The Cyber Kill Chain
Map attacker behaviour across the seven stages of the Kill Chain and align detections, mitigations, and MITRE ATT&CK tactics.
1. Reconnaissance
Adversary researches the target to discover opportunities.
Attacker Objectives
- Harvest email addresses, employee names, technology stack
- Scan external infrastructure for open ports/services
- Gather leaked credentials or data from the dark web
Detection Opportunities
- Monitor for abnormal OSINT scraping (e.g., unusually heavy query volumes against public portals)
- Detect credential stuffing attempts or bot reconnaissance via WAF logs
- Deploy honeypot services to observe scanning behaviour
Mitigations
- Minimise public exposure (asset inventory, reduce attack surface)
- Implement rate limiting and CAPTCHA on external portals
- User awareness training to reduce oversharing on social media
2. Weaponization
Combine an exploit with a payload, typically off-network and outside the defender's visibility.
Attacker Objectives
- Build phishing documents with malicious macros
- Develop exploit kits targeting known vulnerabilities
- Create droppers/loaders integrated with command-and-control
Detection Opportunities
- Monitor malware-building infrastructure (sandbox submissions, threat intel)
- YARA scanning of outbound attachments for weaponized content
Mitigations
- Reduce vulnerability exposure through patching
- Leverage content disarm and reconstruction (CDR) for file attachments
- Threat intel sharing to pre-empt campaigns
3. Delivery
Deploy the weaponized payload to the victim environment.
Attacker Objectives
- Spear phishing emails, malicious links, exploit-laden websites
- Malicious USB drops, supply chain compromises
- Living-off-the-land abuse (e.g., legitimate remote tools)
Detection Opportunities
- Secure email gateway detections, sandbox detonations
- Network IDS/IPS monitoring for exploit signatures
- Proxy logs for anomalous downloads, TLS fingerprinting
Mitigations
- Email authentication (DMARC, DKIM, SPF) and filtering
- User awareness training / phishing simulations
- Zero trust network segmentation, principle of least privilege
4. Exploitation
Trigger the payload to exploit a vulnerability and execute code.
Attacker Objectives
- Execute code via software vulnerabilities (browser, plugin, OS)
- Exploit misconfigurations (weak permissions, default creds)
- Trigger scripts/macros, use LOLBins (PowerShell, WMI)
Detection Opportunities
- EDR alerts for exploit techniques (shellcode, ROP chains)
- Application control logs (unexpected process launches)
- Sysmon/Windows event logs for script engines, LOLBins
Mitigations
- Patch management, configuration hardening, exploit mitigation (DEP, ASLR)
- Application allowlisting, script restriction policies
- EDR prevention policies, memory protection features
5. Installation
Establish a persistent foothold in the environment.
Attacker Objectives
- Install backdoors, web shells, registry run keys, services
- Drop additional payloads (RATs, rootkits)
- Modify scheduled tasks, startup scripts
Detection Opportunities
- Monitor persistence mechanisms (Autoruns, Sysmon Event ID 13/19)
- File integrity monitoring, registry change alerts
- Baseline deviation detection on startup folders/services
Mitigations
- Enforce endpoint protection policies, restrict admin rights
- Use hardened gold images, infrastructure-as-code rebuilds
- Regular review of persistence points, incident response readiness
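A detection for the two Sysmon events named above, added here as an example and not part of the original page: Event ID 13 (registry value set) writes into Run/RunOnce keys are tagged with ATT&CK T1547.001, and Event ID 19 (WMI event filter created) with T1546.003. The events are constructed; the field names follow the Sysmon schema.

```python
import re

# Constructed Sysmon-style events (not taken from a real host). Field names follow
# the Sysmon schema: EventID 13 = RegistryEvent (Value Set), 19 = WmiEvent (filter).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
     "TargetObject": "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Users\\alice\\AppData\\Roaming\\updater.exe"},
    {"EventID": 13, "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 19, "Image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "Name": "SyncFilter",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime'"},
]

RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public)\\", re.IGNORECASE)

def detect_persistence(events):
    """Return ATT&CK-tagged alerts for registry Run-key and WMI-subscription persistence."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 13 and RUN_KEY.search(ev["TargetObject"]):
            # Run-key writes are common for installers; a payload under a
            # user-writable path is the stronger signal, so raise severity.
            severity = "high" if USER_WRITABLE.search(ev.get("Details", "")) else "medium"
            alerts.append({"technique": "T1547.001", "severity": severity,
                           "image": ev["Image"], "target": ev["TargetObject"]})
        elif ev["EventID"] == 19:
            # A new WMI event filter is rare outside administration tooling.
            alerts.append({"technique": "T1546.003", "severity": "high",
                           "image": ev["Image"], "target": f"{ev['Name']}: {ev['Query']}"})
    return alerts
```

The benign Explorer setting in the sample is ignored, which is the point of anchoring on the key path rather than on Event ID 13 alone.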
6. Command & Control (C2)
Establish a communication channel to attacker infrastructure.
Attacker Objectives
- HTTP/S, DNS, SMTP, social media, cloud storage for C2
- Use encryption, domain fronting, or fast-flux networks
- Deploy beaconing with varying intervals, protocols
Detection Opportunities
- Network analytics: beaconing, unusual TLS JA3 fingerprints
- DNS analytics: rare domains, DGA patterns, TXT record usage
- Proxy/firewall logs, cloud egress monitoring
Mitigations
- Egress filtering, proxy authentication, DNS security
- Threat intel updates for indicators, sinkholing, takedowns
- Network segmentation, zero trust policies
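The beaconing analytic listed above, as an added example (not code from the original page): group proxy requests by client/destination pair and flag pairs whose inter-request intervals are too regular, using the coefficient of variation so that modest jitter does not hide the pattern. The log lines are constructed; the format is assumed to be timestamp, client IP, destination host, status.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (not real traffic): "<ISO timestamp> <client> <destination> <status>".
# 10.0.0.5 contacts cdn.example.net roughly every 60 s with small jitter (beacon-like);
# 10.0.0.7 reaches docs.example.org at irregular, human-looking intervals.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 cdn.example.net 200
2024-05-01T10:00:10 10.0.0.7 docs.example.org 200
2024-05-01T10:00:25 10.0.0.7 docs.example.org 200
2024-05-01T10:01:02 10.0.0.5 cdn.example.net 200
2024-05-01T10:01:59 10.0.0.5 cdn.example.net 200
2024-05-01T10:03:01 10.0.0.5 cdn.example.net 200
2024-05-01T10:03:40 10.0.0.7 docs.example.org 200
2024-05-01T10:04:00 10.0.0.5 cdn.example.net 200
2024-05-01T10:04:05 10.0.0.7 docs.example.org 200
2024-05-01T10:05:03 10.0.0.5 cdn.example.net 200
2024-05-01T10:05:58 10.0.0.5 cdn.example.net 200
2024-05-01T10:07:01 10.0.0.5 cdn.example.net 200
2024-05-01T10:09:50 10.0.0.7 docs.example.org 200
"""

def parse_proxy_log(text):
    """Group request timestamps by (client, destination) pair."""
    pairs = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _status = line.split()
        pairs[(src, dst)].append(datetime.fromisoformat(ts))
    return pairs

def detect_beacons(text, min_connections=5, max_cv=0.2):
    """Flag pairs whose inter-request intervals are suspiciously regular.

    cv = stdev / mean of the intervals stays low for a jittered beacon while
    human browsing scatters widely. Returns {(src, dst): {count, mean_interval, cv}}.
    """
    flagged = {}
    for pair, stamps in parse_proxy_log(text).items():
        if len(stamps) < min_connections:
            continue  # too few samples to judge regularity
        stamps.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(deltas)
        cv = statistics.pstdev(deltas) / mean if mean else float("inf")
        if cv <= max_cv:
            flagged[pair] = {"count": len(stamps), "mean_interval": mean, "cv": cv}
    return flagged
```

Tune min_connections and max_cv against your own baseline: legitimate software updaters and monitoring agents also beacon, so the result is a hunting lead to enrich with destination reputation, not a verdict on its own.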
7. Actions on Objectives
Achieve attacker goals: data theft, disruption, monetisation.
Attacker Objectives
- Data exfiltration via cloud storage, FTP, DNS tunneling
- Lateral movement, credential theft, privilege escalation
- Ransomware encryption, destruction, manipulation of systems
Detection Opportunities
- DLP alerts, unusual data transfers, high-volume compression
- SIEM correlation for lateral movement (pass-the-hash, RDP usage)
- File integrity systems for critical assets
Mitigations
- Multi-factor authentication, privileged access management
- Network segmentation and just-in-time admin access
- Robust backup and recovery strategy, incident response drills
Aligning Kill Chain with MITRE ATT&CK & NIST CSF
| Kill Chain Phase | MITRE ATT&CK Tactics | NIST CSF Functions |
|---|---|---|
| Reconnaissance | TA0043 Reconnaissance, TA0042 Resource Development | Identify (Asset Management), Protect (Awareness & Training) |
| Weaponization & Delivery | TA0001 Initial Access, TA0002 Execution | Protect (Access Control, Data Security), Detect (Anomalies & Events) |
| Exploitation & Installation | TA0004 Privilege Escalation, TA0003 Persistence, TA0005 Defence Evasion | Protect (Identity Management), Detect (Continuous Monitoring) |
| Command & Control | TA0011 Command and Control | Detect (Anomalies & Events), Protect (Network Segmentation) |
| Actions on Objectives | TA0008 Lateral Movement, TA0010 Exfiltration, TA0040 Impact | Respond (Analysis, Mitigation), Recover (Improvements) |
Detection Engineering Considerations
- Develop layered detections across phases (defence in depth; assume some phases will be bypassed).
- Enrich alerts with ATT&CK tactic/technique tags to support threat hunting.
- Use purple team exercises to validate coverage and build kill chain heat maps.
- Feed detection gaps into backlog for content engineering and automation (SOAR playbooks).
- Leverage threat intel to update detections as adversary tradecraft evolves.