
Sophisticated attacks don't happen instantaneously—they progress through phases, from initial reconnaissance to objective completion. Understanding this progression reveals defensive opportunities at each stage. Earlier detection means more options for response.
In 2011, Lockheed Martin analysts (Hutchins, Cloppert and Amin, "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains") published the Cyber Kill Chain, adapting military targeting doctrine to cyber defense. The model identifies seven phases characterizing advanced persistent threats:
Reconnaissance begins every targeted attack. Adversaries research the organization, its technology, and its people. Passive reconnaissance gathers publicly available information—websites, social media, job postings. Active reconnaissance probes systems directly—scanning, fingerprinting, enumerating services.
Weaponization prepares the attack payload. Based on reconnaissance, attackers select or develop exploits and malware suitable for the target. This phase occurs in attacker infrastructure and is invisible to defenders while it happens; its artifacts (document metadata, compiler timestamps, reused certificates or builder signatures) are only recoverable afterwards from the delivered payload, which is why they matter for attribution rather than prevention.
Delivery transmits the weapon to the target. Phishing emails remain dominant, but watering hole attacks (compromising sites the target visits), supply chain compromises, and physical access also deliver payloads.
Exploitation executes the initial attack, typically exploiting a vulnerability to gain code execution. This might exploit software bugs, abuse document macros, or trick users into running malware.
Installation establishes persistent access. Attackers drop backdoors, create accounts, schedule tasks, or modify startup processes so they survive reboots and maintain access even if the initial vector is discovered.
Command and Control (C2) connects the implant to attacker infrastructure. This channel enables attackers to issue commands, receive data, and update their tools.
Actions on Objectives accomplish the attack's purpose—data theft, ransomware deployment, sabotage, or whatever the adversary sought.
The kill chain model reveals that defense is not all-or-nothing. Each phase is an opportunity. Attackers must succeed at every phase; defenders only need to stop one.
At reconnaissance, limit information exposure. Review what's publicly available about your organization. Train employees on social engineering awareness. Monitor dark web forums and paste sites for mentions of your organization, leaked credentials, and targeting chatter.
At delivery, email security filters detect malicious attachments and URLs. Web proxies block known-bad sites. DNS filtering prevents resolution of malicious domains.
At exploitation, patching closes vulnerabilities. Application hardening (exploit mitigations such as ASLR and DEP, blocking macros in documents from the internet, removing unneeded interpreters) limits the techniques that still work. Endpoint detection catches exploitation attempts, for example an Office process spawning a shell.
At installation, EDR monitors for persistence mechanism creation. Host-based detection alerts on suspicious file and registry modifications.
At C2, network monitoring detects beaconing (periodic check-ins with little jitter), unusual data transfers, or connections to known-bad infrastructure.
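The beaconing check above is usually implemented as a regularity test on inter-arrival times per source/destination pair. The following is an added example, not code from the original lesson: it runs that test over a constructed set of outbound connection records (the hosts, IPs, timings and thresholds are assumptions for illustration). A timer-driven implant with a few seconds of jitter produces gaps with a low coefficient of variation (stdev/mean), while human browsing to the same destination produces gaps with a coefficient near or above 1.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: outbound connection records shaped like a NetFlow/SIEM
# export (timestamp, source host, destination, bytes out). Not real traffic.
BASE = datetime(2024, 3, 1, 9, 0, 0)


def _beacon(dst, period_s, n, jitter_s):
    """Assumed implant: checks in every period_s seconds with +/- jitter_s."""
    recs, t = [], BASE
    for i in range(n):
        recs.append((t, "ws-042", dst, 512))
        # deterministic pseudo-jitter in [-jitter_s, +jitter_s] so the sample is reproducible
        t += timedelta(seconds=period_s + ((i * 5) % (2 * jitter_s + 1)) - jitter_s)
    return recs


def _browsing(dst, gaps_s):
    """Assumed human traffic: bursty, irregular gaps between connections."""
    recs, t = [], BASE
    for g in gaps_s:
        t += timedelta(seconds=g)
        recs.append((t, "ws-042", dst, 1500 + g * 10))
    return recs


SAMPLE = (
    _beacon("203.0.113.7", 60, 20, 3)  # assumed C2: ~60 s period, +/-3 s jitter
    + _browsing("198.51.100.20", [5, 120, 2, 900, 30, 7, 1800, 4, 60, 300, 15, 2400])
)


def beacon_candidates(records, min_connections=8, max_cv=0.2):
    """Return [(src, dst, count, mean_gap_s, cv)] for pairs whose connection
    timing is regular enough to look like a beacon.

    cv is stdev/mean of the gaps between consecutive connections. Pairs with
    fewer than min_connections records are skipped: a handful of connections
    cannot establish periodicity and would produce noise.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _bytes in records:
        by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            hits.append((src, dst, len(times), round(mean, 1), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for src, dst, n, period, cv in beacon_candidates(SAMPLE):
        print(f"{src} -> {dst}: {n} connections, period ~{period}s, cv={cv}")
```

Two caveats a practitioner would apply before shipping this: legitimate software (update checkers, monitoring agents, NTP) is also periodic, so the result set needs an allowlist keyed on destination and process; and a real implant may use a long sleep with large jitter, so the cv threshold and the observation window have to be tuned together rather than fixed at the values assumed here.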
Even late phases offer opportunities. Data loss prevention might catch exfiltration attempts. Segmentation limits what an attacker can reach.
For detection engineering, map your detections to kill chain phases. Where do you have coverage? Where are gaps? Ideally, you can detect attacks at multiple phases, creating redundancy if any single detection fails.
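A coverage map of this kind is easy to keep as data next to the rule set. The following is an added example, not part of the original lesson: it maps a constructed detection inventory (rule names, data sources and phase assignments are all assumptions for illustration) onto the seven phases, lists phases with no coverage, and, going one step beyond the text, lists phases whose rules all depend on a single data source, since two rules on the same sensor give no redundancy when that sensor goes down.

```python
PHASES = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]

# Constructed inventory; rule names, sources and phase tags are assumptions,
# not a real rule set.
DETECTIONS = [
    {"rule": "Macro-bearing attachment", "source": "mail_gateway", "phases": ["delivery"]},
    {"rule": "Newly registered domain", "source": "web_proxy", "phases": ["delivery", "command_and_control"]},
    {"rule": "Office spawning cmd/powershell", "source": "edr", "phases": ["exploitation"]},
    {"rule": "Run key or scheduled task created", "source": "edr", "phases": ["installation"]},
    {"rule": "New service installed", "source": "edr", "phases": ["installation"]},
    {"rule": "Periodic low-jitter outbound", "source": "netflow", "phases": ["command_and_control"]},
    {"rule": "Bulk upload to unsanctioned cloud", "source": "dlp", "phases": ["actions_on_objectives"]},
]


def coverage_matrix(detections, phases=PHASES):
    """Map each phase to the rules that claim to detect it.

    Unknown phase names raise, so a typo in a rule's tags is caught when the
    report is built rather than silently leaving a phase uncovered.
    """
    matrix = {p: [] for p in phases}
    for d in detections:
        for p in d["phases"]:
            if p not in matrix:
                raise ValueError(f"unknown phase {p!r} in rule {d['rule']!r}")
            matrix[p].append(d)
    return matrix


def uncovered(detections, phases=PHASES):
    """Phases with no detection at all."""
    return [p for p, rules in coverage_matrix(detections, phases).items() if not rules]


def single_source(detections, phases=PHASES):
    """Covered phases whose rules all come from one data source."""
    return [
        p for p, rules in coverage_matrix(detections, phases).items()
        if rules and len({r["source"] for r in rules}) == 1
    ]


def report(detections, phases=PHASES):
    lines = []
    for p, rules in coverage_matrix(detections, phases).items():
        sources = sorted({r["source"] for r in rules})
        lines.append(f"{p:24} rules={len(rules)} sources={sources}")
    lines.append(f"uncovered: {uncovered(detections, phases)}")
    lines.append(f"single-source: {single_source(detections, phases)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(DETECTIONS))
```

Weaponization shows up as uncovered in any honest inventory; as the lesson notes, it happens on attacker infrastructure, so the useful gaps to act on are the others. Reconnaissance coverage usually comes from outside the SIEM (external attack-surface review, honeytokens), which is worth recording in the inventory so the map does not overstate the gap.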
For incident response, the kill chain provides a framework for investigation. A detection at any phase implies every earlier phase already succeeded, so once you identify the initial alert, trace backward and forward: how did the attacker get here, and what have they done since? Answering both questions reconstructs the full attack story and tells you which earlier detections missed.