Home > Fundamentals

Cyber Kill Chain (Stages of a Cyber Attack)

The Cyber Kill Chain is a step-by-step model created by Lockheed Martin that explains how cyberattacks happen from start to finish.
It helps cybersecurity teams understand how hackers think and work, so they can detect and stop attacks at any stage — before serious damage occurs.

It has seven stages, like steps in a plan:

๐Ÿ” 1. Reconnaissance (Information Gathering)

This is the first step, where the hacker studies the target.
Before attacking, they collect as much information as possible about the organization or person.

What Hackers Do:

  • OSINT (Open-Source Intelligence): They look for public information — company websites, social media (LinkedIn, Facebook), job listings, or public records.

  • Passive Scanning: They quietly monitor systems and networks without triggering alerts.

  • Vulnerability Scanning: Use tools to find weak points or outdated software.

  • Network Mapping: Learn how the network is structured and which systems are important.

  • Finding Key People: Identify employees (like admins or executives) to target with phishing or social engineering.

  • Security Research: Check what defenses (firewalls, antivirus, etc.) are in place.

๐Ÿ“Œ Important: This stage is hard to detect because it mostly happens outside the organization — before any system is touched.

๐Ÿ’ฃ 2. Weaponization (Building the Attack)

Once hackers know the target’s weak points, they create the weapon — a malicious file or code (called a payload) that will be used in the attack.

Common Activities:

  • Malware Creation: Making viruses, worms, trojans, ransomware, or bots.

  • Payload Development: Designing code that can exploit more than one vulnerability to increase success.

  • Tool Modification: Changing existing malware slightly so it won’t be detected by antivirus tools.

Types of Malware:

  • Virus: Attaches to other programs and spreads when those programs run.

  • Worm: Spreads by itself without needing another program.

  • Trojan: Looks like safe software but secretly opens doors for hackers.

  • Ransomware: Locks or encrypts your files and demands money.

  • Bot: Turns infected computers into robots that hackers can control remotely.

๐Ÿง  Fun Fact: Advanced groups, like nation-states, make new tools from scratch.
Amateurs or “script kiddies” use or tweak ready-made tools from the internet.

๐Ÿ“ฆ 3. Delivery (Sending the Weapon)

Now the hacker needs to deliver the malicious file or link to the victim.

Common Delivery Methods:

  • Email Attachments: The most popular method — sending infected files (like PDFs or Word documents).

  • Malicious Links: Emails or websites with harmful links.

  • USB Drives: Infected drives that automatically run malware when plugged in.

  • Compromised Websites: Hacked sites that secretly install malware when visited.

  • Fake Software Updates: Attackers replace real updates with infected ones.

  • Network Exploits: Directly using weaknesses in network devices to inject malware.

  • Social Engineering: Pretending to be someone trustworthy (like IT support) to trick users into installing malware.

๐ŸŽฏ Smart attackers pick their delivery method based on the target’s defenses — for example, if emails are well-filtered, they might use a watering hole attack (infecting a website the target often visits).

โš™๏ธ 4. Exploitation (Triggering the Attack)

This is where the attack actually begins.
The malware is activated and takes advantage of the vulnerabilities the hacker found earlier.

What Happens:

  • Vulnerability Trigger: The malware starts running on the target system.

  • Code Execution: The hacker’s code now runs inside the system.

  • Privilege Escalation: The hacker gains higher access (e.g., from user → admin).

  • Lateral Movement: Once inside, they move to other computers or servers to reach more valuable data.

  • Exploit Chains: Using multiple vulnerabilities together for a stronger attack.

Example:

In 2025, a zero-day bug called CVE-2025-31324 in SAP software allowed attackers to upload files and run code remotely — leading to full system compromise.
First used by spies, later used by ransomware gangs.

๐Ÿงฉ 5. Installation (Gaining Long-Term Access)

Once they get inside, hackers want to stay hidden and keep control — even if the initial malware is found.

Common Techniques:

  • Backdoors: Secret entrances that let them back in anytime.

  • Persistence: Making sure malware stays after a reboot (e.g., using startup folders or scheduled tasks).

  • Remote Access Tools (RATs): Software that lets attackers control the computer remotely.

  • Stealing Credentials: Grabbing usernames and passwords.

  • Creating Admin Accounts: Giving themselves higher permissions.

  • Disabling Firewalls: Turning off protection to make further attacks easier.

๐Ÿ’ก Why it matters: This is the turning point — from just breaking in to owning the system.
Attackers can now quietly spy, steal, or expand their control.

๐Ÿ›ฐ๏ธ 6. Command and Control (C2)

Now the hacker sets up communication between their system and the infected machine.
This is how they send commands, get data back, or update the malware.

What Happens:

  • Communication Setup: The victim’s device connects to a C2 server run by the attacker.

  • Command Execution: The attacker sends instructions (steal files, spread malware, etc.).

  • Data Exfiltration: Stolen data gets sent back to the hacker’s server.

  • Updates: Hackers can push new versions of malware.

  • Botnet Use: Compromised machines can join large attack networks.

How They Hide:

  • Use encryption to make traffic look normal.

  • Use trusted apps (like Slack or Telegram) for secret communication — called Living Off Trusted Sites (LOTS).

  • Use Domain Generation Algorithms (DGAs) to constantly change domain names so defenders can’t block them all.

C2 Structures:

  • Centralized: One main server controls all bots (easy to manage, but easy to shut down).

  • Decentralized (Peer-to-Peer): No single point of failure, harder to block.

๐ŸŽฏ 7. Actions on Objectives (The Final Goal)

Finally, the hacker does what they came to do — steal, destroy, or demand ransom.

Possible Goals:

  • Data Theft: Steal personal info, secrets, or research data.

  • Ransomware: Encrypt data and demand payment.

  • Destruction: Delete or corrupt files to cause chaos.

  • Sabotage: Shut down or damage systems (like in critical infrastructure).

  • Credential Theft: Capture admin accounts for more control.

  • Espionage: Steal government or company secrets.

  • Business Advantage: Steal plans, pricing, or strategies.

๐Ÿ“Š Example:
In early 2025, ransomware attacks shot up by 60%.
The Akira group launched 72 attacks in one month, mostly targeting U.S. manufacturing companies.

๐Ÿงจ By this stage, hackers have full control and have achieved their mission — whether that’s money, power, or political advantage.

๐Ÿ›ก๏ธ Summary Table — The 7 Stages of Cyber Kill Chain

Stage What Happens Example
1. Reconnaissance Gathering info about the target Using LinkedIn to find IT staff
2. Weaponization Creating malware or exploit Making a trojan that steals passwords
3. Delivery Sending the weapon to target Emailing infected PDF
4. Exploitation Activating the malware Running the infected file
5. Installation Maintaining access Installing a backdoor
6. Command & Control Controlling infected systems Sending commands via Telegram
7. Actions on Objectives Completing the goal Encrypting data and demanding ransom
HOME LEARN COMMUNITY DASHBOARD