Developed by Lockheed Martin, the Cyber Kill Chain was one of the first frameworks to define the stages of a cyber intrusion. It is based on military concepts and remains a vital model for understanding perimeter security.
The 7 Steps of an Attack
For an attack to be successful, the adversary must complete all seven stages. Defenders only need to block one stage to break the chain.
- Reconnaissance: Researching the target (harvesting emails, OSINT).
- Weaponization: Pairing an exploit with a deliverable payload (e.g., creating a malicious PDF).
- Delivery: Sending the weapon to the target (e.g., a phishing email).
- Exploitation: Triggering the weapon's code on the victim's system.
- Installation: Installing malware or a backdoor.
- Command and Control (C2): Establishing a channel to communicate with the compromised host.
- Actions on Objectives: Fulfilling the mission (data exfiltration, encryption, destruction).
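The practical use of the seven stages on the defensive side is to tag what you detect with the stage it belongs to, so you can see how far an intrusion has progressed and which stages your telemetry never covers. The following script is an added illustration, not Lockheed Martin's or any vendor's code; the alert format, the category-to-stage mapping and the sample alerts are all constructed assumptions.

```python
"""Tag constructed SOC alerts with a Cyber Kill Chain stage and report
stage coverage. Added illustration; the alert schema and the
category-to-stage mapping are assumptions, not a real product's."""

# The seven stages in chain order, as named in the Lockheed Martin model.
PHASES = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objectives",
]

# Hypothetical mapping from a detection rule's category to a stage.
# A real SOC would derive this from its own rule metadata.
CATEGORY_TO_PHASE = {
    "mass_login_enum": "Reconnaissance",
    "phishing_email": "Delivery",
    "office_macro_exec": "Exploitation",
    "persistence_run_key": "Installation",
    "beacon_dns": "Command and Control",
    "bulk_upload_external": "Actions on Objectives",
}


def tag_alerts(alerts):
    """Return (stage, alert) pairs; alerts with an unmapped category are skipped."""
    tagged = []
    for alert in alerts:
        phase = CATEGORY_TO_PHASE.get(alert["category"])
        if phase is not None:
            tagged.append((phase, alert))
    return tagged


def phases_observed(alerts):
    """Stages, in chain order, that have at least one alert."""
    seen = {phase for phase, _ in tag_alerts(alerts)}
    return [p for p in PHASES if p in seen]


def earliest_phase(alerts):
    """The earliest stage with an alert: the cheapest place to break the chain."""
    observed = phases_observed(alerts)
    return observed[0] if observed else None


def furthest_phase_by_host(alerts):
    """For each host, the latest stage it has reached (for triage ordering)."""
    furthest = {}
    for phase, alert in tag_alerts(alerts):
        host = alert["host"]
        idx = PHASES.index(phase)
        if host not in furthest or idx > PHASES.index(furthest[host]):
            furthest[host] = phase
    return furthest


def coverage_gaps(rule_categories):
    """Stages that no deployed rule category maps to."""
    covered = {CATEGORY_TO_PHASE[c] for c in rule_categories if c in CATEGORY_TO_PHASE}
    return [p for p in PHASES if p not in covered]


# Constructed sample alerts from two hosts.
SAMPLE_ALERTS = [
    {"host": "wkstn-17", "category": "phishing_email"},
    {"host": "wkstn-17", "category": "office_macro_exec"},
    {"host": "wkstn-17", "category": "beacon_dns"},
    {"host": "wkstn-17", "category": "unknown_noise"},
    {"host": "wkstn-42", "category": "mass_login_enum"},
]

if __name__ == "__main__":
    print("observed:", phases_observed(SAMPLE_ALERTS))
    print("earliest:", earliest_phase(SAMPLE_ALERTS))
    print("per host:", furthest_phase_by_host(SAMPLE_ALERTS))
    print("gaps:", coverage_gaps(CATEGORY_TO_PHASE.keys()))
```

Running it on the sample data shows wkstn-17 already at Command and Control while wkstn-42 is only at Reconnaissance, which is the ordering an analyst would triage by. The coverage report flags Weaponization as a gap even with every rule deployed: that stage happens on the adversary's own systems, so a defender rarely has telemetry for it and should not expect the tagging to fill it.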
Kill Chain vs. MITRE ATT&CK
While the Kill Chain is excellent for high-level strategy, it is often criticized for being too linear for modern threats.
- Modern attackers often skip stages or move laterally between hosts, so MITRE ATT&CK is usually preferred for detailed operational analysis.
- However, the Kill Chain remains the industry standard for explaining attacks to non-technical management in Strategic Intelligence reports.