Kill Chain — Structured Model of the Cyber Attack Lifecycle
The Kill Chain is a structured model that describes the sequential stages of a cyber attack, from reconnaissance to impact. This SECMONS glossary entry explains the Lockheed Martin Cyber Kill Chain, its relevance in modern defense strategy, and how it complements MITRE ATT&CK.
What Is the Kill Chain?
The Kill Chain is a structured model that outlines the sequential stages of a cyber attack, from initial reconnaissance to final impact.
Originally developed as the Lockheed Martin Cyber Kill Chain, the model provides a high-level framework for understanding how intrusions unfold and where defensive controls can interrupt adversary activity.
It transforms isolated events into a coherent operational sequence.
The Seven Phases of the Cyber Kill Chain
The traditional Cyber Kill Chain consists of seven stages:
| Phase | Description |
|---|---|
| Reconnaissance | Attacker gathers information about the target |
| Weaponization | Creation of the malicious payload |
| Delivery | Transmission of the payload to the victim |
| Exploitation | Triggering a vulnerability or executing the payload |
| Installation | Establishing persistence on the compromised host |
| Command & Control | Remote communication with attacker-controlled infrastructure |
| Actions on Objectives | Data theft, disruption, or other impact |
Each phase represents an opportunity for detection or disruption.
Mapping Kill Chain to Modern Concepts
The Kill Chain overlaps with concepts documented across SECMONS:
- Delivery often occurs via /glossary/phishing/
- Exploitation targets weaknesses tracked under /vulnerabilities/
- Installation may involve a /glossary/remote-access-trojan/ or /glossary/web-shell/
- Command & Control aligns with /glossary/command-and-control/
- Actions on Objectives may culminate in /glossary/ransomware/ or /glossary/data-breach/
The model provides structure, while frameworks like MITRE ATT&CK provide granular technique mapping.
Kill Chain vs MITRE ATT&CK
| Model | Focus |
|---|---|
| Kill Chain | Sequential attack stages |
| MITRE ATT&CK | Detailed adversary techniques and tactics |
| Campaign Analysis | Operational context over time |
| Threat Intelligence | Interpretation and correlation |
The Kill Chain emphasizes progression; MITRE ATT&CK emphasizes behavioral detail. The two are complementary.
Why the Kill Chain Matters Defensively
The model reinforces a critical principle:
Disrupting any single stage can break the chain.
Examples:
- Strong email filtering blocks delivery.
- Patch management prevents exploitation.
- Network segmentation limits lateral movement.
- Monitoring reduces dwell time during command and control.
- Zero Trust architecture reduces blast radius.
The earlier a phase is disrupted, the lower the operational impact.
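As an added example (not part of the SECMONS entry), the following Python shows one way a defender can turn the seven phases into a coverage check: given an analyst-tagged incident timeline and an inventory of deployed controls, it reports how far the intrusion progressed, which phases it passed through with no control in place, the earliest phase where a control should have broken the chain, and where the adversary looped back to an earlier phase. The control inventory and the incident timeline are constructed for illustration.

```python
from dataclasses import dataclass

# The seven Lockheed Martin Cyber Kill Chain phases, in order of progression.
PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command & Control", "Actions on Objectives"]
RANK = {name: i for i, name in enumerate(PHASES)}

# Hypothetical control inventory (phase -> deployed controls), built from the examples
# above. Reconnaissance and Weaponization are left uncovered on purpose: they happen
# outside the defender's network and leave few observables.
CONTROLS = {
    "Delivery": ["email filtering"],
    "Exploitation": ["patch management"],
    "Installation": ["endpoint detection and response"],
    "Command & Control": ["egress monitoring"],
}

@dataclass
class Event:
    timestamp: str  # constructed; HH:MM is enough to order events in this example
    phase: str      # Kill Chain phase assigned by the analyst during triage
    detail: str

# Constructed timeline of one intrusion after analyst triage (not real data).
INCIDENT = [
    Event("09:02", "Delivery", "phishing email with macro document accepted by gateway"),
    Event("09:15", "Exploitation", "macro executed, dropper written to user temp dir"),
    Event("09:16", "Installation", "scheduled task created for persistence"),
    Event("09:20", "Command & Control", "periodic beacon to an external host"),
    Event("09:40", "Reconnaissance", "internal share enumeration from compromised host"),
]

def furthest_phase(events):
    """Most advanced Kill Chain phase observed, or None if there are no events."""
    return max(events, key=lambda e: RANK[e.phase]).phase if events else None

def coverage_gaps(events, controls=CONTROLS):
    """Phases the intrusion reached that have no deployed control: points where the
    chain could have been broken but nothing was in place to break it."""
    if not events:
        return []
    return [p for p in PHASES[: RANK[furthest_phase(events)] + 1] if not controls.get(p)]

def earliest_covered_phase(events, controls=CONTROLS):
    """Earliest observed phase a control covers: where detection should have fired."""
    hits = sorted((e.phase for e in events if controls.get(e.phase)), key=RANK.get)
    return hits[0] if hits else None

def phase_regressions(events):
    """Events that step back to an earlier phase than their predecessor in time: the
    adversary looping back (e.g. to reconnaissance) instead of advancing."""
    ordered = sorted(events, key=lambda e: e.timestamp)
    return [b for a, b in zip(ordered, ordered[1:]) if RANK[b.phase] < RANK[a.phase]]
```

On the constructed incident the checks show the chain reaching Command & Control, no control covering the first two phases, Delivery as the first phase where a control should have interrupted it, and one loop back to Reconnaissance from inside the network.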
Kill Chain in Modern Threat Campaigns
Although modern attacks may blur phases or execute them rapidly, structured campaigns described under /glossary/campaign/ still follow recognizable progression patterns.
Even advanced persistent threats adhere to lifecycle stages, though they may:
- Loop back to reconnaissance
- Maintain long-term persistence
- Operate in parallel across victims
Understanding this sequence improves incident response prioritization.
Strategic Value for Security Leaders
The Kill Chain enables:
- Clear executive reporting
- Structured incident analysis
- Defensive gap assessment
- Risk modeling aligned with real-world adversary behavior
- Improved communication between SOC, IR, and leadership
It bridges technical activity and strategic defense planning.
Why SECMONS Includes the Kill Chain Model
SECMONS connects vulnerabilities, campaigns, and impact.
The Kill Chain provides a foundational framework for interpreting how individual techniques fit into larger adversary operations.
It supports structured intelligence analysis rather than isolated event tracking.
Authoritative References
- Lockheed Martin Cyber Kill Chain Whitepaper
- MITRE ATT&CK Framework Documentation