Table of Contents

What is Cyber Kill Chain Framework: Stages & Examples

Reviewed & Written by:

|

Published:

|

Updated:

August 30, 2025
What is Cyber Kill Chain
Table of Contents

What is a Cyber Kill Chain?

The Cyber Kill Chain is a framework that describes the stages of a typical cyber attack, from the initial reconnaissance conducted by the attacker to the ultimate goal of the attack. It was developed by Lockheed Martin, to help organisations understand and defend against cyber threats by breaking down the attack process into distinct phases.

Importance of understanding the Cyber Kill Chain for effective cybersecurity

Cyber threats are evolving and increasing in sophistication, making it essential for organisations to comprehend how cyber attacks unfold. 

  • Understanding the Attacker’s Mindset: The Cyber Kill Chain provides a structured framework that breaks down the stages of a cyber attack, from planning to execution. Understanding each stage of the Kill Chain helps organisations identify vulnerabilities and implement targeted defences to disrupt the attack process at multiple points.
  • Proactive Defense: By adopting the Cyber Kill Chain, businesses can shift from a reactive stance to a more preventive approach to cybersecurity. Proactively addressing threats based on the Kill Chain stages reduces the likelihood and impact of successful cyber attacks, protecting critical assets, reputation, and the bottom line.
  • Targeted Resource Allocation: The Cyber Kill Chain helps organisations prioritise cybersecurity investments by identifying gaps in defences and allocating resources effectively.
  • Efficient Incident Response: Familiarity with the kill chain and adapting it in your business context helps to improve the incident response capability, allowing faster response and minimising the attack impact.

Feel free to watch this video containing a condensed version of the article.

What are the 7 steps of the cyber kill chain?

Stages of Cyber Kill Chain

The term kill chain was first used in the military to describe a series of actions with few words. The kill chain, in simple terms, identifies targets, analyses the target and develops a decision on whether to attack the target. Most importantly, the kill chain dissects the different stages of an APT attack and helps defensive teams against threats. Red teaming operations often include references and different stages in line with the cyber kill chain model well before MITRE release. 

As it became a term in computer science and cybersecurity, Lockheed Martin made some adjustments to the term in 2011 to give a more precise representation of the process. 

Like the military’s kill chain, the cyber kill chain has seven crucial steps to manage, protect, and improve network systems. The steps are as follows:  

1.  Reconnaissance

At this stage of the attack, the criminals gather as much info they can access about their targets. This is where the cyber attack starts. To do this, the criminals might employ a range of spying tools. In most cases, they take advantage of the public information available about their targets and continue from there. 

Examples of this stage of attack include: 

  • Attackers can use automated scanners to find weak points and vulnerabilities that allow penetration. 
  • Attackers also investigate the victim’s security systems, like intrusion detection systems, authentication mechanisms, and firewalls. 

2. Weaponization

At this stage of the attack, the attackers act on the information they have collected about their target and find weaknesses they can exploit. Using the exploit, the attackers will create a malicious payload (using encrypted channels such as HTTPS port 443 over SSL that they will send to their victim. Everything is still on the attacker’s side, and the target has not been exploited or actively attacked yet. 

3. Delivery

At the intrusion stage, the attacker is trying to gain entry into the victim’s security perimeter. To do this, attackers usually inject various forms of malware into the systems of the victim to gain control. The malicious content can be delivered to the target either by social engineering email, social media, compromised systems or accounts, or a security breach like an open port or an insider accomplice. 

Example attacks in the intrusion stage include:

  • Supply chain compromise
  • Spear phishing attachments
  • External/remote services

4. Exploitation

At the exploitation stage, attackers will seek other victim vulnerabilities that they did not know before entering. For instance, an attacker might not have privileged access to an organisation’s database from outside; however, they might spot vulnerabilities in the database that allows them to gain entry after an intrusion.  

Example attacks in the exploitation stage include

  • PowerShell, .Net, C# scripts
  • Local job scheduling
  • Dynamic data exchange

5. Installation

At the privilege escalation stage, the attacker attempts to gain the additional privilege to more accounts and systems. The attacker might decide to use brute force, or on the alternative, he might seek out unprotected repositories containing security credentials or monitor networks without encryption to track the credentials. He might as well consider changing permissions on previously existing compromised accounts.  

When he has the credentials he needs, the attacker then proceeds to other systems to find the most valuable assets of his target. Attackers typically move from one system to the other, seeking access to privileged accounts, sensitive data. This is usually a coordinated attack and usually affects several user accounts and IT systems.  

Example attacks in the privilege escalation and lateral movement stage:

  • Windows remote management
  • Pseudo attack
  • SSH hijacking
  • Shared webroot
  • Process injection
  • Path interception
  • Internal spear phishing
  • Access token manipulation

6. Command and Control

Now that the attacker has gained control of a significant part of the victim’s systems and user accounts and privileged, he will now develop a command control channel to operate and monitor his attack remotely. This stage will involve obfuscation and denial of service. Obfuscation is when the attacker tries to cover his tracks, making it look like nothing has happened. Examples of activities in the obfuscation stage include

  • Binary padding
  • Code signing
  • File deletion
  • Hidden users
  • Process hollowing

After obfuscation, denial of service will then take place, which is the opposite of obfuscation. The attacker who has been keeping a low profile will not decide to cause issues in the systems to announce their presence. This is usually to distract the attention of the security teams so he can perpetuate his fundamental objectives. The following are examples of attacks at the Denial-of-Service stage:

  • System shutdown
  • Service stop
  • Resource hijacking
  • Network denial of service
  • Endpoint denial of service

7. Action on Objectives

Every form of cyber attack has an underlying objective. The attacker usually has some objective in the victim’s network, data exfiltration, data deletion or supply chain attacks. At this stage, he brings together all the activities that will help achieve these goals. This step might involve weeks to months.  

Examples of attacks at this last stage of CKC include:

  • Data Exfiltration over alternative protocol
  • Data Exfiltration over a physical medium
  • Data encrypted
  • Data compressed

Suggested Read: 10 Steps to Cyber Security

Evolution of  Cyber Kill Chain

  • Unified Kill Chain: This expanded model, developed by Paul Pols, incorporates additional steps from the MITRE ATT&CK framework for a more comprehensive view.
  • MITRE ATT&CK: This framework provides a matrix of tactics and techniques used by attackers, complementing the kill chain’s linear approach.

Unified Kill Chain

The new Cyber Kill Chain, also known as the Unified Kill Chain is an expanded version of the original Cyber Kill Chain along with additional steps from the MITRE ATT&CK framework.

The 18 steps of the Unified Kill Chain are:

  1. Reconnaissance: Attackers gather information about the target, such as network architecture, potential vulnerabilities, and employee details.
  2. Weaponization: Attackers create malicious payloads, such as malware or exploits, tailored to the identified vulnerabilities.
  3. Delivery: Attackers deliver the malicious payload to the target through various methods, such as phishing emails or compromised websites.
  4. Social Engineering: Attackers manipulate or trick users into taking actions that compromise security, such as revealing sensitive information or installing malware.
  5. Exploitation: The malicious payload exploits vulnerabilities to gain unauthorized access to the target system.
  6. Persistence: Attackers establish a foothold in the compromised system to maintain access, even if the initial access point is discovered or removed.
  7. Defense Evasion: Attackers use techniques to avoid detection by security tools and systems, such as encrypting communications or using fileless malware.
  8. Command and Control: Attackers establish a communication channel to control the compromised system and receive data from it.
  9. Pivoting: Attackers use the compromised system as a stepping stone to access and attack other systems within the network.
  10. Discovery: Attackers explore the compromised network to gather information about connected systems, users, and data.
  11. Privilege Escalation: Attackers attempt to gain higher levels of access and permissions within the compromised system or network.
  12. Execution: Attackers run malicious code or commands on the compromised system to carry out their objectives.
  13. Credential Access: Attackers steal user credentials, such as passwords or access tokens, to facilitate further access and lateral movement.
  14. Lateral Movement: Attackers move from the initially compromised system to other systems within the network.
  15. Collection: Attackers gather sensitive data from compromised systems, such as intellectual property, financial data, or personal information.
  16. Exfiltration: Attackers transfer the collected data out of the compromised network to their own servers or infrastructure.
  17. Impact: Attackers carry out their ultimate goals, such as disrupting operations, destroying data, or holding systems for ransom.
  18. Objectives: Attackers achieve their desired outcomes, which may include financial gain, espionage, or damaging the target organization’s reputation.

Cyber Kill Chain Vs. MITRE ATT&CK framework

The Cyber Kill Chain provides a linear, high-level view of the attack process, focusing on the attacker’s perspective and the steps they take to execute a successful attack. In contrast, MITRE ATT&CK is a comprehensive matrix of tactics and techniques used by attackers, organised based on their objectives and the stages of an attack. The Cyber Kill Chain is useful for understanding the early stages of an attack and developing prevention strategies, while ATT&CK provides a more granular view of attacker behaviour, making it valuable for threat hunters, incident responders, and red teams.

Your questions about Cyber Kill Chain Answered

What are the limitations of the Cyber Kill Chain addressed in a unified kill chain?

Cloud-Enabled Kill Chain: Addresses the specific challenges of cloud environments, focusing on cloud-based delivery, exploitation, and actions.

Behavioral Analysis: Augments the kill chain by identifying anomalies in user and system behavior to detect insider threats and attacks without traditional payloads.

What is a Cloud-enabled Kill Chain?

The Cloud-Enabled Kill Chain is an adaptation of the traditional Cyber Kill Chain that takes into account the unique characteristics and challenges of cloud computing environments. While the Cyber Kill Chain focuses on the steps attackers take to compromise a traditional network or system, the Cloud-Enabled Kill Chain considers the additional attack vectors and opportunities presented by cloud infrastructure and services.

Is Cyber Kill Chain a threat model?

No, the Cyber Kill Chain is not a threat model. It is an attack model that describes the stages of a typical cyber attack from the attacker’s perspective.

Why is it called a Cyber Kill Chain?

The term “kill chain” originates from the military, referring to the steps an attack must go through to succeed. In the context of cybersecurity, the Cyber Kill Chain adapts this concept to describe the stages of a cyber attack.

What is command and control in the Cyber Kill Chain?

In the Cyber Kill Chain, Command and Control (C2) refers to the stage where attackers establish a communication channel to remotely control compromised systems and receive data from them.

What is the difference between Cyber Kill Chain and Diamond Model?

The Cyber Kill Chain focuses on the sequential steps of an attack from the attacker’s perspective, while the Diamond Model emphasises the relationships between the key elements of an attack. Both frameworks can be used together to gain a more comprehensive understanding of cyber attacks and to develop effective defence strategies.

Good Security Practices Start With the Right Foundations

Explore actionable insights that help businesses map their attack surface and address exploitable risks ranked by real business impact.

Trusted by 150+ UK orgs

Related Reads

Join 1000+ subscribers getting the best tips on cybersecurity, security management, and more!

You may opt-out at any time. Read our privacy policy.

Get in touch

No salesy newsletters. View our privacy policy.

How "Defensible" is your firm compared to UK peers?

Most SMBs and mid-market firms have “silent” gaps in their people, process and tech controls implementation. Take the 90-second maturity audit to see your percentile rank.