The Cyber Kill Chain: What it is and How it’s Evolving
Black Hat Ethical Hacking © All rights reserved


In our last edition, we defined cyber threats, vulnerabilities, and attacks—but how do threat actors actually carry out an attack?

Cyberattacks usually do not occur in a single step; rather, they follow a structured process. This is where the Cyber Kill Chain plays a crucial role.

History of the Cyber Kill Chain and What it is

In 2011, Lockheed Martin applied a military targeting concept known as the Kill Chain to the cybersecurity field, calling it the Cyber Kill Chain (also known as the cyberattack chain). It was introduced in the paper "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains" by Hutchins, Cloppert and Amin.

Like its military namesake, the framework breaks an intrusion into seven sequential stages, from the attacker's initial research to the final impact. Its defensive premise is that the adversary has to complete every stage in order, so detecting or blocking any single link breaks the chain. Mapping observed indicators to a stage tells a security team how far an intrusion has progressed and where to intervene before damage is done.

Let's go through the stages of a cyberattack, step by step.


The Cyber Kill Chain: How Cyber Attacks Progress


Figure: the seven stages as published by Lockheed Martin, https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html


1. Reconnaissance – The Attacker’s Research Phase

Before launching an attack, threat actors gather intelligence about their target. They must assess their target, similar to how a thief surveys a neighborhood before attempting a break-in.

During this phase, attackers look for information that can help them break in. They might:

  • Search public sources like company websites, social media, and leaked databases to find employee emails and job roles.
  • Scan for technical vulnerabilities, checking which servers or systems might be outdated and unpatched.
  • Test how employees respond to bait, sending out fake phishing emails just to see who clicks.

Reconnaissance can also short-circuit the chain: if an attacker finds valid credentials in a leaked database or an exposed service that needs no authentication, they can skip weaponization, delivery and exploitation entirely and simply log in.


2. Weaponization – Creating the Attack Tools

Once attackers have gathered sufficient information, they develop their attack tools. These may include malicious files, harmful scripts, or software exploits designed to infiltrate the target’s systems.

At this stage, attackers customize their tools based on what they discovered earlier. If they learned that a company uses an outdated version of software, they might prepare a specific exploit for it. If they found employee emails, they might craft a fake email containing a malicious attachment.

Attackers don’t always create their own tools—many rely on ready-made exploit kits available on the dark web. Just like picking a lock, they only need the right tool for the job.


3. Delivery – Getting the Payload to the Target

A weapon is useless unless it reaches the target. In this phase, the attacker delivers the malicious payload.

This can happen in different ways:

  • Phishing emails: A fake email tricks someone into opening a malicious attachment or clicking a harmful link.
  • Compromised websites: Simply visiting a site the attacker controls or has infected can trigger a download in the background (a drive-by download), usually through a vulnerable browser or plugin.
  • Direct exploitation of exposed services: The attacker sends the payload straight at an internet-facing web application, VPN appliance or other network service, with no user involved at all.

At this stage, the attacker is just waiting for someone to take the bait—a single click or misconfiguration can open the door to the next phase.


4. Exploitation – Breaking In

Now that the malicious payload has reached the target, it needs to execute and take control of the system.

Exploitation happens when the attacker triggers a vulnerability to gain unauthorized access. This could involve:

  • Exploiting outdated software to gain system privileges.
  • Running malicious code inside an innocent-looking file, such as a macro-enabled document.
  • Executing a script that installs a backdoor, allowing further remote access.

Some exploits require user interaction (like clicking a link), while others work silently in the background. In either case, once this stage is successful, the attacker moves deeper into the system.


5. Installation – Establishing a Foothold

Gaining access is just the beginning. The attacker now ensures they stay inside the system undetected.

To maintain control, cybercriminals often:

  • Install hidden backdoors or remote-access tools, allowing them to return at any time.
  • Add persistence hooks, such as a registry Run key, scheduled task, service or cron job, so their access survives a reboot.
  • Use built-in tools ("living off the land", for example PowerShell, WMI or SSH), blending into normal administrative activity to avoid raising alarms.

At this stage, attackers don’t want to make noise. They prepare the groundwork for their next steps, whether that’s stealing data, deploying ransomware, or moving to other parts of the network.


6. Command & Control (C2) – Remote Access for Attackers

Now that the attacker has gained a foothold, they need a way to communicate with the compromised system. This is known as Command & Control (C2)—the stage where the attacker establishes remote access.

A compromised system will often “phone home” to the attacker’s servers, waiting for instructions. The attacker can now:

  • Send commands to extract data, install more malware, or move to other systems.
  • Use encryption or stealth techniques to avoid detection.
  • Blend in with normal traffic, for example HTTPS to a plausible-looking domain or periodic DNS queries, making it hard for security teams to notice unusual activity.

At this stage, the attacker has full remote control—and if they’ve remained undetected so far, they can now execute their final objective.
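The "phone home" behaviour described above has a measurable signature: an implant that polls its C2 server on a timer produces near-constant gaps between connections from one internal host to one external endpoint, while human-driven traffic does not. The following script is an added example (it is not code from the original article or from Lockheed Martin) that runs a simple beacon detector over a constructed connection log; the sample connections, thresholds (at least 8 connections, gap variation under 20 % of the mean) and the address pairs are all assumptions made for the demonstration.

```python
"""Beacon detection over a constructed connection log (added example, not
part of the original article). Periodic "phone home" traffic shows up as
near-constant inter-arrival times between one internal host and one
external endpoint; human browsing does not."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample, not a real capture: (epoch seconds, src, "dst:port").
SAMPLE_CONNECTIONS = (
    # 10.0.0.5: an implant calling back every 60 s with +/-2 s of jitter
    [(1_700_000_000 + i * 60 + (i % 3 - 1) * 2, "10.0.0.5", "203.0.113.7:443")
     for i in range(12)]
    # 10.0.0.9: a person browsing the same CDN in irregular bursts
    + [(1_700_000_000 + t, "10.0.0.9", "198.51.100.3:443")
       for t in (10, 12, 13, 95, 96, 400, 401, 403, 900, 1500)]
    # 10.0.0.7: three evenly spaced connections, too few to judge
    + [(1_700_000_000 + t, "10.0.0.7", "203.0.113.7:443") for t in (0, 300, 600)]
)


def interarrival_stats(timestamps):
    """Mean gap and coefficient of variation (stdev / mean) of the gaps."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if not gaps:
        return None
    m = mean(gaps)
    cv = pstdev(gaps) / m if m > 0 else float("inf")
    return {"count": len(ts), "mean_gap": m, "cv": cv}


def find_beacons(connections, min_count=8, max_cv=0.2):
    """Flag (src, dst) pairs with at least min_count connections whose gaps
    vary by no more than max_cv of the mean. The thresholds are assumptions
    for this example; tune them against your own baseline traffic."""
    by_pair = defaultdict(list)
    for t, src, dst in connections:
        by_pair[(src, dst)].append(t)
    hits = []
    for pair, ts in by_pair.items():
        s = interarrival_stats(ts)
        if s and s["count"] >= min_count and s["cv"] <= max_cv:
            hits.append((pair, s))
    return hits


if __name__ == "__main__":
    for (src, dst), s in find_beacons(SAMPLE_CONNECTIONS):
        print(f"{src} -> {dst}: {s['count']} connections, "
              f"mean gap {s['mean_gap']:.1f}s, cv {s['cv']:.2f}")
```

Only the 10.0.0.5 pair is reported. The obvious counter-measure for an attacker is to widen the jitter well past the max_cv threshold, so in practice this check is combined with others (rare destination, fixed request size, long-lived sessions) rather than used alone.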


7. Actions on Objectives – The Final Attack

This is the attacker’s end goal. Depending on their motive, they might:

  • Steal sensitive data to sell, leak, or use for extortion.
  • Deploy ransomware to encrypt files and demand payment.
  • Destroy systems using wiper malware to erase everything.
  • Move laterally across the network, infecting more systems for a larger impact.

At this stage, the attack has succeeded—unless it’s caught in time.


How the Cyber Kill Chain Has Evolved

Since the introduction of the Cyber Kill Chain, attackers have adapted their tactics and no longer adhere strictly to these seven stages in sequence.

In response, the cybersecurity industry has refined its strategies and developed new models.

  • MITRE ATT&CK® Matrix – Instead of a strict sequence like the Cyber Kill Chain, MITRE ATT&CK provides a comprehensive list of tactics and techniques based on real-world attacks. While it incorporates stages similar to those in the cyber kill chain, it does not follow a linear sequence.
  • The Unified Kill Chain (2017) – Developed by Paul Pols in collaboration with Fox-IT and Leiden University, the Unified Kill Chain is designed to defend against end-to-end cyber-attacks launched by advanced threat actors.


From Cyber Kill Chain to Unified Kill Chain:

As we have already seen, the Cyber Kill Chain consists of seven sequential stages, covering the steps an attacker takes from initial reconnaissance to the final objective. The Unified Kill Chain expands upon this by introducing 18 stages and integrating existing models, such as Lockheed Martin’s Cyber Kill Chain and MITRE’s ATT&CK.

Modern cyberattacks typically follow a structured progression toward strategic goals. Both these attacks and their perpetrators can be classified based on Tactics, Techniques, and Procedures (TTPs). The Unified Kill Chain analyzes attacks at the tactical level, where specific activities are executed to achieve the attack's objectives.

When analyzing the sequence in which tactics unfold, they can be regarded as distinct attack phases. This tactical framework remains consistent across various attacks, even if specific techniques and procedures are modified at the operational level.


How the Unified Kill Chain Expands on the Cyber Kill Chain


In:

The objectives of an attack may require an attacker to gain access to systems or data that are only accessible within a trusted environment, typically inside an organization's internal network. To accomplish this, the attacker can employ the initial phases of the Unified Kill Chain to breach the organization's perimeter and gain access.


Figure: the In / Through / Out phases of the Unified Kill Chain, https://www.unifiedkillchain.com/


Through:

Once inside the targeted network, the attacker may require elevated privileges to access assets essential for achieving the attack's objectives. "Hacking through" a network entails various techniques aimed at escalating privileges and gaining deeper access to systems and data. These actions are typically carried out by an external attacker who has gained either digital or physical access beyond the organization's defenses, often by compromising a single system through multiple attack vectors.



Out:

By infiltrating the targeted network and navigating through its defenses, attackers can obtain the necessary privileges to eventually perform actions on the objectives of the attack, such as extracting sensitive data or disrupting critical infrastructure.



The New Phases in the Unified Kill Chain:

  • Resource Development - Before launching an attack, adversaries need to set up infrastructure, acquire tools, and establish assets to support their operations.
  • Social Engineering - Recognized as a separate stage because many attacks start with psychological manipulation (e.g., phishing, pretexting, or deepfake scams), not just technical exploits.

Post-Exploitation

Post-exploitation is the phase where the attackers consolidate control, escalate privileges, and move deeper into the network before executing their final objective.

The Unified Kill Chain explicitly breaks down post-exploitation into multiple stages:

  • Defense Evasion & Covering Tracks (Anti-Forensics) - Attackers don’t just want to avoid detection while executing an attack—they also cover their tracks to ensure security teams can’t trace their activities.

While Defense Evasion focuses on bypassing security tools (e.g., obfuscating malware, disabling antivirus, using encrypted C2 channels), Anti-Forensics (or Covering Tracks) focuses on removing forensic evidence after malicious activity has occurred.

Common Anti-Forensics Techniques include:

  1. Log Manipulation – Deleting, modifying, or corrupting system and security logs (for example wevtutil cl Security to clear the Security log, or auditpol /clear to wipe the audit policy so later activity is never recorded). Both leave a trace of their own: clearing the Security log writes event 1102, clearing other logs writes System event 104, and an audit-policy change writes event 4719, so these IDs are worth alerting on.
  2. Timestamp Forging – Changing file creation/modification timestamps (the Meterpreter timestomp command on Windows, touch -t on Linux) so a dropped file looks as old as its neighbours.
  3. Fileless Malware & Memory Injection – Running malicious code in memory to avoid leaving artifacts on disk.
  4. Encrypting or Packing Malware Files – Attackers encrypt or pack their own tools to hinder forensic analysis.
  5. Clearing Shell History – Removing command history on Linux/macOS (history -c clears only the current shell's in-memory history; attackers also unset HISTFILE or truncate ~/.bash_history).
  6. Steganography – Hiding malicious payloads inside images or legitimate files.

These techniques ensure that even if a breach is detected, tracing the attacker’s steps becomes extremely difficult.
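Two of the techniques above can be turned into concrete checks. The script below is an added example (not code from the original article or from the Unified Kill Chain project): the first function scans event records for the log-clearing and audit-policy events and for process creations that invoke the tools named above; the second exploits the fact that on Linux and macOS the inode change time (ctime) is set by the kernel and cannot be rewritten from user space, so a file whose modification time lies far before its ctime has had its mtime backdated. The event records are constructed to resemble a JSON export of Windows event logs and the field names, hosts and users are assumptions; the timestomp demonstration creates a temporary file and backdates it the way an attacker would.

```python
"""Spotting anti-forensic activity (added example, not part of the original
article): cleared logs in Windows event records, and timestomped files found
by comparing mtime against ctime."""
import os
import tempfile

# Constructed records in the shape of a Windows event log JSON export.
# Field names, hosts and users are assumptions for this example; not real data.
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 4624, "Computer": "WS01", "User": "alice"},
    {"Channel": "Security", "EventID": 1102, "Computer": "WS01", "User": "alice"},  # audit log cleared
    {"Channel": "System",   "EventID": 104,  "Computer": "WS01", "User": "alice"},  # event log cleared
    {"Channel": "Security", "EventID": 4719, "Computer": "WS01", "User": "alice"},  # audit policy changed
    {"Channel": "Security", "EventID": 4688, "Computer": "WS01", "User": "alice",
     "CommandLine": "wevtutil.exe cl Security"},                                    # process creation
    {"Channel": "Security", "EventID": 4688, "Computer": "WS02", "User": "bob",
     "CommandLine": "notepad.exe report.txt"},
]

# (channel, event id) -> meaning; these IDs are what the clearing tools leave behind.
CLEAR_EVENTS = {
    ("Security", 1102): "Security audit log cleared",
    ("System", 104): "event log cleared",
    ("Security", 4719): "system audit policy changed",
}
# Command-line fragments seen in 4688 process-creation events during log tampering.
SUSPICIOUS_CMDS = ("wevtutil", "auditpol", "fsutil usn deletejournal")


def find_log_tampering(events):
    """Return (computer, user, reason) for every record that indicates log tampering."""
    findings = []
    for e in events:
        key = (e.get("Channel"), e.get("EventID"))
        if key in CLEAR_EVENTS:
            findings.append((e["Computer"], e["User"], CLEAR_EVENTS[key]))
        cmd = e.get("CommandLine", "").lower()
        if e.get("EventID") == 4688 and any(tok in cmd for tok in SUSPICIOUS_CMDS):
            findings.append((e["Computer"], e["User"], "suspicious process: " + e["CommandLine"]))
    return findings


def looks_timestomped(path, tolerance=60):
    """True when the file's mtime is more than `tolerance` seconds older than its ctime.

    utime()/touch -t/timestomp can rewrite atime and mtime, but the kernel bumps
    ctime to "now" on that very change, so a backdated file shows ctime >> mtime.
    Archive extraction or `cp -p` produce the same gap, so treat hits as leads
    to confirm, not proof."""
    st = os.stat(path)
    return st.st_ctime - st.st_mtime > tolerance


def demo_timestomp():
    """Create a fresh file, then backdate it like an attacker would; returns
    (flagged_before, flagged_after)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "dropped.dll")
        with open(path, "w") as f:
            f.write("x")
        before = looks_timestomped(path)
        old = 1_420_070_400  # 2015-01-01T00:00:00Z, an arbitrary date in the past
        os.utime(path, (old, old))  # the timestomp: atime and mtime go back to 2015
        after = looks_timestomped(path)
    return before, after


if __name__ == "__main__":
    for computer, user, reason in find_log_tampering(SAMPLE_EVENTS):
        print(f"{computer}\t{user}\t{reason}")
    print("timestomp check (before, after):", demo_timestomp())
```

Note what the log check does not catch: an attacker who stops the EventLog service, or who clears the policy first and the logs afterwards, still produces 4719 and 1102, but one who simply never lets events reach a collector produces nothing, which is why logs should be forwarded off-host as they are written.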


  • Pivoting - is an essential post-exploitation technique where attackers tunnel their traffic through a compromised system to reach other parts of the network that would otherwise be inaccessible.
  • Discovery - Once inside a network, attackers must understand what systems exist, where sensitive data is stored, and which security defenses are in place.
  • Privilege Escalation - Attackers gain higher access rights (e.g., from regular user to admin) using system exploits, misconfigurations, or stolen credentials.
  • Credential Access - Involves stealing passwords, hashes, or session tokens to escalate privileges and move deeper into the network.
  • Lateral Movement - Instead of staying on the initial compromised system, attackers spread across the network, infecting other machines and escalating their reach.


  • Execution - refers to the actual running of attacker-controlled code on a compromised system. Unlike Exploitation, which focuses on gaining access, Execution is about carrying out specific malicious actions after access is obtained.
  • Collection - Before attackers steal data (exfiltration), they must identify, gather, and stage the most valuable information for extraction.
  • Exfiltration - A separate phase for stealing data, whether sensitive corporate files, credentials, or personal records. Unlike CKC, UKC explicitly separates this from the final objective.
  • Impact - Covers a broader range of attack consequences, including ransomware encryption, data wiping, sabotage, and operational disruption, instead of treating all final actions as a single step.
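Lateral Movement, one of the post-exploitation stages listed above, has a characteristic shape in authentication logs: a single account from a single source address opening remote sessions to many different hosts in a short window. The following script is an added example (not code from the original article or from the Unified Kill Chain project) that flags that fan-out pattern in constructed Windows logon records; the record layout, the 10-minute window, the four-host threshold and the account and host names are assumptions made for the demonstration.

```python
"""Lateral-movement fan-out detection over constructed logon records
(added example, not part of the original article)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records modelled on Windows event 4624 (successful logon):
# (timestamp, account, source_ip, target_host, logon_type). Not real data.
# Logon type 3 = network (SMB, WMI, PsExec style), 10 = RemoteInteractive (RDP),
# 2 = interactive at the console.
SAMPLE_LOGONS = [
    ("2024-03-01T09:00:00", "svc_backup", "10.0.0.5", "FS01", 3),
    ("2024-03-01T09:00:20", "svc_backup", "10.0.0.5", "FS02", 3),
    ("2024-03-01T09:00:45", "svc_backup", "10.0.0.5", "DC01", 3),
    ("2024-03-01T09:01:10", "svc_backup", "10.0.0.5", "HR-WS7", 3),
    ("2024-03-01T09:01:30", "svc_backup", "10.0.0.5", "FIN-WS2", 10),
    ("2024-03-01T09:00:00", "alice", "10.0.0.9", "FS01", 3),
    ("2024-03-01T13:30:00", "alice", "10.0.0.9", "MAIL01", 3),
    ("2024-03-01T09:05:00", "bob", "10.0.0.12", "WS-BOB", 2),  # console logon, ignored
]


def find_fanout(logons, window=timedelta(minutes=10), min_hosts=4, remote_types=(3, 10)):
    """For each (account, source_ip), slide a window over its remote logons and
    alert the first time it reaches at least min_hosts distinct target hosts.
    Returns [((account, source_ip), window_start, sorted_hosts), ...]."""
    by_actor = defaultdict(list)
    for ts, account, src, host, logon_type in logons:
        if logon_type in remote_types:
            by_actor[(account, src)].append((datetime.fromisoformat(ts), host))
    alerts = []
    for actor, events in by_actor.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            hosts = {h for t, h in events[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts.append((actor, t0, sorted(hosts)))
                break  # one alert per actor is enough for triage
    return alerts


if __name__ == "__main__":
    for (account, src), start, hosts in find_fanout(SAMPLE_LOGONS):
        print(f"{account} from {src} reached {len(hosts)} hosts from {start}: {', '.join(hosts)}")
```

Backup agents, vulnerability scanners and configuration-management tools legitimately behave exactly like svc_backup does here, so a production version of this rule keeps an allowlist of known service accounts and source addresses and weights the alert higher when a domain controller or a host outside the account's usual set appears in the list.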


The Future of Cyber Attacks: Will AI Become a New Phase in the Kill Chain?

Artificial Intelligence (AI) is becoming a game-changer—not just for defenders but also for attackers. While AI-powered security solutions are improving detection and response, threat actors are also leveraging AI to automate and enhance attacks.

Right now, AI isn’t explicitly listed as a phase in either the Cyber Kill Chain or Unified Kill Chain, but this is likely to change in the coming years. As AI continues to evolve, it may become a distinct stage in the attack lifecycle, just like reconnaissance, exploitation, and lateral movement.

How AI is Reshaping Cyber Attacks

AI is already being used in multiple attack stages, automating tasks that once required human effort. Here’s how AI is accelerating cyber threats:

1. AI-Driven Reconnaissance – AI-powered tools rapidly scan the internet, social media, and dark web to identify potential targets and vulnerabilities.

2. Automated Social Engineering – AI-generated deepfake videos, voice cloning, and hyper-personalized phishing emails make scams more convincing and scalable.

3. AI-Powered Exploitation – Attackers use AI to accelerate vulnerability discovery and exploit development, shrinking the gap between a disclosure and a working attack.

4. Evasion Through AI – Malware can change its behavior in real time, bypassing security tools that rely on static signatures and fixed patterns.

5. Autonomous Lateral Movement – AI-driven malware can analyze network environments and move strategically without human input.

With AI’s ability to mimic human behavior, learn from security measures, and adjust in real time, we are stepping into an era where cyberattacks could operate autonomously and on an unparalleled scale.


Final Thoughts:

Cyber threats have evolved significantly over the years, and so has our understanding of how threat actors operate. At the same time, threat actors don’t care about neat and linear steps. They move unpredictably, skip phases, repeat tactics, and adapt as they go. That is exactly why cybersecurity needs to evolve just as quickly.

Once attackers infiltrate a system, they don’t just execute a payload and walk away. Instead, they persist, escalate, evade, and move laterally—sometimes for months—before launching their final attack. With AI becoming a weapon of its own, the way we think about cyber threats needs to change again.

We are entering an era where AI is not only protecting us but also being weaponized against us.

Relying on static models puts defenders at a disadvantage. As attackers innovate, defensive strategies must also evolve—incorporating flexibility, deeper post-exploitation analysis, and AI-powered detection mechanisms.

Understanding the attack lifecycle is only half the battle—the real test is figuring out how to break the chain before real attackers do. This is where penetration testing becomes crucial. A well-executed penetration test does more than identify vulnerabilities—it actively simulates attacks across every stage of the kill chain to assess how effectively security teams can detect, respond to, and contain threats before they escalate. Cybersecurity is not just about defense; it requires adopting the mindset of an attacker to stay ahead of one.



INFORMATION SECURITY SERVICES

Secure your business before threat actors strike. Get a Quote Now!

Learn More: https://www.blackhatethicalhacking.com/solutions/


Educational Content:

Learn & Level Up

Courses:

Offensive Security & Ethical Hacking

The Bug Bounty Hunting Course

Learn More: https://www.blackhatethicalhacking.com/courses/


Exclusive Content on Patreon

WHY JOIN OUR PATREON PAGE?

Our goal is to expand your creativity as a hacker, sharpen your Red Team mindset, and push the limits of Offensive Security.

If you're comfortable with Kali Linux and understand hacking methodologies, this is for you.

WHAT YOU GET:

Exclusive Monthly Content – Only available to Patrons!

Hands-on Hacking Techniques – OSINT, Brute-Forcing, Fuzzing, Web App Testing and more!

Deep-Dive into Offensive Security – Post-Exploitation, Recon, and Red Team strategies.

Instant Access to 70+ Episodes & 30+ Hours of Content

Learn More: https://www.patreon.com/blackhatethicalhacking


Join Our Official Discord Community Channel!

https://discord.com/invite/EYMqveWXkv



John Truong

Cybersecurity Specialist || ITIL || Cloud Computing Engineer || Google Cloud Certified Professional || Azure Database Administrator || AWS Solution Architect || Network Operation

1 week

The Cyber Kill Chain is the hacker's bible. The threat intelligence and attacker techniques are all on there.

Mauricio Ortiz, CISA

Great dad | Inspired Risk Management and Security | Cybersecurity | AI Governance & Security | Data Science & Analytics My posts and comments are my personal views and perspectives but not those of my employer

2 weeks

Black Hat Ethical Hacking outstanding content. A must read!

Elazar Gilad

iGaming Executive | CEO/ COO/CMO | Global Digital Growth & Strategic M&A

2 weeks