Cyber Kill Chain
Overview
Developed by Lockheed Martin, the Cyber Kill Chain describes the 7 stages of a targeted cyberattack. Breaking any link in the chain stops the attack.
The 7 Stages
1. Reconnaissance
The attacker gathers information about the target.
Passive: OSINT, LinkedIn, job postings, WHOIS, Google dorking
Active: Port scanning, banner grabbing, DNS enumeration
Tools: Shodan, Maltego, theHarvester, Recon-ng
2. Weaponization
Attacker creates a malicious payload (no target interaction yet).
Examples:
- Embedding malware in a PDF or Office document
- Creating a malicious macro
- Packaging an exploit with a backdoor (RAT)
Tools: Metasploit, msfvenom, custom scripts
3. Delivery
The weapon is transmitted to the target.
Vectors:
- Phishing email with malicious attachment
- Drive-by download via compromised website
- USB drop
- Watering hole attack
- Supply chain compromise
4. Exploitation
Malicious code executes on the target system.
Exploits:
- Software vulnerabilities (CVEs)
- Zero-day exploits
- Macro execution (user-triggered)
- Browser/plugin vulnerabilities
5. Installation
Attacker installs persistent access on the victim system.
Methods:
- Backdoor / RAT installation
- Web shell on a web server
- Scheduled tasks / cron jobs
- Registry run keys
- DLL hijacking
6. Command & Control (C2)
The compromised system communicates back to the attacker.
Channels:
- HTTP/HTTPS beaconing
- DNS tunneling
- Social media C2
- Encrypted custom protocols
Tools: Cobalt Strike, Metasploit, Empire
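Added example (not from the original page) of the Detect course of action at this stage: timer-driven HTTP/HTTPS beacons show up in proxy logs as outbound requests with near-constant inter-request intervals. The log format, IPs and host names below are constructed for the example.

```python
# Added example: timer-driven C2 beacons produce outbound requests with
# near-constant inter-request intervals. Log format and hosts are constructed.
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: "<ISO timestamp> <src_ip> <dst_host> <status>"
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.5 beacon.example 200
2024-03-01T09:01:00 10.0.0.5 beacon.example 200
2024-03-01T09:00:07 10.0.0.9 cdn.example 200
2024-03-01T09:02:01 10.0.0.5 beacon.example 200
2024-03-01T09:03:00 10.0.0.5 beacon.example 200
2024-03-01T09:00:41 10.0.0.9 cdn.example 200
2024-03-01T09:04:01 10.0.0.5 beacon.example 200
2024-03-01T09:03:12 10.0.0.9 cdn.example 304
2024-03-01T09:05:00 10.0.0.5 beacon.example 200
2024-03-01T09:09:55 10.0.0.9 cdn.example 200
2024-03-01T09:15:30 10.0.0.9 cdn.example 200
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")

def parse(log_text):
    """Group request timestamps by (src_ip, dst_host); skip malformed lines."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, _status = m.groups()
            flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows

def find_beacons(log_text, min_requests=5, max_cv=0.1):
    """Return {(src, dst): (mean_gap_seconds, cv)} for flows whose request
    intervals are near-constant. cv = stdev/mean of the gaps: a timer-driven
    beacon has a small cv, ordinary browsing does not."""
    flagged = {}
    for key, stamps in parse(log_text).items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else None
        if cv is not None and cv <= max_cv:
            flagged[key] = (mean, cv)
    return flagged
```

Beacons that add random jitter or use very long sleep times push cv above the threshold, so this check is a starting point that tuning of max_cv and min_requests has to follow.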
7. Actions on Objectives
The attacker achieves their goal.
Goals:
- Data exfiltration
- Ransomware deployment
- Lateral movement
- Credential harvesting
- Sabotage / destruction
Kill Chain Defense Matrix
| Stage | Detect | Deny | Disrupt | Degrade | Deceive | Destroy |
|---|---|---|---|---|---|---|
| Recon | Web analytics | Firewall | ✓ | ✓ | Honeypot | ✓ |
| Weaponize | — | — | — | — | — | — |
| Deliver | Antivirus | Email filter | ✓ | ✓ | — | — |
| Exploit | HIDS | Patch mgmt | ✓ | ✓ | — | — |
| Install | HIPS | ACLs | ✓ | ✓ | — | ✓ |
| C2 | NIDS | Firewall | ✓ | ✓ | DNS sinkhole | ✓ |
| Objectives | Audit logs | Segmentation | ✓ | ✓ | — | — |
Kill Chain vs MITRE ATT&CK
| Kill Chain | ATT&CK Equivalent |
|---|---|
| Reconnaissance | Reconnaissance |
| Weaponization | Resource Development |
| Delivery | Initial Access |
| Exploitation | Execution |
| Installation | Persistence, Privilege Escalation |
| C2 | Command and Control |
| Actions on Objectives | Collection, Exfiltration, Impact |
ATT&CK is more granular — Kill Chain gives a high-level attack narrative.