Cyber Kill Chain Methodology (CKC)

In 2011, Lockheed Martin introduced a methodology describing the pattern of a cyber-attack, to help incident response teams, digital forensic investigators and malware analysts work through their analysis in a chained manner. The methodology explains, in seven phases, how an attacker goes from gathering information about a target to launching the attack. Lockheed Martin co-opted the term “kill chain”, which the military uses to define the steps an enemy takes to attack a target. CKC explains the flow of a cyber-attack in seven steps. They are:

1. Reconnaissance

2. Weaponization

3. Delivery

4. Exploitation

5. Installation

6. Command and Control

7. Actions on Objectives


1. Reconnaissance:-

In the Reconnaissance phase, the attacker gathers information about the target before the attack starts. A target may be an organization or an individual. The attacker picks a target, profiles and researches it, and looks for vulnerabilities. The attacker collects information from internet sites, blogs, mailing lists, social networking sites and job postings, and by scanning and footprinting the network, ports or services. The information gathered in the reconnaissance phase is used in later phases of the cyber kill chain to design and deliver the malicious code or payload, based on the vulnerabilities found on the target.

The techniques used to identify and select the target draw on domain names, WHOIS, and database records from RIPE and APNIC. To gather personal information the attacker uses social networking sites (Facebook, Instagram, LinkedIn), blogs, etc. System information such as ports and mail is gathered through fingerprinting, port scanning and service scanning. To validate targets, the attacker uses phishing mails and social engineering.

Using these techniques and the knowledge acquired about the target in the Reconnaissance phase, the attacker decides on the approach (weapon) that can reach the target and get at its information. The attacker then designs and develops a weapon (for installing malware and for bypassing security mechanisms).


2. Weaponization:-

In the Weaponize phase, the attacker may design a malware payload based on the vulnerabilities found in the target system during the reconnaissance phase, or couple an exploit with virus files into a deliverable payload.

These can be paired with a phishing email, distributed via USB, or shared through social networking sites, ready to be delivered to the target without being noticed.

The attacker can create remote access software that executes on the target system and gives remote access. This software is hidden and goes undetected by the target's system.


3. Delivery:-

In the Delivery phase, the attacker needs to transmit the weapon created in the weaponize phase. The attacker might use a VPN connection to transmit the files to the target system over the network, might use phishing through mail, social networking sites or blogs related to the target, or might transmit the weapon on USB devices. It can also be transmitted through websites by exploiting vulnerabilities in the network and the target system.


4. Exploitation:-

The delivered cyber weapon (payloads, malicious code, viruses) starts executing on the target system; exploiting a vulnerability triggers the attacker's weapon. Exploited vulnerabilities are categorized by level (OS level, kernel level, software and network level, etc.). For example, the weapon is attached to a document and delivered to the target system by phishing. The target unknowingly downloads the document file, and in the background the software (weapon) is downloaded to the system.


5. Installation:-

To gain access to the target system, the weapon (payloads, malicious code, viruses) is installed on the target system. The target system cannot identify this, but the attacker now has access to it. The attacker updates the weapon as the target system is upgraded.

6. Command and Control (C2):-

Once the system is infected by the attacker’s weapon, it communicates with the attacker through the command-and-control phase. Command and Control will analyse the communication traffic to detect communication patterns among infected systems. The attacker is able to maintain control over the system and observe the target's actions.

7. Actions on Objectives:-

In this phase the attacker accomplishes his goals or objectives. The attacker may be involved in data theft, data correction or deletion of data in the target’s environment. The attacker obtains user credentials for online accounts to gain information to sell.
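To show how an incident response team can use the seven phases to work through an analysis in a chained manner, the following added example (not part of the original article) places constructed alerts for each host on the chain, reports the deepest phase reached, and lists the earlier phases that have no evidence yet. The alert type names, their mapping to phases and the host names are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

# The seven phases in chain order, as listed in the article.
PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and Control", "Actions on Objectives"]

# Assumed mapping from alert type to phase; the alert names are hypothetical.
ALERT_PHASE = {
    "port_scan": "Reconnaissance",
    "phishing_mail": "Delivery", "usb_autorun": "Delivery",
    "document_exploit": "Exploitation", "new_persistent_service": "Installation",
    "periodic_beacon": "Command and Control",
    "bulk_data_upload": "Actions on Objectives",
}

# Constructed sample alerts: (timestamp, host, alert type).
SAMPLE_ALERTS = [
    ("2024-03-01T09:12:00", "ws-17", "phishing_mail"),
    ("2024-03-01T09:20:00", "ws-17", "document_exploit"),
    ("2024-03-01T11:05:00", "ws-17", "periodic_beacon"),
    ("2024-03-02T02:30:00", "ws-17", "bulk_data_upload"),
    ("2024-03-01T08:00:00", "srv-02", "port_scan"),
    ("2024-03-01T10:00:00", "ws-04", "unknown_event"),
]

def chain_report(alerts):
    """Per host: deepest phase seen, earlier phases lacking evidence, ordering."""
    first_seen = defaultdict(dict)
    for ts, host, kind in alerts:
        phase = ALERT_PHASE.get(kind)
        if phase is None:  # unmapped alert types are skipped, not guessed
            continue
        when = datetime.fromisoformat(ts)
        first_seen[host][phase] = min(when, first_seen[host].get(phase, when))
    report = {}
    for host, seen in first_seen.items():
        deepest = max(PHASES.index(p) for p in seen)
        # Earlier phases with no alert are where to look back for artefacts.
        # Weaponization is done on the attacker's side, so it is left out.
        gaps = [p for p in PHASES[:deepest] if p not in seen and p != "Weaponization"]
        times = [seen[p] for p in PHASES if p in seen]
        report[host] = {"deepest": PHASES[deepest], "gaps": gaps,
                        "in_order": times == sorted(times)}
    return report

if __name__ == "__main__":
    for host, result in chain_report(SAMPLE_ALERTS).items():
        print(host, result)
```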

Since 2011, different variants of the “Cyber Kill Chain” method have been released, namely the “Internal Cyber Kill Chain” model and the “Unified Kill Chain”. In my point of view, the most informative model for the pattern of the cyber kill chain is the Lockheed Martin model alone.