According to Lockheed Martin, the Cyber Kill Chain has seven steps:
- Recon: Recon, short for reconnaissance, refers to the step where the attacker tries to learn as much as possible about the target. Information such as the types of servers, operating system, IP addresses, names of users, and email addresses, can help the attack’s success.
- Weaponization: This step refers to preparing a file with a malicious component, for example, to provide the attacker with remote access.
- Delivery: Delivery means delivering the “weaponized” file to the target via any feasible method, such as email or USB flash memory.
- Exploitation: When the user opens the malicious file, their system executes the malicious component.
- Installation: The previous step should install the malware on the target system.
- Command & Control (C2): The successful installation of the malware provides the attacker with a command and control ability over the target system.
- Actions on Objectives: After gaining control over one target system, the attacker has achieved their objectives. One example objective is Data Exfiltration (stealing target’s data).
| Technique | Purpose | Examples |
|---|---|---|
| Reconnaissance | Obtain information on the target | Harvesting emails, OSINT |
| Weaponization | Combine the objective with an exploit. Commonly results in a deliverable payload. | Exploit with backdoor, malicious office document |
| Delivery | How will the weaponized function be delivered to the target | Email, web, USB |
| Exploitation | Exploit the target’s system to execute code | MS17-010, Zero-Logon, etc. |
| Installation | Install malware or other tooling | Mimikatz, Rubeus, etc. |
| Command & Control | Control the compromised asset from a remote central controller | Empire, Cobalt Strike, etc. |
| Actions on Objectives | Any end objectives: ransomware, data exfiltration, etc. | Conti, LockBit2.0, etc. |