What is the Cyber Kill Chain?

The Cyber Kill Chain is a seven-stage framework by Lockheed Martin that maps each phase of a cyberattack, giving defenders structured opportunities to detect and stop intrusions before objectives are achieved.

Cyber Kill Chain Explained

The Cyber Kill Chain is a seven-stage framework developed by Lockheed Martin in 2011 that models the sequential phases an adversary must complete to successfully execute a cyberattack. Introduced by analysts Eric Hutchins, Michael Cloppert, and Rohan Amin, the framework adapts military kill chain doctrine to cybersecurity, providing defenders with a structured model for identifying and disrupting intrusions. The core principle is straightforward: if defenders break any single link in the chain, the entire attack fails.

Stages of the Cyber Kill Chain

The framework defines seven stages that an attacker progresses through from initial targeting to mission completion:

  1. Reconnaissance. The attacker researches and identifies targets by harvesting email addresses, mapping organizational structure, scanning for exposed services, and gathering intelligence from public sources such as social media and conference attendee lists.
  2. Weaponization. The attacker pairs an exploit with a payload (such as a remote access trojan embedded in a document) to create a deliverable weapon, often using automated toolkits.
  3. Delivery. The weapon is transmitted to the target environment through a delivery vector such as a phishing email, a compromised website, or a removable media device.
  4. Exploitation. The delivered payload triggers on the target system, exploiting a software vulnerability, a configuration weakness, or human trust to execute the attacker's code.
  5. Installation. The attacker establishes persistence on the compromised system by installing malware, creating backdoor accounts, or modifying system services to survive reboots and detection efforts.
  6. Command and Control (C2). The compromised system establishes an outbound communication channel to the attacker's infrastructure, enabling remote control, lateral movement instructions, and data staging.
  7. Actions on Objectives. The attacker accomplishes their mission, which may include data exfiltration, encryption for ransom, credential harvesting, system destruction, or establishing long-term access for an advanced persistent threat campaign.

Email Security Across the Cyber Kill Chain

Email plays a central role in several kill chain stages. At the Delivery stage, phishing emails carrying weaponized attachments or malicious links represent the most common attack vector. Blocking these messages before they reach the inbox is the highest-impact defensive action within the kill chain model.

Email defenses also operate at other stages. At the Reconnaissance stage, limiting the exposure of employee email addresses and organizational details reduces the quality of threat intelligence an attacker can gather. At the Exploitation stage, scanning attachments for embedded exploits and analyzing URLs for malicious redirects can prevent payload execution even after delivery succeeds.

Defenders use indicators of compromise (IOCs) collected at each stage to build detection signatures, enrich threat intelligence feeds, and improve response playbooks across the entire chain.
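As an added illustration of the IOC-per-stage idea (example code, not IRONSCALES' own; the indicator values, log events and field names are constructed placeholders), the following Python maps sample email-gateway and proxy events to the kill chain stage of the indicator they match, reports the earliest stage at which the chain was broken, and lists the stages that still have no detection coverage:

```python
# Added example (not from the page): tag constructed log events with the Cyber Kill Chain
# stage of the IOC they match, report the earliest stage at which the intrusion was
# caught, and list the stages for which no detection exists yet.

# Stage order from the Lockheed Martin model; a lower index is an earlier link.
KILL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command and Control", "Actions on Objectives"]

# Constructed IOC catalog keyed by (log field, value), tagged with the stage at
# which each indicator was observed. All values are placeholders, not real IOCs.
IOCS = {
    ("sender_domain", "invoice-portal.example"): "Delivery",
    ("attachment_sha256", "PLACEHOLDER_HASH_0001"): "Delivery",
    ("url_host", "docs-preview.example"): "Exploitation",
    ("dst_host", "beacon.example"): "Command and Control",
}

# Constructed events from an email gateway and a web proxy (not real logs).
EVENTS = [
    {"id": 1, "sender_domain": "partner.example", "attachment_sha256": "PLACEHOLDER_HASH_0002"},
    {"id": 2, "sender_domain": "invoice-portal.example", "attachment_sha256": "PLACEHOLDER_HASH_0001"},
    {"id": 3, "url_host": "docs-preview.example"},
    {"id": 4, "dst_host": "beacon.example"},
    {"id": 5, "dst_host": "cdn.example"},
]

def match_events(events, iocs=IOCS):
    """Return {event_id: stage} for each event matching a stage-tagged IOC.
    The first matching field decides; an event maps to at most one stage."""
    hits = {}
    for ev in events:
        for field, value in ev.items():
            stage = iocs.get((field, value))
            if stage is not None:
                hits[ev["id"]] = stage
                break
    return hits

def earliest_stage(hits):
    """Earliest kill-chain stage among the hits, or None if nothing matched.
    Stopping the intrusion here is enough to break the whole chain."""
    if not hits:
        return None
    return min(hits.values(), key=KILL_CHAIN.index)

def uncovered_stages(iocs=IOCS):
    """Stages with no indicator in the catalog: the detection gaps to close next."""
    covered = set(iocs.values())
    return [s for s in KILL_CHAIN if s not in covered]
```

Feeding a real catalog and real logs into the same two lookups gives a per-stage view of where detections fire first and where the chain is still unwatched.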

Cyber Kill Chain Limitations and Modern Alternatives

The Cyber Kill Chain assumes a linear progression that matches the pattern of many targeted intrusions, particularly those involving email-delivered payloads. However, real-world attacks do not always follow a strict sequence. Insider threats, supply chain compromises, and cloud-native attacks may skip stages or operate in parallel.

The MITRE ATT&CK framework addresses these limitations by organizing adversary behavior into a matrix of 14 tactics and hundreds of techniques without enforcing a fixed order. ATT&CK provides more granular detail for threat detection and covers attack surfaces (mobile, cloud, ICS) that the original kill chain did not address.

Despite these critiques, the Cyber Kill Chain remains valuable as a strategic planning tool. Many security teams use the kill chain for high-level threat modeling and combine it with ATT&CK for tactical detection engineering. CISA training programs continue to teach both frameworks as complementary approaches to understanding adversary behavior.
