The cyber kill chain is a series of steps that trace stages of a cyberattack from the early reconnaissance stages to the exfiltration of data. The kill chain helps us understand and combat ransomware, security breaches, and advanced persistent attacks (APTs).

Lockheed Martin derived the kill chain framework from a military model – originally established to identify, prepare to attack, engage, and destroy the target. Since its inception, the kill chain has evolved to better anticipate and recognize insider threats, social engineering, advanced ransomware and innovative attacks.

Get a free Data Risk Assessment

cyber kill chain definition

How the Cyber Kill Chain Works

There are several core stages in the cyber kill chain. They range from reconnaissance (often the first stage in a malware attack) to lateral movement (moving laterally throughout the network to get access to more data) to data exfiltration (getting the data out).  All of your common attack vectors – whether phishing or brute force or the latest strain of malware – trigger activity on the cyber kill chain.

cyber kill chain phases

Each stage is related to a certain type of activity in a cyber attack, regardless of whether it’s an internal or external attack:

  • Reconnaissance
    The observation stage: attackers typically assess the situation from the outside-in, in order to identify both targets and tactics for the attack.
  • Intrusion
    Based on what the attackers discovered in the reconnaissance phase, they’re able to get into your systems: often leveraging malware or security vulnerabilities.
  • Exploitation
    The act of exploiting vulnerabilities, and delivering malicious code onto the system, in order to get a better foothold.
  • Privilege Escalation
    Attackers often need more privileges on a system to get access to more data and permissions: for this, they need to escalate their privileges often to an Admin.
  • Lateral Movement
    Once they’re in the system, attackers can move laterally to other systems and accounts in order to gain more leverage: whether that’s higher permissions, more data, or greater access to systems.
  • Obfuscation / Anti-forensics
    In order to successfully pull off a cyberattack, attackers need to cover their tracks, and in this stage they often lay false trails, compromise data, and clear logs to confuse and/or slow down any forensics team.
  • Denial of Service
    Disruption of normal access for users and systems, in order to stop the attack from being monitored, tracked, or blocked
  • Exfiltration
    The extraction stage: getting data out of the compromised system.

Below, we’ll explore each phase of the cyber kill chain in more detail.

8 Phases of The Cyber Kill Chain

cyber kill chain in depth phases

Each phase of the kill chain is an opportunity to stop a cyberattack in progress: with the right tools to detect and recognize the behavior of each stage, you’re able to better defend against a systems or data breach.


In every heist, you’ve got to scope the joint first. Same principle applies in a cyber-heist: it’s the preliminary step of an attack, the information gathering mission. During reconnaissance, an attacker is seeking information that might reveal vulnerabilities and weak points in the system. Firewalls, intrusion prevention systems, perimeter security – these days, even social media accounts – get ID’d and investigated. Reconnaissance tools scan corporate networks to search for points of entry and vulnerabilities to be exploited.


Once you’ve got the intel, it’s time to break in. Intrusion is when the attack becomes active: attackers can send malware – including ransomware, spyware, and adware – to the system to gain entry. This is the delivery phase: it could be delivered by phishing email, it might be a compromised website or that really great coffee shop down the street with free, hacker-prone wifi. Intrusion is the point of entry for an attack, getting the attackers inside.


You’re inside the door, and the perimeter is breached. The exploitation stage of the attack…well, exploits the system, for lack of a better term. Attackers can now get into the system and install additional tools, modify security certificates and create new script files for nefarious purposes.

Privilege Escalation

What’s the point of getting in the building, if you’re stuck in the lobby? Attackers use privilege escalation to get elevated access to resources. Privilege escalation techniques often include brute force attacks, preying on password vulnerabilities, and exploiting zero day vulnerabilities. They’ll modify GPO security settings, configuration files, change permissions, and try to extract credentials.

Lateral Movement

You’ve got the run of the place, but you still need to find the vault. Attackers will move from system to system, in a lateral movement, to gain more access and find more assets. It’s also an advanced data discovery mission, where attackers seek out critical data and sensitive information, admin access and email servers – often using the same resources as IT and leveraging built-in tools like PowerShell – and position themselves to do the most damage.

Obfuscation (anti-forensics)

Put the security cameras on a loop and show an empty elevator so nobody sees what’s happening behind the scenes. Cyber-attackers do the same thing: conceal their presence and mask activity to avoid detection and thwart the inevitable investigation. This might mean wiping files and metadata, overwriting data with false timestamps (timestomping) and misleading information, or modifying critical information so that it looks like the data was never touched.

Denial of Service

Jam the phone lines and shut down the power grid. Here’s where the attackers target the network and data infrastructure, so that the legitimate users can’t get what they need. The denial of service (DoS) attack disrupts and suspends access, and could crash systems and flood services.


Always have an exit strategy. The attackers get the data: they’ll copy, transfer, or move sensitive data to a controlled location, where they do with the data what they will. Ransom it, sell it on ebay, send it to wikileaks. It can take days to get all of the data out, but once it’s out, it’s in their control.

The Takeaway

Different security techniques bring forward different approaches to the cyber kill chain – everyone from Gartner to Lockheed Martin defines the stages slightly differently. Alternative models of the cyber kill chain combine several of the above steps into a C&C stage (command and control, or C2) and others into an ‘Actions on Objective’ stage. Some combine lateral movement and privilege escalation into an exploration stage; others combine intrusion and exploitation into a ‘point of entry’ stage.

It’s a model often criticized for focusing on perimeter security and limited to malware prevention. When combined with advanced analytics and predictive modeling, however, the cyber kill chain becomes critical to data security.

With the above breakdown, the kill chain is structured to reveal the active state of a data breach. Each stage of the kill chain requires specific instrumentation to detect cyber attacks, and Varonis has out-of-the-box threat models to detect those attacks at every stage of the kill chain.

Varonis monitors attacks at the entry, exit, and everywhere in between. By monitoring outside activity – like VPN, DNS, and Proxy, Varonis helps guard the primary ways to get in and out of an organization.  By monitoring file activity and user behavior, Varonis can detect attack activity on every stage of the kill chain – from kerberos attacks to malware behavior.

Want to see it in action? See how Varonis addresses each stage of the kill chain in a 1:1 demo – and learn how you can prevent and stop ongoing attacks before the damage is done.

What you should do now

Below are three ways we can help you begin your journey to reducing data risk at your company:

  1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
  2. Download our free report and learn the risks associated with SaaS data exposure.
  3. Share this blog post with someone you know who’d enjoy reading it. Share it with them via email, LinkedIn, Twitter, Reddit, or Facebook.


Michael Buckbee

Michael Buckbee

Michael has worked as a sysadmin and software developer for Silicon Valley startups, the US Navy, and everything in between.