What is the Cyber Kill Chain Framework?
Sep 30, 2025
The Cyber Kill Chain framework, developed by Lockheed Martin in 2011, helps organizations understand and defend against cyberattacks. It breaks down the stages a threat actor goes through to carry out an attack, from the initial research phase to achieving their ultimate goal.
By studying the kill chain, security teams can identify weaknesses in their defenses and take action to stop attackers at each stage.
The Cyber Kill Chain Steps
The Cyber Kill Chain consists of seven steps:
Reconnaissance
The first step for an attacker is gathering data. During reconnaissance, the threat actor identifies targets and collects information that can increase the likelihood of a successful attack. This can include system vulnerabilities, employee details, or even third-party vendor relationships.
Weaponization
Once enough information has been collected, attackers prepare their tools. At this stage, malware or exploits are created or modified to exploit the identified vulnerabilities.
Delivery
The weaponized payload is delivered to the target. This can happen through phishing emails, malicious links, infected USB drives, or other social engineering tactics.
Exploitation
After delivery, attackers exploit vulnerabilities to gain access. This could involve executing malicious code, escalating privileges, or moving laterally through the network to find valuable targets.
Installation
In this phase, malware is installed on the compromised system. This allows attackers to maintain persistence and continue their activities without being immediately detected.
Command and Control (C2)
Attackers establish a communication channel back to their infrastructure, often referred to as Command and Control (C2). This remote access enables them to send commands, exfiltrate data, or deploy additional tools.
Actions on Objectives
With full access established, attackers can achieve their ultimate goal. This could be stealing sensitive data, disrupting business operations, or deploying ransomware to demand payment.
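To show how a security team can use the seven stages to find weaknesses in its defenses, the following added example (not part of the original post) tags alerts with a kill chain stage and reports, per host, where the first detection happened, how far the activity progressed, and which earlier stages produced no alert. The rule names, hostnames and alert records are constructed for illustration and do not come from any real product.

```python
from collections import defaultdict
from datetime import datetime

# The seven stages, in the order the article lists them.
STAGES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and Control", "Actions on Objectives"]

# Hypothetical detection rule names and their stage mapping (assumed).
RULE_STAGE = {
    "external_port_scan": "Reconnaissance", "phishing_link_clicked": "Delivery",
    "office_spawned_shell": "Exploitation", "new_autorun_entry": "Installation",
    "periodic_beacon": "Command and Control",
    "bulk_file_encryption": "Actions on Objectives",
}

# Constructed sample alerts: (ISO timestamp, host, rule).
ALERTS = [
    ("2025-01-10T09:02:00", "ws-014", "phishing_link_clicked"),
    ("2025-01-10T09:03:10", "ws-014", "office_spawned_shell"),
    ("2025-01-10T09:05:45", "ws-014", "new_autorun_entry"),
    ("2025-01-10T11:30:00", "srv-db2", "periodic_beacon"),
    ("2025-01-10T08:15:00", "fw-edge", "external_port_scan"),
    ("2025-01-10T12:00:00", "ws-014", "unknown_rule"),
]

def assess_hosts(alerts, rule_stage=RULE_STAGE):
    """Per host: first and furthest stage alerted on, and earlier stages with no alert."""
    seen = defaultdict(dict)  # host -> {stage index: earliest timestamp}
    for ts, host, rule in alerts:
        stage = rule_stage.get(rule)
        if stage is None:  # unmapped rule: skip rather than guess a stage
            continue
        idx, when = STAGES.index(stage), datetime.fromisoformat(ts)
        if idx not in seen[host] or when < seen[host][idx]:
            seen[host][idx] = when
    report = {}
    for host, stages in seen.items():
        furthest = max(stages)
        first = min(stages, key=stages.get)  # stage of the earliest alert
        report[host] = {
            "first_detected": STAGES[first],
            "furthest": STAGES[furthest],
            "unseen_before_furthest": [STAGES[i] for i in range(furthest) if i not in stages],
        }
    return report

def uncovered_stages(rule_stage=RULE_STAGE):
    # Stages that no detection rule maps to at all.
    return [s for s in STAGES if s not in set(rule_stage.values())]
```

A host whose first alert is already at Command and Control, like the constructed `srv-db2`, is the case to investigate first: every earlier stage passed without a detection.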
Final Thoughts
The Cyber Kill Chain provides a clear model for understanding how cyberattacks unfold. By breaking attacks into distinct stages, organizations can build defenses that detect and stop attackers early in the process, before they reach their final objective.
To learn more about how layered defenses can stop attackers, check out our post on defense in depth.