTPS (difficult to block, appears legitimate)
- DNS Tunneling (data exfiltration via DNS requests)
- ICMP tunneling
- Social media APIs (Twitter, GitHub as C2)
Frameworks: Cobalt Strike, Metasploit, Sliver, Brute Ratel – also used by APTs.
Detection: Anomalies in outbound traffic, DNS queries to unknown domains, beacons (regular connections every X seconds).
Phase 7: Achieving Objectives (Actions on Objectives)
The attacker achieves their actual objective.
Possible objectives:
- Data exfiltration (customer data, IP, credentials)
- Ransomware deployment (encrypt all files)
- Sabotage (disrupt OT/ICS systems)
- Lateral movement to other systems → domain controller
- Persistence for long-term espionage (APT)
MITRE ATT&CK; vs. Kill Chain
The Cyber Kill Chain is a macro model. MITRE ATT&CK; is significantly more granular:
| Aspect | Cyber Kill Chain | MITRE ATT&CK; |
|---|---|---|
| Level | Strategic | Tactical/Technical |
| Phases | 7 phases | 14 tactics, 200+ techniques |
| Use | Understanding attack phases | Detection & simulation |
| Update | Rarely | Quarterly |
In practice: Kill Chain for communication with management, ATT&CK; for technical detection rules in SIEM.
Defense: Interrupt the attack at every phase
Phase 1 (Recon) → Minimal information exposure, OSINT monitoring
Phase 2 (Weapon) → Threat intelligence feeds (known malware hashes)
Phase 3 (Delivery) → Email filtering, anti-phishing, security awareness
Phase 4 (Exploit) → Patch management, EDR, WAF
Phase 5 (Install) → Application whitelisting, privilege management
Phase 6 (C2) → DNS filtering, firewall egress rules, NTA
Phase 7 (Action) → Data Encryption, DLP, Network SegmentationThe earlier a phase is interrupted, the less damage is caused. Most companies only detect attacks in Phases 6–7—often weeks after the initial compromise. The goal is to reduce this to Phases 3–4.
