What Is the Cyber Kill Chain?

The cyber kill chain refers to the sequence of steps cybercriminals commonly take to carry out an attack. The term also names the framework introduced by Lockheed Martin that maps these steps, helping organisations understand and disrupt cyber attacks in the process.

This model is especially useful for analysing advanced persistent threats (APTs) and sophisticated attacks that combine tactics like malware, ransomware, trojans, spoofing, and social engineering.

The Cyber Kill Chain Framework

Lockheed Martin originally developed the cyber kill chain framework as a way to adapt military “kill chain” thinking to cybersecurity. In military strategy, a kill chain describes the structured steps an adversary takes to identify and engage a target—and the opportunities defenders have to disrupt them. 

Similarly, the cyber kill chain framework breaks down an attack into distinct phases, giving defenders a clear view of where and how to intervene. Security teams now use this model to map threats to specific stages, helping them prioritise defences and spot gaps.

Cyber Kill Chain Steps

The cyber kill chain model identifies seven steps cyber attackers will take:

  1. Reconnaissance: Attackers gather information on the target, such as open ports or employee emails.

  2. Weaponization: They prepare a malware payload, typically pairing an exploit with a malicious file or link.

  3. Delivery: The payload is sent to the target, typically via phishing emails or drive-by downloads.

  4. Exploitation: The malicious code runs on the target system, exploiting a vulnerability.

  5. Installation: Malware establishes persistence by installing backdoors or trojans.

  6. Command and Control (C2): Attackers communicate with the compromised system to issue commands.

  7. Actions on Objectives: They achieve their goal, whether stealing data, encrypting files, or disrupting services.

How the Cyber Kill Chain Model Visualises Attacks

This model shows that cyberattacks aren't single events, but a series of interconnected steps. By disrupting even one stage in this chain, security teams can prevent attackers from achieving their goals and reduce the overall impact of a breach.

For example, they might deploy threat intelligence to detect reconnaissance activity, use sandboxing to catch weaponised malware, or monitor network traffic for suspicious C2 connections.

Cyber Kill Chain vs MITRE ATT&CK

The cyber kill chain gives a linear, high-level view of an attack, whereas the MITRE ATT&CK framework provides a detailed matrix of adversary tactics and techniques. Using both together strengthens detection, incident response, and continuous improvement of cyber security.

Unified Cyber Kill Chain & Other Models

The unified cyber kill chain integrates the Lockheed Martin model with MITRE ATT&CK tactics to better capture the complexity of modern attacks, especially advanced persistent threats (APTs). It expands the kill chain beyond initial compromise to include post-exploitation lateral movement and credential theft, offering defenders a more complete roadmap to spot and disrupt intrusions.

Cyber Kill Chain vs. Other Models: Comparison Chart

Framework | Focus | Strengths
Cyber Kill Chain | Linear stages of an attack | Easy to understand, stops attacks early
MITRE ATT&CK | Tactics & techniques matrix | Highly detailed, supports threat hunting
Unified Cyber Kill Chain | Combines both approaches | Captures APT lifecycle, supports full-spectrum defence

How to Disrupt the Cyber Kill Chain Process

Stopping cyber attacks is often about identifying and disrupting one or more stages of the kill chain. This layered approach reduces an attacker’s chance of success and limits the damage if they do breach initial defences.

Cyber Kill Chain Tactics and Prevention

Kill Chain Stage | Common Attacks / Tactics | Typical / Best Prevention
Reconnaissance | OSINT, social media profiling, scanning for exposed assets | Threat intelligence & attack surface management to identify what attackers see and minimise exposure.
Weaponization | Creating malware payloads, malicious macros, exploit kits | Patch & vulnerability management to reduce exploitable gaps; keep endpoint tools updated.
Delivery | Phishing emails, malicious links, watering hole attacks | Email security & web filtering to block malicious emails and sites.
Exploitation | Exploiting software vulnerabilities, credential attacks | Endpoint protection (EPP/EDR) to detect & block malicious actions.
Installation | Malware installs backdoors, ransomware, trojans | Application controls & sandboxing to stop unknown or suspicious installs.
Command & Control (C2) | Remote access tools like Cobalt Strike, suspicious outbound connections | Network intrusion prevention systems (IPS) & anomaly detection to block C2 traffic.
Actions on Objectives | Data theft, encryption for ransomware, sabotage | XDR & SOC monitoring for quick detection, isolation, & response to limit impact.
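The prevention table maps each stage to a detection opportunity; the following is an added example (not code from the page or from Trend Micro) that tags constructed host and network events onto the seven stages and flags regular-interval outbound connections to one destination as a C2 indicator. The event type names, log fields, sample telemetry and thresholds are assumptions made for the illustration.

```python
# Added example (not from the page): map constructed host/network events onto the
# seven kill chain stages and flag beacon-like outbound traffic as a C2 indicator.
from collections import defaultdict
from statistics import mean, pstdev

STAGES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and Control", "Actions on Objectives"]

# Assumed event types from a hypothetical log source and the stage each evidences.
# Weaponization happens on the attacker's side, so no telemetry maps to it.
STAGE_OF = {"portscan": "Reconnaissance", "mail_attachment": "Delivery",
            "office_spawns_shell": "Exploitation", "run_key_added": "Installation",
            "large_upload": "Actions on Objectives"}

def find_beacons(events, min_hits=4, max_jitter=0.2):
    """Return (src, dst) pairs whose outbound connections recur at near-fixed intervals.

    max_jitter is the allowed coefficient of variation (stdev / mean) of the gaps."""
    by_pair = defaultdict(list)
    for e in events:
        if e["type"] == "net_out":
            by_pair[(e["src"], e["dst"])].append(e["ts"])
    beacons = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            beacons.append(pair)
    return beacons

def stages_observed(events):
    """Kill chain stages the events provide evidence for, in chain order."""
    seen = {STAGE_OF[e["type"]] for e in events if e["type"] in STAGE_OF}
    if find_beacons(events):
        seen.add("Command and Control")
    return [s for s in STAGES if s in seen]

# Constructed sample telemetry for one host (timestamps in seconds); the six
# outbound connections every ~300 s with small jitter model a C2 beacon.
SAMPLE = [
    {"ts": 0, "src": "10.0.0.5", "type": "portscan"},
    {"ts": 60, "src": "10.0.0.5", "type": "mail_attachment"},
    {"ts": 90, "src": "10.0.0.5", "type": "office_spawns_shell"},
    {"ts": 95, "src": "10.0.0.5", "type": "run_key_added"},
] + [{"ts": 100 + 300 * i + (i % 2) * 5, "src": "10.0.0.5", "type": "net_out",
      "dst": "198.51.100.7"} for i in range(6)]

if __name__ == "__main__":
    print("beacons:", find_beacons(SAMPLE))
    print("stages:", stages_observed(SAMPLE))
```

The earliest stage returned is where the cheapest intervention would have been; here the port scan and the macro attachment both precede any beaconing.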

Real-World Cyber Kill Chain Examples

LockBit & BlackCat (ALPHV) Ransomware

In 2024, LockBit leveraged the QakBot trojan during the delivery and exploitation phases to gain access, then used Cobalt Strike for command and control. Ultimately, they encrypted critical systems and demanded millions in ransom payments, demonstrating the cost of missing detection opportunities at the early cyber kill chain stages.

Clop Ransomware

Clop is notorious for exploiting secure file transfer applications to gain access. After delivery, they rapidly move to data exfiltration (installation and actions on objectives), combining encryption with public data leaks for double extortion.

Benefits of Using the Cyber Kill Chain in Cybersecurity

  • Reduces Breach Costs: Early detection means stopping attacks before they escalate, saving on recovery and legal costs.

  • Supports Regulatory Compliance: Helps demonstrate proactive measures under GDPR, NIS2, and similar regulations.

  • Improves SOC & IR Readiness: Gives security teams a structured approach to threat hunting and incident response.

Strengthen Your Defences Across the Entire Cyber Kill Chain

Understanding the cyber kill chain helps you anticipate and disrupt each stage of an attack—from initial reconnaissance to data exfiltration. But knowing the tactics isn’t enough without the ability to detect, respond, and adapt in real time.

Trend Vision One™ delivers unified visibility, powerful analytics, and extended detection and response (XDR) across your entire environment. By correlating activity at every phase of the kill chain, you can stop threats earlier, reduce dwell time, and protect critical assets with confidence.

FAQs

What are the seven steps of the cyber kill chain?

The cyber kill chain outlines seven steps attackers typically follow: reconnaissance, weaponization, delivery, exploitation, installation, command and control (C2), and actions on objectives. Each step offers defenders a chance to detect and stop the attack.

Who developed the cyber kill chain model?

Lockheed Martin introduced the cyber kill chain in 2011. They adapted the concept from traditional military kill chains to help cybersecurity teams understand and disrupt digital threats.

How does the cyber kill chain prevent cyber attacks?

By breaking an attack into stages, the kill chain helps security teams identify where to intervene. Stopping an attack early—like blocking a phishing email or patching vulnerabilities—can prevent it from reaching critical systems.

How is the cyber kill chain different from MITRE ATT&CK?

The cyber kill chain is a linear model showing the typical progression of an attack. MITRE ATT&CK is a detailed matrix of tactics and techniques attackers use. Many organisations use both together for stronger security.

Is the cyber kill chain still relevant today?

Yes. While attacks have evolved, the kill chain remains a useful way to visualise threats and design layered defences. Many teams also combine it with newer models like the MITRE ATT&CK framework.

Can small businesses use the cyber kill chain?

Absolutely. Even small companies can apply the kill chain concept by mapping threats, improving employee awareness, and investing in layered security to block attacks at multiple stages.