Overview
Direct Answer
The Cyber Kill Chain is a linear model that segments cyberattacks into seven distinct phases, from initial reconnaissance through data exfiltration and actions on objectives. It provides a structured framework for analysing adversary behaviour and identifying intervention points before an attack succeeds.
How It Works
The model progresses through reconnaissance (gathering target intelligence), weaponisation (creating malicious payloads), delivery (transmitting exploits), exploitation (executing code on systems), installation (establishing persistence), command and control (maintaining access), and finally actions on objectives (achieving attacker goals). Each phase represents an opportunity where defensive controls can detect and disrupt the attack sequence before the attacker advances to subsequent stages.
Why It Matters
Organisations use this framework to map their defensive capabilities against each phase, prioritising resources where gaps exist. Understanding the chain enables security teams to anticipate adversary progression, allocate monitoring efforts effectively, and design layered defences rather than relying on single-point preventative measures.
Common Applications
Incident response teams employ the model to reconstruct attack timelines and identify missed detection opportunities. Threat intelligence analysts use it to profile adversary tactics and techniques, whilst security architects reference it when designing network segmentation and logging strategies across enterprise environments.
Key Considerations
The linear seven-phase model can oversimplify complex, iterative attacks where adversaries loop back to earlier stages. Modern attacks frequently diverge from this sequence, and the framework does not account for supply chain compromises or insider threats that bypass initial reconnaissance phases entirely.
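How a team might apply the phase model described above to a control inventory and an incident timeline, as an added Python example that is not from the original page; the controls, events, timestamps and helper function names are all constructed for illustration:

```python
# Kill chain coverage and timeline analysis. Added example, not from the
# original page; controls, events and timestamps below are constructed.

# The seven phases of the Cyber Kill Chain, in model order.
PHASES = ["reconnaissance", "weaponisation", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]
RANK = {phase: i for i, phase in enumerate(PHASES)}

# Hypothetical mapping of an organisation's detective controls to phases.
CONTROLS = {
    "delivery": ["mail gateway attachment sandbox"],
    "exploitation": ["endpoint exploit mitigation alerts"],
    "command_and_control": ["egress proxy beacon detection"],
}

# Constructed incident timeline: (timestamp, phase, description, alerted).
TIMELINE = [
    ("2024-03-01T08:00", "reconnaissance", "staff list scraped from public site", False),
    ("2024-03-02T09:15", "delivery", "phishing mail with macro document", False),
    ("2024-03-02T09:20", "exploitation", "macro spawns scripting host", False),
    ("2024-03-02T09:21", "installation", "scheduled task created", False),
    ("2024-03-02T09:30", "command_and_control", "periodic HTTPS beacon", True),
]

def coverage_gaps(controls):
    """Phases with no mapped detective control: where to prioritise resources."""
    return [p for p in PHASES if not controls.get(p)]

def first_detection_phase(timeline):
    """Phase of the earliest event that raised an alert, or None if never detected."""
    alerted = sorted(e for e in timeline if e[3])
    return alerted[0][1] if alerted else None

def missed_opportunities(timeline, controls):
    """Phases traversed before the first alert, each labelled as a control that
    should have fired or as a coverage gap, for the incident review."""
    missed = []
    for ts, phase, desc, alerted in sorted(timeline):
        if alerted:
            break
        reason = "control present but did not fire" if controls.get(phase) else "no control"
        missed.append((phase, reason))
    return missed

def out_of_sequence(timeline):
    """Events whose phase is earlier than the preceding event's phase: the
    adversary looped back, which the linear model does not capture."""
    ordered = sorted(timeline)
    return [e[1] for prev, e in zip(ordered, ordered[1:]) if RANK[e[1]] < RANK[prev[1]]]
```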