Cyber Kill Chain
Cyber Kill Chain
Lockheed Martin Cyber Kill Chain — a stage-by-stage attack detection and blocking framework
1. Overview: A Cyber Defense Strategy That Structures Attacks Into 7 Stages for Stage-by-Stage Detection and Blocking
flowchart LR
A["Post-breach response focus<br/>after an incident occurs<br/>Limited damage reduction"] --"Pre-structured<br/>7-stage attack flow"--> B["Design detection/blocking<br/>points at each stage"] --"Early intervention<br/>breaks the attack chain"--> C["Minimized damage<br/>strengthened defense capability"]
style A fill:#FFEBEE,stroke:#D32F2F,color:#000
style B fill:#E3F2FD,stroke:#1976D2,color:#000
style C fill:#E8F5E9,stroke:#388E3C,color:#000
Definition: A framework in which Lockheed Martin applied the military kill-chain concept to cybersecurity. It defines the 7-stage attack procedure an APT (Advanced Persistent Threat) actor goes through to achieve its objective, and is a defense strategy model that detects and blocks the attack at each stage to sever the attack chain early.
Characteristics: (Chain concept) The attacker must complete every stage in sequence to reach the objective — blocking at any single stage causes the attack to fail. (Active defense) Forms the basis for building an Active Cyber Defense strategy from the defender’s perspective. (Complements ATT&CK) Used complementarily with the MITRE ATT&CK framework — ATT&CK provides more granular tactics and techniques.
2. Core Structure of the Cyber Kill Chain
A. The 7-Stage Attack Chain Structure
flowchart LR
C1["1. Reconnaissance<br/>Reconnaissance<br/>Gathering target information<br/>OSINT / network scanning"]
C2["2. Weaponization<br/>Weaponization<br/>Bundling the exploit<br/>Crafting a malicious payload"]
C3["3. Delivery<br/>Delivery<br/>Delivering the attack vector<br/>Phishing / USB / web"]
C4["4. Exploitation<br/>Exploitation<br/>Triggering the vulnerability<br/>Code execution begins"]
C5["5. Installation<br/>Installation<br/>Installing a backdoor/RAT<br/>Establishing persistence"]
C6["6. C2 Communication<br/>Command & Control<br/>Remote control channel<br/>Receiving attacker commands"]
C7["7. Actions on Objectives<br/>Actions on Objectives<br/>Data exfiltration/destruction<br/>Ransomware / lateral movement"]
C1 --> C2 --> C3 --> C4 --> C5 --> C6 --> C7
style C1 fill:#E8F5E9,stroke:#388E3C,color:#000
style C2 fill:#E3F2FD,stroke:#1976D2,color:#000
style C3 fill:#FFF3E0,stroke:#F57C00,color:#000
style C4 fill:#F3E5F5,stroke:#7B1FA2,color:#000
style C5 fill:#FFEBEE,stroke:#D32F2F,color:#000
style C6 fill:#B71C1C,stroke:#B71C1C,color:#fff
style C7 fill:#1E3A5F,stroke:#1E3A5F,color:#fff
| Stage | Attacker Activity | Tools/Techniques Used |
|---|---|---|
| 1. Reconnaissance | Gather information on the target organization, systems, and personnel | LinkedIn, Shodan, WHOIS, social engineering |
| 2. Weaponization | Craft a malicious payload bundled with an exploit based on gathered information | Metasploit, Cobalt Strike, custom malware |
| 3. Delivery | Deliver the weaponized file/link to the target | Spear phishing, malicious attachments, drive-by download |
| 4. Exploitation | Trigger a vulnerability to begin executing malicious code | Zero-day vulnerabilities, macros, PDF exploits |
| 5. Installation | Establish persistence by installing a backdoor, RAT, or web shell | Registry changes, scheduled tasks, DLL hijacking |
| 6. C2 Communication | Establish a remote control channel to receive attacker commands | HTTP/DNS tunneling, encrypted C2 servers |
| 7. Actions on Objectives | Data exfiltration, system destruction, lateral movement | Ransomware, data staging, APT lateral movement |
B. Stage-by-Stage Detection and Response Strategy
flowchart TD
subgraph R1[" "]
direction LR
D1["Response to reconnaissance/weaponization<br/>Minimize attack surface<br/>Use threat intelligence<br/>OSINT monitoring"]
D2["Response to delivery/exploitation<br/>Email security (SPF/DKIM)<br/>EDR / patch management<br/>Web filtering / URL analysis"]
end
subgraph R2[" "]
direction LR
D3["Response to installation/C2<br/>EDR / behavior-based detection<br/>DNS sinkholing / network isolation<br/>Anomalous traffic detection"]
D4["Response to actions on objectives<br/>DLP / data encryption<br/>SIEM anomaly detection<br/>Forensics / incident response"]
end
style D1 fill:#E8F5E9,stroke:#388E3C,color:#000
style D2 fill:#E3F2FD,stroke:#1976D2,color:#000
style D3 fill:#FFF3E0,stroke:#F57C00,color:#000
style D4 fill:#FFEBEE,stroke:#D32F2F,color:#000
style R1 fill:none,stroke:none
style R2 fill:none,stroke:none
Stage-by-Stage Defensive Measures (Courses of Action Matrix)
| Stage | Detection Method | Blocking/Mitigation Measures |
|---|---|---|
| 1. Reconnaissance | Threat intelligence, dark web monitoring | Minimize attack surface, restrict disclosure of sensitive information |
| 2. Weaponization | Malware sample collection/analysis (YARA rules) | Threat intelligence sharing, patch prioritization |
| 3. Delivery | Email gateway, URL reputation checks | SPF, DKIM, DMARC, malicious attachment sandboxing |
| 4. Exploitation | EDR/HIDS anomalous process detection | Vulnerability patching, micro-segmentation, Zero Trust |
| 5. Installation | Registry/file system change detection | Application whitelisting, EDR blocking |
| 6. C2 Communication | DNS/HTTP anomalous traffic, beacon pattern detection | DNS sinkholing, outbound filtering, network isolation |
| 7. Actions on Objectives | DLP/UEBA anomalous behavior detection | Data classification, encryption, backups, executing the IR playbook |
3. Expected Benefits and Practical Application of the Cyber Kill Chain
| Category | Key Expected Benefit | Application & Practical Use |
|---|---|---|
| Proactive defense | Minimize damage by detecting/blocking early-stage attacks | Build a threat intelligence collection/analysis system for the reconnaissance stage |
| Defense prioritization | Clarify defensive investment priorities by stage | Map SIEM detection rules to Kill Chain stages and operate them accordingly |
| APT response | Understand and respond to advanced persistent threat (APT) attack patterns | Apply full Kill Chain stage scenarios in red team penetration exercises |
| MITRE integration | Detailed threat analysis combined with ATT&CK tactics/techniques | Measure detection coverage by mapping Kill Chain stages to ATT&CK tactics |