Seven Steps of a Cyberattack

The Cyber Kill Chain: The Seven Steps of a Cyberattack

January 1, 2022
| Threat Intelligence

The Cyber Kill Chain framework, developed by Lockheed Martin (2022), explains how attackers move through networks to identify vulnerabilities that they can then exploit. Attackers use the steps in the Cyber Kill Chain when conducting offensive operations in cyberspace against their targets. If you’re responsible for defending a network, this model can help you understand the stages of a cyberattack and the measures you can take to prevent or intercept each step.

The Cyber Kill Chain is divided into seven stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control (C2), and actions on objectives. This article describes what each of these steps entails, including the preventive measures that network defenders can take in each stage. You’ll also learn how EC-Council’s Certified Threat Intelligence Analyst (C|TIA) certification can advance your cybersecurity knowledge.

1. Reconnaissance

Reconnaissance is the first stage in the Cyber Kill Chain and involves researching potential targets before carrying out any penetration testing. The reconnaissance stage may include identifying potential targets, finding their vulnerabilities, discovering which third parties are connected to them (and what data they can access), and exploring existing entry points as well as finding new ones. Reconnaissance can take place both online and offline.

2. Weaponization

The weaponization stage of the Cyber Kill Chain occurs after reconnaissance has taken place and the attacker has discovered all necessary information about potential targets, such as vulnerabilities. In the weaponization stage, all of the attacker’s preparatory work culminates in the creation of malware to be used against an identified target. Weaponization can include creating new types of malware or modifying existing tools to use in a cyberattack. For example, cybercriminals may make minor modifications to an existing ransomware variant to create a new Cyber Kill Chain tool.

3. Delivery

In the delivery stage, cyberweapons and other Cyber Kill Chain tools are used to infiltrate a target’s network and reach users. Delivery may involve sending phishing emails containing malware attachments with subject lines that prompt users to click through. Delivery can also take the form of hacking into an organization’s network and exploiting a hardware or software vulnerability to infiltrate it.

4. Exploitation

Exploitation is the stage that follows delivery and weaponization. In the exploitation step of the Cyber Kill Chain, attackers take advantage of the vulnerabilities they have discovered in previous stages to further infiltrate a target’s network and achieve their objectives. In this process, cybercriminals often move laterally across a network to reach their targets. Exploitation can sometimes lead attackers to their targets if those responsible for the network have not deployed deception measures.

5. Installation

After cybercriminals have exploited their target’s vulnerabilities to gain access to a network, they begin the installation stage of the Cyber Kill Chain: attempting to install malware and other cyberweapons onto the target network to take control of its systems and exfiltrate valuable data. In this step, cybercriminals may install cyberweapons and malware using Trojan horses, backdoors, or command-line interfaces.

6. Command and Control

In the C2 stage of the Cyber Kill Chain, cybercriminals communicate with the malware they’ve installed onto a target’s network to instruct cyberweapons or tools to carry out their objectives. For example, attackers may use communication channels to direct computers infected with the Mirai botnet malware to overload a website with traffic or C2 servers to instruct computers to carry out cybercrime objectives.

7. Actions on Objectives

After cybercriminals have developed cyberweapons, installed them onto a target’s network, and taken control of their target’s network, they begin the final stage of the Cyber Kill Chain: carrying out their cyberattack objectives. While cybercriminals’ objectives vary depending on the type of cyberattack, some examples include weaponizing a botnet to interrupt services with a Distributed Denial of Service (DDoS) attack, distributing malware to steal sensitive data from a target organization, and using ransomware as a cyber extortion tool.

Learn How to Prevent Cyberattacks with EC-Council

Cyberattacks are not to be taken lightly. It doesn’t matter if you have the most secure firewall in the world; any step in the Cyber Kill Chain can dismantle your security and lead to a breach of your network. That’s why it’s so important to know how to detect an attack as it happens—or, ideally, stop it from happening in the first place.

At EC-Council, we offer a variety of certification programs to help you protect your network against cyberattacks and learn top cyberattack prevention and defense strategies. Enroll in EC-Council’s C|TIA certification program today to learn more about cybersecurity and network defense.


Lockheed Martin. (2022). Cyber Kill Chain. 

Share this Article
You may also like
Recent Articles
Become a Certified Threat Intelligence Analyst (C|TIA)

"*" indicates required fields