Back to Vault

Cyber Kill Chain

The Cyber Kill Chain

Lockheed Martin's Framework for Understanding Cyber Attacks

Developed by Lockheed Martin, the Cyber Kill Chain is a military-inspired framework that breaks down cyber attacks into seven distinct phases. Understanding each phase empowers defenders to identify, disrupt, and prevent intrusions at multiple stages of the attack lifecycle.

The Seven Phases

Each phase of the Cyber Kill Chain represents a critical step in a cyber attack. Click on any phase to expand and learn about attack techniques, defensive strategies, and real-world examples.

1

Reconnaissance

Gathering intelligence and identifying potential targets through passive and active information collection.

Click to expand ▼

Attack Techniques

  • Open Source Intelligence (OSINT): Social media, company websites, job postings, DNS records
  • Network Scanning: Port scanning, vulnerability scanning, service enumeration
  • Social Engineering Reconnaissance: LinkedIn profiling, organizational charts, technology stack research
  • Physical Reconnaissance: Dumpster diving, building surveillance, badge cloning
  • Technical Footprinting: WHOIS lookups, subdomain enumeration, email harvesting

Defense Strategies

  • Implement robust information security policies limiting public data exposure
  • Monitor for unusual reconnaissance activities (port scans, enumeration attempts)
  • Employee training on social media operational security (OPSEC)
  • Use web analytics to detect reconnaissance traffic patterns
  • Deploy honeypots and canary tokens to detect attacker interest

Real-World Example

APT1 (Comment Crew): Chinese state-sponsored group extensively researched target organizations through LinkedIn, identifying key employees in IT and security roles. They harvested email addresses, organizational structure, and technology details before launching spear-phishing campaigns.
2

Weaponization

Creating a deliverable malicious payload by coupling exploit code with a backdoor.

Click to expand ▼

Attack Techniques

  • Exploit Development: Creating or acquiring exploits for known vulnerabilities
  • Payload Coupling: Embedding malware in documents (macros, PDFs, Office files)
  • Backdoor Creation: Remote Access Trojans (RATs), web shells, reverse shells
  • Obfuscation: Code obfuscation, encryption, anti-analysis techniques
  • Exploit Kits: Automated frameworks (Angler, RIG, Magnitude)

Defense Strategies

  • Monitor threat intelligence feeds for new exploit techniques
  • Implement advanced malware analysis capabilities (sandboxing)
  • Deploy email security gateways with attachment analysis
  • Keep vulnerability databases updated and prioritize patching
  • Share threat intelligence with industry partners and ISACs

Real-World Example

WannaCry Ransomware (2017): Attackers weaponized the EternalBlue SMB exploit (leaked from NSA) and coupled it with ransomware payload. The weaponized package could self-propagate, leading to a global outbreak affecting 200,000+ systems across 150 countries.
3

Delivery

Transmitting the weaponized payload to the target environment through various attack vectors.

Click to expand ▼

Attack Techniques

  • Email-Based Delivery: Spear-phishing, malicious attachments, embedded links
  • Web-Based Delivery: Watering hole attacks, drive-by downloads, malicious ads
  • USB/Removable Media: Infected USB drives, BadUSB attacks
  • Supply Chain Compromise: Trojanized software updates, compromised vendors
  • Network-Based: Exploitation of internet-facing services, RDP attacks

Defense Strategies

  • Deploy email filtering with attachment sandboxing and link analysis
  • Implement network segmentation and micro-segmentation
  • Use web proxies and URL filtering to block malicious sites
  • Disable USB ports or implement USB device control policies
  • Deploy Intrusion Prevention Systems (IPS) at network boundaries
  • User awareness training on phishing and social engineering

Real-World Example

SolarWinds Supply Chain Attack (2020): Attackers compromised SolarWinds' build system and delivered trojanized updates to 18,000+ customers through legitimate software update mechanisms. The delivery method exploited inherent trust in vendor updates.
4

Exploitation

Triggering the vulnerability to execute malicious code on the target system.

Click to expand ▼

Attack Techniques

  • Software Vulnerabilities: Buffer overflows, SQL injection, command injection
  • Zero-Day Exploits: Previously unknown vulnerabilities
  • Social Engineering: Tricking users into executing malicious code
  • Configuration Exploits: Default credentials, misconfigurations
  • Privilege Escalation: Local exploits to gain elevated access

Defense Strategies

  • Maintain aggressive patch management and vulnerability remediation programs
  • Deploy Endpoint Detection and Response (EDR) solutions
  • Implement application whitelisting and execution controls
  • Use Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR)
  • Monitor for exploitation indicators (process injection, unusual behavior)
  • Implement least privilege principles and minimize attack surface

Real-World Example

Equifax Breach (2017): Attackers exploited CVE-2017-5638, a vulnerability in Apache Struts web framework. Despite a patch being available for months, Equifax failed to update, allowing attackers to exploit the flaw and gain initial access to systems containing 147 million records.
5

Installation

Installing persistent backdoors and malware to maintain access to compromised systems.

Click to expand ▼

Attack Techniques

  • Persistence Mechanisms: Registry keys, scheduled tasks, services
  • Rootkits: Kernel-mode and user-mode rootkits
  • Web Shells: Installing backdoor scripts on web servers
  • DLL Hijacking: Planting malicious libraries in search paths
  • Bootkits: Firmware-level persistence (UEFI/BIOS)

Defense Strategies

  • Deploy Host-based Intrusion Detection Systems (HIDS)
  • Monitor file system changes and registry modifications
  • Implement file integrity monitoring (FIM) solutions
  • Use anti-malware with behavioral analysis capabilities
  • Regular system baseline comparisons and anomaly detection
  • Implement application containment and sandboxing

Real-World Example

NotPetya Attack (2017): After initial exploitation, the malware installed itself with persistence mechanisms including scheduled tasks and credential dumping tools. It also modified the Master Boot Record (MBR) for persistence, masquerading as ransomware while actually being a wiper with destructive intent.
6

Command & Control (C2)

Establishing communication channels between compromised systems and attacker infrastructure.

Click to expand ▼

Attack Techniques

  • HTTP/HTTPS C2: Blending with legitimate web traffic
  • DNS Tunneling: Exfiltrating data through DNS queries
  • Social Media C2: Using Twitter, Reddit, GitHub for command channels
  • Domain Generation Algorithms (DGA): Dynamically generating C2 domains
  • Encrypted Channels: Custom encryption, Tor, VPNs
  • Cloud Services: Abusing legitimate cloud platforms (Dropbox, Google Drive)

Defense Strategies

  • Deploy network traffic analysis and anomaly detection
  • Implement DNS monitoring and filtering solutions
  • Use threat intelligence feeds to block known C2 infrastructure
  • Deploy SSL/TLS inspection for encrypted traffic analysis
  • Monitor for beaconing behavior and unusual outbound connections
  • Implement egress filtering and restrict outbound connections
  • Use Security Information and Event Management (SIEM) for correlation

Real-World Example

APT29 (Cozy Bear): Used sophisticated C2 channels including steganography (hiding commands in image files on public websites), Twitter handles for staging, and multi-tier proxy networks. They employed domain fronting to make C2 traffic appear as legitimate connections to major cloud providers.
7

Actions on Objectives

Achieving the attacker's ultimate goals such as data exfiltration, destruction, or encryption.

Click to expand ▼

Attack Techniques

  • Data Exfiltration: Stealing intellectual property, credentials, customer data
  • Lateral Movement: Spreading through the network to reach target assets
  • Privilege Escalation: Gaining domain admin or root access
  • Ransomware Deployment: Encrypting critical systems and data
  • Destruction: Wiping systems, deleting backups, sabotage
  • Persistence Expansion: Creating multiple backdoors and accounts

Defense Strategies

  • Implement Data Loss Prevention (DLP) solutions
  • Deploy network segmentation to limit lateral movement
  • Monitor for mass data access and unusual transfer patterns
  • Maintain offline, immutable backups for ransomware recovery
  • Use privileged access management (PAM) and just-in-time access
  • Implement comprehensive logging and retention policies
  • Regular incident response drills and playbook testing

Real-World Example

Colonial Pipeline Attack (2021): After gaining access through compromised VPN credentials, DarkSide ransomware group moved laterally through the network, exfiltrated nearly 100GB of data, and deployed ransomware across IT systems. The attack disrupted fuel distribution across the U.S. East Coast and resulted in a $4.4 million ransom payment.

MITRE ATT&CK vs Cyber Kill Chain

While the Cyber Kill Chain provides a linear view of attacks, MITRE ATT&CK offers a more granular, matrix-based framework with specific techniques and sub-techniques.

Aspect Cyber Kill Chain MITRE ATT&CK
Structure 7 sequential phases 14 tactics with 100+ techniques
Focus Perimeter-based attacks Post-compromise behavior
Granularity High-level phases Detailed techniques and sub-techniques
Use Case Understanding attack flow Detection engineering, threat hunting
Attack Model Linear progression Non-linear, iterative
Updates Static framework Continuously updated with new TTPs
Best For Executive communication, strategic defense SOC operations, purple teaming

Integration Strategy

Many organizations use both frameworks complementarily: the Cyber Kill Chain for strategic planning and stakeholder communication, and MITRE ATT&CK for tactical detection and response. The Kill Chain helps identify WHERE in the attack lifecycle you are, while ATT&CK helps understand WHAT specific techniques are being used.

Diamond Model of Intrusion Analysis

The Diamond Model complements the Kill Chain by focusing on the relationships between four core features of any intrusion event.

Adversary
The actor or organization conducting the attack. Can be state-sponsored APT groups, cybercriminal organizations, hacktivists, or insiders. Attribution is often challenging and based on TTPs, infrastructure, and motivations.
Capability
The tools, techniques, and procedures (TTPs) used in the attack. Includes malware, exploits, delivery mechanisms, and operational tradecraft. Understanding capabilities helps predict future attacks and defensive priorities.
Infrastructure
The physical or logical systems controlled by adversaries for C2, staging, and delivery. Includes domains, IP addresses, cloud instances, compromised websites, and bulletproof hosting providers.
Victim
The target organization, individual, or asset. Understanding victim selection patterns helps identify targeting criteria (industry, technology, geography) and predict future potential targets.

Analytical Power

The Diamond Model's true value lies in its pivot capabilities. By understanding one vertex (e.g., infrastructure), you can pivot to discover related vertices (adversaries using that infrastructure, capabilities deployed from it, other victims targeted). This enables proactive threat intelligence and pattern recognition across seemingly unrelated incidents.

Breaking the Kill Chain: Layered Defense

The fundamental principle of Kill Chain defense is that adversaries must successfully complete every phase, but defenders only need to successfully disrupt one phase to break the chain.

Defense in Depth Strategy

  • Early Detection (Recon/Weaponization): Cheapest and most effective. Threat intelligence, deception technology, OSINT monitoring
  • Perimeter Defense (Delivery/Exploitation): Email security, web filtering, network segmentation, patch management
  • Endpoint Protection (Installation): EDR, application whitelisting, HIDS, file integrity monitoring
  • Network Monitoring (C2): Network traffic analysis, DNS monitoring, egress filtering, SIEM correlation
  • Data Protection (Actions on Objectives): DLP, encryption, access controls, backup integrity

Critical Reality

No single defensive measure is 100% effective. Sophisticated adversaries will eventually breach perimeter defenses. The goal is not perfect prevention but rather: (1) Make attacks so costly that adversaries move to easier targets, (2) Detect intrusions early enough to respond before critical damage, and (3) Maintain resilience through backups, segmentation, and incident response capabilities.

Test Your Knowledge

Complete this 10-question assessment to validate your understanding of the Cyber Kill Chain and earn completion credit for this module.

Q1 Which phase of the Cyber Kill Chain involves creating a malicious payload by coupling an exploit with a backdoor?

Q2 What is the primary advantage of disrupting an attack during the Reconnaissance phase?

Q3 Which attack vector was used in the SolarWinds supply chain attack for the Delivery phase?

Q4 What defensive technology is most effective at disrupting the Command & Control (C2) phase?

Q5 How many phases are in the Lockheed Martin Cyber Kill Chain?

Q6 In the Diamond Model of Intrusion Analysis, what are the four core features?

Q7 Which technique is commonly used during the Installation phase to maintain persistent access?

Q8 What is the key difference between the Cyber Kill Chain and MITRE ATT&CK frameworks?

Q9 During which phase would an attacker use Domain Generation Algorithms (DGA)?

Q10 What is the strategic advantage of understanding the Kill Chain for defenders?