What is cyber kill chain?
The cyber kill chain is a way to pre-emptively understand, detect and avert cyber attacks.
It describes the processes that an adversary follows to carry out a cyber attack, and it helps security experts plan countermeasures in advance through an industry-trusted method. It is called a chain because disrupting any one link in the sequence interrupts the whole process.
What are its origins?
The term kill chain originates in the military, where it was used as a tool to understand enemy forces' attack structure, strategies and processes.
It is a systematic way to hunt an adversary and force it to act in a certain way so that it can be stopped and eliminated. The cyber kill chain was coined in 2011 by Lockheed Martin, a leading defense contractor for the US forces.
Why is cyber kill chain essential?
The following are some reasons why the cyber kill chain is an essential approach:
- It offers a bird's-eye view of how an attack progresses through its various stages.
- Along with the indicator lifecycle, it is used to gain a complete picture of adversary tactics, techniques, etc.
- It helps experts plan and focus their defensive efforts by identifying critical stages and points.
- It assists in proactively detecting and fending off threats at every stage.
- It provides useful information for improving incident response, such as where the attack can be disrupted and prevented.
What are the stages of a cyber kill chain?
The cyber kill chain is made up of seven stages. These are the stages an attacker goes through while carrying out a cyber attack.

Reconnaissance – Identify
Example:
- Gathering email address lists
- Extracting a public attendee list for an event
- Profiling targets based on social media information
Reconnaissance is the first stage, where the attacker gathers as much information as possible about his target.
There are two kinds of reconnaissance: active and passive.
Passive reconnaissance is when an attacker searches for information without interacting with the target. A common example is open-source intelligence, where the attacker gathers information about the target from public sources without the target knowing.
Active reconnaissance is when an attacker searches for information by interacting directly with the target's network and systems.
Weaponization – Prepare
Example:
- Tailor malware
- Select a document that acts as a decoy for the victim
- Choose command-and-control infrastructure
Once the attacker has gathered sufficient information, he begins to stage the attack: he prepares the malicious tools, strategies and methods required to deliver it.
He uses in-house or public/private tools (also known as weaponizers) that combine malware and an exploit into a malicious payload.
Delivery – Launch
Example:
An attacker delivers the payload via:
- phishing email
- malware on a USB stick
- social media interactions
- malicious websites
The attack is launched at this stage. The attacker operationalizes the weaponized tools and deploys the attack strategies, methods and sequences, including delivering the malicious payload or links through phishing, social engineering on social media, etc.
Exploitation – Break-in
Example:
- A zero-day vulnerability discovered and exploited
- A zero-day vulnerability in a bank server acquired
- Exploits triggered by user interaction (like opening an attachment)
The attacker gains access by exploiting a vulnerability in software or hardware, a lack of awareness, or human error. He either develops zero-day exploits from scratch or acquires an existing exploit from dedicated dark-web marketplaces that sell malicious tools and exploits.
Installation – Persist
Example:
- Installs a web shell on a web server
- Creates persistence through autorun keys, services, etc.
- Disguises malware behind a service (like an OS install)
At this stage, the attacker tries to maintain persistence with the help of malicious techniques and tools. He creates multiple points of entry and exit that give him a long-term foothold in the network.
C2 – Command and Control – Control
Example:
- DNS-based, web-protocol and email-protocol channels
- Content injection
- Removable-media-based C2
Once the attacker has gained a foothold on the network and established a backdoor to maintain persistence, he sets up a command-and-control (C2) channel that lets him remotely manipulate the target's systems.
A C2 server can either be owned by the attacker or belong to another victim.
Action on objectives – Destroy
Example:
- Exfiltrate, collect, corrupt or modify data
- Destroy endpoints across the network
- Perform internal reconnaissance
- Engage in lateral movement across the network
This is the final stage, where the attacker tries to achieve the objectives of his mission.
It occurs once the attacker has weaponized malware, installed it on the target's network and gained control of its systems. What happens in this stage varies from attacker to attacker.
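The defensive value of the seven stages above lies in mapping what you actually detect onto them: the earliest stage at which a detection fires is where the chain should have been broken, and every later stage that still occurs is a missed chance to do so. The following Python is an added example, not from the original article; the detection rule names, hosts and alert timeline are constructed, and the rule-to-stage mapping is a hypothetical one.

```python
"""Kill-chain coverage analysis over a constructed alert timeline (added example).
Each alert is tagged with the stage it evidences; the analysis rebuilds each host's
progression through the seven stages and reports where the chain was first seen
and how far it progressed afterwards, plus which stages have no detection at all."""
from collections import defaultdict

# The seven stages in the order the article gives them.
STAGES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and Control", "Actions on Objectives"]

# Hypothetical mapping from detection rule names to the kill-chain stage they evidence.
RULE_TO_STAGE = {
    "mail.phish_link": "Delivery",
    "edr.office_spawns_shell": "Exploitation",
    "edr.autorun_key_created": "Installation",
    "dns.beacon_periodic": "Command and Control",
    "dlp.bulk_upload": "Actions on Objectives",
}

# Constructed sample alerts: (HH:MM timestamp, host, rule name).
ALERTS = [
    ("09:01", "ws-17", "mail.phish_link"),
    ("09:04", "ws-17", "edr.office_spawns_shell"),
    ("09:05", "ws-17", "edr.autorun_key_created"),
    ("09:20", "ws-17", "dns.beacon_periodic"),
    ("11:42", "ws-17", "dlp.bulk_upload"),
    ("10:10", "ws-23", "mail.phish_link"),
]

def analyse(alerts, rule_map):
    """Per host: the first stage detected, the later stages the intrusion still
    reached after that detection, and the deepest stage (1..7) reached overall."""
    by_host = defaultdict(list)
    for _ts, host, rule in sorted(alerts):          # HH:MM strings sort chronologically
        if rule in rule_map:
            by_host[host].append(rule_map[rule])
    report = {}
    for host, seen in by_host.items():
        first = seen[0]
        later = [s for s in seen[1:] if STAGES.index(s) > STAGES.index(first)]
        report[host] = {"first_detected": first, "progressed_to": later,
                        "depth": max(STAGES.index(s) for s in seen) + 1}
    return report

def coverage_gaps(rule_map):
    """Stages with no detection rule mapped to them: blind spots in the chain."""
    return [s for s in STAGES if s not in set(rule_map.values())]
```

For the constructed data, ws-17 is first detected at Delivery yet progresses all the way to Actions on Objectives, while the gap list shows Reconnaissance and Weaponization have no detection at all.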
MITRE ATT&CK vs Cyber Kill Chain
| Cyber Kill Chain | MITRE ATT&CK model |
|---|---|
| It is a linear sequence. Any interruption in one stage can disrupt the whole process. | It is an accumulation of techniques, processes and tactics that do not follow any fixed sequence. |
| Implies that attacks follow a sequence to succeed. | Implies that attacks are dynamic, not necessarily following a linear sequence of TTPs (Tactics, Techniques and Procedures) to succeed. |
| Consists of seven stages, from Reconnaissance to Actions on Objectives. | Adds seven tactics to the cyber kill chain: Defense evasion, Access to credentials, Data exfiltration, Privilege escalation, Impact, Discovery and Lateral movement. |
| Explains how attackers follow a series of stages to succeed in an attack. | Explains Tactics, Techniques and Procedures in more depth than the cyber kill chain. |
| It offers information on preventing threats that follow a linear pattern, like malware. | It offers a broader and more detailed picture of an attack and the TTPs used by attackers. |
The cyber kill chain and the MITRE ATT&CK model can be used in combination to design more effective incident response and management by leveraging the strengths of each.
To summarize
The cyber kill chain is an effective approach to detecting and averting attacks. Through it, experts can understand the different stages an attacker goes through for a successful attack.
It is used as an industry-trusted model to pre-emptively ready defenses, plan and prepare incident response, and secure the most valuable information assets from adversaries.