What Is the Cybersecurity Kill Chain and How Do You Use It?

June 6, 2024 • Zachary Amos


Good cybersecurity is proactive. Security pros must learn how cybercriminals operate to predict their behavior and build necessary protections to stop it. Frameworks like the cybersecurity kill chain help them do just that.

What Is the Cybersecurity Kill Chain?

The cybersecurity kill chain is a model that breaks the typical cyberattack timeline into distinct stages. The concept comes from a 2011 white paper by Lockheed Martin, the famous aerospace and defense company. As you might expect from a manufacturer of military equipment, the paper applied a military attack framework to cybersecurity.

In its original context, a kill chain describes how enemy forces must move through specific steps in order to successfully attack someone. By understanding these steps, armed forces can learn where their defenses must improve and get better at spotting attacks before they cause much damage.

The cyber kill chain applies the same concept to digital attacks. It assumes that just as enemy armies must follow steps in order, cybercriminals typically follow a pattern to pull off a successful hack. The whole plan will likely fall apart if one of those stages fails, and the earlier in the process you can stop it, the better.

The 7 Steps of the Cyber Kill Chain

The concept of the cybersecurity kill chain has grown and evolved in the years since its inception. Because of that, you’ll find that many security companies include varying amounts of stages or define these phases differently, but the general idea remains the same. According to the original Lockheed Martin model, the kill chain follows seven steps, which we’ll dive into now.

1. Reconnaissance

The first stage of the cyber kill chain is reconnaissance — “recon” for short. This is where the attacker gathers information to find a target and learn more about them. That research can include everything from a simple web search to more complex work like network mapping or port scanning.

2. Weaponization

The next step is weaponization or intrusion. In this stage, cybercriminals use what they learned in the previous one to get into your network or system. Phishing is the most common method — a staggering 95% of security incidents start with someone clicking a malicious link — but some attacks use stolen passwords or more technical methods.

3. Delivery

Once inside, the attacker delivers their payload. Often, that means installing malware on a computer, whether they use ransomware, Trojans or another type of malicious code. Whatever the specifics, this stage opens the door for the rest of the cybersecurity kill chain to do real damage.

4. Exploitation

The exploitation phase is where the payload from the last step starts working. Sometimes, this happens immediately after delivery. In others, the malware lies in wait until users perform a certain action or the code has spread to enough endpoints. In either case, this is where the damage occurs. 

5. Installation

Now that the attack is fully underway, cybercriminals install additional malware to ramp things up. They could implement a backdoor to let them perform similar attacks in the future. Alternatively, they could install remote access tools.

6. Command and Control

The next stage in the cybersecurity kill chain is command and control (C2), where the attacker takes over. In the over 300 million ransomware attempts that happen each year, this is when attackers finish stealing or encrypting their target data. In other cases, they take control of a computer over from the authorized user. The attack usually becomes noticeable at this point if you haven’t already detected it.

7. Actions on Objectives

After C2, attackers do what Lockheed Martin calls “actions on objectives.” That’s a fancy way of saying they do what they came here to do. In ransomware cases, that means demanding a ransom. In more general data theft, they flee the system with all the data they stole. In all cases, once cybercriminals finish this stage, the attack is successful.

How Do Security Professionals Use the Cyber Kill Chain?

The cybersecurity kill chain is important for more than just illustrating cyberattacks. Security professionals can use it to spot attacks and determine the appropriate response.

The kill chain is particularly important for automated threat-hunting tools. These systems detect unknown threats by recognizing patterns they’ve learned from known ones. That may mean identifying the signs of someone moving through the kill chain, which lets the system know something is wrong, even if they don’t know what.

Recognizing the order of the steps in the kill chain matters because each stage may require a different response. Signs of an attack in the reconnaissance stage, for example, may only suggest that you should beef up your defenses and monitor things more closely for an incoming attack. By contrast, discovering an attack in the exploitation stage requires containment and assessment to uncover and stop the damage.

The cybersecurity kill chain also makes it easier to identify security gaps. You know you need to adjust your security posture if you’re not sure you can effectively recognize or handle a threat at any of these seven stages.

Problems With the Kill Chain Model

As helpful as the cyber kill chain can be, it’s not a perfect framework. Keep in mind that it is more than a decade old at this point. As such, it may not accurately describe every attack you’ll encounter, especially considering how quickly cybercrime evolves.

More specifically, the kill chain model only addresses perimeter security. It doesn’t necessarily apply to insider threats, which caused $15.4 million in damage in 2022 alone. It also focuses on malware-based attacks, so it does little to stop social engineering or other, more nuanced cyberattack methods.

These issues don’t mean this framework isn’t useful, but they do mean it’s not a complete solution. Organizations should use it to inform parts of their cybersecurity strategy, but they must also pair it with measures like employee training and advanced risk assessment.

Get Inside the Mind of a Cybercriminal

“Know thy enemy” remains useful advice, even in today’s digital world. The cybersecurity kill chain lets security pros understand the threats they face to inform more effective defenses.

While this method isn’t perfect, it can be a huge help in threat hunting. Integrating it into your security solution can help you identify and respond to attacks faster and more effectively.