08.06 · The lifecycle of every campaign

The Kill Chain

Lockheed Martin's seven-phase model of how a targeted attack unfolds. Published in 2011 by Hutchins, Cloppert and Amin to describe nation-state campaigns, it now describes nearly every criminal intrusion too. Each phase is an opportunity for defenders to break the chain; the model exists to make that point explicit.

The seven phases

The phases, in order. The ransomware attack on the previous page supplies an example of each, and the connection is intentional: every kill-chain phase maps to specific MITRE ATT&CK tactics, and every defensive control disrupts specific phases.

  • Phase 1 · Reconnaissance. The attacker researches and selects targets: public websites, mailing lists, conference attendee lists, social relationships, the technologies in use.
  • Phase 2 · Weaponization. An exploit is coupled with a remote-access payload into a deliverable, typically a document or archive.
  • Phase 3 · Delivery. The weapon is transmitted to the target: an email attachment, a malicious or compromised website, removable media.
  • Phase 4 · Exploitation. The attacker's code is triggered, through a vulnerability in an application or operating system or by tricking the user into running it.
  • Phase 5 · Installation. A backdoor or remote-access tool is installed so the attacker keeps access after the initial exploit.
  • Phase 6 · Command & Control. The implant beacons out to attacker infrastructure, giving the intruder hands-on-keyboard control.
  • Phase 7 · Actions on Objectives. Only now does the attacker pursue the actual goal: exfiltration, destruction or encryption of data, or using the host as a hop point toward the next target.

What changed between Lockheed (2011) and MITRE ATT&CK (2013+)

The Kill Chain has seven phases. MITRE ATT&CK, the modern alternative, has fourteen "tactics" in its enterprise matrix, with roughly 200 techniques and over 400 sub-techniques spread across them. Why the inflation?

  • Kill Chain is linear; ATT&CK is a graph. Real attacks loop: post-installation, attackers do more reconnaissance (this time from inside), more exploitation (privilege escalation), more delivery (lateral movement). ATT&CK calls these out as separate tactics rather than folding them into "Actions on Objectives."
  • ATT&CK separates "tactic" (the why) from "technique" (the how). Lateral Movement is a tactic; Pass the Hash (T1550.002, a sub-technique of Use Alternate Authentication Material) is one technique that achieves it, and the same technique is also listed under Defense Evasion, because a single behavior can serve more than one goal. Defenses are easier to map to techniques than to phases.
  • ATT&CK is observational. Each technique is documented with which threat groups used it, on which platforms, with which detection signals, and the whole thing is distributed as STIX JSON you can load and query. The Kill Chain is a model; ATT&CK is a database.

In practice, defensive teams use both. The Kill Chain is a way to talk to executives about what attackers do. ATT&CK is a way to tell engineers which specific behaviors to detect.

The MITRE ATT&CK tactics, briefly

Tactic                  What the attacker wants
Reconnaissance          Gather information about the target before access.
Resource Development    Build the infrastructure (servers, accounts, malware) for the campaign.
Initial Access          Get the first foothold on a target system.
Execution               Run attacker-controlled code on the foothold.
Persistence             Stay on the system across reboots and credential changes.
Privilege Escalation    Move from low-privilege to high-privilege access.
Defense Evasion         Avoid detection by AV, EDR, logging, humans.
Credential Access       Steal passwords, tokens, keys.
Discovery               Map the environment from inside: hosts, services, accounts, network shares.
Lateral Movement        Move from a compromised host to other hosts.
Collection              Gather data of interest (files, mailboxes, databases).
Command & Control       Maintain remote control of the compromised systems.
Exfiltration            Move stolen data out of the target environment.
Impact                  Encrypt, destroy, manipulate: the final objective.

Why this matters defensively

The whole point of the chain is that defenders don't have to win at every phase; they have to win at one, and then act on it. The attacker has to succeed at every phase in order (or, in ATT&CK terms, at every tactic the objective requires). Force them to place seven bets that all have to pay off and the math tilts hard toward the defender. One caveat: the bets are not fully independent. An attacker whose lure is blocked at Delivery simply sends another, so a block or detection only breaks the chain if someone responds to it and uses what it reveals to harden the earlier phases against the next attempt.

That's the lens the next page uses: every defensive control we list (EDR, allowlisting, segmentation, backups, MFA) is annotated with the kill-chain phases it disrupts. The goal is not to deploy the maximum number of controls; it is to make sure no phase is covered by only a single control.
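To make both points concrete, the tactic/technique distinction above and the phase-coverage argument here, the following is an added example written for this page; it is not code from the page or from MITRE. It reads techniques out of a bundle in the exact field layout ATT&CK's STIX JSON uses (tactics in kill_chain_phases, the T-number in external_references), rolls a control inventory up through tactics to kill-chain phases, and reports phases guarded by fewer than two controls. Three things are assumptions: the six-technique BUNDLE is a constructed excerpt (real IDs and tactics, but not the real file), CONTROLS is a hypothetical inventory, and TACTIC_TO_PHASE is one crosswalk of my own that follows the page's correspondences, not an official mapping.

```python
"""Roll ATT&CK technique coverage up to tactics, then to kill-chain phases.

ATT&CK ships as a STIX 2.1 bundle (enterprise-attack.json). Each technique is an
"attack-pattern" object whose tactics are the phase_name values in kill_chain_phases
and whose T-number is the external_id of the "mitre-attack" external reference.
BUNDLE below is a constructed excerpt in that shape so the script runs offline.
"""
from collections import defaultdict

KILL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command & Control", "Actions on Objectives"]

# Assumption: one defensible crosswalk from ATT&CK tactics to Lockheed phases,
# following the page's own correspondences (discovery = recon from inside,
# privilege escalation = re-exploitation, lateral movement = re-delivery).
TACTIC_TO_PHASE = {
    "reconnaissance": "Reconnaissance",  "resource-development": "Weaponization",
    "initial-access": "Delivery",        "lateral-movement": "Delivery",
    "execution": "Exploitation",         "privilege-escalation": "Exploitation",
    "persistence": "Installation",       "defense-evasion": "Installation",
    "command-and-control": "Command & Control",
    "discovery": "Reconnaissance",
    "credential-access": "Actions on Objectives", "collection": "Actions on Objectives",
    "exfiltration": "Actions on Objectives",      "impact": "Actions on Objectives",
}


def _ap(tid, name, *tactics):
    """Build a minimal attack-pattern object in the real bundle's field layout."""
    return {"type": "attack-pattern", "name": name,
            "x_mitre_is_subtechnique": "." in tid,
            "external_references": [{"source_name": "mitre-attack", "external_id": tid}],
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": t}
                                  for t in tactics]}


# Constructed excerpt: real ATT&CK IDs and tactics, but six of ~200 techniques.
BUNDLE = {"type": "bundle", "objects": [
    _ap("T1566", "Phishing", "initial-access"),
    _ap("T1053", "Scheduled Task/Job", "execution", "persistence", "privilege-escalation"),
    _ap("T1003", "OS Credential Dumping", "credential-access"),
    _ap("T1550.002", "Pass the Hash", "defense-evasion", "lateral-movement"),
    _ap("T1071", "Application Layer Protocol", "command-and-control"),
    _ap("T1486", "Data Encrypted for Impact", "impact"),
]}


def index_techniques(bundle):
    """Return {ATT&CK ID: (name, [tactics])}, skipping revoked/deprecated objects."""
    index = {}
    for obj in bundle["objects"]:
        if obj.get("type") != "attack-pattern":
            continue
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        tid = next((r["external_id"] for r in obj.get("external_references", [])
                    if r.get("source_name") == "mitre-attack"), None)
        if tid is None:
            continue
        tactics = [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                   if p.get("kill_chain_name") == "mitre-attack"]
        index[tid] = (obj["name"], tactics)
    return index


def technique_tactics(index, tid):
    """Tactics for a technique; an unknown sub-technique falls back to its parent."""
    if tid in index:
        return index[tid][1]
    parent = tid.split(".")[0]
    return index.get(parent, ("", []))[1]


def phase_coverage(index, controls):
    """controls: {control name: [technique IDs it blocks or detects]}.
    Returns {kill-chain phase: set of controls that touch it}."""
    cover = defaultdict(set)
    for control, tids in controls.items():
        for tid in tids:
            for tactic in technique_tactics(index, tid):
                cover[TACTIC_TO_PHASE[tactic]].add(control)
    return cover


def weak_phases(cover, minimum=2):
    """Phases, in chain order, protected by fewer than `minimum` controls."""
    return [p for p in KILL_CHAIN if len(cover.get(p, ())) < minimum]


# Assumption: a hypothetical control inventory; the technique lists are illustrative.
CONTROLS = {
    "Mail filtering": ["T1566"],
    "Awareness training": ["T1566"],
    "EDR": ["T1003", "T1053", "T1486"],
    "Credential tiering": ["T1550.002", "T1003"],
    "Egress proxy": ["T1071"],
    "Offline backups": ["T1486"],
}

if __name__ == "__main__":
    cov = phase_coverage(index_techniques(BUNDLE), CONTROLS)
    for phase in KILL_CHAIN:
        print(f"{phase:22} {sorted(cov.get(phase, ()))}")
    print("fewer than two controls:", weak_phases(cov))
```

Against the real data, replace BUNDLE with `json.load()` of enterprise-attack.json from MITRE's attack-stix-data repository; index_techniques only touches fields every version of the bundle carries. Two things to read into the output. Reconnaissance and Weaponization will almost always come back empty for a host-centric inventory, because those phases happen off your network; that is expected, not a gap to paper over. And the roll-up counts controls, not their quality: a control that "maps" to a technique on paper but has never been tested against it still counts as one, so treat the report as a prompt for questions rather than a score.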