
Cyber Kill Chain

The Cyber Kill Chain is a framework that describes the stages of an attack from initial reconnaissance to achieving the attacker’s objectives. It helps defenders identify and stop threats at different points in the lifecycle.

What is the Cyber Kill Chain?

The **Cyber Kill Chain** was developed by Lockheed Martin to provide a structured way of analyzing attacks. It breaks down an intrusion into a series of phases that adversaries typically follow. By mapping activity to these stages, defenders can better understand how attacks progress and where they can intervene. The model emphasizes that stopping an adversary at any point in the chain can prevent them from achieving their goals, whether that is stealing data, installing ransomware, or disrupting operations.

How it typically works

  1. Reconnaissance: adversaries gather information about the target, such as domain names, email addresses, or vulnerable services.
  2. Weaponization: attackers create malicious payloads, such as malware-laced documents or exploit kits.
  3. Delivery: the payload is transmitted to the victim through phishing, malicious websites, or removable media.
  4. Exploitation: vulnerabilities are exploited to execute the malicious code.
  5. Installation: malware establishes persistence on the victim’s system.
  6. Command and Control (C2): the compromised system connects back to the attacker to receive instructions.
  7. Actions on Objectives: adversaries achieve their goals, which can include data theft, system disruption, or lateral movement.

This sequence is not always linear, but it provides a repeatable way to analyze threats.

Common techniques


  • Reconnaissance techniques: scanning IP ranges, social engineering, OSINT collection.
  • Weaponization techniques: embedding exploits in PDF or Word files, creating custom malware.
  • Delivery techniques: spear phishing emails, drive-by downloads, USB drops.
  • Exploitation techniques: exploiting unpatched vulnerabilities, leveraging zero-day flaws.
  • Installation techniques: registry modifications, scheduled tasks, rootkits.
  • Command and Control techniques: HTTP(S) beacons, DNS tunneling, encrypted channels.
  • Actions on Objectives techniques: exfiltrating files, deploying ransomware, destroying backups.
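
As an added example (not code from the original page or from Lockheed Martin), the script below maps alert names to the seven phases listed above using keywords drawn from the "Common techniques" list, then reports per host how far along the chain an intrusion progressed and which earlier phases produced no alert at all, which is where a control could have broken the chain but nothing fired. The keyword table and the sample alerts are assumptions constructed for the example.

```python
# The seven phases in the order the page lists them.
PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and Control", "Actions on Objectives"]

# Alert-name keyword -> phase, taken from the page's "Common techniques" list.
# The keywords are assumptions; adapt them to your own tool's alert naming.
KEYWORD_PHASE = {
    "port scan": "Reconnaissance", "osint": "Reconnaissance",
    "phishing": "Delivery", "usb": "Delivery", "drive-by": "Delivery",
    "exploit": "Exploitation",
    "scheduled task": "Installation", "registry": "Installation", "rootkit": "Installation",
    "beacon": "Command and Control", "dns tunnel": "Command and Control",
    "exfiltration": "Actions on Objectives", "ransomware": "Actions on Objectives",
}

def phase_of(alert_name):
    """Return the kill chain phase for an alert name, or None if nothing matches."""
    lower = alert_name.lower()
    return next((p for kw, p in KEYWORD_PHASE.items() if kw in lower), None)

def chain_progress(alerts):
    """alerts: iterable of (timestamp, host, alert_name) tuples.
    Per host, report the phases observed (in chain order), the furthest phase
    reached with its earliest timestamp, and the earlier phases that produced
    no alert at all (the detection gaps worth closing first)."""
    per_host = {}
    for ts, host, name in alerts:
        p = phase_of(name)
        if p is not None:
            first = per_host.setdefault(host, {})
            first[p] = min(ts, first.get(p, ts))
    report = {}
    for host, first in per_host.items():
        seen = sorted(first, key=PHASES.index)
        gaps = [p for p in PHASES[:PHASES.index(seen[-1])] if p not in first]
        report[host] = {"observed": seen, "furthest": seen[-1],
                        "first_seen": first[seen[-1]], "undetected": gaps}
    return report

# Constructed sample alerts (not real telemetry); the last one matches no phase.
SAMPLE = [
    ("2024-05-01T09:10", "ws-17", "HTTPS beacon to rare domain"),
    ("2024-05-01T09:00", "ws-17", "Phishing email with attachment delivered"),
    ("2024-05-01T09:05", "ws-17", "Office exploit spawned cmd.exe"),
    ("2024-05-01T09:06", "ws-17", "Scheduled task created by Office process"),
    ("2024-05-01T10:00", "db-02", "DNS tunnel pattern in query volume"),
    ("2024-05-01T10:30", "db-02", "Large outbound exfiltration to cloud storage"),
    ("2024-05-01T10:31", "db-02", "Informational: admin login from jump host"),
]
```

Running `chain_progress(SAMPLE)` shows ws-17 reaching Command and Control with no Reconnaissance or Weaponization alerts, and db-02 reaching Actions on Objectives with nothing seen before its C2 traffic, so the earlier phases on db-02 are the first gaps to investigate.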

Impact


The Cyber Kill Chain provides defenders with a lens to analyze how adversaries operate. Instead of only responding to alerts, SOC teams can contextualize activity within an attacker lifecycle.

This helps organizations:

  • Identify weak points in their security posture.
  • Implement layered defenses that disrupt attacks at multiple stages.
  • Improve incident response by understanding the likely next move of an attacker.
  • Train analysts with a structured model for analyzing real-world intrusions.

Although newer frameworks such as MITRE ATT&CK provide more granular detail, the Cyber Kill Chain remains valuable for its simplicity and focus on the overall progression of an attack.

Further reading


  • Lockheed Martin: Cyber Kill Chain overview.
  • CISA: Attack lifecycle guidance.
  • SANS Institute: Applying the kill chain in SOC operations.
  • CrowdStrike: Kill chain explained.