The Cyber Kill Chain is a model created by Lockheed Martin that describes the stages of a cyberattack—from the attacker’s initial planning to achieving their final objectives.
Below is a clear explanation of each phase with a real-world example (using well-known incidents such as WannaCry, SolarWinds, and Target breach) to show how attacks unfold in practice.
Cyber Kill Chain — 7 Phases with Real-World Examples
1. Reconnaissance (Information Gathering)
The attacker gathers information about the target’s systems, employees, and network.
Real-World Example: Target Breach (2013)
Attackers identified that a third-party HVAC vendor with weak security controls had access to Target's network. They researched employee emails, company portals, and login pages before striking.
2. Weaponization (Preparing the Attack)
The attacker creates the malicious payload (malware, exploit, phishing file, etc.).
Real-World Example: WannaCry Ransomware (2017)
Attackers weaponized the EternalBlue exploit (originally a leaked NSA tool) and packaged it into ransomware that could automatically spread across vulnerable Windows systems.
3. Delivery (Sending the Payload)
The attacker delivers the malware or exploit to the target.
Real-World Example: SolarWinds Supply-Chain Attack (2020)
Attackers inserted malicious code into SolarWinds’ Orion software update.
The “delivery” was the compromised update distributed to 18,000 customers.
4. Exploitation (Triggering the Payload)
The delivered malware exploits a vulnerability to run on the system.
Real-World Example: Equifax Breach (2017)
The attack exploited a known vulnerability in Apache Struts (CVE-2017-5638).
Once the malicious HTTP request was received, the exploit executed on Equifax’s servers.
5. Installation (Installing Backdoors/Malware)
The malware installs itself or creates a persistent backdoor on the target system.
Real-World Example: NotPetya (2017)
Once inside a victim’s system, NotPetya installed a backdoor using modified MBR boot records.
This ensured persistence and allowed further propagation.
6. Command & Control (C2)
The attacker establishes communication with the compromised machine to issue commands.
Real-World Example: TrickBot Malware
Infected machines connected to TrickBot's C2 servers, which allowed attackers to:
- download more modules
- steal credentials
- move laterally across networks
The C2 infrastructure was global and frequently rotated to evade detection.
7. Actions on Objectives (Final Goal Achieved)
The attacker performs their main objective: data theft, destruction, ransomware, espionage, etc.
Real-World Example: Colonial Pipeline Ransomware Attack (2021)
Once inside, attackers:
- encrypted critical systems
- exfiltrated ~100GB of data
- demanded ransom (which was paid)
The attack shut down fuel supply to the U.S. East Coast for days.
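Defenders use the seven phases above to judge how far an intrusion has progressed and where detection is missing: if a host shows Command & Control activity but nothing was seen at Delivery or Installation, those earlier controls failed silently. The script below is an added example (not from the original article or from Lockheed Martin); the rule names, hosts and alerts are constructed for illustration, and the rule-to-phase mapping is an assumed one that a real SOC would build from its own detection content.

```python
from collections import defaultdict

# Kill chain phases in the order the model defines them.
PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command & Control", "Actions on Objectives"]

# Hypothetical detection-rule names mapped to the phase they evidence.
# (Constructed for this example; a real deployment maps its own rules.)
RULE_PHASE = {
    "external_port_scan": "Reconnaissance",
    "phishing_attachment_blocked": "Delivery",
    "trojanized_update_hash": "Delivery",
    "struts_ognl_request": "Exploitation",
    "new_service_persistence": "Installation",
    "mbr_modified": "Installation",
    "beacon_to_known_c2": "Command & Control",
    "large_outbound_transfer": "Actions on Objectives",
    "mass_file_encryption": "Actions on Objectives",
}

# Constructed sample alerts, one per rule hit, tagged with the affected host.
SAMPLE_ALERTS = [
    {"host": "web-01", "rule": "external_port_scan"},
    {"host": "web-01", "rule": "struts_ognl_request"},
    {"host": "web-01", "rule": "beacon_to_known_c2"},
    {"host": "ws-17", "rule": "phishing_attachment_blocked"},
    {"host": "fs-02", "rule": "mass_file_encryption"},
]

def analyze(alerts):
    """Per host: furthest phase reached, phases observed, and phases that
    should have produced evidence before the furthest one but did not.
    Weaponization happens on the attacker's side, so it is never counted
    as a gap."""
    seen = defaultdict(set)
    for alert in alerts:
        phase = RULE_PHASE.get(alert["rule"])
        if phase is not None:                 # unmapped rules are ignored
            seen[alert["host"]].add(PHASES.index(phase))
    report = {}
    for host, idxs in seen.items():
        furthest = max(idxs)
        gaps = [PHASES[i] for i in range(2, furthest) if i not in idxs]
        report[host] = {"furthest_phase": PHASES[furthest],
                        "observed": [PHASES[i] for i in sorted(idxs)],
                        "detection_gaps": gaps}
    return report

def triage_order(report):
    """Hosts ordered by how far along the chain the intrusion has reached."""
    return sorted(report, key=lambda h: (-PHASES.index(report[h]["furthest_phase"]), h))
```

In the constructed data, fs-02 already shows Actions on Objectives with no earlier evidence at all, which is exactly the "every earlier control missed it" case the model is meant to expose.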
📌 Summary Table
| Kill Chain Phase | Meaning | Real-World Example |
|---|---|---|
| 1. Reconnaissance | Gather intel | Target breach attackers studied HVAC vendor access |
| 2. Weaponization | Create malware or exploit | WannaCry packaged EternalBlue into ransomware |
| 3. Delivery | Send malicious payload | SolarWinds trojanized software update |
| 4. Exploitation | Payload executes | Equifax exploited via Apache Struts flaw |
| 5. Installation | Malware installs | NotPetya modified MBR for persistence |
| 6. Command & Control | Attacker communicates with compromised system | TrickBot botnet C2 communication |
| 7. Actions on Objectives | Theft, destruction, encryption | Colonial Pipeline ransomware shutdown |