Kill Chain — Structured Model of the Cyber Attack Lifecycle
The Kill Chain is a structured model that describes the sequential stages of a cyber attack, from reconnaissance to impact. This SECMONS glossary entry explains the Lockheed Martin Cyber Kill Chain, its relevance in modern defense strategy, and how it complements MITRE ATT&CK.
What Is the Kill Chain? 🧠
The Kill Chain is a structured model that outlines the sequential stages of a cyber attack, from initial reconnaissance to final impact.
Originally developed as the Lockheed Martin Cyber Kill Chain, the model provides a high-level framework for understanding how intrusions unfold and where defensive controls can interrupt adversary activity.
It transforms isolated events into a coherent operational sequence.
The Seven Phases of the Cyber Kill Chain 🎯
The traditional Cyber Kill Chain consists of seven stages:
| Phase | Description |
|---|---|
| Reconnaissance | Attacker gathers information about the target |
| Weaponization | Attacker creates a malicious payload |
| Delivery | Payload is transmitted to the victim |
| Exploitation | A vulnerability is triggered or the payload is executed |
| Installation | Persistence is established on the victim system |
| Command & Control | Remote communication channel back to the attacker |
| Actions on Objectives | Data theft, disruption, or other impact |
Each phase represents an opportunity for detection or disruption.
Mapping Kill Chain to Modern Concepts 🔄
The Kill Chain overlaps with concepts documented across SECMONS:
- Delivery often occurs via /glossary/phishing/
- Exploitation targets weaknesses tracked under /vulnerabilities/
- Installation may involve a /glossary/remote-access-trojan/ or /glossary/web-shell/
- Command & Control aligns with /glossary/command-and-control/
- Actions on Objectives may culminate in /glossary/ransomware/ or /glossary/data-breach/
The model provides structure, while frameworks like MITRE ATT&CK provide granular technique mapping.
Kill Chain vs MITRE ATT&CK 🔬
| Model | Focus |
|---|---|
| Kill Chain | Sequential attack stages |
| MITRE ATT&CK | Detailed adversary techniques and tactics |
| Campaign Analysis | Operational context over time |
| Threat Intelligence | Interpretation and correlation |
The Kill Chain emphasizes progression, while MITRE ATT&CK emphasizes behavioral detail; the two are complementary.
Why the Kill Chain Matters Defensively 🛡️
The model reinforces a critical principle: disrupting any single stage can break the chain.
Examples:
- Strong email filtering blocks delivery.
- Patch management prevents exploitation.
- Network segmentation limits lateral movement.
- Monitoring reduces dwell time during command and control.
- Zero Trust architecture reduces blast radius.
The earlier a phase is disrupted, the lower the operational impact.
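As an added example (not code from the SECMONS entry or from Lockheed Martin's model), the following Python places constructed detection events onto the seven phases to show how far an intrusion progressed, where a control broke the chain, and which earlier phases produced no telemetry. The sensor categories, their mapping to phases, and the sample incident are assumptions.

```python
# Added example (not from the SECMONS entry): place constructed detection
# events onto the seven Kill Chain phases and summarize the intrusion.
PHASES = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command & Control", "Actions on Objectives",
]
# Weaponization happens off-network and is rarely visible to defenders.
UNOBSERVABLE = {"Weaponization"}

# Hypothetical sensor categories mapped to phases (constructed).
CATEGORY_TO_PHASE = {
    "external_port_scan": "Reconnaissance",
    "phishing_email": "Delivery",
    "exploit_attempt": "Exploitation",
    "persistence_created": "Installation",
    "c2_beacon": "Command & Control",
    "data_exfiltration": "Actions on Objectives",
}

def analyze(events):
    """events: (seconds, category, blocked) tuples. Returns a summary dict."""
    status = {p: "not observed" for p in PHASES}
    for _ts, category, blocked in sorted(events):
        phase = CATEGORY_TO_PHASE.get(category)
        if phase is None:
            continue  # unknown category cannot be placed on the chain
        if not blocked:
            status[phase] = "reached"        # adversary got through here
        elif status[phase] == "not observed":
            status[phase] = "blocked"        # the control held here
    reached = [p for p in PHASES if status[p] == "reached"]
    cutoff = PHASES.index(reached[-1]) if reached else 0
    # Phases before the deepest one reached that no sensor saw: detection gaps.
    gaps = [p for p in PHASES[:cutoff]
            if status[p] == "not observed" and p not in UNOBSERVABLE]
    first_block = next((p for p in PHASES if status[p] == "blocked"), None)
    return {"status": status, "deepest": reached[-1] if reached else None,
            "gaps": gaps, "first_block": first_block}

# Constructed incident: scan seen, phishing mail passed the filter, the
# exploit itself went undetected, persistence seen, beacon blocked at egress.
SAMPLE_EVENTS = [
    (0, "external_port_scan", False),
    (3600, "phishing_email", False),
    (4100, "persistence_created", False),
    (4200, "c2_beacon", True),
]

if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS))
```

For the sample incident the chain is broken at Command & Control, but the report also shows that Exploitation produced no telemetry even though the adversary reached Installation, which is the gap a defender would investigate.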
Kill Chain in Modern Threat Campaigns 🔎
Although modern attacks may blur phases or execute them rapidly, structured campaigns described under /glossary/campaign/ still follow recognizable progression patterns.
Even advanced persistent threats adhere to lifecycle stages, though they may:
- Loop back to reconnaissance
- Maintain long-term persistence
- Operate in parallel across victims
Understanding this sequence improves incident response prioritization.
Strategic Value for Security Leaders 📌
The Kill Chain enables:
- Clear executive reporting
- Structured incident analysis
- Defensive gap assessment
- Risk modeling aligned with real-world adversary behavior
- Improved communication between SOC, IR, and leadership
It bridges technical activity and strategic defense planning.
Why SECMONS Includes the Kill Chain Model 📎
SECMONS connects vulnerabilities, campaigns, and impact.
The Kill Chain provides a foundational framework for interpreting how individual techniques fit into larger adversary operations.
It supports structured intelligence analysis rather than isolated event tracking.
Authoritative References 📎
- Lockheed Martin Cyber Kill Chain Whitepaper
- MITRE ATT&CK Framework Documentation