Kill Chain (Cyber Kill Chain)

Home  / Glossary Index  / Alphabet K
Most security teams respond to attacks after they succeed. The Cyber Kill Chain changes this dynamic. It maps every stage of an attack from reconnaissance to data theft. Defenders can intervene at any point. Break the chain at stage one, and the attack never progresses. The framework transforms reactive security into proactive defense.

What Is the Cyber Kill Chain?

The Cyber Kill Chain is a framework developed by Lockheed Martin that identifies the stages of a cyber attack from initial reconnaissance to actions on objectives. The model helps organizations understand, detect, and prevent intrusions by breaking attacks into manageable phases. Stopping an attack earlier in the chain causes less damage. The theory is the closer to the beginning of the kill chain an attack can be stopped, the better.

The 7 Stages of the Cyber Kill Chain

Stage 1: Reconnaissance

The attacker researches the target. They harvest email addresses from social media and public records. They identify employees, partners, and systems. They scan for open ports and vulnerable services. At this stage, the attacker has not yet attempted access.
Defender Actions: Collect and review website logs. Build detections for reconnaissance behaviors. Set up defenses around targeted people or systems.

Stage 2: Weaponization

The attacker creates a malicious payload. They combine malware with an exploit into a deliverable package. They select decoy documents, backdoor implants, and command-and-control infrastructure. The weapon sits ready for delivery.

Defender Actions: Analyze malware artifacts when discovered. Build detection for weaponization tools. Collect samples for future analysis.

Stage 3: Delivery

The attacker transmits the weapon to the target. Methods include phishing emails with malicious attachments, USB drops, compromised websites, and social media messages. This is often the first opportunity to block the attack.
Defender Actions: Block known malicious attachments. Filter suspicious emails. Disable macros by default. Deploy web filtering.

Stage 4: Exploitation

The payload triggers on the target system. The attacker exploits a software vulnerability or tricks the user into enabling macros. Code execution begins. The attacker gains a foothold.
Defender Actions: Patch known vulnerabilities promptly. Deploy exploit mitigation techniques. Use application allowlisting.

Stage 5: Installation

The attacker installs persistent access. Malware installs itself for long-term presence. Backdoors open communication channels. The attacker ensures access survives reboots and security scans.
Defender Actions: Deploy endpoint detection and response (EDR). Monitor for unauthorized software installation. Use integrity monitoring.

Stage 6: Command and Control (C2)

The infected system calls home to the attacker’s control server. The attacker issues commands, uploads tools, and directs the compromised system. Two-way communication enables remote control.
Defender Actions: Monitor outbound connections. Block known C2 domains. Use network traffic analysis to detect beaconing patterns.

Stage 7: Actions on Objectives

The attacker achieves their goal. Data exfiltration steals sensitive information. Ransomware encrypts critical systems. Sabotage destroys operations. The attack completes. Damage occurs.
Defender Actions: Monitor for large data transfers. Deploy data loss prevention (DLP). Implement least privilege to limit damage.

Applying the Kill Chain to Your Defense

Detect Early, Respond Faster

Reconnaissance and weaponization happen outside your network. You cannot directly block these stages. But you can detect delivery attempts. Email filtering blocks phishing. Web filtering stops malicious downloads. Exploitation prevention stops code execution. Each stage offers detection and response opportunities.

Measure Your Effectiveness

Track which stages your controls address. A phishing filter blocks delivery. Endpoint protection stops exploitation. DLP limits actions on objectives. Identify gaps where you have no coverage. Prioritize controls for uncovered stages.

Limitations of the Cyber Kill Chain

Assumes External Attackers

The original kill chain assumes an attacker outside your network. It does not address insider threats. A malicious employee starts at stage 7 (actions on objectives). The kill chain provides less value for insider detection.

Limited Cloud Coverage

Traditional kill chain focuses on network perimeters and endpoints. Cloud environments and SaaS applications require modified frameworks. MITRE ATT&CK provides better cloud coverage.

Not All Attacks Follow the Sequence

Some attacks skip stages or repeat stages. Ransomware may deliver directly without reconnaissance. Advanced attacks may complete multiple cycles. The kill chain is a model, not a guarantee.

MITRE ATT&CK vs Cyber Kill Chain

MITRE ATT&CK complements the kill chain with detailed adversary tactics, techniques, and procedures (TTPs). The kill chain provides the high-level stages. MITRE ATT&CK provides the specific methods used at each stage. Use both. The kill chain for strategy. MITRE ATT&CK for implementation.

The Cyber Kill Chain remains one of the most influential security frameworks ever developed. It changed how defenders think about attacks. Do not just detect breaches. Detect the precursor activities. Intervene earlier. Break the chain before damage occurs.

Scroll to Top