Skip to content

Cyber Kill Chain

Cyber Kill Chain

Lockheed Martin Cyber Kill Chain — a stage-by-stage attack detection and blocking framework

1. Overview: A Cyber Defense Strategy That Structures Attacks Into 7 Stages for Stage-by-Stage Detection and Blocking

    flowchart LR
    A["Post-breach response focus<br/>after an incident occurs<br/>Limited damage reduction"] --"Pre-structured<br/>7-stage attack flow"--> B["Design detection/blocking<br/>points at each stage"] --"Early intervention<br/>breaks the attack chain"--> C["Minimized damage<br/>strengthened defense capability"]

    style A fill:#FFEBEE,stroke:#D32F2F,color:#000
    style B fill:#E3F2FD,stroke:#1976D2,color:#000
    style C fill:#E8F5E9,stroke:#388E3C,color:#000
  

Definition: A framework in which Lockheed Martin applied the military kill-chain concept to cybersecurity. It defines the 7-stage attack procedure an APT (Advanced Persistent Threat) actor goes through to achieve its objective, and is a defense strategy model that detects and blocks the attack at each stage to sever the attack chain early.

Characteristics: (Chain concept) The attacker must complete every stage in sequence to reach the objective — blocking at any single stage causes the attack to fail. (Active defense) Forms the basis for building an Active Cyber Defense strategy from the defender’s perspective. (Complements ATT&CK) Used complementarily with the MITRE ATT&CK framework — ATT&CK provides more granular tactics and techniques.


2. Core Structure of the Cyber Kill Chain

A. The 7-Stage Attack Chain Structure

    flowchart LR
    C1["1. Reconnaissance<br/>Reconnaissance<br/>Gathering target information<br/>OSINT / network scanning"]
    C2["2. Weaponization<br/>Weaponization<br/>Bundling the exploit<br/>Crafting a malicious payload"]
    C3["3. Delivery<br/>Delivery<br/>Delivering the attack vector<br/>Phishing / USB / web"]
    C4["4. Exploitation<br/>Exploitation<br/>Triggering the vulnerability<br/>Code execution begins"]
    C5["5. Installation<br/>Installation<br/>Installing a backdoor/RAT<br/>Establishing persistence"]
    C6["6. C2 Communication<br/>Command & Control<br/>Remote control channel<br/>Receiving attacker commands"]
    C7["7. Actions on Objectives<br/>Actions on Objectives<br/>Data exfiltration/destruction<br/>Ransomware / lateral movement"]

    C1 --> C2 --> C3 --> C4 --> C5 --> C6 --> C7

    style C1 fill:#E8F5E9,stroke:#388E3C,color:#000
    style C2 fill:#E3F2FD,stroke:#1976D2,color:#000
    style C3 fill:#FFF3E0,stroke:#F57C00,color:#000
    style C4 fill:#F3E5F5,stroke:#7B1FA2,color:#000
    style C5 fill:#FFEBEE,stroke:#D32F2F,color:#000
    style C6 fill:#B71C1C,stroke:#B71C1C,color:#fff
    style C7 fill:#1E3A5F,stroke:#1E3A5F,color:#fff
  
StageAttacker ActivityTools/Techniques Used
1. ReconnaissanceGather information on the target organization, systems, and personnelLinkedIn, Shodan, WHOIS, social engineering
2. WeaponizationCraft a malicious payload bundled with an exploit based on gathered informationMetasploit, Cobalt Strike, custom malware
3. DeliveryDeliver the weaponized file/link to the targetSpear phishing, malicious attachments, drive-by download
4. ExploitationTrigger a vulnerability to begin executing malicious codeZero-day vulnerabilities, macros, PDF exploits
5. InstallationEstablish persistence by installing a backdoor, RAT, or web shellRegistry changes, scheduled tasks, DLL hijacking
6. C2 CommunicationEstablish a remote control channel to receive attacker commandsHTTP/DNS tunneling, encrypted C2 servers
7. Actions on ObjectivesData exfiltration, system destruction, lateral movementRansomware, data staging, APT lateral movement

B. Stage-by-Stage Detection and Response Strategy

    flowchart TD
    subgraph R1[" "]
        direction LR
        D1["Response to reconnaissance/weaponization<br/>Minimize attack surface<br/>Use threat intelligence<br/>OSINT monitoring"]
        D2["Response to delivery/exploitation<br/>Email security (SPF/DKIM)<br/>EDR / patch management<br/>Web filtering / URL analysis"]
    end
    subgraph R2[" "]
        direction LR
        D3["Response to installation/C2<br/>EDR / behavior-based detection<br/>DNS sinkholing / network isolation<br/>Anomalous traffic detection"]
        D4["Response to actions on objectives<br/>DLP / data encryption<br/>SIEM anomaly detection<br/>Forensics / incident response"]
    end

    style D1 fill:#E8F5E9,stroke:#388E3C,color:#000
    style D2 fill:#E3F2FD,stroke:#1976D2,color:#000
    style D3 fill:#FFF3E0,stroke:#F57C00,color:#000
    style D4 fill:#FFEBEE,stroke:#D32F2F,color:#000
    style R1 fill:none,stroke:none
    style R2 fill:none,stroke:none
  

Stage-by-Stage Defensive Measures (Courses of Action Matrix)

StageDetection MethodBlocking/Mitigation Measures
1. ReconnaissanceThreat intelligence, dark web monitoringMinimize attack surface, restrict disclosure of sensitive information
2. WeaponizationMalware sample collection/analysis (YARA rules)Threat intelligence sharing, patch prioritization
3. DeliveryEmail gateway, URL reputation checksSPF, DKIM, DMARC, malicious attachment sandboxing
4. ExploitationEDR/HIDS anomalous process detectionVulnerability patching, micro-segmentation, Zero Trust
5. InstallationRegistry/file system change detectionApplication whitelisting, EDR blocking
6. C2 CommunicationDNS/HTTP anomalous traffic, beacon pattern detectionDNS sinkholing, outbound filtering, network isolation
7. Actions on ObjectivesDLP/UEBA anomalous behavior detectionData classification, encryption, backups, executing the IR playbook

3. Expected Benefits and Practical Application of the Cyber Kill Chain

CategoryKey Expected BenefitApplication & Practical Use
Proactive defenseMinimize damage by detecting/blocking early-stage attacksBuild a threat intelligence collection/analysis system for the reconnaissance stage
Defense prioritizationClarify defensive investment priorities by stageMap SIEM detection rules to Kill Chain stages and operate them accordingly
APT responseUnderstand and respond to advanced persistent threat (APT) attack patternsApply full Kill Chain stage scenarios in red team penetration exercises
MITRE integrationDetailed threat analysis combined with ATT&CK tactics/techniquesMeasure detection coverage by mapping Kill Chain stages to ATT&CK tactics