The Cyber Kill Chain maps seven sequential attack stages from reconnaissance to objectives, enabling defenders to detect and disrupt adversary operations at each phase.
# Kill Chain Model
PDM Domain(s): TID, VSD, SPH
The Cyber Kill Chain is a framework developed at Lockheed Martin (published by Hutchins, Cloppert, and Amin in 2011) that describes the seven sequential stages of a cyberattack, from initial reconnaissance to achieving the attacker's objective. Adapted from the military targeting concept of the same name, it gives defenders a structured model to understand, detect, and disrupt adversary operations at each stage.
The framework exists because security professionals needed a common language to describe attack progression. Before the Kill Chain model, security teams analyzed attacks in isolation, focusing on individual indicators or events rather than the operational sequence that connects them. This produced a reactive posture: organizations detected malware after installation, investigated breaches after data exfiltration, or discovered persistence mechanisms after months of lateral movement.
The Kill Chain addresses this gap by mapping attacks as campaigns rather than events. It recognizes that sophisticated adversaries follow predictable operational patterns, even when their tools and targets vary. By understanding these patterns, defenders can position controls to break the attack sequence before critical damage occurs.
Within the cybersecurity ecosystem, the Kill Chain serves as a foundational analytical framework. It bridges strategic threat intelligence and tactical incident response. Leadership uses it to understand attack progression and resource allocation. Analysts use it to map defensive controls and identify coverage gaps. Incident responders use it to determine attack progression and predict adversary next steps.
The model's military heritage is not coincidental. Cyber operations follow the same planning, execution, and assessment cycles as kinetic operations. Attackers conduct reconnaissance, prepare weapons, deliver them to targets, exploit weaknesses, establish foothold, maintain communications, and accomplish objectives. The Kill Chain translates this operational reality into a defensive framework.
The Kill Chain consists of seven sequential phases, each representing a required step in the attack lifecycle. Disrupting any single phase breaks the chain and prevents attack success.
Reconnaissance involves information gathering about the target organization. Adversaries collect employee names from LinkedIn, identify technology stack from job postings, map network ranges through DNS enumeration, and research organizational structure through public records. Advanced persistent threat (APT) groups often spend months in this phase, building detailed target profiles before proceeding. For example, APT1's operations against intellectual property targets included extensive reconnaissance of key personnel, including personal social media accounts and professional associations.
Weaponization pairs an exploit with a payload to create a deliverable weapon. This occurs on attacker infrastructure, not target systems. Common examples include embedding macros in Office documents, creating malicious PDF files that exploit reader vulnerabilities, or developing custom malware based on target environment research. The FIN7 group weaponized legitimate system administration tools like PowerShell and WMI, combining them with custom scripts to create difficult-to-detect attack tools.
Delivery transmits the weapon to the target environment. Phishing emails remain the most common delivery vector, but adversaries also use watering hole attacks (compromising websites frequently visited by targets), USB drops, and supply chain compromises. The 2020 SolarWinds compromise demonstrates sophisticated delivery through software update mechanisms, reaching thousands of organizations through a trusted channel.
Exploitation triggers the vulnerability to execute malicious code. This can involve software vulnerabilities (buffer overflows, SQL injection, remote code execution), configuration weaknesses (default passwords, excessive permissions), or human factors (social engineering, physical access). The WannaCry ransomware exploited CVE-2017-0144, a Windows SMBv1 vulnerability patched in MS17-010 and targeted by the EternalBlue exploit, to spread rapidly across networks without user interaction.
Installation establishes persistence on the target system. Adversaries install backdoors, create scheduled tasks, modify registry entries, or compromise legitimate system processes. Advanced adversaries prefer "living off the land" techniques that abuse existing system capabilities rather than deploying easily detected malware. The APT29 group has used PowerShell scripts stored in the WMI repository for persistence, which leaves no conventional malware binary on disk and makes detection more challenging.
Command and Control (C2) opens communication channels between compromised systems and attacker infrastructure. Modern C2 techniques include DNS tunneling, encrypted HTTPS communications that mimic legitimate traffic, and peer-to-peer networks that eliminate central command servers. The Cobalt Strike framework, originally a legitimate penetration testing tool, has become a common C2 platform for both authorized testing and criminal operations.
Actions on Objectives represents the attacker's end goal. This varies by adversary motivation: ransomware operators encrypt files for payment, espionage groups exfiltrate sensitive data, destructive attacks target system availability, and insider threats often focus on intellectual property theft. The 2014 Sony Pictures attack demonstrated multiple objectives, combining data exfiltration, public disclosure, and destructive disk wiping.
Defensive controls map to each phase. The original paper formalizes this as a course-of-action matrix that pairs every phase with the actions available to a defender (detect, deny, disrupt, degrade, deceive, destroy). Reconnaissance is the hardest phase to affect because most of it happens outside the defender's network; web server analytics and threat intelligence on adversary infrastructure give partial visibility, and reducing public exposure limits what the adversary can learn. Email security gateways block delivery of malicious attachments. Patch management and exploit mitigations prevent exploitation, while endpoint detection and response (EDR) and application control detect and block installation. Network monitoring detects C2 communications through traffic analysis and behavioral baselines. Data loss prevention (DLP) systems and egress filtering limit actions on objectives by controlling information exfiltration.
The sequential nature creates defensive advantages. Early disruption is more effective than late-stage response. Blocking delivery prevents all subsequent phases. Detecting installation enables containment before C2 is established. Identifying C2 communications reveals the scope of compromise and enables proactive hunting for additional compromised systems.
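The DNS tunneling mentioned under Command and Control and the "traffic analysis and behavioral baselines" mentioned above are concrete enough to show in code. The following is an added example for this article, not code from the page, from Lockheed Martin, or from any product: a small detector that profiles DNS query logs per client and registered domain, then flags pairs whose subdomain labels are long, high-entropy, and numerous at once, which is the signature of data carried in query names. The log layout (`<epoch> <client-ip> <qname>`), the two-label shortcut for the registered domain, and the thresholds are assumptions chosen for the demonstration; the sample log is constructed.

```python
"""Heuristic DNS-tunnelling (C2 phase) detector over constructed query logs.

Added example; not code from the article or from any vendor. The log layout,
the two-label "registered domain" shortcut and the thresholds are assumptions
made for the demonstration, not published baselines.
"""
import math
from collections import defaultdict

# Constructed sample log: ordinary browsing from 10.0.0.5, and 10.0.0.7 sending
# long high-entropy labels under one domain, the pattern tunnelling produces.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com
1700000001 10.0.0.5 mail.example.com
1700000002 10.0.0.5 api.example.com
1700000003 10.0.0.5 cdn.example.com
1700000004 10.0.0.5 www.example.com
1700000005 10.0.0.5 img.example.com
1700000010 10.0.0.7 3a9f1c0e5b7d2a4f6c8e0b1d.tun.evil-example.net
1700000011 10.0.0.7 9d4b2e7f1a3c5e8b0d6f2a4c.tun.evil-example.net
1700000012 10.0.0.7 7c2e9a1f4b6d8e0c3a5f7b9d.tun.evil-example.net
1700000013 10.0.0.7 0f3e6d9c2b5a8f1e4d7c0b3a.tun.evil-example.net
1700000014 10.0.0.7 5b8e1d4a7f0c3e6b9d2a5f8c.tun.evil-example.net
1700000015 10.0.0.7 2d5a8f1c4e7b0d3a6f9c2e5b.tun.evil-example.net
"""


def parse_log(text):
    """Return (epoch, client, qname) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        events.append((int(parts[0]), parts[1], parts[2].lower().rstrip(".")))
    return events


def split_name(qname):
    """Return (subdomain, registered_domain).

    Assumption: the registered domain is the last two labels. A real deployment
    should use the Public Suffix List so that names like foo.co.uk split correctly.
    """
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def shannon_entropy(s):
    """Bits per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def profile_domains(events):
    """Per (client, registered domain): query count, mean subdomain length,
    and entropy of the concatenated subdomain text."""
    buckets = defaultdict(list)
    for _ts, client, qname in events:
        sub, reg = split_name(qname)
        buckets[(client, reg)].append(sub.replace(".", ""))
    profiles = {}
    for key, subs in buckets.items():
        profiles[key] = {
            "queries": len(subs),
            "mean_sub_len": sum(len(s) for s in subs) / len(subs),
            "entropy": shannon_entropy("".join(subs)),
        }
    return profiles


def find_tunnels(events, min_queries=5, min_sub_len=16.0, min_entropy=3.0):
    """Flag (client, domain) pairs that cross all three thresholds at once.

    Requiring all three keeps ordinary CDN hostnames (short labels) and
    one-off long names (few queries) from being reported.
    """
    flagged = []
    for (client, domain), p in sorted(profile_domains(events).items()):
        if (p["queries"] >= min_queries
                and p["mean_sub_len"] >= min_sub_len
                and p["entropy"] >= min_entropy):
            flagged.append((client, domain))
    return flagged


if __name__ == "__main__":
    for client, domain in find_tunnels(parse_log(SAMPLE_LOG)):
        print(f"possible DNS tunnel: {client} -> {domain}")
```

The three-way gate is the design choice worth noting: label length alone flags CDNs and cloud storage hostnames, entropy alone flags short random cache-busting labels, and volume alone flags every busy domain. Tunnels are unusual in crossing all three, which is what a behavioral baseline is meant to capture. The thresholds here are illustrative and would be tuned against an organization's own resolver logs.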
The Kill Chain model fundamentally changes how organizations approach cybersecurity by shifting focus from reactive incident response to proactive attack disruption. This operational shift has significant business implications.
Traditional security approaches focus on protection and detection after attackers have already gained access. Organizations invest heavily in perimeter defenses, then scramble to respond when those defenses inevitably fail. The Kill Chain reveals that attackers must complete multiple phases to achieve their objectives, creating multiple intervention opportunities. Breaking the chain at any point prevents attack success, even if individual controls fail.
This changes resource allocation decisions. Instead of concentrating defensive spending on perimeter security or incident response, organizations can distribute investments across all seven phases. Intelligence programs disrupt reconnaissance. Security awareness training reduces delivery success rates. Patch management prevents exploitation. Network segmentation limits post-compromise movement. This distributed approach creates defensive depth that forces attackers to succeed at every phase rather than overcome a single control.
The model also transforms incident response effectiveness. When security teams detect suspicious activity, the Kill Chain helps determine attack progression and predict adversary next steps. If analysts identify C2 communications, they know the attacker has completed the first five phases, has established the sixth, and is likely moving toward actions on objectives. This enables proactive containment rather than reactive damage assessment.
Leadership benefits from improved risk communication. The Kill Chain provides a common language for describing attack progression that non-technical executives can understand. Instead of discussing technical indicators in isolation, security teams can explain where attacks are in the operational sequence and what business impact might occur if the chain completes.
However, the model has limitations that create misconceptions. Real attacks do not always follow linear progression. Adversaries may cycle through phases multiple times, skip phases entirely, or execute multiple chains simultaneously. The seven phases also reflect traditional network intrusion scenarios and may not adequately describe cloud-native attacks, insider threats, or supply chain compromises.
Some organizations treat the Kill Chain as a checklist rather than an analytical framework. They deploy one control per phase and consider themselves protected, ignoring the reality that sophisticated adversaries develop multiple techniques for each phase. Effective defense requires depth within each phase, not just coverage across phases.
The failure consequences of misunderstanding the Kill Chain include false security confidence and ineffective control placement. Organizations may over-invest in early phases while neglecting late-stage controls, or focus on technical controls while ignoring the human factors that enable social engineering and insider threats.
CDA approaches the Kill Chain through Predictive Defense Intelligence (PDI), which transforms the framework from a reactive analysis tool into a proactive operational capability. While most organizations use the Kill Chain to understand attacks after they occur, PDI positions it as a threat hunting and predictive analysis framework that identifies attack progression before completion.
The Kill Chain primarily operates within the Threat Intelligence and Defense (TID) domain, where PDI methodology drives intelligence collection, analysis, and operational application. However, it extends into Vulnerability and Surface Defense (VSD) for exploitation phase coverage and Security Posture and Hygiene (SPH) for installation and persistence analysis.
CDA's approach differs fundamentally from conventional Kill Chain implementation. Most organizations map existing controls to Kill Chain phases retrospectively, then generate reports showing theoretical coverage. This creates a false sense of security based on control inventory rather than operational effectiveness. CDA builds Kill Chain analysis into continuous threat hunting operations that actively search for phase-specific indicators across the environment.
PDI operationalizes the Kill Chain through three mechanisms. First, intelligence-driven hunting uses Kill Chain phases to structure search methodologies. Hunters develop specific hypotheses about adversary progression through each phase, then search for evidence of that progression in network, endpoint, and application telemetry. Second, predictive analysis uses Kill Chain understanding to forecast adversary next steps based on observed indicators. If reconnaissance activity indicates specific target interest, PDI teams can predict likely weaponization approaches and position appropriate detection capabilities. Third, proactive disruption uses Kill Chain knowledge to interfere with adversary operations before they complete.
This creates a dynamic defense that evolves with attack progression rather than relying on static control configurations. When PDI identifies reconnaissance against specific organizational assets, teams can strengthen delivery-phase controls for those targets. When exploitation attempts are detected, installation-phase monitoring increases to catch persistence establishment. When C2 communications are identified, actions-on-objectives controls activate to prevent data exfiltration or system destruction.
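The hunting and prediction mechanisms described above, and the earlier point that observed C2 implies the preceding phases were completed, can be expressed as a small analysis routine. The following is an added example for this article, not code from the page or from CDA's PDI tooling: telemetry lines are tagged with a kill-chain phase by rules, then each host's furthest observed phase is used to infer which prerequisite phases went unobserved (hunting hypotheses), to predict the next phase, and to report phases with no detection coverage at all. The event schema, the rules, and the sample events are assumptions constructed for the demonstration; real rules would be the team's maintained mapping from detection content to phases.

```python
"""Kill-chain phase tagging and progression analysis over constructed telemetry.

Added example; not code from the article or from any vendor. The event schema
and the matching rules are assumptions made for the demonstration.
"""
import re

PHASES = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]

# Rules: (telemetry source, regex over the event text, phase). Assumed for the
# example. Weaponization happens off-network and deliberately has no rule here.
RULES = [
    ("dns", re.compile(r"zone transfer|AXFR", re.I), "reconnaissance"),
    ("web", re.compile(r"\.git/|/wp-admin|nikto|sqlmap", re.I), "reconnaissance"),
    ("email", re.compile(r"attachment=.*\.(docm|xlsm|iso|lnk)", re.I), "delivery"),
    ("edr", re.compile(r"WINWORD\.EXE.*-> (cmd|powershell)\.exe", re.I), "exploitation"),
    ("edr", re.compile(r"schtasks /create|Run\\|WMI subscription", re.I), "installation"),
    ("proxy", re.compile(r"beacon|interval=\d+s", re.I), "command_and_control"),
    ("dlp", re.compile(r"upload .*\d+MB", re.I), "actions_on_objectives"),
]

# Constructed telemetry: (host, source, text).
SAMPLE_EVENTS = [
    ("ws-017", "email", "attachment=invoice_Q3.docm from=billing@example.invalid"),
    ("ws-017", "edr", "WINWORD.EXE -> powershell.exe -nop -w hidden -enc JABz"),
    ("ws-017", "edr", "schtasks /create /tn Updater /tr C:\\Users\\Public\\u.exe"),
    ("ws-017", "proxy", "GET /api/v2/status host=cdn-assets.example.invalid interval=60s"),
    ("ws-042", "proxy", "POST /submit host=updates.example.invalid beacon"),
    ("ws-042", "dlp", "upload 850MB to personal-cloud.example.invalid"),
    ("srv-db-01", "web", "GET /.git/config 404"),
]


def tag_event(source, text):
    """Return the kill-chain phase a telemetry line maps to, or None."""
    for rule_source, pattern, phase in RULES:
        if rule_source == source and pattern.search(text):
            return phase
    return None


def host_progression(events):
    """Per host: phases observed, furthest phase reached, prerequisite phases
    the linear model implies were completed but no sensor saw, and the
    predicted next phase (None once actions on objectives is observed).

    Caveat: the inference assumes the linear model; adversaries that skip or
    repeat phases (insiders, supply-chain delivery) will not fit it cleanly.
    """
    observed = {}
    for host, source, text in events:
        phase = tag_event(source, text)
        if phase:
            observed.setdefault(host, set()).add(phase)
    report = {}
    for host, phases in observed.items():
        furthest = max(PHASES.index(p) for p in phases)
        prerequisites = PHASES[:furthest]
        report[host] = {
            "observed": [p for p in PHASES if p in phases],
            "furthest": PHASES[furthest],
            "unobserved_prerequisites": [p for p in prerequisites if p not in phases],
            "next": PHASES[furthest + 1] if furthest + 1 < len(PHASES) else None,
        }
    return report


def coverage_gaps(rules=RULES):
    """Phases for which no detection rule exists at all."""
    covered = {phase for _src, _pat, phase in rules}
    return [p for p in PHASES if p not in covered]


if __name__ == "__main__":
    for host, r in sorted(host_progression(SAMPLE_EVENTS).items()):
        print(f"{host}: at {r['furthest']}, next {r['next']}, "
              f"unobserved prerequisites {r['unobserved_prerequisites']}")
    print("phases with no detection rule:", coverage_gaps())
```

For ws-017 the routine reports the host at command and control, predicts actions on objectives as the next phase, and lists reconnaissance and weaponization as prerequisites nobody observed; the first is a hunting hypothesis (what did the adversary learn about this host beforehand?), the second is expected, since weaponization is never visible to the target. The coverage report makes the same point at the control-inventory level that the article makes above: a phase with no rule is a phase where the chain can only be reconstructed after the fact.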
CDA's Kill Chain implementation also emphasizes adversary psychology and operational constraints rather than just technical progression. Understanding why attackers choose specific techniques for each phase enables better prediction of their next steps. Advanced persistent threat groups select reconnaissance methods that balance information gathering with operational security. Ransomware operators choose delivery mechanisms that maximize infection rates while minimizing detection. Insider threats often skip early phases entirely, starting with exploitation of legitimate access.
The PDI approach recognizes that effective Kill Chain defense requires understanding adversary decision-making processes, not just their technical capabilities. This intelligence-driven perspective transforms the Kill Chain from a descriptive framework into a predictive operational tool that anticipates threat evolution and positions defenses accordingly.
• The Kill Chain framework maps cyberattacks as operational sequences rather than isolated events, enabling defenders to predict adversary next steps and position disruptive controls at multiple intervention points.
• Breaking any single link in the seven-phase chain prevents attack completion, making distributed defense investments across all phases more effective than concentrated perimeter security.
• The model transforms incident response from reactive damage assessment to proactive threat hunting by providing operational context for detected indicators and suspicious activities.
• Effective Kill Chain defense requires understanding adversary psychology and operational constraints, not just mapping technical controls to framework phases.
• Modern attack scenarios often deviate from linear progression, requiring adaptive implementation that accounts for phase cycling, skipping, and parallel chain execution.
• Predictive Defense Intelligence (PDI): See the Threat First
• Advanced Persistent Threat (APT) Analysis Framework
• Threat Hunting Methodologies and Techniques
• Command and Control (C2) Detection Strategies
• Cyber Threat Intelligence Integration
• Hutchins, Eric M., Michael J. Cloppert, and Rohan M. Amin. "Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains." Leading Issues in Information Warfare & Security Research 1, no. 1 (2011): 80-106.
• NIST Cybersecurity Framework Version 1.1. National Institute of Standards and Technology, April 2018. https://doi.org/10.6028/NIST.CSWP.04162018
• MITRE ATT&CK Framework. "Enterprise Tactics and Techniques." MITRE Corporation. https://attack.mitre.org/
• Caltagirone, Sergio, Andrew Pendergast, and Christopher Betz. "The Diamond Model of Intrusion Analysis." Center for Cyber Intelligence Analysis and Threat Research, 2013.
Written by CDA Editorial