
    The Cyber Kill Chain: How Attacks Actually Unfold (and Where to Stop Them)

    The seven stages every meaningful intrusion goes through — and the controls that interrupt each one. A foundational mental model for thinking about defense.


    Why Attack Models Matter

    Attacks aren't lightning strikes. They're processes — multi-step campaigns that take days, weeks, or months. Understanding the steps lets you build controls at each stage, so you don't have to catch the attacker on their first move (you usually won't).

    The original Lockheed Martin Cyber Kill Chain has been around since 2011. It's been supplemented by MITRE ATT&CK (much more detailed) and the Diamond Model (more analytical), but the kill chain remains the cleanest mental model for explaining "how a breach works" to a non-specialist audience.

    Stages 1–2: Reconnaissance & Weaponization

    Reconnaissance. The attacker researches the target — LinkedIn profiles, exposed services, leaked credentials, GitHub repos. What helps defenders here: attack-surface monitoring, removing unnecessary public services, restricting employee oversharing.

    Weaponization. The attacker builds the payload: a phishing lure, a poisoned document, an exploit chain. You can't observe this stage as it happens, because it takes place on the attacker's own infrastructure. What you can do is analyze the artifacts that reach you later (document metadata, the packer or loader, the exploit kit's fingerprints) so you recognize the same toolkit the next time it shows up. Beyond that, your job is to make the next stage harder.

    Stages 3–4: Delivery & Exploitation

    Delivery. The payload reaches the victim — usually email, sometimes USB, watering-hole websites, or supply chain. Defenses: email security, web filtering, removable-media policies, SaaS allowlisting.

    Exploitation. The payload triggers — a clicked link, an opened doc, an unpatched vulnerability. Defenses: patching, endpoint hardening, browser isolation, application allowlisting.

    Stages 5–6: Installation & Command and Control

    Installation. The attacker establishes persistence — a scheduled task, a malicious service, a web shell. Defenses: EDR with behavioral detection, integrity monitoring, just-in-time admin.

    Command and Control (C2). The attacker establishes a communication channel back. Defenses: egress filtering, DNS monitoring, TLS inspection, blocking known C2 infrastructure.
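The "DNS monitoring" defense above is easier to reason about with concrete logic. The following is an added example, not code from the original article or from any vendor's product: it parses DNS query log lines (assumed format: `<epoch_seconds> <client_ip> <queried_name>`, one per line), groups queries by client and registered domain, flags near-periodic query intervals as candidate beaconing, and flags high-entropy leftmost labels as candidate DNS tunneling. The sample log, the two-label notion of "registered domain", and the thresholds are all assumptions chosen for illustration.

```python
"""Candidate C2 beaconing / DNS tunneling detection over DNS query logs.

Added example, not part of the original article. Log format is an assumption:
one query per line, "<epoch_seconds> <client_ip> <queried_name>".
"""
import math
import statistics
from collections import defaultdict

# Constructed sample log (not real traffic): 10.0.0.5 resolves a fresh
# random-looking label under c2-update.example.net roughly every 60 s, while
# 10.0.0.7 makes a handful of ordinary, irregularly spaced lookups.
SAMPLE_LOG = """\
1700000000 10.0.0.5 k3j9q2x7v1.c2-update.example.net
1700000012 10.0.0.7 www.example.com
1700000060 10.0.0.5 p8m2z5w4r6.c2-update.example.net
1700000119 10.0.0.5 a1b7c9d2e4.c2-update.example.net
1700000140 10.0.0.7 mail.example.com
1700000181 10.0.0.5 f6g3h8j1k5.c2-update.example.net
1700000240 10.0.0.5 n4o9p2q7r3.c2-update.example.net
1700000301 10.0.0.5 s8t1u6v3w9.c2-update.example.net
1700000355 10.0.0.7 www.example.com
1700000360 10.0.0.5 x2y7z4a9b1.c2-update.example.net
1700000900 10.0.0.7 cdn.example.com
"""


def parse_log(text):
    """Parse log text into (timestamp, client, qname) tuples; blank lines skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, client, qname = line.split()
        records.append((int(ts), client, qname.lower().rstrip(".")))
    return records


def registered_domain(qname):
    """Last two labels of the name. Assumption/simplification: real code should
    consult the Public Suffix List so that 'foo.co.uk' is not reduced to 'co.uk'."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def shannon_entropy(s):
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def interval_stats(timestamps):
    """(mean gap, coefficient of variation of gaps) for a list of timestamps,
    or None when there are fewer than two gaps to compare."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    mean = statistics.mean(gaps)
    if mean == 0:
        return None
    return mean, statistics.stdev(gaps) / mean


def find_suspicious(records, min_queries=6, max_cv=0.15, min_entropy=3.0):
    """Flag (client, domain) pairs whose query timing is near-periodic (low
    coefficient of variation) or whose leftmost labels look machine-generated
    (high mean entropy). Thresholds are assumptions; tune them to your traffic."""
    by_pair = defaultdict(list)
    for ts, client, qname in records:
        by_pair[(client, registered_domain(qname))].append((ts, qname))

    findings = []
    for (client, domain), entries in by_pair.items():
        if len(entries) < min_queries:
            continue  # too few samples to judge periodicity
        stats = interval_stats([ts for ts, _ in entries])
        if stats is None:
            continue
        mean_gap, cv = stats
        leftmost = [q.split(".")[0] for _, q in entries]
        mean_entropy = statistics.mean(shannon_entropy(l) for l in leftmost)

        reasons = []
        if cv <= max_cv:
            reasons.append(f"beacon: {len(entries)} queries every ~{mean_gap:.0f}s (cv={cv:.2f})")
        if mean_entropy >= min_entropy:
            reasons.append(f"tunneling: mean leftmost-label entropy {mean_entropy:.2f} bits")
        if reasons:
            findings.append({"client": client, "domain": domain,
                             "mean_interval": mean_gap, "cv": cv, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(parse_log(SAMPLE_LOG)):
        print(f"{f['client']} -> {f['domain']}: " + "; ".join(f["reasons"]))
```

Two caveats a practitioner will hit immediately: real implants add jitter to their sleep interval, so `max_cv` has to be set against a baseline of your own traffic rather than a fixed number, and any two-label domain grouping will misfile names under multi-label public suffixes. The point of the example is the shape of the signal (periodicity plus label randomness), not the exact thresholds.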

    Stage 7: Actions on Objective — and the Earlier You Stop, the Better

    Actions on Objective. Data exfiltration, ransomware deployment, lateral movement, fraud. By this stage, prevention has already failed; you're in detection-and-response mode.

    "The cost of stopping an attacker doubles at every stage. Stop them at delivery and you've burned a phishing email. Stop them at actions on objective and you're running an incident."

    This is why defense in depth and the kill chain are companion ideas. Depth means a control and a detection opportunity at every stage, so a single missed phishing email or unpatched host is one link slipping rather than the whole chain completing.