What is the Cyber Kill Chain?


The Cyber Kill Chain maps the seven stages of a cyberattack from reconnaissance to final objectives. Learn how the kill chain framework guides defensive strategy and where defenders can disrupt attacks.

How the Cyber Kill Chain Maps Attacks

Reconnaissance

Attackers gather intelligence about their target before taking any action against it. OSINT sources — LinkedIn employee profiles, job postings that reveal the technology stack, domain registration records, code repositories, and technical conference presentations — provide the information needed to identify targets, understand the technology environment, and select attack techniques suited to the target's defenses.

Weaponization

The attacker creates the delivery mechanism — a phishing email with a malicious attachment, an exploit payload targeting a specific vulnerability, a watering hole site targeting the victim's industry. Weaponization occurs entirely within the attacker's environment and is invisible to defenders.

Delivery

The weaponized attack is transmitted to the target — phishing email delivered to the victim's inbox, exploit directed at an internet-facing service, malicious USB drive left in a parking lot. The delivery phase is the first point at which defenders have visibility into the attack, and the first opportunity to disrupt it.

Exploitation

The delivered weapon exploits a vulnerability to execute attacker-controlled code on the victim's systems. Exploitation may take the form of a software vulnerability exploit, credential theft through phishing, or social engineering that leads an employee to execute a malicious action.

Installation, Command and Control, Actions on Objectives

After exploitation, the attacker installs persistence mechanisms, establishes command and control communication, and pursues their objectives — data theft, ransomware deployment, espionage, sabotage. Each phase requires successful completion of the previous phase, which means defenders who interrupt the kill chain at any phase prevent the attack from achieving its objectives.

Kill Chain-Based Defense

The kill chain model's primary value is organizing defensive investments against the phases where disruption is most cost-effective. Denying Reconnaissance by minimizing public information exposure, monitoring for scanning activity, and protecting employee information reduces attacker intelligence. Denying Delivery through email security, web filtering, and network controls blocks initial access attempts. Denying Exploitation through patch management and vulnerability reduction eliminates the exploitable conditions that exploitation requires. Denying Installation, Command and Control, and Actions through EDR, network monitoring, and anomaly detection catches attackers who succeed in earlier phases.

The kill chain model argues that defenders should focus on early-phase disruption because the cost of disruption increases as attacks progress. Blocking a phishing email at delivery is cheap. Responding to ransomware after domain compromise is expensive. Defense-in-depth aligned to kill chain phases provides multiple opportunities to disrupt an attack, any one of which is sufficient to prevent success.
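The phase-aligned triage described above, as an added example that is not code from the original article: it maps constructed alerts to kill chain phases, ranks hosts by the deepest phase reached (the later the phase, the costlier the disruption), and lists the earlier defender-visible phases that raised no alert on that host, which is where existing controls let the attack pass unseen. The signature names, hostnames and the signature-to-phase mapping are assumptions made for illustration.

```python
from collections import defaultdict
# The seven phases in order; list position is the position in the chain.
PHASES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]

# Assumed (illustrative) mapping from alert signature to the phase it evidences.
SIGNATURE_PHASE = {
    "external_port_scan": "reconnaissance",
    "email_gateway_malicious_attachment": "delivery",
    "office_spawned_powershell": "exploitation",
    "new_run_key_persistence": "installation",
    "beacon_to_rare_domain": "command_and_control",
    "mass_file_rename_encrypt": "actions_on_objectives",
}

# Constructed sample alerts as (host, signature) pairs; hostnames are made up.
ALERTS = [
    ("ws-017", "email_gateway_malicious_attachment"),
    ("ws-017", "office_spawned_powershell"),
    ("ws-042", "new_run_key_persistence"),
    ("ws-042", "beacon_to_rare_domain"),
    ("srv-db1", "mass_file_rename_encrypt"),
    ("edge-fw", "external_port_scan"),
]

def phases_by_host(alerts):
    """Return {host: sorted phase indexes observed on that host}."""
    seen = defaultdict(set)
    for host, signature in alerts:
        seen[host].add(PHASES.index(SIGNATURE_PHASE[signature]))
    return {host: sorted(idx) for host, idx in seen.items()}

def deepest_phase(alerts, host):
    """Furthest phase observed on host, or None if it raised no alert."""
    idx = phases_by_host(alerts).get(host)
    return PHASES[idx[-1]] if idx else None

def unseen_earlier_phases(alerts, host):
    """Phases from Delivery (the first defender-visible phase) up to the deepest
    one observed on host that raised no alert: where earlier controls missed.
    Weaponization is never visible; Reconnaissance is rarely host-attributable."""
    idx = set(phases_by_host(alerts).get(host, []))
    first_visible = PHASES.index("delivery")
    return [PHASES[i] for i in range(first_visible, max(idx, default=-1))
            if i not in idx]

def triage(alerts):
    """Hosts ordered deepest phase first: later disruption costs more."""
    by_host = phases_by_host(alerts)
    return sorted(by_host, key=lambda h: by_host[h][-1], reverse=True)
```

A host that first appears with a Command and Control or Actions on Objectives alert is both the most urgent to contain and the clearest evidence that Delivery and Exploitation controls need attention.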

Kill Chain vs. MITRE ATT&CK

The Cyber Kill Chain and MITRE ATT&CK serve related but different purposes. The kill chain provides a high-level conceptual model of attack progression. ATT&CK provides a detailed taxonomy of specific techniques used at each phase. The kill chain is useful for executive communication and high-level defense planning. ATT&CK is useful for technical teams developing specific detection rules and evaluating specific technique coverage.

Most mature security programs use both: the kill chain model to communicate defense strategy and prioritize control investments, and ATT&CK to translate strategy into specific detection engineering and validation activities.

Real-World Example: APT1 — The Report That Made Kill Chain Famous

Mandiant's 2013 APT1 report documented Chinese military unit 61398's multi-year campaign against US organizations using kill chain analysis as the organizing framework. The report traced attack campaigns from spear phishing delivery through long-term Command and Control operations, demonstrating that the same kill chain phases repeated consistently across hundreds of victim organizations. The report's use of kill chain analysis provided a systematic framework for understanding an attacker who had previously been analyzed as a series of disconnected incidents, and established kill chain methodology as a standard tool for threat intelligence reporting.

7 sequential phases that every cyberattack must progress through, each of which represents a defensive opportunity. An attacker who succeeds in all seven phases achieves their objectives; a defender who disrupts any single phase prevents the attack from reaching completion.

How Cloudskope Can Help

Cloudskope maps security control deployments against the Cyber Kill Chain to identify the phases where an organization has strongest and weakest coverage. Our assessments validate kill chain coverage through adversarial testing, not just theoretical control mapping.