Trace Id is missing
Skip to main content
Microsoft Security

What is the cyber kill chain?

Learn about a security operations (SecOps) framework that outlines the stages of a cyberattack, including reconnaissance, breach, and data exfiltration.

The cyber kill chain in cybersecurity

The cyber kill chain, also known as the cyberattack chain, is a cybersecurity model designed to help interrupt and prevent sophisticated cyberattacks. By breaking down a typical cyberattack into stages, this approach helps security teams identify in-progress cyberattacks and stop them before they do damage to an organization.

Key takeaways

  • The cyber kill chain is a cybersecurity model that breaks down a typical cyberattack into stages to help security teams identify in-progress cyberattacks and stop them.
  • The cyber kill chain includes eight phases: reconnaissance, weaponization, delivery, exploitation, installation, command and control, actions on objectives, and monetization.
  • Implementing the cyber kill chain model starts with analyzing each stage of the model as it relates to the affected organization.
  • Some common critiques of the cyber kill chain model are that it’s less effective against insider threats and attacks that don’t involve malware.

History of the cyber kill chain

In 2011, Lockheed Martin adapted a military concept called the kill chain for the cybersecurity industry and named it the cyber kill chain. Like the kill chain, the cyber kill chain identifies the stages of an attack and gives defenders insight into their adversaries’ typical tactics and techniques during each stage. Both models are also linear with the expectation that attackers will follow each stage sequentially.

Since the cyber kill chain was first introduced, cyberthreat actors have evolved their tactics and don’t always follow every stage of the cyber kill chain. In response, the security industry has updated its approach and developed new models. The MITRE ATT&CK® matrix is a detailed list of tactics and techniques based on real attacks. It uses similar stages as the cyber kill chain but doesn’t follow a linear order.

In 2017 Paul Pols in collaboration with Fox-IT and Leiden University developed another framework, the unified kill chain, which combines elements of both the MITRE ATT&CK matrix and the cyber kill chain into a model with 18 stages.

Stages of the cyber kill chain

Reconnaissance


The cyber kill chain defines a sequence of cyberattack phases with the goal of understanding the mindset of cyberattackers, including their motives, tools, methods, and techniques, how they make decisions, and how they evade detection. Understanding how the cyber kill chain works helps defenders stop cyberattacks in the earliest stages.

Weaponization

During the weaponization phase, bad actors use the information uncovered during reconnaissance to create or modify malware to best exploit the targeted organization’s weaknesses.

Delivery

Once they’ve built malware, cyberattackers attempt to launch their attack. One of the most common methods is using social engineering techniques such as phishing to trick employees into handing over their sign-in credentials. Bad actors may also gain entry by taking advantage of a public wireless connection that isn’t very secure or exploiting a software or hardware vulnerability uncovered during reconnaissance.

Exploitation

After cyberthreat actors infiltrate the organization, they use their access to move laterally from system to system. Their goal is to find sensitive data, additional vulnerabilities, administrative accounts, or email servers that they can use to inflict damage on the organization.

Installation

In the installation stage, bad actors install malware that gives them control of more systems and accounts.

Command and control

After cyberattackers have gained control of a significant number of systems, they create a control center that allows them to operate remotely. During this stage they use obfuscation to cover their tracks and avoid detection. They also use denial-of-service attacks to distract security professionals from their true objective.

Actions on objectives

In this stage, cyberattackers take steps to achieve their primary goal, which could include supply chain attacks, data exfiltration, data encryption, or data destruction.

Monetization

Although Lockhead Martin’s original cyber kill chain included just seven steps, many cybersecurity experts have expanded it to eight to account for the activities bad actors take to generate income from the attack, such as using ransomware to extract a payment from their victims or selling sensitive data on the dark web.

Impact of the cyber kill chain on cybersecurity

Understanding how cyberthreat actors plan and conduct their attacks helps cybersecurity professionals find and mitigate vulnerabilities across the organization. It also helps them identify indicators of compromise during the early stages of a cyberattack. Many organizations use the cyber kill chain model to proactively put security measures in place and to guide incident response.

Benefits of the cyber kill chain model

The cyber kill chain model helps security professionals:

  • Identify threats at every stage of the cyber kill chain.

  • Make it harder for unauthorized users to gain access.

  • Harden privileged accounts, data, and systems.

  • Routinely patch and upgrade old hardware and software.

  • Teach employees how to spot a phishing email.

  • Uncover and respond quickly to lateral movement.

  • Stop in-progress cyberattacks.

Implementing the cyber kill chain

Threat intelligence

One of the most important tools for protecting an organization from cyberthreats is threat intelligence. Good threat intelligence solutions synthesize data from across an organization’s environment and deliver actionable insights that help security professionals detect cyberattacks early.

Identity and access management

Often bad actors infiltrate an organization by guessing or stealing passwords. After they get inside, they attempt to escalate privileges to gain access to sensitive data and systems. Identity and access management solutions help detect anomalous activity that may be an indication that an unauthorized user has gained access. They also offer controls and security measures, such as two-factor authentication, that make it more difficult for someone to use stolen credentials to sign in.

Security information and event management

Many organizations stay ahead of the latest cyberthreats with the help of a security information and event management (SIEM) solution. SIEM solutions aggregate data from across the organization and from third-party sources to surface critical cyberthreats for security teams to triage and address. Many SIEM solutions also automatically respond to certain known threats, reducing the number of incidents that a team needs to investigate.

Endpoint detection and response

In any one organization there are hundreds or thousands of endpoints. Between the servers, computers, mobile devices, and Internet of Things (IoT) devices that companies use to conduct business, it can be nearly impossible to keep them all up to date. Bad actors know this, which is why many cyberattacks start with a compromised endpoint. Endpoint detection and response solutions help security teams monitor them for threats and respond quickly when they discover a security issue with a device.

Extended detection and response

Extended detection and response (XDR) solutions take endpoint detection and response one step further with a single solution that protects endpoints, identities, cloud apps, and emails.

Managed detection and response

Not all companies have in-house resources available to effectively detect and respond to threats. To augment their existing security team, these organizations turn to service providers that offer managed detection and response. These service providers take on the responsibility of monitoring an organization’s environment and responding to threats.

Cyber kill chain challenges

Although understanding the cyber kill chain can help companies and governments proactively prepare for and respond to complex, multistage cyberthreats, relying on it exclusively may make an organization vulnerable to other types of cyberattacks. A few of the common critiques of the cyber kill chain are that it’s:
  • Focused on malware. The original cyber kill chain framework was designed to detect and respond to malware and is not as effective against other types of attacks, such as an unauthorized user gaining access with compromised credentials.
  • Ideal for perimeter security. With an emphasis on protecting endpoints, the cyber kill chain model worked well when there was a single network perimeter to protect. Now with so many remote workers, the cloud, and an ever-expanding number of devices accessing a company’s assets, it can be nearly impossible to address every endpoint vulnerability.
  • Not equipped for insider threats. Insiders, who already have access to some systems, are harder to detect with a cyber kill chain model. Instead, organizations need to monitor and detect changes in user activity.
  • Too linear. Although many cyberattacks follow the eight stages outlined in the cyber kill chain, there are also many that don’t or combine several steps into a single action. Organizations that are too focused on each of the stages may miss these cyberthreats.

Cyber kill chain solutions

Since 2011 when Lockhead Martin first introduced the cyber kill chain, a lot has changed in the technology and cyberthreat landscape. Cloud computing, mobile devices, and IoT devices have transformed how people work and businesses operate. Cyberthreat actors have responded to these new technologies with their own innovations, including using automation and AI to accelerate and improve their cyberattacks. The cyber kill chain offers a great starting point for developing a proactive security strategy that takes into account the cyberattacker mindset and objectives. Microsoft Security offers a unified SecOps platform that brings together XDR and SIEM into one adaptable solution to help organizations develop a multilayered defense that protects all stages in the cyber kill chain. And organizations are also preparing for emerging, AI-powered cyberthreats by investing in AI for cybersecurity solutions, like Microsoft Security Copilot.

Frequently asked questions

  • The cyber kill chain is a cybersecurity model that breaks down a typical cyberattack into stages to help security teams identify in-progress cyberattacks and stop them before they do damage.

    The MITRE ATT&CK matrix is a more detailed list of tactics and techniques based on real cyberattacks. It uses similar stages as the cyber kill chain but doesn’t follow a linear order.
  • The tools that organizations use to detect and stop cyberattacks across the cyber kill chain are SIEM solutions, XDR solutions, and threat intelligence.
  • The traditional cyber kill chain includes the following seven stages:
    • Reconnaissance
    • Weaponization
    • Delivery 
    • Exploitation
    • Installation
    • Command and control
    • Actions on objectives 
       
    Some people also include an eighth stage, which is monetization.
  • Implementing the cyber kill chain model starts with analyzing each stage of the model as it relates to the affected organization. This will help security teams identify vulnerabilities and areas of greatest risk. Once an organization knows what to prioritize, the following strategies and tools can help security teams detect and respond to sophisticated cyberthreats:
     
    • Develop an end-to-end threat intelligence program.
    • Implement a SIEM solution.
    • Deploy an XDR solution.
    • Put in place comprehensive identity and access management.
    • Run regular security training for all employees.
    • Develop incident response playbooks.
  • The cyber kill chain protects again multistage malware attacks.

Follow Microsoft Security