Cyber Kill Chain
Definition
The Cyber Kill Chain is a model that describes the typical stages of a cyber attack from the attacker’s point of view. It was created by Lockheed Martin to help defenders understand how intrusions progress so they can detect and stop attacks at different stages, not just at the end. The Cyber Kill Chain is usually broken into seven steps:

1. **Reconnaissance**: The attacker gathers information about the target. They identify systems, technologies, employees, email formats, and possible weaknesses. This can involve scanning, open-source research, and social media.
2. **Weaponization**: The attacker builds a “weapon” that can take advantage of a weakness. This might be a malicious document, a phishing email with a payload, or an exploit for a specific software vulnerability. They combine an exploit with a delivery mechanism.
3. **Delivery**: The attacker sends the weapon to the target. Common delivery methods include email attachments, links to malicious websites, drive-by downloads, or compromised USB devices.
4. **Exploitation**: The weapon triggers the vulnerability. Code runs on the victim system, often when the user opens a file, clicks a link, or when the system processes a malformed request. This step turns a potential weakness into an active compromise.
5. **Installation**: The attacker installs malware, backdoors, or tools on the victim system. These tools help them maintain a presence, run commands, or gather data over time.
6. **Command and Control (C2)**: The compromised system connects back to an attacker-controlled server or service. Through this channel, the attacker can send instructions, move laterally, and update or remove tools.
7. **Actions on Objectives**: The attacker carries out their ultimate goals. This might include data theft, data destruction, encryption of files for ransom, disruption of services, or long-term espionage.

For defenders, the Cyber Kill Chain is useful because it breaks an attack into steps that can each be monitored and disrupted. Stopping an attacker at reconnaissance or delivery is easier and less costly than dealing with them after they have already reached their final objectives. The model also gives analysts a shared language to describe where they first detected an attack and where defenses failed or succeeded.
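As an added illustration of that defender's use of the model (example code written for this entry, not part of the original glossary), the script below takes an analyst's timeline of an incident, with each observation mapped to a kill-chain stage and flagged as alerted-on or reconstructed afterwards, and reports where defenses first caught the intrusion and which stages slipped past. The `Event` fields, the `kill_chain_report` function and the sample timeline are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime

# The seven stages, in the order the model presents them.
KILL_CHAIN = (
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objectives",
)

@dataclass(frozen=True)
class Event:
    time: datetime
    stage: str       # kill-chain stage the analyst mapped this activity to
    source: str      # control or data source that recorded it
    detected: bool   # True if a control alerted at the time, False if pieced together later

def in_chain_order(stages):
    """Sort a set of stage names by their position in the kill chain."""
    return [s for s in KILL_CHAIN if s in stages]

def kill_chain_report(events):
    """Summarise where defenses first caught the intrusion and which stages were missed."""
    for e in events:
        if e.stage not in KILL_CHAIN:
            raise ValueError(f"unknown kill-chain stage: {e.stage!r}")
    timeline = sorted(events, key=lambda e: e.time)
    alerts = [e for e in timeline if e.detected]
    first = alerts[0] if alerts else None
    reached = {e.stage for e in timeline}
    alerted = {e.stage for e in alerts}
    # Stages the attacker completed before anyone was alerted: the defensive gap.
    before_first = {e.stage for e in timeline if first is not None and e.time < first.time}
    return {
        "first_detected_stage": first.stage if first else None,
        "stages_before_detection": in_chain_order(before_first),
        "undetected_stages": in_chain_order(reached - alerted),
        "caught_before_objectives": first is not None
            and first.stage != "Actions on Objectives"
            and "Actions on Objectives" not in before_first,
    }

# Constructed incident timeline (sample data, not from a real case).
SAMPLE_EVENTS = [
    Event(datetime(2024, 3, 1, 9, 0), "Reconnaissance", "OSINT review (post-incident)", False),
    Event(datetime(2024, 3, 2, 8, 15), "Delivery", "mail gateway log: phishing mail accepted", False),
    Event(datetime(2024, 3, 2, 8, 22), "Exploitation", "EDR telemetry: document spawned shell", False),
    Event(datetime(2024, 3, 2, 8, 23), "Installation", "EDR alert: persistence created", True),
    Event(datetime(2024, 3, 2, 8, 30), "Command and Control", "proxy alert: periodic beaconing", True),
]

if __name__ == "__main__":
    print(kill_chain_report(SAMPLE_EVENTS))
```

For the sample timeline the report shows first detection at Installation, with Reconnaissance, Delivery and Exploitation completed before any alert fired, which is the kind of gap the model is meant to make visible.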
Related Terms
Reconnaissance