🛡️ Understanding the Cyber Kill Chain
The Cyber Kill Chain is a seven-phase intrusion model published by Lockheed Martin in 2011. It describes the sequence of steps an attacker must complete to achieve an objective, on the premise that each phase depends on the one before it. By understanding each phase, cybersecurity professionals can decide where they are able to detect, delay, or disrupt an intrusion, and can map a single alert to the stage the attacker has reached.
🔗 1. Reconnaissance
What it is:
The attacker gathers information about the target: IP ranges, domain names and subdomains, staff identities and e-mail address formats, technologies in use, and security defences. Much of this is passive (public DNS records, certificate transparency logs, job postings, social media, leaked credential dumps) and never touches the target's network; the rest is active (port scanning, web crawling, probing login portals) and does.
Why it’s used:
The more information the attacker collects, the easier it is to craft a customised attack.
Defensive Tip:
Passive reconnaissance is invisible to the defender, so the first control is to reduce what is exposed: prune unnecessary public DNS records and services, and limit the staff and technology details published online. Active reconnaissance can be detected with network monitoring (many distinct ports or hosts probed from one source in a short window) and with deception such as honeypots, which no legitimate user should ever contact.
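The following is an added example, not code from the original page: a small Python detector for active reconnaissance that flags any source contacting an unusually large number of distinct destination/port pairs within a sliding time window. The firewall log format ("timestamp src dst dport action") and the log lines themselves are constructed for the example and are not real traffic.

```python
"""Flag sources that probe many distinct (host, port) targets in a short window.

Added example (not from the original page). The log format is hypothetical:
ISO timestamp, source IP, destination IP, destination port, firewall action.
Counting (dst, port) pairs catches both vertical scans (one host, many ports)
and horizontal scans (one port, many hosts).
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 203.0.113.5 sweeps a dozen ports on one host within
# a few seconds; 192.0.2.7 is a normal client visiting two services.
SAMPLE_LOG = """\
2024-03-01T10:00:00 203.0.113.5 198.51.100.10 22 DENY
2024-03-01T10:00:01 203.0.113.5 198.51.100.10 23 DENY
2024-03-01T10:00:01 203.0.113.5 198.51.100.10 25 DENY
2024-03-01T10:00:02 203.0.113.5 198.51.100.10 80 ALLOW
2024-03-01T10:00:02 203.0.113.5 198.51.100.10 443 ALLOW
2024-03-01T10:00:03 203.0.113.5 198.51.100.10 445 DENY
2024-03-01T10:00:03 203.0.113.5 198.51.100.10 3389 DENY
2024-03-01T10:00:04 203.0.113.5 198.51.100.10 8080 DENY
2024-03-01T10:00:04 203.0.113.5 198.51.100.10 8443 DENY
2024-03-01T10:00:05 203.0.113.5 198.51.100.10 5900 DENY
2024-03-01T10:00:05 203.0.113.5 198.51.100.10 1433 DENY
2024-03-01T10:00:06 203.0.113.5 198.51.100.10 3306 DENY
2024-03-01T10:05:00 192.0.2.7 198.51.100.10 443 ALLOW
2024-03-01T10:05:30 192.0.2.7 198.51.100.10 443 ALLOW
2024-03-01T10:06:00 192.0.2.7 198.51.100.10 80 ALLOW
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport, action)."""
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def detect_port_scans(log_text, window=timedelta(seconds=60), min_targets=10):
    """Return {src: peak distinct targets} for sources whose peak number of
    distinct (dst, port) pairs inside any `window` reaches `min_targets`.

    ALLOW and DENY events are both counted: a scan normally hits a few open
    ports alongside many closed ones, and the pattern is what matters.
    """
    by_src = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, src, dst, dport, _action = parse_line(line)
        by_src[src].append((ts, (dst, dport)))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()   # target -> occurrences inside the window
        left = 0
        peak = 0
        for ts, target in events:
            in_window[target] += 1
            # Slide the left edge forward until every event is within `window` of `ts`.
            while events[left][0] < ts - window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, n in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible scan from {src}: {n} distinct targets within 60s")
```

The threshold and window are tuning knobs: a vulnerability scanner you run yourself will trip this rule and belongs on an allow list, while a slow scan spread over hours needs a much longer window (or a honeypot, which fires on a single contact regardless of rate).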
💻 2. Weaponisation
What it is:
The attacker couples an exploit with a malicious payload (e.g. a remote access trojan, backdoor, or macro) into a deliverable object such as an Office document, PDF, or archive, or sets up a link that will serve the exploit. This happens entirely on the attacker's side; the target does not see it.
Why it’s used:
Weaponisation tailors the exploit to the target, increasing the likelihood of success.
Defensive Tip:
Because weaponisation is not observable by the defender, detection relies on artefacts it leaves behind: sandbox suspicious attachments at the point of delivery and analyse their behaviour before they reach endpoints, and examine document metadata, builder signatures, and reused templates, which can link new samples to earlier campaigns.
✉️ 3. Delivery
What it is:
The attacker sends the weaponised payload to the target via email, a compromised website, USB drop, or other vectors.
Why it’s used:
It is the first phase in which the attacker touches the victim's environment, and therefore the first phase the defender can directly observe and block. Phishing e-mail is the most common vector.
Defensive Tip:
Deploy secure email gateways and attachment filtering, web filtering, and user awareness training to block or discourage delivery, and log what was delivered to whom so that a later compromise can be traced back to its entry point.
📥 4. Exploitation
What it is:
The malicious payload is executed, exploiting a system or user vulnerability to gain initial access.
Why it’s used:
To turn the delivered file or link into code execution on the victim's system, either through a software vulnerability (an unpatched document reader, browser, or server) or through the user (enabling macros, running an installer).
Defensive Tip:
Keep systems patched, disable macros and other risky content by default, run users and services with the least privilege they need so a successful exploit gains as little as possible, and use EDR tools to detect exploit behaviour such as an office application spawning a shell.
🔓 5. Installation
What it is:
The attacker installs malware to maintain persistence (e.g. RATs, backdoors, keyloggers).
Why it’s used:
To establish a foothold and allow remote control or lateral movement.
Defensive Tip:
Use application allow-listing so only approved or signed binaries run, monitor the usual persistence locations (autorun registry keys, scheduled tasks, services, startup folders, cron jobs), and use behavioural analysis to detect unusual installs or binaries.
🔑 6. Command & Control (C2)
What it is:
The compromised system connects to the attacker’s server to receive instructions or exfiltrate data.
Why it’s used:
To allow the attacker to remotely control the system and expand their presence.
Defensive Tip:
Monitor DNS, HTTP, and HTTPS traffic for connections to known C2 infrastructure and for anomalies such as beaconing at regular intervals, newly registered or rarely seen domains, and unusual data volumes. Note that modern C2 often hides in legitimate cloud and messaging services, so indicator matching alone is not enough.
🎯 7. Actions on Objectives
What it is:
The attacker achieves their goal—this may be data theft, system destruction, ransomware deployment, or surveillance.
Why it’s used:
This is the attack’s endgame, where impact is realised.
Defensive Tip:
Implement data loss prevention (DLP) and strong access controls, monitor for unauthorised data transfers (unusually large outbound volumes to a single destination) and privilege escalations, and keep tested offline backups so that ransomware deployment does not become a total loss.
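To make the Command & Control and Actions on Objectives detections above concrete, here is an added example (not code from the original page) that runs three checks over the same outbound connection log: beaconing (connections to one destination at near-constant intervals), exfiltration (large outbound byte volume to one destination), and a match against a known C2 indicator list. The log format ("timestamp src dst_host bytes_out"), the sample lines, and the indicator `c2.example.net` are all constructed for the example.

```python
"""Beacon, exfiltration, and known-C2 detection over outbound connection logs.

Added example (not from the original page). Log format is hypothetical:
ISO timestamp, internal source IP, destination hostname, bytes sent.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Hypothetical indicator list; a real one would come from threat intelligence.
KNOWN_C2 = {"c2.example.net"}

# Constructed sample log. 10.0.0.5 beacons to a look-alike CDN host roughly
# every 60 s, then pushes ~43 MiB to a file-sharing host; 10.0.0.8 browses
# normally; 10.0.0.9 contacts a host on the indicator list.
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.5 updates.example-cdn.net 512
2024-03-01T09:01:01 10.0.0.5 updates.example-cdn.net 512
2024-03-01T09:02:00 10.0.0.5 updates.example-cdn.net 520
2024-03-01T09:02:59 10.0.0.5 updates.example-cdn.net 512
2024-03-01T09:04:02 10.0.0.5 updates.example-cdn.net 512
2024-03-01T09:05:00 10.0.0.5 updates.example-cdn.net 515
2024-03-01T09:06:01 10.0.0.5 updates.example-cdn.net 512
2024-03-01T09:07:00 10.0.0.5 updates.example-cdn.net 512
2024-03-01T09:00:00 10.0.0.8 www.example.org 1200
2024-03-01T09:00:45 10.0.0.8 www.example.org 3400
2024-03-01T09:03:20 10.0.0.8 www.example.org 800
2024-03-01T09:03:50 10.0.0.8 www.example.org 2200
2024-03-01T09:15:00 10.0.0.8 www.example.org 900
2024-03-01T09:15:10 10.0.0.8 www.example.org 600
2024-03-01T09:10:00 10.0.0.5 files.example-share.net 15728640
2024-03-01T09:10:30 10.0.0.5 files.example-share.net 20971520
2024-03-01T09:11:05 10.0.0.5 files.example-share.net 8388608
2024-03-01T09:20:00 10.0.0.9 c2.example.net 300
"""


def analyse(log_text, known_c2=KNOWN_C2, min_connections=6, max_cv=0.2,
            exfil_bytes=10 * 1024 * 1024):
    """Return a list of (kind, src, dst, detail) findings.

    kind is "known_c2" (detail None), "beacon" (detail = mean period in
    seconds) or "exfil" (detail = total bytes sent to that destination).
    """
    sessions = defaultdict(list)   # (src, dst) -> [(timestamp, bytes_out)]
    for line in log_text.strip().splitlines():
        ts, src, dst, nbytes = line.split()
        sessions[(src, dst)].append((datetime.fromisoformat(ts), int(nbytes)))

    findings = []
    for (src, dst), events in sessions.items():
        events.sort()

        # 1. Indicator match: any contact with a known C2 host is a finding.
        if dst in known_c2:
            findings.append(("known_c2", src, dst, None))

        # 2. Beaconing: inter-connection gaps with a low coefficient of
        #    variation (stdev / mean) mean a timer, not a human, is calling out.
        if len(events) >= min_connections:
            gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
            mean_gap = statistics.mean(gaps)
            cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
            if cv <= max_cv:
                findings.append(("beacon", src, dst, round(mean_gap)))

        # 3. Exfiltration: total outbound bytes to one destination over the threshold.
        total_out = sum(n for _, n in events)
        if total_out >= exfil_bytes:
            findings.append(("exfil", src, dst, total_out))
    return findings


if __name__ == "__main__":
    for kind, src, dst, detail in analyse(SAMPLE_LOG):
        print(f"{kind:9s} {src} -> {dst} {detail if detail is not None else ''}")
```

Real implants add jitter to their sleep interval precisely to defeat the beacon check, so `max_cv` is a trade-off: a jitter of 20 to 30 percent pushes the coefficient of variation close to the 0.2 used here, and raising it increases false positives from legitimate polling such as software updaters, which should be allow-listed by destination. The exfiltration check is a volume baseline, not a replacement for DLP content inspection; the numbers should be set from what is normal for each host class.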
🧠 Summary
The Cyber Kill Chain model is valuable because it encourages a proactive defence mindset. By mapping an attacker's steps, organisations can identify security gaps, improve detection at each phase, and mount more effective incident responses. In practice the later phases (installation, command and control, actions on objectives) offer the richest detection opportunities, because that is where attacker activity occurs on systems and networks the defender controls and logs.
📌 Remember: because each phase depends on the one before it, breaking just one link in the kill chain can prevent the entire attack. Defend at several phases anyway, since an attacker who is blocked at one stage will usually return with different tooling.