RedSheep Security
Intermediate — Lesson 12 of 12

Kill Chain Analysis


The Kill Chain is one of the most widely recognized frameworks in cybersecurity. Originally developed by Lockheed Martin in 2011, it describes the phases an adversary must complete to achieve their objective. Understanding the Kill Chain gives defenders a structured way to analyze attacks, identify defensive gaps, and disrupt adversary operations at the earliest possible stage.

Learning Objectives

  • Describe the seven phases of the Lockheed Martin Cyber Kill Chain and what occurs in each
  • Apply the courses of action matrix to identify defensive options at each phase
  • Understand the defender's advantage — why breaking any link in the chain stops the attack
  • Evaluate criticisms of the Kill Chain and how complementary models address its limitations
  • Recognize the Unified Kill Chain as an extended model for modern attacks

Origin of the Cyber Kill Chain

The Cyber Kill Chain was introduced in a 2011 paper titled Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains by Eric M. Hutchins, Michael J. Cloppert, and Rohan M. Amin of Lockheed Martin. The paper was presented at the 6th International Conference on Information Warfare and Security.

The concept was adapted from the military kill chain — a systematic process for targeting and engaging an adversary. The authors recognized that cyber intrusions follow a similarly structured sequence, and that understanding this sequence gives defenders the ability to detect and disrupt attacks before they achieve their objectives.

Key Insight: The fundamental principle of the Kill Chain is that an adversary must successfully complete every phase to succeed. A defender only needs to break one link to stop the attack.

The Seven Phases

Phase 1: Reconnaissance

The adversary researches, identifies, and selects targets. This phase involves gathering information that will inform subsequent phases.

  • Passive reconnaissance: Harvesting email addresses from websites, reviewing social media profiles, reading organizational press releases, analyzing job postings for technology clues
  • Active reconnaissance: Scanning internet-facing infrastructure, probing for open ports and services, identifying web application technologies

This phase often occurs outside the defender's visibility, making it the hardest to detect, though not impossible: web server logs, DNS query monitoring, and honeypots can all reveal reconnaissance activity.

Phase 2: Weaponization

The adversary creates a deliverable payload by coupling a remote access tool (RAT) or other malware with an exploit. Common examples include:

  • Embedding a malicious macro in a Microsoft Office document
  • Creating a trojanized PDF with an exploit for a known vulnerability
  • Building a weaponized link that delivers malware through a browser exploit
  • Packaging malware with a legitimate software installer

Weaponization typically happens entirely on adversary infrastructure. Defenders rarely observe this phase directly but can prepare by understanding which exploits are being actively weaponized through threat intelligence.

Phase 3: Delivery

The adversary transmits the weaponized payload to the victim environment. The three most common delivery vectors identified in the original paper are:

| Delivery Vector | Description | Example |
| --- | --- | --- |
| Email attachments | Weaponized files sent via spear-phishing | Malicious DOCX sent to HR staff |
| Malicious websites | Drive-by downloads or watering hole attacks | Compromised industry news site |
| USB/removable media | Physical delivery of weaponized media | Dropped USB drives in parking lots |

This is the first phase where defenders have significant visibility. Email gateways, web proxies, endpoint protection, and user awareness training all provide defensive opportunities at the delivery phase.

Phase 4: Exploitation

The weaponized payload triggers, exploiting a vulnerability to execute code on the victim system. Exploitation targets include:

  • Software vulnerabilities (buffer overflows, use-after-free, deserialization flaws)
  • Operating system vulnerabilities (privilege escalation, kernel exploits)
  • Human vulnerabilities (social engineering the user to enable macros, click a link, or enter credentials)
  • Configuration weaknesses (default credentials, misconfigured services)

Defensive measures include patching, application whitelisting, endpoint detection and response (EDR), and disabling unnecessary features (such as Office macros).

Phase 5: Installation

The adversary installs a persistent backdoor or remote access tool on the victim system to maintain access beyond the initial exploitation. Common installation techniques include:

  • Dropping executables to disk
  • Modifying registry run keys for persistence
  • Creating scheduled tasks or services
  • DLL side-loading into legitimate applications
  • Installing web shells on internet-facing servers

This phase is where many endpoint detection tools excel. File integrity monitoring, behavioral detection, and logging of process creation events (Windows Event ID 4688 or Sysmon Event ID 1) provide visibility into installation activity.
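The process-creation telemetry mentioned above can be searched for installation-phase behaviour such as scheduled task creation or Run-key modification. The following Python script is an added example, not part of the original lesson: it parses a handful of constructed key=value records modelled loosely on the fields that Sysmon Event ID 1 and Windows Event ID 4688 carry (the record format, hostnames, users and file paths are all invented) and flags the persistence patterns the lesson lists, plus an Office application spawning a shell as the step that typically precedes them.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed process-creation records (invented, not real telemetry), written as
# key=value pairs in the spirit of Sysmon Event ID 1 / Windows Event ID 4688.
# Values that contain spaces are double-quoted.
SAMPLE_EVENTS = [
    r'ts=2024-05-01T09:12:03Z host=WS01 user=alice parent=C:\Windows\explorer.exe '
    r'image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" '
    r'cmdline="WINWORD.EXE /n report.docx"',
    r'ts=2024-05-01T09:12:41Z host=WS01 user=alice '
    r'parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" '
    r'image=C:\Windows\System32\cmd.exe '
    r'cmdline="cmd.exe /c schtasks /create /sc minute /mo 15 /tn Updater /tr C:\Users\alice\AppData\Roaming\svc.exe"',
    r'ts=2024-05-01T09:12:42Z host=WS01 user=alice parent=C:\Windows\System32\cmd.exe '
    r'image=C:\Windows\System32\reg.exe '
    r'cmdline="reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svc /t REG_SZ /d C:\Users\alice\AppData\Roaming\svc.exe"',
    r'ts=2024-05-01T09:30:00Z host=WS02 user=SYSTEM parent=C:\Windows\System32\services.exe '
    r'image=C:\Windows\System32\svchost.exe cmdline="svchost.exe -k netsvcs"',
    r'ts=2024-05-01T10:02:17Z host=WS03 user=bob parent=C:\Windows\explorer.exe '
    r'image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c schtasks /query /tn Backup"',
]

# Matches key=value or key="value with spaces"
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one record into a dict of field name -> value."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def office_spawns_shell(ev: Dict[str, str]) -> bool:
    """Exploitation indicator: a document application launching a script host or shell."""
    return basename(ev.get("parent", "")) in OFFICE_APPS and basename(ev.get("image", "")) in SHELLS


def scheduled_task_create(ev: Dict[str, str]) -> bool:
    """Installation indicator: a new scheduled task (schtasks /create)."""
    cmd = ev.get("cmdline", "").lower()
    return "schtasks" in cmd and "/create" in cmd


def run_key_persistence(ev: Dict[str, str]) -> bool:
    """Installation indicator: writing under a CurrentVersion\\Run (or RunOnce) key."""
    cmd = ev.get("cmdline", "").lower()
    return "reg" in cmd and " add " in cmd and "\\currentversion\\run" in cmd


def service_create(ev: Dict[str, str]) -> bool:
    """Installation indicator: creating a new Windows service."""
    cmd = ev.get("cmdline", "").lower()
    return "sc create" in cmd or "sc.exe create" in cmd or "new-service" in cmd


RULES: List[Tuple[str, Callable[[Dict[str, str]], bool]]] = [
    ("office_spawns_shell", office_spawns_shell),
    ("scheduled_task_create", scheduled_task_create),
    ("run_key_persistence", run_key_persistence),
    ("service_create", service_create),
]


def analyze(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, host, rule name) for every record that matches a rule."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for name, check in RULES:
            if check(ev):
                findings.append((ev.get("ts", "?"), ev.get("host", "?"), name))
    return findings


if __name__ == "__main__":
    for ts, host, rule in analyze(SAMPLE_EVENTS):
        print(f"{ts} {host} {rule}")
```

On the constructed records the script flags the Word-launched shell, the task creation and the Run-key write on WS01 and stays silent on the service host and the harmless schtasks /query, which is the point of matching on the create verb rather than on the tool name alone.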

Phase 6: Command and Control (C2)

The installed malware establishes a communication channel back to adversary-controlled infrastructure. The adversary now has remote, interactive access to the victim environment. C2 techniques include:

  • HTTP/HTTPS beaconing to web servers (blends with normal traffic)
  • DNS tunneling (encodes data in DNS queries and responses)
  • Social media or cloud service-based C2 (using legitimate platforms as intermediaries)
  • Custom protocols on non-standard ports

Network monitoring, DNS analysis, proxy log review, and network flow data are key defensive tools for detecting C2 communications. Behavioral indicators such as regular beaconing intervals or unusual data volumes to rare domains can reveal C2 activity.
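One of the behavioral indicators named above, regular beaconing intervals to a domain that few internal hosts contact, can be scored directly from proxy logs. The following Python script is an added example, not code from the lesson: it builds a small constructed proxy log (the addresses, domain names and timings are invented), groups requests by source and destination, and flags pairs whose inter-request gaps have a low coefficient of variation, reporting alongside each hit how many internal hosts contact that destination at all.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import List, NamedTuple, Optional
from urllib.parse import urlsplit

BASE = datetime(2024, 5, 1, 9, 0, 0, tzinfo=timezone.utc)

# Constructed traffic: (source IP, destination host) -> seconds after BASE at
# which a request was seen. The first pair is a ~60 s beacon with slight jitter;
# the others are ordinary bursty browsing. Addresses and domains are invented.
TRAFFIC = {
    ("10.0.0.5", "cdn-update.example.net"): [0, 61, 119, 181, 240, 302, 359, 421],
    ("10.0.0.5", "www.example.com"): [5, 9, 140, 141, 600],
    ("10.0.0.7", "www.example.com"): [30, 31, 33, 400],
    ("10.0.0.7", "mail.example.org"): [15, 16],
}


def build_sample_log() -> List[str]:
    """Render TRAFFIC as proxy log lines: '<ts> <src> <method> <url> <status> <bytes>'."""
    lines = []
    for (src, host), offsets in TRAFFIC.items():
        for off in offsets:
            ts = (BASE + timedelta(seconds=off)).strftime("%Y-%m-%dT%H:%M:%SZ")
            lines.append(f"{ts} {src} GET https://{host}/api/status 200 {400 + off % 97}")
    return sorted(lines)  # ISO timestamps sort correctly as strings


LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


class Request(NamedTuple):
    ts: datetime
    src: str
    dst: str
    size: int


def parse_line(line: str) -> Optional[Request]:
    """Parse one proxy log line; return None for lines that do not fit the format."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Request(ts, m.group(2), urlsplit(m.group(4)).hostname or "", int(m.group(6)))


class Beacon(NamedTuple):
    src: str
    dst: str
    requests: int
    mean_interval_s: float
    cv: float                # stdev / mean of the gaps; near 0 means clockwork timing
    contacting_hosts: int    # how many internal sources talk to dst at all (rarity)


def detect_beacons(lines: List[str], min_events: int = 6, max_cv: float = 0.1) -> List[Beacon]:
    """Flag (src, dst) pairs with at least min_events requests whose gaps are highly regular."""
    by_pair = defaultdict(list)
    sources_by_dst = defaultdict(set)
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        by_pair[(req.src, req.dst)].append(req.ts)
        sources_by_dst[req.dst].add(req.src)

    findings = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            findings.append(Beacon(src, dst, len(times), round(mean, 1), round(cv, 3),
                                   len(sources_by_dst[dst])))
    return sorted(findings, key=lambda b: b.cv)


if __name__ == "__main__":
    for b in detect_beacons(build_sample_log()):
        print(f"{b.src} -> {b.dst}: {b.requests} requests every ~{b.mean_interval_s}s "
              f"(cv={b.cv}), contacted by {b.contacting_hosts} host(s)")
```

The coefficient of variation is used rather than the raw standard deviation so that a 60-second beacon and a 10-minute beacon are judged by the same threshold; the contacting_hosts count is what distinguishes a lone workstation polling an unknown domain from a whole fleet polling a legitimate update service at the same cadence.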

Phase 7: Actions on Objectives

With persistent access and C2 established, the adversary pursues their actual goal. This varies by adversary motivation:

  • Data exfiltration: Stealing intellectual property, PII, classified information
  • Data destruction: Wiping systems, deploying ransomware
  • Espionage: Long-term monitoring and collection
  • Disruption: Taking systems offline, manipulating operational technology
  • Lateral movement: Expanding access to additional systems to reach the ultimate target

This phase is where the actual damage occurs. Data loss prevention (DLP), network segmentation, privileged access management, and robust logging are critical defenses.

The Courses of Action Matrix

The original paper introduced a courses of action (CoA) matrix that maps six defensive actions against each Kill Chain phase:

| Phase | Detect | Deny | Disrupt | Degrade | Deceive | Destroy |
| --- | --- | --- | --- | --- | --- | --- |
| Reconnaissance | Web analytics, OSINT monitoring | Firewall ACLs, information minimization | | | Honeypots, fake content | |
| Weaponization | Threat intelligence, malware analysis | | | | | |
| Delivery | Email filtering, IDS/IPS | Proxy filtering, email blocking | Inline AV, sandboxing | Queuing, rate limiting | | |
| Exploitation | EDR, host IDS | Patching, app whitelisting | | | Honeypots | |
| Installation | EDR, HIDS, file monitoring | Execution prevention, privilege controls | | | Decoy files | |
| C2 | Network monitoring, DNS analysis | Firewall egress rules, DNS sinkholing | Sinkholing, connection resets | Throttling | DNS redirection | |
| Actions on Objectives | DLP, audit logging | Network segmentation, encryption | | | Honey tokens, honey files | |

Key Principle: "Detect" should be present at every phase. "Deny" prevents the adversary from completing the phase. "Disrupt" breaks an in-progress attack. "Degrade" reduces the adversary's effectiveness. "Deceive" feeds false information. "Destroy" refers to offensive or active defense measures.

The Defender's Advantage

The Kill Chain framework reveals a fundamental asymmetry that favors defenders:

  • The adversary must succeed at every phase
  • The defender only needs to succeed at one phase
  • Earlier detection is more valuable — stopping an attack at delivery costs far less than responding after actions on objectives
  • Each defensive success forces the adversary to develop new capabilities, increasing their cost

This concept of "raising the adversary's cost" is central to intelligence-driven defense. When defenders consistently break the Kill Chain at the same phase, adversaries must invest resources to develop alternatives.

Criticisms and Limitations

The Kill Chain has faced several well-founded criticisms since its introduction:

Perimeter-centric focus: The model assumes an outside-in attack pattern. It does not adequately address insider threats, supply chain compromises, or attacks that begin with valid credentials (such as credential stuffing or purchased access).

Linear assumption: Modern attacks are not always linear. Adversaries may skip phases, repeat phases, or operate in multiple phases simultaneously. An attacker who purchases initial access on a dark web marketplace skips phases 1 through 5.

Emphasis on malware delivery: The original model was designed around malware-based intrusions. Many modern attacks rely on living-off-the-land techniques, valid credentials, and legitimate tools that do not follow the traditional weaponization-delivery-exploitation-installation sequence.

Limited granularity in later phases: The "Actions on Objectives" phase is a single step that encompasses a vast range of adversary behavior. MITRE ATT&CK addresses this by providing detailed technique taxonomies for post-exploitation activity.

No coverage of cloud and identity attacks: Attacks targeting cloud environments, identity providers, or SaaS applications do not map cleanly to the traditional Kill Chain phases.

Complementary Frameworks

MITRE ATT&CK

ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) provides the granularity that the Kill Chain lacks, particularly in post-exploitation phases. ATT&CK catalogs hundreds of specific techniques organized by tactical objectives. Many organizations use the Kill Chain for high-level analysis and ATT&CK for detailed technique-level tracking.

The Unified Kill Chain

Paul Pols developed the Unified Kill Chain (published in 2017, updated subsequently) to address the limitations of the original model. The Unified Kill Chain combines elements of the Lockheed Martin Kill Chain and MITRE ATT&CK into an extended model with 18 phases organized into three major stages:

  1. Initial Foothold (getting in): Reconnaissance, Weaponization, Social Engineering, Exploitation, Persistence, Defense Evasion, Command and Control
  2. Network Propagation (spreading through): Discovery, Privilege Escalation, Execution, Credential Access, Lateral Movement
  3. Actions on Objectives (finishing): Collection, Exfiltration, Impact, Objectives

This model better represents modern attacks that involve significant post-initial-access activity before reaching the ultimate objective.

Key Takeaways

  • The Lockheed Martin Cyber Kill Chain describes seven sequential phases of a cyber intrusion, from reconnaissance through actions on objectives
  • The defender's advantage is that breaking any single link in the chain stops the attack
  • The courses of action matrix provides six defensive strategies (detect, deny, disrupt, degrade, deceive, destroy) applicable at each phase
  • Earlier detection and disruption are always preferable — they reduce damage and increase adversary cost
  • The Kill Chain has real limitations: it is perimeter-centric, linear, and lacks detail in later phases
  • MITRE ATT&CK and the Unified Kill Chain complement and extend the original model for modern threat landscapes
  • The Kill Chain remains valuable as a communication and planning tool, even as more detailed frameworks are used for technical analysis

Practical Exercise

Select a published incident report or breach analysis (Mandiant M-Trends, CrowdStrike case studies, or CISA advisories are good sources) and map the attack to the Kill Chain:

  1. For each of the seven phases, identify what the adversary did (if described in the report)
  2. Note which phases are not covered in the report — consider why (the activity was not observed? not reported? did not apply?)
  3. For each phase where activity was identified, fill in the courses of action matrix: what defensive measures could have detected, denied, or disrupted the attack at that phase?
  4. Identify the earliest phase where the attack could have been stopped and what specific defensive capability would have been required
  5. Note any adversary activity that does not fit neatly into the seven phases — what does this tell you about the model's limitations?
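The first four steps above can be carried out programmatically once a report's findings are recorded as phase-tagged events, which also makes the exercise repeatable across reports. The following Python script is an added example, not part of the lesson or of any cited report: it uses a constructed, hypothetical incident timeline and a hypothetical set of existing controls, maps the events onto the seven phases (step 1), lists phases with no reported activity (step 2), checks each active phase against the lesson's courses of action matrix for missing Detect or Deny coverage and quotes the matrix's suggested measures (step 3), and finds the earliest phase where an existing Deny or Disrupt control could have broken the chain (step 4). Step 5 remains an analyst judgement.

```python
from typing import Dict, List, Optional, Tuple

PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and Control", "Actions on Objectives"]

# Courses of action per phase, transcribed from the lesson's matrix
# (only the cells the lesson fills in).
COA_MATRIX: Dict[str, Dict[str, str]] = {
    "Reconnaissance": {"Detect": "Web analytics, OSINT monitoring",
                       "Deny": "Firewall ACLs, information minimization",
                       "Deceive": "Honeypots, fake content"},
    "Weaponization": {"Detect": "Threat intelligence, malware analysis"},
    "Delivery": {"Detect": "Email filtering, IDS/IPS", "Deny": "Proxy filtering, email blocking",
                 "Disrupt": "Inline AV, sandboxing", "Degrade": "Queuing, rate limiting"},
    "Exploitation": {"Detect": "EDR, host IDS", "Deny": "Patching, app whitelisting",
                     "Deceive": "Honeypots"},
    "Installation": {"Detect": "EDR, HIDS, file monitoring",
                     "Deny": "Execution prevention, privilege controls", "Deceive": "Decoy files"},
    "Command and Control": {"Detect": "Network monitoring, DNS analysis",
                            "Deny": "Firewall egress rules, DNS sinkholing",
                            "Disrupt": "Sinkholing, connection resets", "Degrade": "Throttling",
                            "Deceive": "DNS redirection"},
    "Actions on Objectives": {"Detect": "DLP, audit logging",
                              "Deny": "Network segmentation, encryption",
                              "Deceive": "Honey tokens, honey files"},
}

Event = Tuple[str, str, str]  # (date, phase, observed activity)

# Constructed, hypothetical incident timeline; not taken from any real report.
INCIDENT: List[Event] = [
    ("2024-04-28", "Delivery", "Spear-phishing email with a DOCX attachment sent to an HR mailbox"),
    ("2024-04-28", "Exploitation", "User enabled macros; the macro launched a script host"),
    ("2024-04-28", "Installation", "Scheduled task created to run a dropped executable"),
    ("2024-04-29", "Command and Control", "HTTPS beaconing to a newly registered domain"),
    ("2024-05-03", "Actions on Objectives", "File share contents compressed and uploaded to cloud storage"),
]

# Hypothetical controls the organisation had, phase -> action -> control names.
# Installation is empty on purpose: the affected workstation sent no endpoint telemetry.
CONTROLS: Dict[str, Dict[str, List[str]]] = {
    "Delivery": {"Detect": ["email gateway logging"]},
    "Exploitation": {"Detect": ["EDR alerting"]},
    "Installation": {},
    "Command and Control": {"Detect": ["proxy logging"], "Deny": ["egress firewall rules"]},
    "Actions on Objectives": {"Detect": ["file server audit logging"]},
}


def map_incident(events: List[Event]) -> Dict[str, List[str]]:
    """Step 1: group observed adversary activity by Kill Chain phase, in phase order."""
    mapping: Dict[str, List[str]] = {p: [] for p in PHASES}
    for _date, phase, activity in sorted(events):
        if phase not in mapping:
            raise ValueError(f"unknown phase: {phase}")
        mapping[phase].append(activity)
    return mapping


def uncovered_phases(mapping: Dict[str, List[str]]) -> List[str]:
    """Step 2: phases for which the report describes no activity."""
    return [p for p in PHASES if not mapping[p]]


def coverage_gaps(mapping: Dict[str, List[str]], controls: Dict[str, Dict[str, List[str]]],
                  action: str = "Detect") -> List[Tuple[str, str]]:
    """Step 3: active phases lacking any control of the given action, with the matrix's suggestion."""
    gaps = []
    for p in PHASES:
        if mapping[p] and not controls.get(p, {}).get(action):
            gaps.append((p, COA_MATRIX.get(p, {}).get(action, "(none listed)")))
    return gaps


STOPPING_ACTIONS = ("Deny", "Disrupt")


def earliest_stop(mapping: Dict[str, List[str]],
                  controls: Dict[str, Dict[str, List[str]]]) -> Optional[Tuple[str, str, List[str]]]:
    """Step 4: first active phase where an existing Deny/Disrupt control could have broken the chain."""
    for p in PHASES:
        if not mapping[p]:
            continue
        for action in STOPPING_ACTIONS:
            if controls.get(p, {}).get(action):
                return p, action, controls[p][action]
    return None


if __name__ == "__main__":
    m = map_incident(INCIDENT)
    print("Not covered by the report:", uncovered_phases(m))
    for action in ("Detect", "Deny"):
        for phase, suggestion in coverage_gaps(m, CONTROLS, action):
            print(f"No {action} control at {phase}; matrix suggests: {suggestion}")
    print("Earliest point the chain could have been broken:", earliest_stop(m, CONTROLS))
```

On the constructed data the earliest breakable link is Command and Control, because every earlier phase had detection only; that is exactly the situation the lesson's "Deny prevents the adversary from completing the phase" principle is meant to expose, and the Deny gaps printed for Delivery, Exploitation and Installation are the candidates for step 4's "specific defensive capability".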

Further Reading