
Cybersecurity Knowledge Base

CyberPedia


Your essential guide to cybersecurity threats, attacks, and defenses. Understand the risks. Protect your business.

Kill Chain


Overview

In cybersecurity, the kill chain is a way of breaking down a cyber attack into a series of stages, from the attacker’s first preparation to their final goal (like stealing data or deploying ransomware). The term comes from the military and is used to help defenders understand, detect, and disrupt attacks at each step, not just at the end.

In plain terms: the kill chain is a step‑by‑step map of how an attack happens, so you can figure out where to stop it.

Typical Kill Chain Stages

Different models exist, but a common version (based on the Lockheed Martin Cyber Kill Chain) includes these stages:

  1. Reconnaissance (Research)

    • The attacker gathers information about the target: websites, staff names, technologies in use, email formats, suppliers, and exposed systems.

    • Goal: Find weaknesses and plan how to get in.

  2. Weaponization

    • The attacker creates or chooses the “weapon” for the job: a malicious document, exploit code, phishing kit, or malware package.

    • Goal: Prepare something that will work against the chosen target.

  3. Delivery

    • The attacker gets that weapon to the victim, for example through phishing emails, malicious links, infected USB drives, or compromised websites.

    • Goal: Put the malicious content in front of the user or system.

  4. Exploitation

    • The malicious content is opened or triggered, exploiting a bug or unsafe behavior (like enabling macros) to gain a foothold.

    • Goal: Turn a user’s action or a vulnerability into actual code execution.

  5. Installation

    • The attacker installs malware, backdoors, or tools on the system to maintain access.

    • Goal: Establish a more permanent presence on the device or in the network.

  6. Command and Control (C2)

    • The compromised system connects back to a server controlled by the attacker, allowing remote control.

    • Goal: Let the attacker send instructions and receive data.

  7. Actions on Objectives

    • The attacker carries out their main goal: data theft, encryption (ransomware), disruption, spying, or moving deeper into the network.

    • Goal: Achieve the reason they launched the attack in the first place.

Why the Kill Chain Matters

The kill chain concept helps businesses:

  • Understand attacks as a process, not a single event.

  • Spot opportunities to stop an attack early, before major damage occurs (for example, blocking delivery or noticing unusual C2 traffic).

  • Plan defenses and monitoring around every stage: training, email filters, patching, endpoint protection, network monitoring, and incident response.

Using the Kill Chain in Practice

Security teams use the kill chain model to:

  • Map real incidents

    • After an attack, they reconstruct which steps occurred and where defenses worked or failed.

  • Design layered defenses

    • For example:

      • Recon & delivery: limit public exposure, use email and web filters.

      • Exploitation & installation: patch systems, use endpoint protection, restrict admin rights.

      • C2 & objectives: monitor network traffic, segment networks, detect unusual data movement.

  • Communicate with leadership

    • The step‑by‑step structure makes it easier to explain complex attacks in clear terms and justify investments in specific controls.
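As an added illustration of the "map real incidents" step (example code written for this article, not taken from any product or framework), the sketch below sorts a constructed incident timeline into the seven stages listed above and reports which observed stages raised no alert and how long the activity ran before the first alert. The timeline entries, control names, and the functions map_incident and review are assumptions made for the example.

```python
from datetime import datetime

# The seven stages in the order this page lists them.
STAGES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and Control", "Actions on Objectives"]

# Constructed incident timeline (not real data):
# (time, stage, what was observed, control that alerted at the time or None)
TIMELINE = [
    ("2024-03-04T09:12", "Delivery", "Invoice-themed email with macro document reached inbox", None),
    ("2024-03-04T09:40", "Exploitation", "User enabled macros in the attachment", None),
    ("2024-03-04T09:41", "Installation", "New scheduled task created", "endpoint protection"),
    ("2024-03-04T09:45", "Command and Control", "Outbound HTTPS to unfamiliar host", None),
    ("2024-03-04T13:05", "Command and Control", "Regular connection interval flagged", "network monitoring"),
    ("2024-03-05T02:30", "Actions on Objectives", "Large archive uploaded from file server", None),
]

def map_incident(timeline):
    """Group timeline events by stage, keeping first-seen time and alerts."""
    report = {s: {"first_seen": None, "events": 0, "alerts": []} for s in STAGES}
    for ts, stage, _observed, control in sorted(timeline, key=lambda e: e[0]):
        if stage not in report:
            raise ValueError(f"unknown kill chain stage: {stage!r}")
        when = datetime.fromisoformat(ts)
        entry = report[stage]
        entry["events"] += 1
        entry["first_seen"] = entry["first_seen"] or when
        if control:
            entry["alerts"].append((when, control))
    return report

def review(timeline):
    """Summarise where defenses worked or failed along the chain."""
    report = map_incident(timeline)
    observed = [s for s in STAGES if report[s]["events"]]
    alerts = sorted(a for s in observed for a in report[s]["alerts"])
    start = min((report[s]["first_seen"] for s in observed), default=None)
    return {
        "no_evidence": [s for s in STAGES if s not in observed],     # nothing logged
        "missed": [s for s in observed if not report[s]["alerts"]],  # seen, never alerted
        "first_alert": alerts[0] if alerts else None,
        "time_to_first_alert": alerts[0][0] - start if alerts else None,
    }

if __name__ == "__main__":
    for key, value in review(TIMELINE).items():
        print(f"{key}: {value}")
```

Stages in "missed" are where a control was expected to fire and did not; stages in "no_evidence" simply have no entries in the timeline, which is a logging question rather than proof that nothing happened.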

Kill Chain vs. Other Models

The classic kill chain focuses mainly on the technical attack flow. Newer models (like the MITRE ATT&CK framework) describe attacker techniques and behaviors in more detail across and beyond these stages. They complement each other:

  • The kill chain is a high‑level timeline.

  • Frameworks like ATT&CK provide a detailed menu of what attackers might do at each step.