Overview
Direct Answer
The Cyber Kill Chain, published by Lockheed Martin, is a linear model that segments an intrusion into seven distinct phases, from initial reconnaissance through to actions on objectives such as data exfiltration. It provides a structured framework for analysing adversary behaviour and for identifying the points at which an attack can be detected and stopped before it succeeds.
How It Works
The model progresses through reconnaissance (gathering intelligence on the target, such as email addresses, exposed services and the technology in use), weaponisation (coupling an exploit with a backdoor into a deliverable payload), delivery (transmitting the payload to the target, typically by email attachment, web download or removable media), exploitation (triggering a vulnerability so that the attacker's code runs on the victim system), installation (establishing persistence on that system), command and control (opening a channel through which the attacker can remotely direct the compromised host), and finally actions on objectives (pursuing the attacker's goals, such as data exfiltration or lateral movement). Because each phase depends on the success of the one before it, every phase is an opportunity for defensive controls to detect and disrupt the sequence, and breaking the chain at any single phase defeats the intrusion.
Why It Matters
Organisations use this framework to map their detective and preventive controls against each phase and to direct resources to the phases where gaps exist. Understanding the chain lets security teams anticipate the adversary's next step, place monitoring where the evidence of each phase is generated, and design layered defences rather than relying on a single preventative control at the perimeter.
Common Applications
Incident response teams employ the model to reconstruct attack timelines and identify missed detection opportunities. Threat intelligence analysts use it to profile adversary tactics and techniques, whilst security architects reference it when designing network segmentation and logging strategies across enterprise environments.
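The incident response use described above (reconstructing an attack timeline and finding missed detection opportunities), together with the control-to-phase mapping from the previous sections, as an added example that is not part of the original page. The log format, the event-type-to-phase mapping and the control inventory are hypothetical, and the log lines are constructed for the example.

```python
"""Kill-chain timeline reconstruction and control-gap mapping.

Added example, not code from the original page. The log format, the
event-type-to-phase mapping and the control inventory are hypothetical;
the log lines are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# The seven phases in chain order.
PHASES = [
    "reconnaissance", "weaponisation", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]
PHASE_INDEX = {phase: i for i, phase in enumerate(PHASES)}

# Hypothetical mapping from event types a SIEM might emit to the phase
# they are evidence of. Weaponisation happens off-network and leaves no
# log on the victim side, so it has no entry.
EVENT_PHASE = {
    "web_scan": "reconnaissance",
    "email_attachment": "delivery",
    "macro_spawned_process": "exploitation",
    "new_run_key": "installation",
    "beacon": "command_and_control",
    "bulk_download": "actions_on_objectives",
}

# Hypothetical control inventory: the phases each control can detect.
CONTROLS = {
    "mail gateway attachment sandbox": {"delivery"},
    "endpoint detection and response": {"exploitation", "installation"},
    "DNS and proxy egress filtering": {"command_and_control"},
}

# Constructed log: "<ISO timestamp> <event type> <host or source> <alerted>",
# where alerted is 1 if a control raised an alert at the time, else 0.
SAMPLE_LOG = """\
2024-03-04T08:12:00 web_scan 203.0.113.7 0
2024-03-04T09:30:00 email_attachment mail-gw 0
2024-03-04T09:41:00 macro_spawned_process ws-17 0
2024-03-04T09:42:00 new_run_key ws-17 0
2024-03-04T09:50:00 beacon ws-17 1
2024-03-04T13:05:00 bulk_download ws-17 1
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str
    source: str
    alerted: bool


@dataclass(frozen=True)
class PhaseRecord:
    phase: str
    first_seen: datetime            # earliest evidence in the logs
    alerted_at: Optional[datetime]  # earliest alert, or None if never alerted


def parse_log(text: str) -> list:
    """Parse the constructed log format into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, source, alerted = line.split()
        events.append(Event(datetime.fromisoformat(ts), kind, source, alerted == "1"))
    return events


def reconstruct_timeline(events) -> list:
    """Collapse raw events into one PhaseRecord per observed phase, in chain order."""
    first_seen, alerted_at = {}, {}
    for ev in sorted(events, key=lambda e: e.ts):
        phase = EVENT_PHASE.get(ev.kind)
        if phase is None:
            continue  # event type carries no kill-chain meaning
        first_seen.setdefault(phase, ev.ts)
        if ev.alerted:
            alerted_at.setdefault(phase, ev.ts)
    return [PhaseRecord(p, first_seen[p], alerted_at.get(p))
            for p in PHASES if p in first_seen]


def missed_opportunities(timeline) -> list:
    """Phases that left evidence but raised no alert and sit earlier in the
    chain than the first phase that did alert: each is a point where the
    intrusion could have been stopped sooner."""
    alerted = [PHASE_INDEX[r.phase] for r in timeline if r.alerted_at is not None]
    cutoff = min(alerted) if alerted else len(PHASES)
    return [r.phase for r in timeline
            if r.alerted_at is None and PHASE_INDEX[r.phase] < cutoff]


def time_to_first_alert(timeline) -> Optional[timedelta]:
    """Delay between the earliest evidence of the intrusion and the first alert."""
    alerts = [r.alerted_at for r in timeline if r.alerted_at is not None]
    if not alerts:
        return None
    return min(alerts) - min(r.first_seen for r in timeline)


def uncovered_phases(controls) -> list:
    """Phases that no control in the inventory claims to detect."""
    covered = set().union(*controls.values())
    return [p for p in PHASES if p not in covered]


if __name__ == "__main__":
    timeline = reconstruct_timeline(parse_log(SAMPLE_LOG))
    for r in timeline:
        alerted = r.alerted_at.strftime("%H:%M") if r.alerted_at else "never"
        print(f"{r.phase:24} seen {r.first_seen:%H:%M}  alerted {alerted}")
    print("missed opportunities:", missed_opportunities(timeline))
    print("time to first alert:", time_to_first_alert(timeline))
    print("uncovered phases:", uncovered_phases(CONTROLS))
```

On the constructed log the first alert fires at command and control, 98 minutes after the reconnaissance scan, and four earlier phases left evidence without alerting; the control inventory shows no coverage for reconnaissance or actions on objectives, which is where a team would direct its next investment.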
Key Considerations
The linear seven-phase model can oversimplify complex, iterative attacks in which adversaries loop back to earlier stages, for example by repeating reconnaissance and delivery from a foothold already inside the network. Modern attacks frequently diverge from the sequence: supply chain compromises and insider threats skip the delivery and exploitation phases entirely, and the model offers little detail on post-compromise activity such as privilege escalation and lateral movement, which it folds into the single final phase.
More in Cybersecurity
Attack Surface (Offensive Security): The set of points at which an unauthorised user can try to enter or extract data from a system.
Supply Chain Attack (Offensive Security): A cyberattack targeting the less-secure elements of a supply chain to compromise a primary target.
Security by Design (Security Governance): An approach that integrates security considerations into every stage of the software development lifecycle.
Zero-Day Vulnerability (Offensive Security): A software security flaw unknown to the vendor that can be exploited before a patch is available.
Honeypot (Defensive Security): A decoy system designed to attract attackers and study their methods while protecting real systems.
Digital Forensics (Defensive Security): The process of collecting, preserving, and analysing electronic evidence for investigating security incidents.
End-to-End Encryption (Data Protection): A communication system in which only the communicating users can read the messages, with encryption at both endpoints.
Sandbox (Offensive Security): An isolated testing environment, which may mimic production settings, for safely running untrusted programs or code.