Cyber Kill Chain Phases - Explained

The cyber kill chain is a method that deals with these questions.  It is an efficient and effective way of illustrating how an adversary can attack the target organization. This model helps organizations understand the various possible threats at every stage of an attack and the necessary countermeasures to defend against such attacks. The cyber kill chain divides the attack into phases and helps to organize the workforce in times of emergency.

The cyber kill chain is equipped with a seven-phase protection mechanism to mitigate and reduce cyber threats. We have mentioned below the fundamentals with examples of any cyber-attack:


At this phase, the attacker gathers information about the target like email addresses, vulnerable endpoints, network blocks, IP addresses, etc,  to probe for weak points before actually attacking. The information obtained from this phase is used extensively throughout the chain and this phase can be revisited if the attacker is lacking information. Example:

  • Performing analysis of various online activities and publicly available information. 
  • Performing whois, DNS, and network footprinting.
  • Performing scanning to identify open ports and services. 
  • Gathering information about the target organization by searching the Internet or through social engineering.
  • Gathering information from social networking sites and web services. 
  • Obtaining information about websites visited. 
  • Monitoring and analyzing the target organization's website. 


At this phase, the attacker analyzes the collected data to identify the techniques to create malware, tailored to exploit vulnerabilities in the chosen system. This phase uses the footprinting info like OS used, Version of patches, etc. obtained in the previous phase. Example:

  • Identifying appropriate malware payload based on the analysis.
  • Leveraging exploit kits and botnets.
  • Creating a new malware payload or selecting, reusing, and modifying the available malware payloads based on the identified vulnerability.
  • Creating a phishing email campaign. 


At this phase, as the weapon is already created, the attacker decides upon the point of entry as well as the medium to transmit the malware. This is mostly based on the native programs used by the organization and the victim's likely choice to use certain programs. This info can be found through certain techniques of social engineering. This is a key stage that measures the effectiveness of the defence strategies implemented by the target organization based on whether the intrusion attempt of the attacker is blocked or not. Example:

  • Sending phishing emails to employees of the target organization.
  • Performing attacks such as watering holes on the compromised website. 
  • Distributing USB drives containing malicious payloads to employees of the target organization.
  • Implementing various hacking tools against the operating systems, applications, and servers of the target organization.


At this phase, the attacker begins executing the malware. This process is also considered important so as to not get flagged as abnormal by the security controls. Example:

  • Exploiting software or hardware vulnerabilities to gain remote access to the target system.


At this phase, after successful execution, the attacker injects more malicious software to maintain access inside the network without being detected for as long as possible by using encryption. After injection, the attacker gains the capability to spread the infection to other end systems in the network. Example:

  • Downloading and installing malicious software such as backdoors.
  • Gaining remote access to the target system.
  • Leveraging various methods to keep the backdoor hidden and running.
  • Maintaining access to the target system.

Command & Control

At this phase, the attacker creates a command and control channel, which establishes persistent access between the victim's system and the attacker's server to communicate and pass data back and forth. Thus, starts setting up the stage for the final objective. Example:

  • Establishing a two-way communication channel between the victim's system and the adversary-controlled server.
  • Applying privilege escalation techniques. 
  • Hiding evidence of compromise using techniques such as encryption. 
  • Leveraging channels such as web traffic, email communication, and DNS messages.

Actions on Objectives

At this stage, the attacker starts to make moves towards the final goal may it be exfiltration, ransom, disruption, etc. The attacker may use this as a launching point to perform other attacks.

You might be interested in,


Attackers won’t necessarily follow the steps from the implemented attack chains. Sometimes, they skip steps or sometimes they backtrack. Many attacks sometimes combine multiple steps together into one single action. That is to say, the attacks are becoming dynamic day by day and hard to predict. Cyber Kill Chains are now based upon linear predictive models whereas the attacks are completely random. Thus, Cyber Kill Chain models if based upon stochastic processes can become an effective countermeasure for the everchanging cyber-attacks.

We hope this helps. If any suggestions or doubts you can add a comment and we will reply as soon as possible. 

No comments:

Post a Comment