The Cyber Kill Chain: How Attacks Actually Work
The step-by-step anatomy of a cyberattack - from reconnaissance to objectives. Understanding the full chain so you know where to defend and where to break it.
Ground Up: Attacker's Playbook
Part 1 of 6
Cyberattacks aren’t random button presses. They follow a process. Whether it’s a teenager with Kali Linux or a state-sponsored APT group, the steps are remarkably similar.
Understanding this process - the “kill chain” - tells you two things: what attackers do at each stage, and where defenders can stop them. Every security tool, every detection rule, every incident response playbook maps to a stage in this chain.
The Models
Two frameworks dominate how the industry talks about attacks.
Lockheed Martin Cyber Kill Chain
The original model (2011). Seven linear stages:
1. Reconnaissance → Research the target
2. Weaponization → Build the attack tool
3. Delivery → Send it to the target
4. Exploitation → Trigger the vulnerability
5. Installation → Establish persistence
6. Command & Control (C2) → Set up remote access
7. Actions on Objectives → Achieve the goal
MITRE ATT&CK
A more detailed, modern framework. Instead of seven stages, ATT&CK catalogs hundreds of specific techniques organized into 14 tactics (categories of goals):
| Tactic | Goal |
|---|---|
| Reconnaissance | Gather information |
| Resource Development | Build infrastructure |
| Initial Access | Get in |
| Execution | Run code |
| Persistence | Stay in |
| Privilege Escalation | Get more access |
| Defense Evasion | Avoid detection |
| Credential Access | Steal credentials |
| Discovery | Map the environment |
| Lateral Movement | Spread to other systems |
| Collection | Gather target data |
| Command & Control | Maintain communication |
| Exfiltration | Steal data |
| Impact | Destroy/disrupt |
ATT&CK is what security teams actually use day-to-day. It maps specific techniques (like “T1566 - Phishing”) to tactics, with real-world examples and detection guidance.
For learning, we’ll walk through the kill chain stages. For reference during your career, ATT&CK at attack.mitre.org is the resource.
Stage 1: Reconnaissance
Goal: Learn everything about the target before touching it.
The attacker gathers information without alerting the target. Two types:
Passive reconnaissance (no direct contact):
- Company website, employee LinkedIn profiles
- DNS records, WHOIS data
- Job postings (reveal technology stack)
- Public code repositories (GitHub, GitLab)
- Breach databases (leaked credentials)
- Social media (employee names, email formats, organizational structure)
Active reconnaissance (direct contact):
- Port scanning (nmap)
- Service enumeration
- Web application crawling
- DNS zone transfers (if misconfigured)
- Vulnerability scanning
Active recon is riskier - it generates logs and can be detected. We’ll cover this in depth in the next post.
Defender’s opportunity: Monitor for scanning activity, minimize public information exposure, use honeypots to detect probing.
Stage 2: Weaponization
Goal: Create or acquire the attack tool.
The attacker builds or customizes something to exploit what they found in recon:
- Exploit code for a known vulnerability (often from public sources like Exploit-DB)
- Phishing email with a malicious attachment or link
- Malicious document (Word, Excel, PDF) with embedded macros or exploits
- Custom malware tailored for the target environment
- Trojanized software - legitimate tools with backdoors added
Most attackers don’t write exploits from scratch. They modify existing ones. The barrier to entry is lower than most people think.
Defender’s opportunity: Limited. This happens on the attacker’s side. But threat intelligence (knowing what tools threat actors use) helps predict what’s coming.
Stage 3: Delivery
Goal: Get the weapon to the target.
Common delivery methods:
| Method | Description |
|---|---|
| Phishing email | Most common. Malicious attachment or link sent to employees |
| Spear phishing | Targeted phishing using personal information about the victim |
| Watering hole | Compromise a website the target frequently visits |
| USB drop | Leave infected USB drives where employees will find them |
| Supply chain | Compromise a vendor or software update the target uses |
| Exposed services | Directly exploit an internet-facing vulnerability |
Phishing is the delivery method in the majority of successful attacks. It’s cheap, scalable, and exploits the hardest vulnerability to patch: human judgment.
Defender’s opportunity: Email filtering, web proxies, user awareness training, patch exposed services, supply chain security reviews.
Stage 4: Exploitation
Goal: Execute the attack to gain initial access.
The vulnerability is triggered:
- User opens the malicious document → macro executes
- User clicks the phishing link → enters credentials on fake site
- Exploit hits an unpatched service → code execution achieved
- User plugs in the USB → autorun executes payload
This is the moment the attacker goes from “outside” to “inside.” The vulnerability could be technical (software flaw) or human (phishing).
Defender’s opportunity: Patching, application whitelisting, disabling macros, endpoint detection, sandboxing attachments.
Stage 5: Installation / Persistence
Goal: Maintain access even if the initial entry point is closed.
The attacker establishes ways to get back in:
- Backdoor accounts - Create new admin accounts
- Scheduled tasks / cron jobs - Run malware on a schedule
- Registry run keys (Windows) - Auto-start on boot
- Web shells - PHP/ASP files uploaded to web servers
- Implants - Custom malware that survives reboots
- SSH keys - Add attacker’s public key to ~/.ssh/authorized_keys
- DLL hijacking - Replace a legitimate DLL with a malicious one
A good attacker establishes multiple persistence mechanisms. If you find and remove one, the others keep them in.
Defender’s opportunity: Monitor for new accounts, unexpected scheduled tasks, registry changes, file integrity monitoring, hunt for known persistence locations.
Stage 6: Command & Control (C2)
Goal: Establish reliable communication between attacker and compromised system.
The compromised machine needs to call home. The attacker sets up C2 infrastructure:
- HTTP/HTTPS beacons - Blend with normal web traffic
- DNS tunneling - Encode commands in DNS queries
- Custom protocols - Proprietary communication channels
- Cloud services - Use legitimate services (Slack, Discord, cloud storage) as C2 channels
- Reverse shells - Direct interactive access (covered in our reverse shell posts)
C2 frameworks like Cobalt Strike, Sliver, and Mythic automate all of this - managing multiple compromised machines, tasking them remotely, and exfiltrating data.
Defender’s opportunity: Network monitoring, DNS logging, anomaly detection, egress filtering, block known C2 infrastructure.
Stage 7: Actions on Objectives
Goal: Whatever the attacker came for.
This varies by attacker motivation:
| Motivation | Objectives |
|---|---|
| Financial (Ransomware) | Encrypt files, demand payment, threaten data leak |
| Financial (Theft) | Steal payment data, transfer funds |
| Espionage | Exfiltrate intellectual property, government secrets |
| Hacktivism | Deface websites, leak data, disrupt operations |
| Destruction | Wipe systems, destroy data (e.g., NotPetya) |
| Access broker | Sell access to other criminals |
Before reaching objectives, attackers typically:
- Discover - Map the internal network, find high-value targets
- Escalate privileges - Get admin/root access (covered in a later post)
- Move laterally - Spread to other systems (domain controllers, file servers, databases)
- Collect - Gather the data they want
- Exfiltrate - Move data out of the network
Defender’s opportunity: Data loss prevention, network segmentation, database monitoring, backup strategy (for ransomware resilience).
A Real Attack: Step by Step
Let’s trace a realistic ransomware attack through the kill chain:
1. RECON
Attacker finds company email format (first.last@company.com)
from LinkedIn. Identifies the CFO and IT admin names.
2. WEAPONIZE
Creates a phishing email impersonating a vendor invoice.
Attaches a Word document with a malicious macro.
3. DELIVER
Sends email to the CFO's assistant:
"Please review the attached Q4 invoice"
4. EXPLOIT
Assistant opens the document. Clicks "Enable Content"
when prompted. Macro executes PowerShell in the background.
5. INSTALL
PowerShell downloads Cobalt Strike beacon.
Beacon establishes persistence via scheduled task.
Creates a backup backdoor account.
6. C2
Beacon phones home to attacker's server every 60 seconds
over HTTPS (blends with normal web traffic).
7. ACTIONS ON OBJECTIVES
a. Run BloodHound to map Active Directory
b. Find a path to Domain Admin
c. Dump credentials from memory (Mimikatz)
d. Move laterally to Domain Controller
e. Exfiltrate sensitive data to cloud storage
f. Deploy ransomware across all domain-joined machines
g. Leave ransom note demanding $2M in Bitcoin
Total time from phishing email to ransomware deployment: sometimes hours, sometimes weeks. Access brokers may compromise a network and sit quietly for months before selling the access.
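The 60-second HTTPS beacon in the walkthrough above is exactly the traffic that the "network monitoring, anomaly detection" line under Stage 6 is meant to catch. As an added example (not code from the original post), here is a small Python beacon detector that groups proxy-log requests by client and destination and flags pairs whose inter-request timing is too regular for a human browsing the web. The log format, the hostnames and the thresholds are assumptions; the sample log is constructed inline.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Assumed proxy log format: "<epoch_seconds> <client_ip> <dest_host> <status>"
LOG_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def parse_log(text):
    """Group request timestamps by (client, destination); malformed lines are skipped."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, _status = m.groups()
        sessions[(src, dst)].append(int(ts))
    return sessions


def find_beacons(text, min_hits=8, max_cv=0.1):
    """Return (src, dst, mean_gap, cv) for pairs whose gaps between requests are
    suspiciously regular. cv = stdev/mean of the gaps; a human's browsing has a
    high cv, a scheduled beacon (even with a little jitter) has a low one."""
    hits = []
    for (src, dst), stamps in parse_log(text).items():
        if len(stamps) < min_hits:
            continue  # too few requests to judge regularity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append((src, dst, round(avg, 1), round(cv, 3)))
    return hits


def build_sample_log():
    """Constructed sample: one host beaconing every ~60 s (with small jitter) to a
    hypothetical C2 host, plus irregular human browsing to a legitimate site."""
    lines, t = [], 1_700_000_000
    for jitter in (0, 1, -1, 2, 0, -2, 1, 0, -1, 1):
        t += 60
        lines.append(f"{t + jitter} 10.0.0.5 c2.example.invalid 200")
    t = 1_700_000_000
    for gap in (5, 410, 33, 1200, 7, 2900, 180, 45, 900, 60):
        t += gap
        lines.append(f"{t} 10.0.0.5 news.example.com 200")
    return "\n".join(lines)


if __name__ == "__main__":
    for src, dst, avg, cv in find_beacons(build_sample_log()):
        print(f"possible beacon: {src} -> {dst} every ~{avg}s (cv={cv})")
```

Real beacons add deliberate jitter and sleep between check-ins, so the cv threshold and the minimum hit count need tuning against your own traffic baseline; the point is that the regularity itself, not the destination, is the signal.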
Breaking the Chain
The kill chain model has a critical insight: the attacker must succeed at every stage; the defender only needs to stop one.
| Stage | Detection/Prevention |
|---|---|
| Reconnaissance | Threat intelligence, attack surface monitoring |
| Weaponization | Threat intel on attacker tooling |
| Delivery | Email security, web filtering, patch management |
| Exploitation | Endpoint protection, application whitelisting, patching |
| Installation | File integrity monitoring, process monitoring |
| C2 | Network monitoring, DNS analysis, egress filtering |
| Objectives | Segmentation, DLP, backups, incident response |
Defense in depth: Don’t rely on stopping the attack at one point. Layer defenses so that if delivery succeeds, exploitation fails. If exploitation succeeds, C2 is detected. If C2 is established, lateral movement is blocked.
Where Each Module Fits
Everything you’ve learned in this series maps to the kill chain:
| Module | Kill Chain Relevance |
|---|---|
| Networking | Understanding what recon sees, how C2 communicates |
| Operating Systems | How installation/persistence works at the OS level |
| Web Security | Exploitation of web applications |
| Cryptography | How C2 encrypts communication, how defenders decrypt |
| Reverse Shells | The C2 mechanism in its simplest form |
What’s Next
Now that you see the full picture, we’ll dive into the first stage. The next post covers reconnaissance - what information is available about a target, how attackers find it, and what defenders can do about it.
References
- MITRE ATT&CK Framework
- Lockheed Martin - Cyber Kill Chain
- MITRE ATT&CK Navigator - Visualize technique coverage
Attacks follow a process. Once you see the process, you stop seeing incidents as random events and start seeing patterns. Every ransomware attack, every data breach, every compromise walks this chain. Break any link and the chain fails.