• John Gullette


Updated: Jun 17


As the world’s information goes digital, cyber security is growing in necessity. Regulations, like GDPR, are forcing companies to enhance their measures but with rapidly evolving technology, cyber threats are always a step ahead of regulation. Keeping a system truly secure isn’t just about doing the bare minimum, but actively staying ahead of the evolving tactics. Cyber Threat Intelligence (CTI) is the rising field that helps to solve this problem. CTI focuses on understanding the adversary and how to protect against their evolving tactics.

One of the largest data sets used to understand the adversary’s tactics is their past intrusion attempts. In intrusion analysis, CTI analysts rely on various models to make sense of the activities of an adversary.

One of the most used and valuable models used by CTI analysts is a concept known as the “Cyber Kill Chain®.” In this post, we’ll take a look at the Cyber Kill Chain and each of its seven stages.


The Cyber Kill Chain® is a deterministic process, developed by Lockheed Martin, that describes seven successive stages of a typical cyber intrusion: reconnaissance/precursors, weaponization, delivery, exploitation, installation, command and control (C2), and actions-on-objectives. Not every intrusion perfectly follows this model, however, it creates a framework for understanding the foundations of an intrusion. This model is helpful because it both supports CTI analysts in understanding the adversary and it helps cyber security decision makers understand the seven (7) stages in which compromise can be stopped; assisting their ability to know what needs to be fortified.

Reconnaissance/Precursors refers to all of the upfront preparation necessary to execute an intrusion. This step may include but is not limited to identification of targets, acquisition of infrastructure and tools, and organizational research. Often, this stage is difficult to detect, however some indicators may be present in the referrer string from a search engine.

Weaponization is the process of taking the infrastructure and tools necessary and preparing them for specific use against the target. This is like the military creating the bomb that will be dropped on their target. In the cyber world, this includes configuring and packaging the cyber weapons. A common tool used in this stage is the Metasploit Framework. Now the weapon is ready to be delivered.

Delivery is the mechanism in which the malicious tools, those weaponized in the previous stage, get to the target. This may include physical methods like a USB device or, more commonly, phishing emails and malicious websites. Just because something is successfully delivered does not mean that it has successfully reached the target system. That requires an exploit.

Exploitation is the step when a vulnerability is taken advantage of in order for the weapon to get inside the target system. In the cyber world, when people talk about the Zero Day Exploit, this is the phase when that is used. It is the threat taking advantage of a vulnerability that was previously unknown. Software vulnerabilities, however, are not the only type of vulnerability. Humans are always vulnerable and if a software vulnerability can not be exploited, humans are also the next target.

Once the vulnerability has been exploited, and the weapon has invaded the system, it now must install itself to the computer.

Installation is the phase in which the malware installs itself on the device to now act in the desired way for achieving its designed purpose. Without installation, the malware is just a file unable to act; but once installed, it can now run on the device. This phase includes the file names, how they are placed on the machine, and how the process is invoked on startup. Often, there are additional components that need to be downloaded after the first one, and these are called “droppers.” They are additional installed items that set up aspects of the operation like a backdoor for persistent access.

At this point, however, the adversary cannot receive information from the malware’s actions. Therefore they now need to establish communication with the victim machine.

Command and Control (C2) is the stage of establishing communication between the adversary and the victim machine. This stage includes properties like the type of backdoor (Trojan or RAT) used, the protocol for communication (HTTP etc.), and external servers (often shown in domains or IP addresses) used to receive and transmit communication with the victim device. This stage is critical in order for the adversary to now have operational control of the victim device. Once this is established, they can attempt to fulfill their intended purpose for attack.

Actions on Objectives is the final stage of the Cyber Kill Chain®. Here the adversary uses their operational control of the device to fulfill whatever purpose they attacked for. This may include exfiltrating files, stealing browser information, and logging keystrokes for credentials. Once this stage has been completed, the adversary’s attack is successful. It is at this point when a device is officially compromised. If the adversary, however, is stopped at any of the stages of the Cyber Kill Chain®, then the compromise is unsuccessful.


The Cyber Kill Chain® is one of the most important models to understand in cyber security. Cyber security specialists need to have protective measures in place at each stage. Mapping intrusion attempts to this model helps understand the tactics of your adversary and the strengths and weaknesses of your defense. Good cyber security is fed from knowing yourself and your adversary; and the Cyber Kill Chain® is a model that when used properly can assist in both.