When we want to understand complex behaviour, we almost automatically try to create a structure. We break down processes, organise steps and try to recognise patterns. Cyber attacks are no exception: whether it's recreating attacks in pentesting/red teaming or investigating past attacks in IT forensics – structure is what makes events comprehensible and brings order to an initially confusing environment.

The Cyber Kill Chain offers a proven framework for this. The model describes attacks not as isolated individual events or unpredictable chaos, but as a coherent process with clear phases that can be analysed, simulated and interrupted. It thus creates a common basis for thinking across different security-related disciplines.


What is the Cyber Kill Chain?

The Cyber Kill Chain was developed in 2011 by the US defence contractor Lockheed Martin. The term is derived from the military "kill chain", which describes the steps of an attack from target identification to destruction. Translated into the digital world, the model describes how every successful cyber attack must go through a defined chain of seven consecutive phases.

The 7 phases of a cyber attack

To make the model and its abstract stages more tangible, each of the seven phases is not only described below, but also supplemented with examples and technical details from practice.


1. Reconnaissance

In the reconnaissance phase, the attacker gathers information about the target in order to prepare the attack in a targeted manner (known as "targeting"). The aim is to identify potential vulnerabilities, structures and points of attack. 

Physical world

The burglar observes a residential building, analyses the habits of the residents and identifies possible entry points.

Cyber attack

A fictional attacker ("Megatron") discovers that a sales employee ("Nancy") regularly communicates with an external service provider. This information can be used in the subsequent phases.


In a cyber context, this often means:

  • Use of OSINT (open source intelligence) for passive information gathering from publicly available sources, such as company websites, social media profiles or public databases. 
  • Typical tools include theHarvester and Hunter.io, which automatically collect email addresses, subdomains, and employee profiles (e.g., on LinkedIn).
  • Often, externally accessible (exposed) systems of the target are also actively scanned. Typical tools for this include Nmap, Nessus, and Metasploit. Search engines such as Shodan are also popular, as they can be used to identify publicly accessible systems, open ports, services in use, and known vulnerabilities.

Information gathering takes place predominantly outside the target's own infrastructure and is often carried out using passive methods. Accordingly, it is usually not directly detectable.

Only when active measures are taken – such as scanning publicly accessible systems or brute force attempts – do usable traces emerge. These can be made visible through perimeter-based monitoring, central logging, and signature- or behaviour-based detection. 

Complete prevention is hardly possible; the main goal here is transparency about one's own attack surface.


2. Weaponization

Once vulnerabilities or targets have been identified, the attacker prepares the actual attack tools or customises their tools during the weaponisation phase. The aim is to convert the information obtained previously into a concrete attack method that works technically and is as inconspicuous as possible. 

Physical world

The burglar prepares burglary tools and a suitable disguise in order to gain access to the property inconspicuously.

Cyber attack

Based on the findings from the reconnaissance phase, Megatron creates a deceptively genuine email that appears to come from a well-known external service provider. He attaches a manipulated PDF document that downloads malicious code when opened.


In a cyber context, this often means:

  • Creation or adaptation of malware, e.g. in prepared documents or phishing websites, often tailored to the target based on the information collected.
  • Frameworks such as Metasploit, Cobalt Strike or PowerShell scripts are often used to create malware.

The weaponisation phase takes place entirely outside the target environment and does not generate any technical artefacts within the organisation's own infrastructure.

Detection by the target is therefore not possible. Protective measures are exclusively preventive in nature, such as organisational measures, awareness training or restrictive guidelines for file types and content.

From a defence perspective, this phase remains a black box and only becomes relevant retrospectively in the context of forensic analysis.


3. Delivery

In the delivery phase, the attacker brings their prepared attack tool to the target. The decisive factor here is the choice of a transmission path that appears as credible as possible and circumvents existing protection mechanisms.  

Physical world

The burglar approaches the house under a plausible pretext, such as a tradesman, and hides his burglary tools.

Cyber attack

Megatron sends the prepared email specifically to Nancy. The sender, signature and wording correspond to the service provider's known communication style, so that the message does not arouse suspicion.


In a cyber context, this often means:

  • Phishing or targeted spear phishing, in which the information collected is used to build trust (e.g. a supposed invoice from a known business partner or an internal communication from the IT department). Specialised phishing frameworks such as GoPhish or Evilginx are often used to automate and scale such campaigns. Credibility is further enhanced by compromised or newly registered domains, for example in the context of typosquatting (deliberate imitation of legitimate senders or known partners).
  • Physical attack methods, such as a "USB drop" attack, in which infected USB sticks with company logos are placed in car parks or sent by post as supposed promotional gifts.
  • Watering hole attacks, in which attackers compromise a legitimate website that is regularly visited by the target group. Visitors are infected without noticing, for example via so-called drive-by downloads.

In the delivery phase, the attack first reaches the perimeter of the company, which provides the first opportunities for detection. This phase therefore often represents the earliest realistic point of detection.

Email security mechanisms (email gateways, spam and phishing filters), web gateways and content filters can detect or block suspicious transmission paths. However, in the case of targeted attacks (spear phishing), the detection rate is significantly lower, especially when legitimate sender addresses or well-known cloud services are misused.


4. Exploitation

The exploitation phase is characterised, among other things, by short-lived, security-critical activity. Its aim is to gain access to the target, for example by actively exploiting a vulnerability and circumventing security mechanisms.

Physical world

The burglar uses a security vulnerability, such as a poorly secured window or a front door that is briefly open, to gain access to the building.

Cyber attack

Nancy opens the PDF document. An unpatched vulnerability in the PDF reader is exploited to execute malicious code in the background – without any visible clues for the user.


In a cyber context, this often means:

  • Exploitation of software vulnerabilities or misconfigurations, e.g. in web applications, operating systems or third-party software. Known, unpatched security vulnerabilities or so-called zero-day vulnerabilities can be exploited. Automated exploit frameworks such as Metasploit are often used for exploitation.
  • However, humans themselves are often the weak point: clicking on a link or activating macros in a document triggers the execution of the malicious code.

Endpoint Detection & Response (EDR) can detect the exploitation phase through runtime and behaviour monitoring, for example by identifying unusual process starts, atypical memory accesses or deviations from normal application execution behaviour. Unpatched systems or missing protection mechanisms significantly increase the risk. If the attack is not detected, it immediately transitions to an active IT security incident.  


5. Installation

A single access is rarely enough for professional attackers. The goal is to gain permanent or at least multiple access and to anchor themselves in the target object. After successful exploitation, the attacker therefore installs components to ensure persistence. 

Physical world

The burglar makes sure that it will be easier to return later, for example by unlocking a window or hiding a spare key.

Cyber attack

The malicious code from the prepared PDF document installs a new program on Nancy's computer that loads automatically when the system starts up and disguises itself as a legitimate system process (known as a backdoor).


In a cyber context, this often means:

  • Attackers install backdoors or other malware to maintain permanent access to the system even after reboots or user changes.
  • For example, webshells are often placed on compromised web servers, allowing files to be uploaded, commands to be executed or additional malware to be downloaded.
  • Persistence is also achieved by manipulating system mechanisms, such as entries in the Windows registry (run keys), scheduled tasks, autostart folders or modified system services that ensure the malware starts automatically.
  • Obfuscation techniques such as "timestomping" alter the timestamps of files so that malware files appear to be legitimate system files, making them more difficult for security solutions to detect.
  • Post-exploitation frameworks such as Cobalt Strike or Empire are used, for example, to secure access to compromised systems and execute remote commands.

An endpoint detection and response (EDR) solution can also provide support in this phase, although the focus here is more on detecting persistent system changes. These include new autostart entries, manipulated services, scheduled tasks or permanently running processes that do not correspond to the expected system state.
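As an added illustration of the detection logic described for phases 4 and 5 (example code written for this article's scenario, not part of the original text or of any EDR product), the following Python walks a constructed process tree to flag a script interpreter that descends from a document viewer, and a Run-key write made by one of that viewer's descendants. The event format, file paths and process names are assumptions.

```python
import re
from collections import namedtuple

# Constructed endpoint telemetry in the style of process-creation and registry-write
# events (not from any real product; field names and paths are assumptions).
ProcEvent = namedtuple("ProcEvent", "pid ppid image")
RegEvent = namedtuple("RegEvent", "pid key value")
PROC_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\PDFReader\reader.exe"),  # Nancy opens the PDF
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe"),  # exploit spawns a shell
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(500, 100, r"C:\Program Files\Mail\mail.exe"),  # unrelated, benign
]
REG_EVENTS = [
    RegEvent(400, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
             r"C:\Users\nancy\AppData\Roaming\svchost.exe"),  # backdoor registers itself
    RegEvent(500, r"HKCU\Software\Mail\Settings", "1"),
]
DOCUMENT_APPS = {"reader.exe", "winword.exe", "excel.exe"}  # viewers that should not spawn shells
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def ancestors(pid, by_pid):
    """Yield image basenames of pid's parent, grandparent, ... up to the root."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid].ppid
        if pid in by_pid:
            yield basename(by_pid[pid].image)

def detect(proc_events, reg_events):
    """Return (phase, pid, detail) alerts for phase-4 and phase-5 indicators."""
    by_pid = {e.pid: e for e in proc_events}
    alerts = []
    # Exploitation (phase 4): a script interpreter descends from a document viewer.
    for e in proc_events:
        if basename(e.image) in INTERPRETERS and any(
                a in DOCUMENT_APPS for a in ancestors(e.pid, by_pid)):
            alerts.append(("exploitation", e.pid, basename(e.image)))
    # Installation (phase 5): a Run-key write by a process descended from a viewer.
    for r in reg_events:
        if RUN_KEY.search(r.key) and any(
                a in DOCUMENT_APPS for a in ancestors(r.pid, by_pid)):
            alerts.append(("persistence", r.pid, r.value))
    return alerts
```

Walking the full ancestry rather than only the direct parent matters because the interpreter is often launched via an intermediate shell, as in the constructed events.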


6. Command & Control

In this phase, the attacker establishes an external communication channel to the compromised target. Commands are received and data is exfiltrated via this channel.

Physical world

The burglar maintains contact with an accomplice who observes the surroundings and warns of disturbances or the return of the residents.

Cyber attack

The backdoor on Nancy's computer regularly connects to a server controlled by Megatron and waits for further instructions. Megatron uses this channel to gather additional information and install further tools, such as a keylogger to capture access data.


In a cyber context, this often means:

  • After a successful infection, an outgoing connection is established from the compromised system to a command-and-control server, which the attacker can use to remotely control the system. Since incoming connections are often blocked by firewalls, communication typically takes place from the inside out.
  • Communication often takes place via encrypted connections using HTTP(S), DNS or common cloud services in order to embed itself in regular network traffic.
  • Techniques such as DNS tunnelling are used to conceal data traffic, whereby commands or data are hidden in DNS queries, which are usually permitted by security mechanisms.
  • Legitimate remote maintenance tools such as TeamViewer or AnyDesk can also be misused to enable inconspicuous remote control of the system.
  • Specialised C2 frameworks such as Cobalt Strike, which use so-called beacons (malware), are often employed. These periodically establish a connection to a server controlled by the attacker in order to retrieve and execute commands.

The command-and-control phase generates regular outgoing network traffic, providing an opportunity to detect the attack.

Network-based monitoring, behaviour-based anomaly detection and threat intelligence-supported analyses can identify unusual communication patterns – such as periodic connections to unknown destination addresses or already known malicious addresses, or atypical DNS queries.

Since communication is often disguised as legitimate web traffic, context-based analysis of network traffic is crucial.
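As an added example, not part of the original article, the following Python applies two of the detection heuristics named above to constructed log lines: it scores the regularity of outbound connections per destination to surface periodic beaconing, and flags DNS queries whose leftmost label looks like encoded payload, as in DNS tunnelling. The log formats, addresses and thresholds are assumptions.

```python
import math
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample logs (not from any real product): outbound connections
# from Nancy's workstation and the DNS queries it issued.
CONN_LOG = """\
2024-03-04T09:00:00Z 10.0.0.21 -> 203.0.113.10:443
2024-03-04T09:01:00Z 10.0.0.21 -> 203.0.113.10:443
2024-03-04T09:02:01Z 10.0.0.21 -> 203.0.113.10:443
2024-03-04T09:03:00Z 10.0.0.21 -> 203.0.113.10:443
2024-03-04T09:00:12Z 10.0.0.21 -> 198.51.100.7:443
2024-03-04T09:07:45Z 10.0.0.21 -> 198.51.100.7:443
2024-03-04T09:08:02Z 10.0.0.21 -> 198.51.100.7:443
2024-03-04T09:31:30Z 10.0.0.21 -> 198.51.100.7:443
"""
DNS_LOG = """\
10.0.0.21 q=www.example.com
10.0.0.21 q=a8f3e9c1b2d4e6f7a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5.tunnel.example.net
"""
CONN_RE = re.compile(r"^(\S+) (\S+) -> (\S+):\d+$")

def beacon_candidates(log, min_hits=4, max_cv=0.10):
    # (src, dst) pairs whose connection intervals are suspiciously regular:
    # coefficient of variation (stddev / mean) of the gaps at or below max_cv.
    times = defaultdict(list)
    for m in filter(None, map(CONN_RE.match, log.splitlines())):
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").timestamp()
        times[(m.group(2), m.group(3))].append(ts)
    hits = {}
    for key, ts in times.items():
        if len(ts) < min_hits:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = sum(gaps) / len(gaps)
        std = math.sqrt(sum((g - mean) ** 2 for g in gaps) / len(gaps))
        if mean > 0 and std / mean <= max_cv:
            hits[key] = int(round(mean))  # average beacon period in seconds
    return hits

def shannon_entropy(s):
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def tunnel_candidates(log, min_label_len=30, min_entropy=3.5):
    # Long, high-entropy leftmost labels look like encoded payload, not hostnames.
    names = [line.split("q=", 1)[-1] for line in log.splitlines()]
    return [n for n in names if len(n.split(".", 1)[0]) >= min_label_len
            and shannon_entropy(n.split(".", 1)[0]) >= min_entropy]
```

In practice the thresholds need tuning against a baseline of legitimate periodic traffic (update checks, monitoring agents), which is exactly the context-based analysis the text calls for.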

7. Actions on Objectives

In the final phase, the attacker pursues their actual objectives. These can vary depending on their motivation or be combined with each other. The effects of this phase are immediately apparent to those affected.

Physical world

The burglar searches the house specifically for valuables or sensitive documents.

Cyber attack

Using Nancy's access data, Megatron moves further into the company network, accesses sales data and exfiltrates sensitive information about customers and offers. Megatron then uses encryption software and blackmails Nancy's company.


Targets in the cyber context can include:

  • Data theft (exfiltration) of sensitive company data
  • Encryption of data as part of ransomware attacks
  • Lateral movement and privilege escalation, for example from workstations to critical servers
  • Destruction of backups and shadow copies to prevent recovery

The focus in this phase is on detection, damage limitation and investigation.

Unusual access to sensitive systems, data leaks or the escalation of permissions can be detected by central security monitoring. This includes, among other things: Security Information and Event Management (SIEM) systems, which correlate events from different sources and reveal conspicuous patterns, and Data Loss Prevention (DLP) solutions, which monitor sensitive data movements and detect leaks.

For traceability, including in the context of IT forensic investigations, it is crucial to log all security-related events as completely as possible.

In many cases, detection only occurs after damage has already been done – this phase therefore often marks the transition to incident response and IT forensics. The latter serves in particular to reconstruct the cause, course of the attack and its effects in order to assess the consequences, residual risks and appropriate measures.

Limitations and extensions of the Cyber Kill Chain

While the Cyber Kill Chain is an excellent introductory model, it reaches its limits in modern security architecture.

The problem of linearity

The model suggests a strictly linear process. In reality, especially in the case of complex attacks (advanced persistent threats), attackers often jump back and forth between phases or skip steps. In addition, the Cyber Kill Chain focuses heavily on defence at the network perimeter and less on the scenario in which an attacker is already moving within the internal network ("assume breach" mentality).

Modern alternatives: MITRE ATT&CK & Unified Kill Chain

The MITRE ATT&CK framework has therefore established itself as the de facto standard for operational security teams. Unlike the linear kill chain, it is a comprehensive knowledge base in the form of a matrix that describes tactics and techniques in detail based on real attack observations. It is less of a "checklist" and more of a "periodic table" of attack techniques. Accordingly, the detailed description of the techniques and tactics allows targeted measures for prevention, detection and hardening to be derived at the operational level. Security controls can thus be assigned to specific attack techniques and systematically reviewed.


A hybrid approach is the Unified Kill Chain (UKC). It extends the classic model to 18 steps and recognises that attacks often occur in loops: an attacker breaks in ("In"), spreads ("Through") and then exfiltrates data ("Out").

Conclusion

Despite the limitations of the model, the Cyber Kill Chain (according to Lockheed Martin) is an effective tool for management to develop structured security strategies, make informed budget decisions and explain cyber attacks in a comprehensible manner. The model illustrates why investments in email security (phase 3), endpoint detection and response (phases 4 and 5) and network monitoring (phase 6) are equally necessary and should be considered as a coordinated overall concept.

For technical teams, it provides a strategic framework that is operationalised and deepened by more detailed models such as MITRE ATT&CK. While the Cyber Kill Chain answers the "why" and "where", operational models provide the "how".

Whether it's strategic security planning, realistic attack simulations (pentesting), or the structured investigation of security incidents as part of incident response and forensic investigations – we support you in understanding, testing, and effectively detecting attacks along the entire Kill Chain.