Kill chain

The concept of the cybersecurity kill chain provides a framework for analyzing and preventing cyber attacks by breaking down the stages of an attack into a series of steps that attackers follow. Understanding this framework allows security teams to implement targeted defenses at each stage, significantly enhancing their ability to thwart cyber adversaries.
  • Organizations that effectively apply kill chain principles reduce their incident detection time by up to 70%. (Source: SANS Institute)
  • 80% of cybersecurity breaches involve a combination of phishing and hacking techniques, targeting the initial stages of the kill chain. (Source: Verizon Data Breach Investigations Report)

The cybersecurity kill chain is a conceptual framework for identifying and preventing cyber intrusions. Its origin lies in military strategy, where the term "kill chain" was used to describe stages in an attack lifecycle. In the context of cybersecurity, Lockheed Martin, an American aerospace, defense, and advanced technologies company with worldwide interests, adapted this concept. They introduced the framework to systematically identify and counter cyber-attacks through distinct phases.

Further evolution of this concept led to the development of the Unified Kill Chain, which integrates the traditional kill chain with the MITRE ATT&CK framework. This integration provides a more comprehensive and nuanced understanding of attack techniques, tactics, and procedures (TTPs), enhancing the ability of organizations to detect, analyze, and mitigate cyber threats.

The Lockheed Martin Kill Chain

The Lockheed Martin Cyber Kill Chain model breaks down the cyber-attack process into seven distinct stages, providing a systematic framework for cybersecurity professionals to identify, prevent, and counteract cyber threats:


This initial phase involves the attacker gathering information about the target. This can include identifying vulnerabilities in systems, finding valuable data, and understanding security defenses. Attackers may use techniques like social engineering, public information searches, and network scanning.


At this stage, the attacker creates a cyber-attack tool tailored to exploit the identified vulnerabilities. This often involves pairing a remote access malware with an exploit into a deliverable payload. The intent is to ensure that this payload can infiltrate and execute within the target network without detection.


The delivery phase is where the attacker transmits the weaponized payload to the target. Common delivery methods include phishing emails, malicious websites, or USB devices. The goal is to get the target to trigger the payload, either by opening a file, visiting a compromised website, or connecting a contaminated device.


This stage occurs when the payload activates and exploits a vulnerability in the target system. Exploitation is the critical point where the attacker gains access to the target's network or system.


After successful exploitation, the attacker installs a remote access tool or backdoor. This allows the attacker to maintain persistent access to the target network, often going undetected by traditional defense mechanisms.

Command and Control (C2)

Once the backdoor is established, the attacker sets up a command-and-control channel to remotely manipulate the compromised systems and exfiltrate data. This phase is crucial for maintaining control over the target systems and for orchestrating further actions.

Actions on Objectives

In the final stage, the attacker achieves their primary objective. This could range from data exfiltration and destruction to establishing a long-term presence within the target's environment for future campaigns.

Lockheed Martin Kill Chain
The Cyber Kill Chain illustrated by Lockheed Martin

By understanding and monitoring these stages, SOC teams can implement targeted strategies and defenses at each step of the kill chain. For instance, robust intrusion detection systems and comprehensive employee training can thwart attempts at the delivery stage, while network segmentation and regular system updates can mitigate the risks of exploitation and installation. This structured approach enables a more proactive and effective defense against complex and evolving cyber threats.

The Unified Kill Chain

The Unified Kill Chain is an advanced framework, developed by Security Expert Paul Pols, that integrates the concepts of the Lockheed Martin Cyber Kill Chain with the MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework.

This integration aims to provide a more comprehensive and detailed perspective on the tactics, techniques, and procedures (TTPs) used by cyber adversaries.

The Unified Kill Chain
The Unified Kill Chain

Here's an overview of how the Unified Kill Chain expands on the traditional model:

Incorporating ATT&CK Framework

The MITRE ATT&CK framework is a globally-accessible knowledge base of adversary TTPs based on real-world observations. It categorizes and details a wide array of specific tactics and techniques used in cyber attacks. By integrating this with the Lockheed Martin model, the Unified Kill Chain offers a more granular view of the attacker's behavior at each stage.

Enhanced Detail and Context

The Unified Kill Chain provides deeper insights into each stage of an attack by linking specific techniques from the ATT&CK framework to each phase of the traditional kill chain. This allows for a more detailed understanding of how specific attack methodologies evolve throughout the attack lifecycle.

Improved Detection and Response

With the detailed TTPs from the ATT&CK framework, cybersecurity teams can develop more precise detection strategies and responses. This includes creating specific indicators of compromise (IoCs) and tailoring security controls to the nuanced behaviors of different threat actors.

Adaptation to Evolving Threats

The dynamic nature of the ATT&CK framework, which is continuously updated with new findings, ensures that the Unified Kill Chain remains relevant in the face of rapidly evolving cyber threats. This continuous update process allows organizations to stay informed about the latest attack techniques and adapt their defenses accordingly.

Strategic Planning and Risk Assessment

The comprehensive nature of the Unified Kill Chain aids in strategic cybersecurity planning and risk assessment. Organizations can use this model to evaluate their security posture against a wide range of attack scenarios, identifying potential vulnerabilities and prioritizing defense strategies based on real-world threat intelligence.

Enhanced Training and Awareness

The detailed breakdown of TTPs in the Unified Kill Chain serves as an educational tool for cybersecurity teams. It aids in training personnel to recognize and respond to specific attack methodologies, thereby enhancing overall organizational resilience against cyber threats. Overall, the Unified Kill Chain represents a significant advancement in the field of cybersecurity, offering a more nuanced and actionable framework for understanding, detecting, and countering sophisticated cyber attacks.

Vectra AI empowers SOC teams with advanced tools and insights to detect, disrupt, and neutralize threats at each stage of the kill chain. Reach out to us to learn how our solutions can help you stay ahead of cyber adversaries and protect your organization's valuable assets.


What is the cybersecurity kill chain?

How can the kill chain be used to improve cybersecurity defenses?

What are some effective strategies for disrupting the reconnaissance stage?

How can SOC teams prevent the weaponization and delivery stages?

What measures can be taken to mitigate exploitation and installation?

How can command and control communications be detected and disrupted?

What actions can be taken to prevent the final stage of the kill chain?

Can the kill chain model be applied to insider threats?

How important is collaboration and information sharing in combating cyber threats?

What future developments are expected in the evolution of the kill chain model?