What is the Cyber Kill Chain?

Lockheed Martin derived the structure of the kill chain from a military model, originally set up to define, plan to strike, engage, and destroy the target. The kill chain has developed since its inception to better predict and understand insider attacks, social engineering, advanced malware and disruptive assaults. The purpose of the model is to better understand the stages an attacker must go through to conduct an attack, and to help security teams stop the attack at each stage.


The kill chain model describes an attack by an external attacker attempting to gain access to data or assets inside the security perimeter. The attacker performs reconnaissance, intrudes through the security perimeter, exploits vulnerabilities, gains and escalates privileges, moves laterally to reach more valuable targets, attempts to obfuscate their activity, and finally exfiltrates data from the organization.


Lockheed Martin’s cyber kill chain breaks down an externally originating cyber-attack into 7 distinct steps. Each stage is related to a certain type of activity in a cyber-attack, regardless of whether it’s an internal or external attack:


Reconnaissance

At the reconnaissance stage, the attacker gathers information about the target organization. They can use automated scanners to find vulnerabilities and weak points that may allow penetration. Attackers will try to identify and investigate the security systems that are in place, such as firewalls, intrusion prevention systems and authentication mechanisms.


Types of reconnaissance:

Passive reconnaissance

Passive reconnaissance is an attempt to gain information about targeted computers and networks without actively engaging with the systems.


Active reconnaissance

In active reconnaissance, by contrast, the attacker engages with the target system directly, typically by conducting a port scan to find any open ports.
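The distinction above matters for defenders: passive reconnaissance never touches the target, so it leaves nothing in the organization's own logs, whereas an active port scan is visible wherever connection attempts are recorded. The following is an added example, not code from the original post or from Lockheed Martin, that looks for port-scan behaviour in firewall logs. The log format (one line per connection attempt: epoch seconds, source IP, destination IP, destination port, ALLOW or DENY) and the sample lines are constructed for the example.

```python
"""Flag active reconnaissance (port scans) in firewall logs.

Added example, not part of the original post. The log format is an assumption
made for this example: one line per connection attempt,
"<epoch_seconds> <src_ip> <dst_ip> <dst_port> <ALLOW|DENY>".
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample log (not real traffic). 10.0.0.7 probes 12 ports on one host
# in 12 seconds, 10.0.0.20 is normal client traffic to two services, and 10.0.0.9
# is a "low and slow" probe touching one port every five minutes.
SAMPLE_LOG = """\
1700000000 10.0.0.7 192.168.1.10 21 DENY
1700000001 10.0.0.7 192.168.1.10 22 ALLOW
1700000002 10.0.0.7 192.168.1.10 23 DENY
1700000003 10.0.0.7 192.168.1.10 25 DENY
1700000004 10.0.0.7 192.168.1.10 80 ALLOW
1700000005 10.0.0.7 192.168.1.10 110 DENY
1700000006 10.0.0.7 192.168.1.10 135 DENY
1700000007 10.0.0.7 192.168.1.10 139 DENY
1700000008 10.0.0.7 192.168.1.10 443 ALLOW
1700000009 10.0.0.7 192.168.1.10 445 DENY
1700000010 10.0.0.7 192.168.1.10 3389 DENY
1700000011 10.0.0.7 192.168.1.10 8080 DENY
1700000000 10.0.0.20 192.168.1.10 443 ALLOW
1700000030 10.0.0.20 192.168.1.10 443 ALLOW
1700000031 10.0.0.20 192.168.1.10 80 ALLOW
1700000000 10.0.0.9 192.168.1.10 22 DENY
1700000300 10.0.0.9 192.168.1.10 80 DENY
1700000600 10.0.0.9 192.168.1.10 443 DENY
1700000900 10.0.0.9 192.168.1.10 3389 DENY
malformed line that the parser skips
"""


@dataclass(frozen=True)
class Event:
    ts: int
    src: str
    dst: str
    port: int
    action: str


@dataclass(frozen=True)
class ScanAlert:
    src: str
    dst: str
    distinct_ports: int  # most distinct ports seen inside a single window


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; return None for lines that do not match the format."""
    fields = line.split()
    if len(fields) != 5:
        return None
    try:
        return Event(int(fields[0]), fields[1], fields[2], int(fields[3]), fields[4])
    except ValueError:
        return None


def find_port_scans(lines: Iterable[str], window_seconds: int = 60,
                    min_distinct_ports: int = 10) -> List[ScanAlert]:
    """One alert per (src, dst) pair that touched >= min_distinct_ports distinct
    destination ports inside some window_seconds-long trailing window.

    ALLOW and DENY lines count alike: a scanner hits closed ports too, and the
    DENY lines are often the clearest signal.
    """
    by_pair = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            by_pair[(ev.src, ev.dst)].append(ev)

    alerts = []
    for (src, dst), events in by_pair.items():
        events.sort(key=lambda e: e.ts)
        window: deque = deque()
        best = 0
        for ev in events:
            window.append(ev)
            # Drop events that have fallen out of the trailing window.
            while ev.ts - window[0].ts > window_seconds:
                window.popleft()
            best = max(best, len({e.port for e in window}))
        if best >= min_distinct_ports:
            alerts.append(ScanAlert(src, dst, best))
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("fast scan, 60 s window:", find_port_scans(lines))
    # The slow prober only shows up once the window is widened and the threshold
    # lowered; tune both against your own baseline traffic to keep noise down.
    print("slow scan, 1 h window:",
          find_port_scans(lines, window_seconds=3600, min_distinct_ports=3))
```

With the default 60-second window only the fast scanner is reported; the five-minute prober is only caught when the window is widened to an hour and the threshold lowered, which is the usual trade-off between catching slow reconnaissance and drowning in alerts from ordinary multi-service clients.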


Weaponization

During weaponization, the threat actor develops malware specifically crafted for the vulnerabilities discovered during the reconnaissance phase of the cyber kill chain. Based on the intelligence gathered in the reconnaissance phase, the attacker will tailor their toolset to meet the specific requirements of the target network.


Delivery

The third stage of the cyber kill chain is delivery. At this stage the intruder transmits the malware via a phishing email, the web, a USB device or another medium.


Exploitation

At the exploitation stage, attackers seek additional vulnerabilities or weak points they can exploit inside the organization’s systems. For example, from the outside the attacker may have no access to an organization’s databases, but after the intrusion they can see that a database runs an old version exposed to a well-known vulnerability.

Examples of exploitation techniques: PowerShell, local job scheduling, scripting, dynamic data exchange (DDE)
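The techniques listed above (PowerShell, local job scheduling, scripting, DDE) all show up as process-creation events on the endpoint, which is where a security team gets its first chance to stop the attack at this stage. The following is an added example, not code from the original post, that triages such events with three simple rules: an Office application launching a script host (how DDE and macro-driven execution typically look), PowerShell run with an encoded command, and scheduled-task creation. The event fields and the sample events are assumptions constructed for the example, modelled loosely on endpoint process-creation telemetry.

```python
"""Triage process-creation events for the execution techniques named above.

Added example, not part of the original post. The event fields (host,
parent_image, image, command_line) and the events themselves are constructed
for this example, not captured from a real system.
"""
from typing import Dict, List, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Constructed sample events (hypothetical hosts, users and paths).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws01",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile -enc <base64-blob-placeholder>"},
    {"host": "ws01",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\scripts\inventory.ps1"},
    {"host": "ws02",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks.exe /create /tn "Updater" /tr C:\Users\Public\update.exe /sc minute'},
    {"host": "ws02",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": "schtasks.exe /query /fo LIST"},
    {"host": "ws03",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"wscript.exe C:\Users\alice\AppData\Local\Temp\invoice.vbs"},
]


def basename(path: str) -> str:
    """Last path component, lower-cased; tolerates both slash styles."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def has_encoded_command(command_line: str) -> bool:
    """True if a switch abbreviating PowerShell's -EncodedCommand is present.

    powershell.exe accepts any prefix of the parameter name (-e, -en, -enc, ...)
    plus the special form -ec, so a literal search for "EncodedCommand" misses
    most real uses. Switches may be introduced with "-" or "/".
    """
    for token in command_line.split():
        if not token.startswith(("-", "/")):
            continue
        abbrev = token.lstrip("-/").lower()
        if abbrev and (abbrev == "ec" or "encodedcommand".startswith(abbrev)):
            return True
    return False


def classify(event: Dict[str, str]) -> List[str]:
    """Names of the detection rules the event matches (empty list if none)."""
    parent = basename(event["parent_image"])
    image = basename(event["image"])
    cmd = event["command_line"]
    findings = []
    # Document-borne execution (DDE/macro style): an Office app starting a script host.
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        findings.append("office_spawned_script_host")
    # An encoded command hides the script body from casual log review.
    if image in POWERSHELL and has_encoded_command(cmd):
        findings.append("encoded_powershell")
    # Local job scheduling: task creation deserves a look; queries are routine.
    if image == "schtasks.exe" and "/create" in cmd.lower().split():
        findings.append("scheduled_task_created")
    return findings


def triage(events) -> List[Tuple[str, str, List[str]]]:
    """(host, image basename, findings) for every event matching at least one rule."""
    out = []
    for ev in events:
        findings = classify(ev)
        if findings:
            out.append((ev["host"], basename(ev["image"]), findings))
    return out


if __name__ == "__main__":
    for host, image, findings in triage(SAMPLE_EVENTS):
        print(f"{host}: {image} -> {', '.join(findings)}")
```

The prefix handling in `has_encoded_command` is the part worth copying: matching only the full string "EncodedCommand" would miss the abbreviated forms, while matching any "-e" would also catch the routine "-ExecutionPolicy", so the check tests whether the abbreviation is a prefix of the parameter name rather than the other way round.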


Installation

At this stage the installation of a remote access Trojan or backdoor on the victim system allows the adversary to maintain persistence inside the environment. Installing malware on the asset requires end-user participation, with the user unknowingly enabling the malicious code. Taking action at this point can be considered critical.


Command and Control

Command and control is the sixth phase of the cyber kill chain. Command and control, also known as C2, is the point at which the attacker has put their management and communication APT code in place on the target network. This software allows the attacker to fully manage the APT code in the environment and lets them move deeper into the network, exfiltrate data, and conduct destruction or denial-of-service operations.


Actions on Objective

The intruder initiates end-goal actions, such as data theft, data corruption, or data destruction.
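Both the Command and Control stage and the Actions on Objective stage above leave traces in network flow data: C2 implants check in on a timer, so their connections are far more regular than human browsing, and data theft pushes far more bytes out of the network than a normal client ever sends. The following is an added example, not code from the original post, that looks for both patterns in connection summaries. The log format (epoch seconds, source IP, destination IP, destination port, bytes out, bytes in) and the sample records are constructed for the example and use documentation address ranges, not real hosts.

```python
"""Look for C2 beaconing and bulk outbound transfers in connection summaries.

Added example, not part of the original post. The connection-log format is an
assumption made for this example: one line per completed connection,
"<epoch_seconds> <src_ip> <dst_ip> <dst_port> <bytes_out> <bytes_in>".
"""
import statistics
from collections import defaultdict
from dataclasses import dataclass
from typing import List

# Constructed sample (documentation address ranges, not real hosts):
#   10.0.0.5 -> 203.0.113.9:443    eight tiny connections about every 60 s (beacon-like)
#   10.0.0.5 -> 198.51.100.77:443  irregular, download-heavy connections (browsing)
#   10.0.0.6 -> 192.0.2.50:443     three connections pushing ~55 MB out, little back
SAMPLE_CONN_LOG = """\
1700000000 10.0.0.5 203.0.113.9 443 300 200
1700000060 10.0.0.5 203.0.113.9 443 300 200
1700000118 10.0.0.5 203.0.113.9 443 300 200
1700000181 10.0.0.5 203.0.113.9 443 300 200
1700000240 10.0.0.5 203.0.113.9 443 300 200
1700000299 10.0.0.5 203.0.113.9 443 300 200
1700000361 10.0.0.5 203.0.113.9 443 300 200
1700000420 10.0.0.5 203.0.113.9 443 300 200
1700000000 10.0.0.5 198.51.100.77 443 1500 200000
1700000005 10.0.0.5 198.51.100.77 443 1500 200000
1700000007 10.0.0.5 198.51.100.77 443 1500 200000
1700000130 10.0.0.5 198.51.100.77 443 1500 200000
1700000131 10.0.0.5 198.51.100.77 443 1500 200000
1700000400 10.0.0.5 198.51.100.77 443 1500 200000
1700000401 10.0.0.5 198.51.100.77 443 1500 200000
1700000100 10.0.0.6 192.0.2.50 443 20000000 2000
1700000700 10.0.0.6 192.0.2.50 443 20000000 2000
1700001300 10.0.0.6 192.0.2.50 443 15000000 2000
"""


@dataclass(frozen=True)
class Conn:
    ts: int
    src: str
    dst: str
    dport: int
    bytes_out: int
    bytes_in: int


@dataclass(frozen=True)
class Beacon:
    src: str
    dst: str
    dport: int
    connections: int
    mean_interval: float
    jitter_cv: float  # stdev / mean of the gaps between connections


@dataclass(frozen=True)
class Exfil:
    src: str
    dst: str
    bytes_out: int
    bytes_in: int


def parse_conn_log(text: str) -> List[Conn]:
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 6:  # silently skip lines that do not match the format
            conns.append(Conn(int(f[0]), f[1], f[2], int(f[3]), int(f[4]), int(f[5])))
    return conns


def beacon_candidates(conns, min_connections=6, max_jitter_cv=0.1) -> List[Beacon]:
    """Flows whose inter-connection gaps are nearly constant. Human-driven traffic
    is bursty (high CV); an implant on a timer stays regular even with some jitter."""
    by_flow = defaultdict(list)
    for c in conns:
        by_flow[(c.src, c.dst, c.dport)].append(c.ts)
    found = []
    for (src, dst, dport), times in by_flow.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_jitter_cv:
            found.append(Beacon(src, dst, dport, len(times), mean, cv))
    return found


def exfil_candidates(conns, min_bytes_out=10_000_000, min_out_in_ratio=10.0) -> List[Exfil]:
    """Host pairs that sent a lot of data out and got little back. Normal client
    traffic is download-heavy, so a high out/in ratio at volume stands out."""
    totals = defaultdict(lambda: [0, 0])
    for c in conns:
        totals[(c.src, c.dst)][0] += c.bytes_out
        totals[(c.src, c.dst)][1] += c.bytes_in
    found = []
    for (src, dst), (out, inn) in totals.items():
        if out >= min_bytes_out and out / max(inn, 1) >= min_out_in_ratio:
            found.append(Exfil(src, dst, out, inn))
    return found


if __name__ == "__main__":
    conns = parse_conn_log(SAMPLE_CONN_LOG)
    for b in beacon_candidates(conns):
        print(f"beacon-like: {b.src} -> {b.dst}:{b.dport} every ~{b.mean_interval:.0f}s (cv={b.jitter_cv:.2f})")
    for e in exfil_candidates(conns):
        print(f"bulk outbound: {e.src} -> {e.dst} {e.bytes_out} B out / {e.bytes_in} B in")
```

Both checks are deliberately coarse: the beacon rule scores the regularity of the gaps rather than requiring an exact period, so an implant that adds a few seconds of jitter is still caught, and the exfiltration rule aggregates per host pair so that a transfer split over several connections is still counted as one event. Thresholds need tuning against the environment's own baseline (backup agents and update services can look like either pattern).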

It is recommended that an organization implement a defense-in-depth strategy that protects the organization's people, processes, and technology in a holistic and layered fashion. Some defense-in-depth areas include:

• Implementation of an enterprise-wide information security program with leadership backing and authority

• Effective user training and awareness related to email-borne threats (phishing)

• Strong cyber hygiene practices throughout the organization.

Copyright @SecurWires. Designed & Developed By MindScript