The 7 Phases of the Cyber Kill Chain
An Intelligence-Driven Defense Framework (the intrusion kill chain model published by Lockheed Martin)
Phase 1: Reconnaissance
Information Gathering
Attackers research and identify targets, gathering intelligence about the organization, employees, and technical infrastructure.
Attacker Tactics
- OSINT collection
- Social media profiling
- DNS/WHOIS lookups
- Email harvesting
Defensive Actions
- Monitor public information
- Employee security awareness
- Threat intelligence feeds
- Attack surface management
🔍 Reconnaissance Detection
Common tools used by defenders to detect or prevent activity in this phase.
Phase 2: Weaponization
Exploit + Payload
Attackers combine exploits with malicious payloads to create weaponized deliverables tailored to the target environment.
Attacker Tactics
- Malicious document creation
- RAT/Backdoor packaging
- Zero-day exploit integration
- Payload obfuscation
Defensive Actions
- Threat intelligence sharing
- Signature development
- Behavioral analysis
- Malware sandboxing
⚔️ Weaponization Analysis
Phase 3: Delivery
Payload Transport
The weaponized payload is transmitted to the target through various delivery mechanisms, with email being the most common vector.
Attacker Tactics
- Spear phishing emails
- Malicious website hosting
- USB/removable media drops
- Watering hole attacks
Defensive Actions
- Email security gateways
- Web content filtering
- USB device controls
- User awareness training
📧 Delivery Protection
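Most of the email-gateway and awareness checks listed above come down to a handful of tests on the incoming message: who really sent it, where replies go, what is attached, and where the links point. The following script is an added example and not part of the original page; it triages one RFC 5322 message with the Python standard library and reports findings. The sample message, the risky-extension list and the fictitious domains are constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attachment types that commonly carry a weaponized payload at the Delivery
# phase. Assumption: an illustrative list, not an exhaustive policy.
RISKY_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".js", ".jse", ".vbs", ".hta",
                    ".lnk", ".iso", ".img", ".scr", ".exe", ".cmd", ".bat"}
# "invoice.pdf.exe": a benign-looking extension followed by an executable one.
DOUBLE_EXTENSION = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png|txt)\.[a-z0-9]{1,4}$")


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(header_value):
    """Mailbox domain from a From/Reply-To header value."""
    return parseaddr(str(header_value))[1].rsplit("@", 1)[-1].lower()


def _host(url):
    return (urlparse(url).hostname or "").lower()


def triage_email(raw):
    """Return human-readable findings for one raw RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Sender-authentication verdicts stamped by the receiving MTA.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) not in ("pass", "none"):
            findings.append(f"{mech} verdict is {m.group(1)}")

    # 2. Reply-To steering replies to a domain other than the sender's.
    from_dom = _domain(msg.get("From", ""))
    reply_to = msg.get("Reply-To")
    if reply_to and _domain(reply_to) != from_dom:
        findings.append(f"Reply-To domain {_domain(reply_to)} differs from From domain {from_dom}")

    # 3. Attachments with executable/macro-enabled or doubled extensions.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky attachment type: {name}")
        if DOUBLE_EXTENSION.search(name):
            findings.append(f"double extension: {name}")

    # 4. Links whose visible text is a URL on a different host than the href.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        extractor = LinkExtractor()
        extractor.feed(body.get_content())
        for href, text in extractor.links:
            if "://" in text and _host(text) != _host(href):
                findings.append(f"link text shows {_host(text)} but points to {_host(href)}")
    return findings


# Constructed sample message; the domains, addresses and IP are fictitious.
SAMPLE_EML = b"""\
From: "Payroll Team" <payroll@example-corp.com>
Reply-To: payroll.update@example-corp-secure.net
To: staff@example-corp.com
Subject: Action required: updated payslip
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=example-corp.com; dkim=none; dmarc=fail header.from=example-corp.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your payslip is ready: <a href="http://198.51.100.7/login">https://portal.example-corp.com</a></p>
--b1
Content-Type: application/octet-stream; name="payslip.pdf.exe"
Content-Disposition: attachment; filename="payslip.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

if __name__ == "__main__":
    for finding in triage_email(SAMPLE_EML):
        print("-", finding)
```

On the sample message the script reports six findings: failed SPF and DMARC, a Reply-To on a look-alike domain, an executable attachment hiding behind a .pdf name, and a link whose text shows the corporate portal while the href goes to a bare IP address. None of these checks opens the attachment; detonation in a sandbox belongs to the Weaponization analysis step above.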
Phase 4: Exploitation
Code Execution
The attacker triggers the exploit, taking advantage of vulnerabilities in applications, operating systems, or human psychology.
Attacker Tactics
- Buffer overflow
- Social engineering execution
- Zero-day vulnerability abuse
- Privilege escalation
Defensive Actions
- Patch management
- Host-based IPS (HIPS)
- Application sandboxing
- Endpoint Detection & Response (EDR)
💥 Exploitation Prevention
Phase 5: Installation
Persistence Setup
Attackers install backdoors, remote access trojans, or other persistence mechanisms to maintain access to the compromised system.
Attacker Tactics
- RAT installation
- Registry modification
- Service creation
- Scheduled task setup
Defensive Actions
- Anti-malware solutions
- File integrity monitoring
- Registry monitoring
- Application whitelisting
🔧 Installation Detection
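The three persistence tactics above (service creation, scheduled tasks, Run-key modification) each leave a Windows event: Security 4698 for a new scheduled task, System 7045 for a new service, and Sysmon event 13 for a registry value set. The script below is an added example, not code from the original page. It reads newline-delimited JSON events, picks the command line each mechanism will launch, and alerts when that command runs from a user-writable path or drives PowerShell with an encoded command. The sample events, hostnames, SIDs and the JSON field names are constructed; real log shippers may name the fields differently.

```python
import json
import re

# Paths a non-admin user can write to. A new service, scheduled task or Run
# key launching a binary from here is a classic installation-phase indicator.
# Assumption: an illustrative list; extend it for your environment.
USER_WRITABLE = re.compile(
    r"(\\users\\[^\\]+\\appdata\\|\\users\\public\\|\\programdata\\|"
    r"\\windows\\temp\\|%appdata%|%temp%|%localappdata%)", re.I)
# PowerShell invoked with an encoded command (-e, -ec, -enc, -EncodedCommand).
SCRIPT_HOSTS = re.compile(r"\b(powershell|pwsh)(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\b", re.I)
RUN_KEYS = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.I)


def suspicious_reasons(command):
    reasons = []
    if USER_WRITABLE.search(command):
        reasons.append("launches from a user-writable path")
    if SCRIPT_HOSTS.search(command):
        reasons.append("PowerShell with an encoded command")
    return reasons


def analyze_event(event):
    """Map one Windows event to a persistence mechanism and judge its command.

    Field names follow the Windows event schema as exported to JSON by a
    typical log shipper (assumption).
    """
    eid = event.get("EventID")
    if eid == 4698:       # Security log: a scheduled task was created
        mechanism, command = "scheduled task", event.get("TaskContent", "")
    elif eid == 7045:     # System log: a service was installed
        mechanism, command = "service", event.get("ImagePath", "")
    elif eid == 13 and RUN_KEYS.search(event.get("TargetObject", "")):
        mechanism, command = "Run key", event.get("Details", "")   # Sysmon: registry value set
    else:
        return None
    reasons = suspicious_reasons(command)
    if not reasons:
        return None
    return {"host": event.get("Computer"), "mechanism": mechanism,
            "command": command, "reasons": reasons}


def scan(lines):
    """Run analyze_event over newline-delimited JSON events and return alerts."""
    alerts = []
    for line in lines:
        if line.strip():
            alert = analyze_event(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample events (hostnames, SIDs and paths are fictitious).
SAMPLE_EVENTS = [
    r'{"EventID": 7045, "Computer": "WS-041", "ServiceName": "WinDefendSvc", "ImagePath": "C:\\Users\\jdoe\\AppData\\Roaming\\svchost.exe"}',
    r'{"EventID": 7045, "Computer": "WS-041", "ServiceName": "gupdate", "ImagePath": "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe /svc"}',
    r'{"EventID": 4698, "Computer": "WS-017", "TaskName": "\\OneDriveSync", "TaskContent": "<Exec><Command>powershell.exe</Command><Arguments>-nop -w hidden -enc SQBFAFgA</Arguments></Exec>"}',
    r'{"EventID": 13, "Computer": "WS-017", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "Details": "wscript.exe %APPDATA%\\upd.vbs"}',
    r'{"EventID": 13, "Computer": "WS-017", "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters\\Type", "Details": "NT5DS"}',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Of the five sample events, three are alerted: a service whose binary sits in a user's AppData folder (and borrows a system-looking name), a scheduled task running encoded PowerShell, and a Run key pointing at a script in %APPDATA%. The legitimate updater service and the unrelated W32Time registry write pass through, which is the point of judging the launched command rather than the event type alone.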
Phase 6: Command & Control
Remote Communication
The compromised system establishes communication with external command and control (C2) servers, giving attackers remote access.
Attacker Tactics
- HTTP/HTTPS beaconing
- DNS tunneling
- Social media C2 channels
- Encrypted communications
Defensive Actions
- Network traffic monitoring
- DNS analysis & filtering
- Proxy log analysis
- Firewall egress filtering
📡 C2 Monitoring
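Two of the C2 tactics above have measurable fingerprints in the logs the defensive actions name: HTTP/HTTPS beaconing shows up in proxy logs as requests with nearly constant spacing, and DNS tunneling shows up in DNS logs as many unique, long, high-entropy subdomains under one base domain. The following Python is an added example rather than code from the original page; it implements both heuristics over constructed proxy and DNS records. The log format, thresholds, addresses and domains are assumptions for illustration, and the base domain is approximated as the last two labels (production code should use a public-suffix list).

```python
import hashlib
import math
import statistics
from collections import defaultdict
from datetime import datetime


def shannon_entropy(s):
    """Bits of entropy per character; hex/base32-encoded data scores well above words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_beacons(proxy_lines, min_hits=6, max_cv=0.15):
    """Flag src->host pairs whose request intervals are nearly constant.

    proxy_lines: 'ISO-timestamp src_ip dest_host' (constructed format).
    cv = stdev/mean of the gaps between requests. A scripted beacon with light
    jitter has cv well under 0.2; human browsing is bursty and scores near or above 1.
    """
    by_pair = defaultdict(list)
    for line in proxy_lines:
        ts, src, host = line.split()
        by_pair[(src, host)].append(datetime.fromisoformat(ts))
    hits = []
    for (src, host), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            hits.append({"src": src, "host": host, "period_s": round(mean, 1), "cv": round(cv, 3)})
    return hits


def find_dns_tunnels(queries, min_unique=5, max_label=30, min_entropy=3.5):
    """Flag (src, base domain) pairs receiving many unique, long or high-entropy subdomains.

    queries: (src_ip, qname) tuples. Base domain = last two labels (assumption).
    """
    subs_by_domain = defaultdict(set)
    for src, qname in queries:
        labels = qname.rstrip(".").split(".")
        if len(labels) < 3:
            continue
        subs_by_domain[(src, ".".join(labels[-2:]))].add(".".join(labels[:-2]))
    hits = []
    for (src, base), subs in subs_by_domain.items():
        if len(subs) < min_unique:
            continue
        longest = max(len(label) for sub in subs for label in sub.split("."))
        entropy = statistics.mean(shannon_entropy(sub.replace(".", "")) for sub in subs)
        if longest > max_label or entropy > min_entropy:
            hits.append({"src": src, "base_domain": base, "unique_subdomains": len(subs),
                         "longest_label": longest, "mean_entropy": round(entropy, 2)})
    return hits


# Constructed sample data; addresses and domains are fictitious.
PROXY_LOG = [
    # roughly 60 s beacon with a few seconds of jitter
    "2024-03-01T09:00:00 10.0.0.5 cdn-metrics.example.net",
    "2024-03-01T09:01:01 10.0.0.5 cdn-metrics.example.net",
    "2024-03-01T09:01:59 10.0.0.5 cdn-metrics.example.net",
    "2024-03-01T09:03:02 10.0.0.5 cdn-metrics.example.net",
    "2024-03-01T09:04:00 10.0.0.5 cdn-metrics.example.net",
    "2024-03-01T09:04:58 10.0.0.5 cdn-metrics.example.net",
    "2024-03-01T09:06:01 10.0.0.5 cdn-metrics.example.net",
    # bursty human browsing
    "2024-03-01T09:00:05 10.0.0.8 news.example.com",
    "2024-03-01T09:00:09 10.0.0.8 news.example.com",
    "2024-03-01T09:02:40 10.0.0.8 news.example.com",
    "2024-03-01T09:02:41 10.0.0.8 news.example.com",
    "2024-03-01T09:10:12 10.0.0.8 news.example.com",
    "2024-03-01T09:10:30 10.0.0.8 news.example.com",
    "2024-03-01T09:25:00 10.0.0.8 news.example.com",
]
# Tunnel: each query carries a 40-char hex chunk (SHA-1 of a counter stands in for encoded data).
DNS_LOG = [("10.0.0.5", hashlib.sha1(f"chunk{i}".encode()).hexdigest() + ".t.example.org") for i in range(6)]
DNS_LOG += [("10.0.0.8", f"{h}.example.com") for h in ("www", "mail", "cdn", "api", "static", "img")]

if __name__ == "__main__":
    print(find_beacons(PROXY_LOG))
    print(find_dns_tunnels(DNS_LOG))
```

The beacon detector reports one pair, 10.0.0.5 to cdn-metrics.example.net, with a period of about 60 s and a coefficient of variation near 0.04; the browsing session to news.example.com is discarded because its gaps vary by orders of magnitude. The DNS detector flags only example.org, where every query carries a 40-character label, while the six ordinary hostnames under example.com stay below both the length and entropy thresholds. Adversaries add jitter and sleep-skipping precisely to defeat the first heuristic, so treat these as triage signals to be combined with destination reputation and egress policy, not as verdicts.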
Phase 7: Actions on Objectives
Mission Accomplishment
With persistent, remotely controlled access in place, attackers pursue the objective the intrusion was for: stealing data, destroying or encrypting it, or using the compromised host as a foothold from which to reach other systems.
Attacker Tactics
- Data exfiltration
- Lateral movement
- Privilege escalation
- Data destruction/encryption
Defensive Actions
- Data Loss Prevention (DLP)
- Network segmentation
- Privileged access monitoring
- Incident response activation
🎯 Actions Prevention
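Of the defensive actions above, Data Loss Prevention is the one that inspects content rather than behaviour, and its main engineering problem is false positives: sixteen-digit order numbers and ticket IDs look exactly like card numbers. The script below is an added example and not from the original page; it finds payment card numbers in an outbound payload and uses the Luhn mod-10 check (the checksum every card number carries) to separate real PANs from other digit runs, then masks them for the alert. The sample payload is constructed; 4111 1111 1111 1111 and 5500 0000 0000 0004 are well-known industry test numbers, and the digit-length range and separators are assumptions.

```python
import re

# Candidate: 13-19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn mod-10 check as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep the first six and last four digits, as receipts do."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Return masked card numbers found in text, using the Luhn check to drop
    order numbers and other digit runs that merely look like cards."""
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        # len(set(...)) > 1 rejects all-zero runs, which trivially pass Luhn.
        if 13 <= len(digits) <= 19 and len(set(digits)) > 1 and luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


def dlp_verdict(payload, allowed_pans=0):
    """Decide whether an outbound payload should be blocked and why."""
    pans = find_pans(payload)
    return {"block": len(pans) > allowed_pans, "pans": pans}


# Constructed outbound payload. The two card columns are industry test numbers
# that pass Luhn; the order numbers are the same length but do not.
SAMPLE_PAYLOAD = """\
customer,card,order
Jane Roe,4111 1111 1111 1111,1234567890123456
John Doe,5500-0000-0000-0004,9876543210987654
"""

if __name__ == "__main__":
    print(dlp_verdict(SAMPLE_PAYLOAD))
```

On the sample, both card numbers are reported in masked form and the verdict is to block, while the two order numbers are dropped by the checksum even though the regular expression matched them. The same structure (candidate pattern, validating check, masked alert) applies to other identifiers with check digits; for content without one, DLP has to fall back on context keywords and source labels, with a correspondingly higher false-positive rate.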
💡 Key Insight
Disrupting the chain at any phase stops that intrusion attempt and forces the adversary back to an earlier phase, and every failed attempt leaves indicators that can be fed into detection for the next one. Reconnaissance and Weaponization happen largely on the attacker's side and are rarely observable by the target, so for most organizations Delivery is the first phase with reliable detection opportunities. Catching an intrusion there or at Exploitation is far cheaper than responding after Actions on Objectives, when data has already left or been destroyed.