Cyber Kill Chain’s phases: Understanding the cycle of a cyber attack

by | Aug 15, 2025 | Articles

Reading Time: 3 Minutes

Introduction

In cyber security, understanding the methodology behind attacks is crucial to effective defense. A widely used model for analyzing and categorizing the steps of a targeted attack is the Cyber Kill Chain, a concept developed by Lockheed Martin. This framework divides a cyber attack into seven distinct phases, offering a clear view of how a threat progresses and allowing security teams to counter it at each stage. It is widely used in cyber defense strategies, helping to identify, detect and interrupt attacks at different phases.

Understanding the Cyber Kill Chain not only helps in post-incident forensic analysis, but also enables organizations to adopt a proactive stance, identifying potential vulnerabilities and implementing security controls that can break the attack chain in its early stages. Let’s explore each of the seven phases that make up this essential model.

Reconnaissance: Intelligence Collection

Like an army on campaign, an attacker begins the operation with the reconnaissance phase. The intruder seeks to collect as much information as possible about the target. This may involve network scanning to identify live systems and running services, and research from public sources (such as websites, social networks and DNS) for details about the infrastructure, employees and technologies used by the organization. The goal is to map the attack surface and identify possible weaknesses to be exploited in the subsequent phases.

At this stage, the attacker collects information about the target. This may include:

  • Public IP addresses and DNS
  • Network structure
  • Technologies used
  • Employee profiles (via social media)
  • Known vulnerabilities
  • Common tools: Shodan, Recon-ng, Maltego

Objective: Map the attack surface with as much data as possible, without being detected.
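The defender's side of this phase is spotting the scan before it turns into delivery. The following is an added example, not code from the original article: it runs a sliding-window port-scan detector over a small firewall log. The log format ("timestamp src dst dport action"), every sample line, and the addresses are constructed for the example; the window and port thresholds are assumptions to tune per environment.

```python
"""Reconnaissance detection: flag port scans in firewall logs.

Added example, not from the original article. The log format below
("timestamp src dst dport action") and every sample line are constructed
for this example; adapt parse_line() to your firewall's real format.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log. 203.0.113.7 sweeps 12 ports on one host in 11
# seconds (a fast scan); 203.0.113.9 touches 5 ports spread over 12 minutes
# (a slow scan); 198.51.100.5 is an ordinary client using 80 and 443.
SAMPLE_LOG = [
    "2025-08-15T10:00:00 203.0.113.7 192.0.2.10 21 DROP",
    "2025-08-15T10:00:01 203.0.113.7 192.0.2.10 22 ACCEPT",
    "2025-08-15T10:00:02 203.0.113.7 192.0.2.10 23 DROP",
    "2025-08-15T10:00:03 203.0.113.7 192.0.2.10 25 DROP",
    "2025-08-15T10:00:04 203.0.113.7 192.0.2.10 53 DROP",
    "2025-08-15T10:00:05 203.0.113.7 192.0.2.10 80 ACCEPT",
    "2025-08-15T10:00:06 203.0.113.7 192.0.2.10 110 DROP",
    "2025-08-15T10:00:07 203.0.113.7 192.0.2.10 135 DROP",
    "2025-08-15T10:00:08 203.0.113.7 192.0.2.10 139 DROP",
    "2025-08-15T10:00:09 203.0.113.7 192.0.2.10 443 ACCEPT",
    "2025-08-15T10:00:10 203.0.113.7 192.0.2.10 445 DROP",
    "2025-08-15T10:00:11 203.0.113.7 192.0.2.10 3389 DROP",
    "2025-08-15T10:00:05 198.51.100.5 192.0.2.10 443 ACCEPT",
    "2025-08-15T10:00:40 198.51.100.5 192.0.2.10 443 ACCEPT",
    "2025-08-15T10:01:10 198.51.100.5 192.0.2.10 80 ACCEPT",
    "2025-08-15T10:02:00 198.51.100.5 192.0.2.10 443 ACCEPT",
    "2025-08-15T10:00:30 203.0.113.9 192.0.2.10 22 ACCEPT",
    "2025-08-15T10:03:30 203.0.113.9 192.0.2.10 80 ACCEPT",
    "2025-08-15T10:06:30 203.0.113.9 192.0.2.10 443 ACCEPT",
    "2025-08-15T10:09:30 203.0.113.9 192.0.2.10 8080 DROP",
    "2025-08-15T10:12:30 203.0.113.9 192.0.2.10 8443 DROP",
]


def parse_line(line):
    """Parse one constructed-format log line into a dict."""
    ts, src, dst, dport, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "action": action}


def detect_port_scans(lines, window_seconds=60, min_ports=10):
    """Return one alert per (src, dst) pair that touched at least
    `min_ports` distinct destination ports within any `window_seconds`
    sliding window. Alerts are sorted by source address."""
    by_pair = defaultdict(list)
    for line in lines:
        if line.strip():
            event = parse_line(line)
            by_pair[(event["src"], event["dst"])].append(event)

    alerts = []
    for (src, dst), events in by_pair.items():
        events.sort(key=lambda e: e["ts"])
        best = 0
        start = 0
        # Slide a time window over this pair's events; the distinct-port
        # count inside the window is what separates a scan from a client
        # that simply talks to the same service repeatedly.
        for end in range(len(events)):
            while (events[end]["ts"] - events[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            distinct = len({e["dport"] for e in events[start:end + 1]})
            best = max(best, distinct)
        if best >= min_ports:
            alerts.append({
                "src": src, "dst": dst, "distinct_ports": best,
                "dropped": sum(e["action"] == "DROP" for e in events),
                "first_seen": events[0]["ts"].isoformat(),
                "last_seen": events[-1]["ts"].isoformat(),
            })
    return sorted(alerts, key=lambda a: a["src"])


if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_LOG):
        print(alert)
    # A slow scan only shows up when the window is widened.
    for alert in detect_port_scans(SAMPLE_LOG, window_seconds=900, min_ports=5):
        print("slow-window:", alert)
```

With the defaults only the fast scanner is reported; the slow scanner from 203.0.113.9 is invisible until the window is widened to fifteen minutes and the port threshold lowered. That trade-off is the practical lesson of this phase: attackers who know the detector's window will scan slower than it, so scan detection should be run at more than one time scale.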

 

Weaponization: Preparing the malicious payload

With the information collected during reconnaissance, the attacker moves to the weaponization stage. Here the threat is built by pairing an exploit for a chosen vulnerability with a malicious payload, such as a virus, ransomware or a backdoor. The result is a digital “weapon” ready to be delivered to the target. This phase involves selecting the most suitable vulnerability and customizing the payload to achieve the objectives of the attack.

With the information obtained, the attacker builds a cyber weapon. This usually involves:

  • Choice of a vulnerability to exploit (a public CVE or a zero-day)
  • Development or customization of a malicious payload
  • Linking this payload to a delivery vector (e.g. a malicious PDF)

Objective: Prepare a payload that will be effective against the specific target.


Delivery: Transporting the weapon to the target

The delivery phase is the method by which the weapon (the combined exploit and payload) is transmitted to the target system or user. There are several common delivery vectors, including phishing emails with malicious attachments or links to compromised websites, exploitation of web application vulnerabilities, compromised USB devices, or even insider action. The success of this phase depends on the attacker’s ability to deceive the target or to exploit security weaknesses to introduce the threat into the environment.

Now the payload is transported to the target. This can occur through:

  • Phishing (emails with attachments or malicious links)
  • Site compromises (drive-by download)
  • Infected USB devices

Objective: Make the target interact with the attack vector and activate the payload.

 

Exploitation: taking advantage of a vulnerability

Once the weapon is delivered to the target system, the exploitation phase begins. At this stage the exploit is used to take advantage of a software or hardware vulnerability present in the system. Successful exploitation gives the attacker unauthorized access to the system, allowing malicious code to run. The vulnerabilities may be known programming flaws or zero-day vulnerabilities (unknown to the vendor, with no fix available).

Here the exploit is triggered against a weakness in the target system, such as:

  • Remote code execution
  • Buffer overflow
  • Vulnerabilities in browsers or plugins

Objective: Break the system defenses and gain initial access.

 

Installation: establishing a persistent presence

After successful exploitation, the attacker seeks to establish a persistent presence on the compromised system. This usually involves installing additional tools such as backdoors, rootkits or remote-access agents. These mechanisms allow the attacker to keep access to the system even if the initial vulnerability is patched or the exploit is detected. Installation ensures that the intruder can return to the compromised system to perform further actions.

The attacker installs malicious software, such as:

  • Backdoors
  • Trojans
  • Rootkits

Objective: To establish persistence in the compromised system.

Command and Control (C2): the direct line with the attacker

With a foothold established on the compromised system, the attacker needs a communication channel to control the infected assets and send commands. The command and control (C2) phase establishes this connection between the compromised system and the infrastructure controlled by the attacker. The communication can run over various protocols (HTTP, DNS, etc.) and is often obfuscated or disguised as legitimate traffic to avoid detection by firewalls and intrusion detection systems. The C2 channel allows the attacker to run commands, transfer files and advance toward their goals.

The malware communicates with the attacker’s infrastructure to:

  • Receive commands
  • Send collected data
  • Update Malware

Typical channels: HTTP, HTTPS, DNS tunneling, C2 over Telegram or Discord
Objective: Maintain the remote control of the invaded system.
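DNS tunneling is the C2 channel from the list above that is easiest to miss, because the resolver is usually allowed out of every network segment. The following is an added example, not code from the original article: it runs a few cheap heuristics over resolver query logs, grouping queries by registrable domain and looking for many never-repeating, long, high-entropy labels, which is what encoded command traffic looks like in the query name. The log format ("timestamp client qtype qname"), every query, the domain names and the thresholds are constructed assumptions; the registrable domain is approximated as the last two labels, which a real deployment would replace with a public-suffix list.

```python
"""Command and control detection: spot DNS tunneling in resolver logs.

Added example, not from the original article. The log format
("timestamp client qtype qname") and all sample queries are constructed.
The registrable domain is approximated as the last two labels of the
name (no public-suffix list), a simplification for the example.
"""
import math
from collections import defaultdict


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Constructed sample log. example.net receives long, high-entropy hex labels
# that never repeat (data encoded in the query name); example.com receives
# ordinary short hostnames; example.org receives repeated TXT lookups.
SAMPLE_DNS_LOG = [
    "2025-08-15T11:00:01 192.0.2.25 TXT 4f8a2c9e1b7d3a6f0c5e8b2a9d4f7c1e3b6a0d5f.example.net",
    "2025-08-15T11:00:02 192.0.2.25 TXT 9c1e5b7a3f0d2c8e6a4b1f9d7c3e5a0b8f2d6c4e.example.net",
    "2025-08-15T11:00:03 192.0.2.25 TXT 2e7b4c0f9a1d6e3c8b5f7a2d9e4c1b6f3a0e8d5c.example.net",
    "2025-08-15T11:00:04 192.0.2.25 TXT 6a3d9f2b8e1c4a7f0d5b9e2c6f3a8d1b4e7c0f5a.example.net",
    "2025-08-15T11:00:05 192.0.2.25 TXT 0b5e8c2f6a9d3b7e1f4c0a8d2b6e9f3c5a7d1e4b.example.net",
    "2025-08-15T11:00:02 192.0.2.30 A www.example.com",
    "2025-08-15T11:00:03 192.0.2.30 A mail.example.com",
    "2025-08-15T11:00:04 192.0.2.31 A cdn.example.com",
    "2025-08-15T11:00:05 192.0.2.31 A api.example.com",
    "2025-08-15T11:00:06 192.0.2.32 A login.example.com",
    "2025-08-15T11:00:07 192.0.2.32 A static.example.com",
    "2025-08-15T11:00:08 192.0.2.32 A example.com",
    "2025-08-15T11:00:09 192.0.2.40 TXT _dmarc.example.org",
    "2025-08-15T11:00:10 192.0.2.40 TXT _dmarc.example.org",
    "2025-08-15T11:00:11 192.0.2.41 TXT _dmarc.example.org",
]


def split_name(qname):
    """Return (registrable domain, list of subdomain labels)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), labels[:-2]


def analyze_dns_log(lines, min_unique=5, min_label_len=20, min_entropy=3.0):
    """Per registrable domain: query count, distinct subdomains, mean
    length and mean entropy of the leftmost label, and whether all three
    tunneling heuristics fire together. Requiring all three is deliberate:
    a CDN has many subdomains but short labels, and a single long label
    that repeats is not a data channel."""
    stats = defaultdict(lambda: {"queries": 0, "subs": set(),
                                 "lengths": [], "entropies": []})
    for line in lines:
        if not line.strip():
            continue
        _ts, _client, _qtype, qname = line.split()
        domain, sub_labels = split_name(qname)
        entry = stats[domain]
        entry["queries"] += 1
        if not sub_labels:          # apex query carries no label to inspect
            continue
        entry["subs"].add(".".join(sub_labels))
        leftmost = sub_labels[0]    # encoded data lives in the leftmost label
        entry["lengths"].append(len(leftmost))
        entry["entropies"].append(shannon_entropy(leftmost))

    report = {}
    for domain, entry in stats.items():
        n = len(entry["lengths"])
        mean_len = sum(entry["lengths"]) / n if n else 0.0
        mean_ent = sum(entry["entropies"]) / n if n else 0.0
        unique = len(entry["subs"])
        report[domain] = {
            "queries": entry["queries"],
            "unique_subdomains": unique,
            "mean_label_len": mean_len,
            "mean_label_entropy": mean_ent,
            "flagged": (unique >= min_unique and mean_len >= min_label_len
                        and mean_ent >= min_entropy),
        }
    return report


if __name__ == "__main__":
    for domain, row in sorted(analyze_dns_log(SAMPLE_DNS_LOG).items()):
        print(domain, row)
```

Only example.net is flagged: example.com has more distinct subdomains than the tunnel but fails the length and entropy tests, and example.org is a single label queried repeatedly. In production, add the query rate per client and the share of TXT/NULL record types, and run the same check over HTTPS SNI and HTTP Host headers, since the other channels in the list above hide data in the same way.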

 

Actions on Objectives: reaching the purpose of the attack

The final phase of the Cyber Kill Chain is where the attacker carries out the actions that achieve the original goals. These objectives vary widely and include theft of confidential data (intellectual property, financial information, customer data), service disruption (denial-of-service attacks), extortion (ransomware), data destruction or espionage. The actions at this stage are the outcome of all previous steps and represent the final impact of the attack.

The attacker carries out the main intent, such as:

  • Data theft (exfiltration)
  • File encryption (ransomware)
  • Sabotage or Destruction of Systems
  • Corporate espionage

Objective: To fulfill the final purpose of the attack, which can be financial, political, or strategic.

Based on this structure I created an interactive map to better understand the above topics, representing a graph with the sequence of steps to be performed. It is shown below:

Figure1: Interactive Chart Cyber Kill Chain

(https://geovanidps.github.io/cyber-kill-chain/)

The importance of Cyber Kill Chain for the defense

The great value of the Cyber Kill Chain lies in its defensive potential. By understanding each phase, security professionals can:

  • Implement preventive and detective controls at critical points
  • Create response playbooks for each stage
  • Interrupt the attack before it completes

Cyber Kill Chain provides a valuable structure for security teams in various applications:

  • Threat Analysis: Helps to understand how different types of attacks develop and identify critical points where defense can be more effective.
  • Detection and Prevention: Allows the development of specific security controls for each phase, increasing the likelihood of attack detection and prevention.
  • Incident Response: Facilitates the analysis of security incidents, allowing teams to identify the phase at which the attack was interrupted or at which the breach occurred, assisting in containment and remediation.
  • Risk Assessment: Contributes to risk assessment, allowing organizations to prioritize their security investments based on probability and potential impact of attacks in each phase.
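The incident-response use above is concrete enough to automate: given the alerts a SIEM already holds, the Cyber Kill Chain gives an ordering that tells you how far an intrusion got, where it was stopped, and which phases passed without any sensor noticing. The following is an added example, not code from the original article: it maps detection signatures to phases through a small keyword table and reconstructs the chain per host. The alert records, host names, sensor names and the signature-to-phase table are constructed assumptions; a real deployment would map its own rule names to phases. Weaponization is excluded from the gap analysis because it happens on the attacker's side and is not observable by the victim.

```python
"""Incident response: map detections onto the Cyber Kill Chain.

Added example, not from the original article. The alert records, the
signature-to-phase keyword table, the sensor and host names are all
constructed for this example.
"""
from collections import defaultdict

PHASES = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objectives",
]
PHASE_INDEX = {phase: i for i, phase in enumerate(PHASES)}

# Hypothetical mapping from substrings of a detection signature to the
# phase it evidences. Order matters: the first match wins.
SIGNATURE_PHASES = [
    ("port scan", "Reconnaissance"),
    ("macro", "Delivery"),
    ("spawned", "Exploitation"),
    ("run key", "Installation"),
    ("webshell", "Installation"),
    ("beacon", "Command and Control"),
    ("upload", "Actions on Objectives"),
]

# Constructed alerts from several sensors, deliberately out of time order.
SAMPLE_ALERTS = [
    {"ts": "2025-08-15T09:20:00", "host": "ws-042", "sensor": "proxy",
     "signature": "Beacon to known C2 domain", "action": "blocked"},
    {"ts": "2025-08-15T09:10:00", "host": "ws-042", "sensor": "email-gw",
     "signature": "Macro-enabled attachment delivered", "action": "allowed"},
    {"ts": "2025-08-15T09:12:00", "host": "ws-042", "sensor": "edr",
     "signature": "WINWORD.EXE spawned powershell.exe", "action": "allowed"},
    {"ts": "2025-08-15T09:13:00", "host": "ws-042", "sensor": "edr",
     "signature": "New Run key persistence entry", "action": "allowed"},
    {"ts": "2025-08-15T09:30:00", "host": "srv-07", "sensor": "firewall",
     "signature": "Port scan from 203.0.113.7", "action": "allowed"},
    {"ts": "2025-08-15T09:50:00", "host": "srv-07", "sensor": "edr",
     "signature": "Webshell written under wwwroot", "action": "allowed"},
    {"ts": "2025-08-15T10:05:00", "host": "srv-07", "sensor": "dlp",
     "signature": "Large archive upload to external host", "action": "allowed"},
    {"ts": "2025-08-15T10:06:00", "host": "srv-07", "sensor": "av",
     "signature": "Antivirus signature update", "action": "allowed"},
]


def classify_phase(signature):
    """Return the kill-chain phase a signature evidences, or None."""
    text = signature.lower()
    for keyword, phase in SIGNATURE_PHASES:
        if keyword in text:
            return phase
    return None


def reconstruct_kill_chain(alerts):
    """Per host: phases observed in time order, the furthest phase
    reached, the phase at which something was blocked (if any), and the
    phases between the first and the furthest that produced no alert
    (visibility gaps). Weaponization is attacker-side and not counted."""
    by_host = defaultdict(list)
    for alert in sorted(alerts, key=lambda a: a["ts"]):
        phase = classify_phase(alert["signature"])
        if phase is not None:       # unmapped signatures are ignored
            by_host[alert["host"]].append((phase, alert))

    result = {}
    for host, items in by_host.items():
        seen = []
        for phase, _ in items:
            if phase not in seen:
                seen.append(phase)
        furthest = max(seen, key=PHASE_INDEX.__getitem__)
        blocked = [phase for phase, a in items if a["action"] == "blocked"]
        first = min(PHASE_INDEX[p] for p in seen)
        span = PHASES[first:PHASE_INDEX[furthest] + 1]
        gaps = [p for p in span if p not in seen and p != "Weaponization"]
        result[host] = {
            "phases_seen": seen,
            "furthest_phase": furthest,
            "blocked_at": blocked[0] if blocked else None,
            "gaps": gaps,
        }
    return result


if __name__ == "__main__":
    for host, summary in reconstruct_kill_chain(SAMPLE_ALERTS).items():
        print(host, summary)
```

For ws-042 the chain was cut at command and control, with every earlier phase visible, so the playbook is containment of one workstation. For srv-07 the first alert is a port scan and the next is a webshell, so delivery, exploitation and C2 all happened without a detection, and the archive upload means the attacker reached actions on objectives. The "gaps" list is the output a risk assessment needs: it names the phases where the next security investment goes.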

 

Although the Cyber Kill Chain is a powerful model, it is important to recognize that cyber attacks are constantly evolving. More recent models, such as the MITRE ATT&CK framework, offer a more granular view of the tactics and techniques used by attackers. Still, the Cyber Kill Chain remains a fundamental concept for understanding the progression of an attack and for developing defense-in-depth strategies: it turns incident response into a structured approach in which early detection can mean the difference between an isolated incident and a catastrophic breach. By internalizing the Cyber Kill Chain phases, organizations can significantly strengthen their security posture and reduce the risk of falling victim to successful cyber attacks.

This article is written by Geovane da Costa Oliveira

Are you a security researcher, or a company that writes articles about cyber security or offensive security (related to information security in general) that match our specific audience and are worth sharing? If you want to express your idea in an article, contact us here for a quote: [email protected]
