Cyber Kill Chain — 7 Stages of a Cyberattack Explained
What Is the Cyber Kill Chain and Why Does It Matter?
According to Lockheed Martin’s 2011 white paper, the Cyber Kill Chain is a seven-stage intelligence-driven defence model that maps every step an adversary must complete to achieve their objective, giving defenders seven distinct opportunities to detect and disrupt an intrusion.
The cyber kill chain is one of the most important frameworks in cybersecurity. Developed by Lockheed Martin in 2011, it maps the seven stages an attacker must complete to achieve their objective. For defenders, it provides seven opportunities to detect and stop an attack before it succeeds.
If you are a career changer entering cybersecurity, the kill chain gives you a mental model for understanding how attacks work from start to finish. Instead of seeing an attack as a single event — “they got hacked” — you learn to see it as a sequence of steps, each of which can be disrupted.
The kill chain was the framework that made everything click for me. Before this, I studied threats and defences as separate topics. Phishing was one thing. Malware was another. Firewalls, logs, incident response — all disconnected pieces. When I mapped a real attack through the seven stages of the kill chain, I suddenly saw how every defensive tool and technique I had studied connected to a specific moment in the attacker’s journey. It was like getting the table of contents for a book I had been reading out of order. If you feel overwhelmed by how many things there are to learn in cybersecurity, the kill chain shows you how they all fit together.
What Do Real-World Cyber Kill Chain Attacks Look Like?
According to the Verizon 2024 Data Breach Investigations Report (DBIR), over 80% of breaches involving hacking leveraged stolen credentials or exploited vulnerabilities — actions that map directly to the kill chain’s delivery and exploitation stages.
Every major cyberattack follows a version of the kill chain. Understanding the stages helps you see the pattern behind the headlines.
| Real attack | Kill chain stage that failed to stop it | Impact |
|---|---|---|
| SolarWinds (2020) — Attackers compromised the software build process and distributed malware to 18,000 organisations through a trusted update | Delivery (Stage 3) — malware came through a legitimate update channel, bypassing traditional defences | US government agencies and Fortune 500 companies compromised for months |
| Medibank (2022) — Stolen credentials used to access internal systems and exfiltrate 9.7 million customer records | Exploitation (Stage 4) + Installation (Stage 5) — attackers escalated privileges and moved laterally undetected | Regulatory action, class action lawsuits, lasting reputational damage in Australia |
| Colonial Pipeline (2021) — A single compromised VPN password (no MFA) gave attackers access to the network | Exploitation (Stage 4) — a password without MFA was the single point of failure | $4.4 million ransom, fuel shortages across the US East Coast |
| WannaCry (2017) — Ransomware exploited a known Windows vulnerability (EternalBlue) and spread automatically | Weaponisation (Stage 2) + Delivery (Stage 3) — the exploit was publicly known and patches were available | 200,000+ computers in 150 countries encrypted, including UK NHS hospitals |
The pattern is clear: successful attacks usually exploited a weakness at one specific stage. Had defenders disrupted that stage — with better patching, MFA, network segmentation, or monitoring — the outcome would have been different.
How Does the Cyber Kill Chain Work?
The Cyber Kill Chain is a sequential, intelligence-driven defence model comprising seven phases — Reconnaissance, Weaponisation, Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives — as defined by Lockheed Martin’s original 2011 paper on intrusion kill chain analysis.
Think of the kill chain like a burglar breaking into a house. The burglar does not simply appear inside your locked safe. They follow a sequence:
- Research the neighbourhood (reconnaissance)
- Prepare their tools — lock picks, bag for valuables (weaponisation)
- Approach the house — walk up to the back door (delivery)
- Break in — pick the lock or force the door (exploitation)
- Disable the alarm (installation)
- Signal their partner outside (command and control)
- Steal the valuables (actions on objectives)
At each step, the homeowner has a chance to stop them: security cameras at step 1, a stronger lock at step 4, an alarm that calls police at step 5. The same logic applies to cybersecurity — every kill chain stage is a chance to detect and disrupt the attacker.
Certification objective: CompTIA Security+ SY0-701 covers attack frameworks including the Cyber Kill Chain and MITRE ATT&CK. CySA+ CS0-003 tests your ability to apply these frameworks to threat detection and analysis.
The 7 Stages — Step by Step
Stage 1: Reconnaissance
The attacker researches the target to gather information. This is the planning phase.
What attackers do:
- Harvest email addresses from the target’s website and LinkedIn
- Identify technologies using tools like Shodan, Wappalyzer, or BuiltWith
- Scan for open ports and services using Nmap
- Search for leaked credentials on dark web databases
- Research employee names, roles, and reporting structures for social engineering
What defenders can do:
- Limit public information exposure (review what your website reveals)
- Monitor for reconnaissance activity in web server logs
- Set up honeypots to detect scanning attempts
- Train employees about social media oversharing
Stage 2: Weaponisation
The attacker creates a weapon — combining an exploit with a payload (usually malware) — tailored to the vulnerabilities discovered in reconnaissance.
What attackers do:
- Package malware into a document, PDF, or executable
- Create a phishing email crafted for the target (spear phishing)
- Develop or acquire an exploit for a known vulnerability
- Set up infrastructure — command and control servers, fake domains
What defenders can do:
- Keep systems patched so known exploits do not work (see ASD Essential Eight)
- Use threat intelligence to identify known attacker infrastructure
- Note that this stage is largely invisible to defenders, since it happens entirely on the attacker’s side
Stage 3: Delivery
The attacker transmits the weapon to the target.
What attackers do:
- Send phishing emails with malicious attachments or links
- Compromise a legitimate website the target visits (watering hole attack)
- Distribute malware through USB drives
- Exploit a public-facing application (web server, VPN, email gateway)
What defenders can do:
- Email filtering and sandboxing (detonate attachments in a safe environment)
- Web proxies that block known malicious domains
- Disable USB auto-run
- Patch public-facing applications promptly
Stage 4: Exploitation
The weapon activates — the exploit runs on the target system, taking advantage of a vulnerability.
What attackers do:
- The user opens a malicious attachment, triggering the exploit
- A vulnerability in a web application is exploited (SQL injection, remote code execution)
- A zero-day exploit targets an unpatched vulnerability
- The user enters credentials on a phishing site
What defenders can do:
- Application whitelisting (only approved software can run)
- Endpoint detection and response (EDR) tools
- Keep all software patched and up to date
- User awareness training — recognising phishing attempts
Stage 5: Installation
The attacker installs persistent malware on the compromised system — ensuring access survives a reboot.
What attackers do:
- Install a remote access trojan (RAT) or backdoor
- Modify startup scripts or registry keys for persistence
- Create new user accounts with administrative privileges
- Install rootkits that hide their presence from the OS
What defenders can do:
- Endpoint protection that detects unauthorised software installation
- Monitor for new scheduled tasks, services, or registry modifications
- Restrict administrative privileges (least privilege principle)
- File integrity monitoring on critical system files
Stage 6: Command and Control (C2)
The compromised system establishes a communication channel back to the attacker, allowing remote control.
What attackers do:
- Malware “phones home” to the attacker’s command and control server
- Communication often uses HTTPS (port 443) or DNS to blend in with normal traffic
- C2 channels allow the attacker to issue commands, download additional tools, and exfiltrate data
What defenders can do:
- Network monitoring for unusual outbound connections
- DNS monitoring for suspicious queries (DNS tunnelling detection)
- Block known C2 infrastructure using threat intelligence feeds
- Network segmentation to limit what compromised systems can reach
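An added example, not code from the original page, of the DNS tunnelling heuristic mentioned above: it groups queries per client and registered domain and flags a group whose subdomain labels are mostly long and high-entropy, which is the shape encoded data takes. The query-log format, the domain tunnel-demo.test and the thresholds are assumptions constructed for illustration; checking how recently a domain was registered needs external data and is out of scope here.

```python
"""Heuristic DNS tunnelling detector (added example; not the page's own code).

Query-log lines are assumed to be "time client qname" and are constructed
below. Thresholds are illustrative, not tuned for any real environment.
"""
import math
from collections import defaultdict

# Constructed sample log: ws-42 is normal browsing, ws-17 is sending
# encoded data in the first label of every query to one domain.
SAMPLE_DNS_LOG = """\
10:00:01 ws-42 www.example.com
10:00:02 ws-42 mail.example.com
10:00:03 ws-17 a9f3e1c0b7d2e4f6a1b3c5d7e9f0a2b4.tunnel-demo.test
10:00:03 ws-17 c4d8e2f6a0b4c8d2e6f0a4b8c2d6e0f4.tunnel-demo.test
10:00:04 ws-17 e1f5a9b3c7d1e5f9a3b7c1d5e9f3a7b1.tunnel-demo.test
10:00:04 ws-17 0b2d4f6a8c0e2a4c6e8a0c2e4a6c8e0a.tunnel-demo.test
10:00:05 ws-42 cdn.example.com
10:00:05 ws-17 7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d.tunnel-demo.test
"""


def shannon_entropy(s: str) -> float:
    """Bits per character. Hostnames like "www" score near 0; hex or
    base32 payloads score above 3."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Crude eTLD+1: the last two labels. Enough for the sample; real
    tooling uses the public suffix list so co.uk-style domains work."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def parse_dns_log(text: str):
    """Return (time, client, qname) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        time, client, qname = parts
        records.append((time, client, qname.lower()))
    return records


def find_tunnel_candidates(records, min_queries=4, min_label_len=24,
                           min_entropy=3.0, min_ratio=0.8):
    """Group queries by (client, registered domain) and flag groups in
    which most first labels are long and high-entropy."""
    groups = defaultdict(list)
    for _, client, qname in records:
        groups[(client, registered_domain(qname))].append(qname)

    findings = []
    for (client, domain), names in groups.items():
        if len(names) < min_queries:
            continue  # too few queries to judge
        suspicious = 0
        for name in names:
            if not name.endswith("." + domain):
                continue  # bare apex query carries no payload label
            first_label = name[: -len(domain) - 1].split(".")[0]
            if (len(first_label) >= min_label_len
                    and shannon_entropy(first_label) >= min_entropy):
                suspicious += 1
        if suspicious / len(names) >= min_ratio:
            findings.append({"client": client, "domain": domain,
                             "queries": len(names), "suspicious": suspicious})
    return findings


if __name__ == "__main__":
    for f in find_tunnel_candidates(parse_dns_log(SAMPLE_DNS_LOG)):
        print(f"{f['client']}: {f['suspicious']}/{f['queries']} high-entropy "
              f"queries to {f['domain']} (possible DNS tunnelling)")
```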
Stage 7: Actions on Objectives
The attacker achieves their goal — whatever they came to do.
What attackers do:
- Exfiltrate sensitive data (customer records, intellectual property, financial data)
- Encrypt files and demand ransom (ransomware)
- Destroy data or disrupt operations (sabotage)
- Move laterally to compromise additional systems
- Establish long-term persistent access for future operations
What defenders can do:
- Data loss prevention (DLP) tools that detect unusual data transfers
- Network segmentation to contain lateral movement
- Tested backup and recovery procedures (ransomware resilience)
- Incident response procedures to detect and contain the attack
The Complete Kill Chain
Figure: The 7 Stages of the Cyber Kill Chain. Lockheed Martin's framework — each stage is an opportunity for defenders to detect and disrupt.
What Does a Cyber Kill Chain Attack Look Like in Practice?
According to the Verizon 2024 DBIR, phishing remains the top initial access vector, appearing in over 36% of breaches — making it the most practical example for understanding how each kill chain stage operates.
Let us walk through a realistic phishing attack, step by step, to see the kill chain in action.
Scenario: An attacker targets a medium-sized accounting firm in Melbourne during tax season.
Stage 1 — Reconnaissance: The attacker finds the firm’s website, identifies staff names and email addresses, and notices they use Xero for accounting. They find the senior partner’s name on LinkedIn.
```bash
# Attacker's reconnaissance (for educational understanding only)
# WHOIS lookup to find domain registration details
whois examplefirm.com.au

# Search for email patterns
# The attacker checks LinkedIn, the company website, and email verification tools
```
Stage 2 — Weaponisation: The attacker creates a Word document that looks like a Xero invoice, embedded with a macro that downloads malware when the document is opened. They register a domain similar to xero.com — like xer0-invoices.com.
Stage 3 — Delivery: An email arrives at the firm: “Urgent: Overdue Invoice from Xero - Action Required.” The email comes from support@xer0-invoices.com and contains the malicious Word document. It is personalised with the senior partner’s name and the firm’s ABN.
Stage 4 — Exploitation: A junior staff member opens the attachment. Microsoft Word prompts “Enable Macros to view this document.” The staff member clicks “Enable.” The macro executes, exploiting a vulnerability in Word to run a PowerShell script.
Stage 5 — Installation: The PowerShell script downloads a remote access trojan (RAT) from the attacker’s server and installs it as a Windows service called “XeroUpdateService” — designed to look legitimate. It adds a registry key for persistence.
Stage 6 — Command and Control: The RAT connects to the attacker’s C2 server via encrypted HTTPS on port 443, blending in with normal web traffic. The attacker can now remotely control the compromised computer.
Stage 7 — Actions on Objectives: The attacker discovers the firm stores client tax returns on a shared network drive. They exfiltrate 3,000 client records containing names, addresses, tax file numbers, and financial data. They then deploy ransomware across the network, encrypting all shared drives.
How defenders could have stopped it at each stage:
| Stage | Defensive control | How it helps |
|---|---|---|
| 1. Recon | Limit information on the website, monitor for domain spoofing | Harder for the attacker to build a convincing lure |
| 2. Weapon | Keep Office and OS patched | Known macro exploits are blocked by patches |
| 3. Delivery | Email gateway with attachment sandboxing | Detonates the document in a safe environment and blocks it |
| 4. Exploit | Disable macros by default (Group Policy) | The macro cannot execute even if the user clicks “Enable” |
| 5. Install | Application whitelisting, EDR on endpoints | Blocks the RAT from installing or alerts on the new service |
| 6. C2 | Network monitoring, DNS filtering | Detects the unusual outbound connection to the C2 server |
| 7. Actions | Network segmentation, DLP, tested backups | Limits data access, detects exfiltration, enables recovery without paying ransom |
How Does the Cyber Kill Chain Fit Into a Security Architecture?
The MITRE ATT&CK framework catalogues 14 tactics and over 200 techniques observed in real-world intrusions, providing the granular operational detail that complements the kill chain’s strategic seven-stage model (MITRE Corporation, ATT&CK v14).
The Cyber Kill Chain and MITRE ATT&CK are the two most important attack frameworks in cybersecurity. They are complementary, not competing.
Two Frameworks Compared
Cyber Kill Chain vs MITRE ATT&CK
Cyber Kill Chain:
- 7 sequential stages — Linear progression from recon to objective
- High-level view — Good for understanding attack flow and strategy
- Defender-focused — Each stage maps to defensive controls
- Created by Lockheed Martin — Published in 2011, widely adopted
- Best for planning — Helps structure security investment by stage
MITRE ATT&CK:
- 14 tactics, 200+ techniques — Detailed matrix of specific attacker behaviours
- Granular detail — Maps exact techniques to specific threat actors
- Detection-focused — Each technique has documented detection methods
- Created by MITRE Corporation — Continuously updated, community-driven
- Best for operations — Helps SOC teams build detection rules and hunt threats
How they map together:
| Kill Chain Stage | MITRE ATT&CK Tactics |
|---|---|
| Reconnaissance | Reconnaissance (TA0043) |
| Weaponisation | Resource Development (TA0042) |
| Delivery | Initial Access (TA0001) |
| Exploitation | Execution (TA0002) |
| Installation | Persistence (TA0003), Privilege Escalation (TA0004) |
| Command & Control | Command and Control (TA0011) |
| Actions on Objectives | Collection (TA0009), Exfiltration (TA0010), Impact (TA0040) |
MITRE ATT&CK provides much more granularity. For example, within “Initial Access” there are specific techniques like phishing (T1566), drive-by compromise (T1189), and exploiting public-facing applications (T1190). Each technique has documented real-world examples and detection strategies.
What Are the Limitations of the Cyber Kill Chain?
The original Lockheed Martin model was designed for external, perimeter-focused intrusions — a limitation acknowledged by the broader security community and addressed by complementary frameworks such as MITRE ATT&CK and Zero Trust architecture (NIST SP 800-207).
The kill chain is a powerful framework, but it has known limitations.
| Limitation | Explanation | Workaround |
|---|---|---|
| Linear model | Real attacks are not always strictly sequential — attackers may loop back to earlier stages | Use alongside MITRE ATT&CK, which allows non-linear mapping |
| Perimeter-focused | The original model assumes attackers start outside the network | Modern attacks may start inside (insider threats, supply chain) — supplement with Zero Trust thinking |
| No insider threat coverage | The kill chain was designed for external attackers | Combine with insider threat frameworks and user behaviour analytics |
| Dated for cloud | Published in 2011 when on-premise was dominant | Apply the concepts to cloud environments — the stages still exist, the specific techniques differ |
| Oversimplifies advanced attacks | APTs may run multiple kill chains simultaneously across different targets | Use MITRE ATT&CK for complex, multi-stage campaigns |
Common beginner mistakes
- Thinking the kill chain is a checklist — it is a thinking framework, not a compliance requirement
- Focusing only on Stage 4 (exploitation) and ignoring reconnaissance and delivery
- Believing you must stop the attack at Stage 1 — disrupting any stage is valuable
- Confusing the kill chain with MITRE ATT&CK — they are complementary, not identical
- Memorising the stages without understanding the defensive actions at each one
The kill chain ties together concepts from across the curriculum — threats, defences, detection, response.
What Interview Questions Should You Expect About the Cyber Kill Chain?
The CompTIA Security+ SY0-701 exam objectives explicitly list the Cyber Kill Chain under Domain 1.2 (Threat Actors and Attack Surfaces), making it a foundational topic for both certification exams and job interviews.
Kill chain questions are common in SOC analyst and security operations interviews. They test whether you can think about attacks systematically.
Q1: What is the Cyber Kill Chain?
Strong answer: “The Cyber Kill Chain is a seven-stage framework developed by Lockheed Martin that describes the steps an attacker takes to achieve their objective — from initial reconnaissance through to completing their mission. For defenders, each stage represents an opportunity to detect and disrupt the attack. The seven stages are reconnaissance, weaponisation, delivery, exploitation, installation, command and control, and actions on objectives.”
Q2: At which stage would you want to stop an attack?
Strong answer: “As early as possible — ideally at delivery or earlier. But the key insight of the kill chain is that disrupting any stage breaks the chain. Even if you miss the initial compromise, detecting command and control traffic or unusual data exfiltration at later stages still prevents the attacker from achieving their objective. Defense in depth means having detection at every stage.”
Q3: Walk me through how a phishing attack maps to the kill chain.
Strong answer: “The attacker researches the target and finds employee email addresses (reconnaissance). They create a malicious document and craft a convincing email (weaponisation). They send the email to the target (delivery). The user opens the attachment and the exploit runs (exploitation). Malware installs itself and creates a persistent backdoor (installation). The malware connects back to the attacker’s server (command and control). The attacker steals data or deploys ransomware (actions on objectives).”
Q4: What is the difference between the Cyber Kill Chain and MITRE ATT&CK?
Strong answer: “The Kill Chain is a high-level, seven-stage model that shows the overall flow of an attack. MITRE ATT&CK is a detailed matrix of 14 tactics and over 200 specific techniques, mapped to real threat actors. The Kill Chain helps you understand the strategy. ATT&CK helps you build specific detection rules. Most security teams use both — the Kill Chain for planning and communication, ATT&CK for operations.”
Q5: How does the kill chain help with incident response?
Strong answer: “During an incident, the kill chain helps you determine how far the attacker has progressed. If you detect malware phoning home, you know they have reached Stage 6 — which means Stages 1 through 5 already succeeded. This tells you what evidence to look for, what to contain, and where your defences failed. It also guides the post-incident review — which stage should you have detected the attack at?”
How Is the Cyber Kill Chain Used in Real Security Operations?
According to the MITRE ATT&CK framework documentation, mapping observed adversary behaviour to kill chain phases and ATT&CK techniques is a core practice in modern Security Operations Centre (SOC) detection engineering and threat hunting.
SOC analysts use the kill chain daily to contextualise alerts and prioritise response.
Day-One SOC Application
On your first day as a SOC analyst, you might see:
- A suspicious email reported by a user — This is Stage 3 (Delivery). Your job: analyse the email, check if anyone clicked the link, and determine if it progressed to Stage 4.
- An EDR alert for a new scheduled task on a workstation — This could be Stage 5 (Installation). Your job: check what created the task, whether it is legitimate, and if the machine has any other indicators of compromise.
- Unusual DNS queries to a domain registered yesterday — This could be Stage 6 (Command and Control). Your job: investigate the source system, check if malware is present, and block the domain.
Each alert maps to a kill chain stage, which tells you what to investigate next.
Australian Context: ASD Essential Eight and the Kill Chain
The Australian Signals Directorate’s Essential Eight mitigation strategies map directly to kill chain stages:
| Essential Eight Control | Kill Chain Stage(s) Disrupted |
|---|---|
| Application control | Stage 4 (Exploitation), Stage 5 (Installation) |
| Patch applications | Stage 4 (Exploitation) |
| Configure Microsoft Office macros | Stage 3 (Delivery), Stage 4 (Exploitation) |
| User application hardening | Stage 3 (Delivery), Stage 4 (Exploitation) |
| Restrict admin privileges | Stage 5 (Installation), Stage 7 (Actions on Objectives) |
| Patch operating systems | Stage 4 (Exploitation) |
| Multi-factor authentication | Stage 4 (Exploitation), Stage 7 (Actions on Objectives) |
| Regular backups | Stage 7 (Actions on Objectives — ransomware recovery) |
This mapping is valuable in Australian job interviews. If an interviewer asks how you would improve security, you can reference both the Essential Eight and the kill chain stages they protect — demonstrating that you understand frameworks, not just tools.
Applying the Kill Chain to Log Analysis
```bash
# Stage 1 detection: Check web server logs for reconnaissance scanning
grep -i "nikto\|nmap\|masscan\|sqlmap" /var/log/apache2/access.log

# Stage 3 detection: Check email logs for suspicious attachments
grep -i "\.exe\|\.scr\|\.bat\|\.ps1\|\.vbs" /var/log/mail.log

# Stage 5 detection: Check for new scheduled tasks (Linux)
ls -la /etc/cron.d/
crontab -l
systemctl list-unit-files --type=service | grep enabled

# Stage 6 detection: Check for unusual outbound connections
# (column 6 of ss output is the peer address:port; column 5 is the local side)
ss -tunap | grep ESTAB | awk '{print $6}' | sort | uniq -c | sort -rn

# Stage 6 detection: Look for DNS queries to newly registered domains
# (in a production SOC, this is done by DNS monitoring tools, not manually)
```
Legal and ethical warning: Only run these commands on systems you own or have explicit written authorisation to investigate. Practice in your home lab to build familiarity with these techniques.
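An added example, not code from the original page: the indicators the commands above look for, applied in Python to constructed log lines, tagging each with its kill chain stage and the ATT&CK tactic IDs from the mapping table on this page, and reporting the furthest stage reached plus the earlier stages that must have succeeded without an alert, which is the reasoning from interview Q5. Log formats, hostnames, the domain-age field and every sample line are assumptions constructed for illustration.

```python
"""Kill-chain triage of constructed log lines (added example; not the page's own code).

Each line is tagged with the stage it most likely indicates, using the same
indicators as the shell one-liners on this page, and the summary reports how
far down the chain the intrusion has progressed.
"""
import re

# Kill chain stage -> (name, MITRE ATT&CK tactic IDs), from the page's mapping table.
ATTACK_TACTICS = {
    1: ("Reconnaissance", ["TA0043"]),
    2: ("Weaponisation", ["TA0042"]),
    3: ("Delivery", ["TA0001"]),
    4: ("Exploitation", ["TA0002"]),
    5: ("Installation", ["TA0003", "TA0004"]),
    6: ("Command and Control", ["TA0011"]),
    7: ("Actions on Objectives", ["TA0009", "TA0010", "TA0040"]),
}

# (stage, pattern, description). First match wins, so order is significant.
INDICATORS = [
    (1, re.compile(r"nikto|nmap|masscan|sqlmap", re.I), "scanner user-agent in web log"),
    (3, re.compile(r"attachment=.*\.(exe|scr|bat|ps1|vbs)\b", re.I), "executable attachment in mail log"),
    (5, re.compile(r"(new service|scheduled task|cron job) (created|installed)", re.I), "new persistence mechanism"),
    (6, re.compile(r"outbound .* to \S+:\d+|dns query .* domain age \d+d", re.I), "outbound connection or young-domain DNS query"),
    (7, re.compile(r"large upload|bytes_out=\d{8,}|files encrypted", re.I), "bulk transfer or encryption"),
]

# Constructed sample lines following the phishing scenario on this page;
# the "domain age" field is assumed to come from a DNS monitoring tool.
SAMPLE_EVENTS = """\
web   10.0.0.5 - "GET /admin HTTP/1.1" 404 "Mozilla/5.00 (Nikto/2.1.6)"
mail  from=support@xer0-invoices.example to=junior@examplefirm.example attachment=invoice.ps1
edr   host=WS-ACCT-07 new service created name=XeroUpdateService path=C:\\Users\\Public\\upd.exe
net   host=WS-ACCT-07 outbound tcp to 203.0.113.10:443 bytes_out=4096
dns   host=WS-ACCT-07 dns query api.xer0-invoices.example domain age 1d
"""


def classify(line: str):
    """Return (stage, description) for a line, or None if nothing matched."""
    for stage, pattern, desc in INDICATORS:
        if pattern.search(line):
            return stage, desc
    return None


def triage(text: str):
    """Classify every line and summarise how far down the chain the intrusion got."""
    hits = []
    for line in text.splitlines():
        result = classify(line)
        if result:
            stage, desc = result
            hits.append({"stage": stage, "name": ATTACK_TACTICS[stage][0],
                         "tactics": ATTACK_TACTICS[stage][1], "why": desc, "line": line})
    if not hits:
        return {"hits": [], "furthest": 0, "implied_complete": []}
    furthest = max(h["stage"] for h in hits)
    observed = {h["stage"] for h in hits}
    # Earlier stages that raised no alert still had to succeed for the attacker
    # to get this far: that is where the post-incident review should look.
    implied = [s for s in range(1, furthest) if s not in observed]
    return {"hits": hits, "furthest": furthest, "implied_complete": implied}


if __name__ == "__main__":
    summary = triage(SAMPLE_EVENTS)
    for h in summary["hits"]:
        print(f"Stage {h['stage']} {h['name']} ({', '.join(h['tactics'])}): {h['why']}")
    print("Furthest stage reached:", summary["furthest"])
    print("Stages with no alert that must have succeeded:", summary["implied_complete"])
```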
Summary and Key Takeaways
The Cyber Kill Chain gives you a structured way to understand how attacks work and where to stop them.
- Seven stages — Reconnaissance, Weaponisation, Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives. Every attack follows this pattern.
- Each stage is an opportunity for defenders. You do not need to stop the attacker at Stage 1 — disrupting any stage breaks the chain.
- Defense in depth means having detection and prevention at every stage, not just one.
- The kill chain and MITRE ATT&CK are complementary. Use the kill chain for strategic understanding and ATT&CK for operational detail.
- Real attacks follow the pattern. SolarWinds, Medibank, Colonial Pipeline, WannaCry — all map to the seven stages.
- The Essential Eight (Australia) directly maps to kill chain stages, making this framework immediately practical for Australian job seekers.
- Interview-critical. Being able to walk through a phishing attack using the kill chain demonstrates structured thinking that hiring managers value.
Related
- Understanding the Threat Landscape for context on who uses the kill chain to attack
- Incident Response for what happens when you detect an attack at any kill chain stage
- What Is Ethical Hacking to understand the methodology ethical hackers use, which mirrors the kill chain
- Security Concepts for the defensive principles (defense in depth, least privilege) that disrupt the kill chain
- Career Roadmap to see where kill chain knowledge fits in your learning path
Framework details verified against the original Lockheed Martin Cyber Kill Chain paper (2011), MITRE ATT&CK v14, and ASD Essential Eight guidance. Last verified: March 2026. Individual results vary based on background, effort, and market conditions.
Frequently Asked Questions
What is the Cyber Kill Chain?
The Cyber Kill Chain is a seven-stage framework developed by Lockheed Martin that describes the sequence of steps an attacker follows to compromise a target — from initial research through to achieving their objective. It is used by defenders to identify where attacks can be detected and disrupted.
What are the 7 stages of the Cyber Kill Chain?
The seven stages are: 1) Reconnaissance — researching the target, 2) Weaponisation — creating the attack tool, 3) Delivery — transmitting it to the target, 4) Exploitation — triggering the vulnerability, 5) Installation — establishing persistence, 6) Command and Control — establishing remote access, and 7) Actions on Objectives — achieving the attacker's goal.
How does the Cyber Kill Chain help defenders?
Each stage represents an opportunity to detect and disrupt the attack. If you block the phishing email (Stage 3), the attacker cannot exploit the vulnerability (Stage 4). If you detect command and control traffic (Stage 6), you can contain the attack before data is stolen (Stage 7). Defense in depth means having controls at every stage.
What is the difference between the Cyber Kill Chain and MITRE ATT&CK?
The Kill Chain is a high-level, seven-stage sequential model showing the overall attack flow. MITRE ATT&CK is a detailed matrix with 14 tactics and over 200 specific techniques, each mapped to real threat actors and detection methods. They are complementary — the Kill Chain for strategy, ATT&CK for operational detail.
Which kill chain stage is most important to defend?
All stages matter, but disrupting earlier stages is more efficient. Blocking at Stage 3 (Delivery) prevents everything that follows. However, defense in depth requires detection at every stage because no single control is perfect. If a phishing email gets through, endpoint detection at Stage 5 or network monitoring at Stage 6 can still stop the attack.
Is the Cyber Kill Chain still relevant?
Yes, though it has known limitations. The linear model does not perfectly capture all modern attacks, especially insider threats and supply chain compromises. However, the fundamental concept — that attacks follow stages, and each stage is an opportunity for defense — remains valid. Most security teams use the Kill Chain alongside MITRE ATT&CK for comprehensive coverage.
How does the kill chain apply to phishing attacks?
An attacker researches the target and gathers email addresses (recon), creates a malicious document and convincing email (weaponisation), sends the email (delivery), the user opens the attachment and the exploit runs (exploitation), malware installs itself (installation), malware connects back to the attacker (C2), and the attacker steals data or deploys ransomware (actions on objectives).
What is command and control (C2) in the kill chain?
Command and control is Stage 6 — where the compromised system establishes a communication channel back to the attacker. This allows remote control of the infected system. C2 traffic often uses HTTPS or DNS to blend in with normal network traffic. Detecting unusual outbound connections is a key SOC analyst skill.
How does the ASD Essential Eight relate to the kill chain?
Each Essential Eight control disrupts specific kill chain stages. Application control blocks Stages 4-5, patching blocks Stage 4, macro restrictions block Stages 3-4, MFA blocks Stages 4 and 7, restricting admin privileges blocks Stages 5 and 7, and regular backups provide recovery from Stage 7 ransomware attacks.
Will I be asked about the kill chain in job interviews?
Yes, the Cyber Kill Chain is a common topic in SOC analyst and security operations interviews. Interviewers typically ask you to explain the stages, walk through a specific attack using the kill chain, or compare it with MITRE ATT&CK. Being able to map a real-world scenario to the seven stages demonstrates the structured thinking employers value.
More resources
- The original paper and official overview of the Cyber Kill Chain framework from Lockheed Martin.
- MITRE ATT&CK Framework: The comprehensive knowledge base of adversary tactics and techniques — the operational complement to the Kill Chain.
- ASD Essential Eight: Australia's baseline cyber security mitigation strategies — maps directly to kill chain disruption points.