Hacking Is Not an Event — It Is a Process
The crew casing the target for weeks, mapping guard rotations. Someone acquiring the drill, the acetylene torch, the getaway route. An insider planted six months earlier. Reconnaissance. Preparation. Delivery. Entry. Persistence. Escape. Every stage is a distinct operation, each depending on the last, each an opportunity for a security guard to notice something wrong.
A cyberattack is exactly the same. The image of a hoodie-wearing hacker who "gets in" in thirty seconds of frantic keyboard-mashing is a Hollywood invention. Real intrusions unfold across weeks or months, in seven ordered phases, each with its own tools, its own indicators, and — crucially — its own opportunity for the defender to see it happening and shut it down.
In 2011, defence contractor Lockheed Martin published a landmark paper titled Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains. It borrowed from US military targeting doctrine and applied the same "find, fix, track, target, engage, assess" logic to cyber intrusions. The result is the framework this tutorial teaches: the Cyber Kill Chain.
The attacker must succeed at every single phase. The defender needs to succeed only once, at any one phase, to break the chain. This is one of the rare structural dynamics in cybersecurity that actually favours the defender — but only if the defender has controls and visibility at every phase, not just the perimeter.
The Seven Phases at a Glance
Before we take each phase apart, here is the whole chain in one view. Every real intrusion — from a script-kiddie defacement to a nation-state supply-chain attack — passes through these seven phases in this order. Understanding this sequence is the single most useful mental model in modern cybersecurity.
When a news story says "Company X was hacked," it almost always means someone reached Phase 7. That is the news-worthy phase. But the failures that allowed Phase 7 happened at Phases 1 through 6 — often weeks or months earlier. Every post-breach investigation is really a hunt backward through the chain to find the earliest link that could have been broken.
Phase 1 — Reconnaissance
Reconnaissance is the pre-attack intelligence phase. No malware has been written, no packets touched. The attacker is building a dossier on the target. Two flavours exist and they matter operationally.
| What | How |
|---|---|
| Google dorking | Advanced search operators |
| LinkedIn scraping | Employee names, roles, tech stack |
| WHOIS / DNS | Domain ownership, subdomains |
| Shodan / Censys | Public-facing services |
| Breach databases | HaveIBeenPwned, dark web dumps |
| GitHub | Leaked credentials, config files |
| Visible to target? | No |
| What | How |
|---|---|
| Port scans | Nmap, masscan |
| Banner grabbing | Netcat, telnet probes |
| Vulnerability scans | Nessus, OpenVAS, Nuclei |
| Web app crawling | Burp Suite, ffuf |
| Wireless probing | Kismet, airodump-ng |
| Social engineering calls | Pretexting IT helpdesk |
| Visible to target? | Yes — logs it |
Real Example — How the Target Attackers Cased Their Prey
First, they found a publicly-hosted Microsoft case study document in which Target proudly described its virtualised server infrastructure — including the fact that it managed those servers with Microsoft System Center Configuration Manager. This gave the attackers Target's endpoint management platform on a plate.
Second, Target's supplier portal — a login-gated system — had some of its tutorial materials publicly viewable. Anyone could read the "how to submit an invoice" walkthrough. This revealed the exact system (Ariba) suppliers used, plus a list of vendor company names. The attackers now had a shopping list of small third parties to target instead of attacking Target directly.
From that list, they selected Fazio Mechanical Services — a family-run HVAC contractor in Sharpsburg, Pennsylvania. Not a defence contractor. Not a bank. An air-conditioning company.
The Microsoft case study was written to celebrate Target's IT modernisation. It was a marketing win — and an intelligence gift to attackers. Every organisation should ask: what have we said in press releases, conference talks, and vendor case studies that reveals our technology stack or organisational structure? This is the essence of OSINT hygiene, and it is almost universally ignored.
Defensive Controls at This Phase
Phase 2 — Weaponisation
Weaponisation is the workshop phase. The attacker combines an exploit (a technique for triggering a vulnerability) with a payload (the malicious code that will run once the exploit succeeds). This all happens on the attacker's own infrastructure — the defender cannot see it. This is the phase most invisible to the target, and yet it is where the attacker's strategic choices about your organisation are baked in.
Categories of Weaponised Payloads
Real Example — The BlackPOS Malware
# === BlackPOS — the weapon used against Target ===
# Also known as: Kaptoxa (Russian for "potato")
# Author: Believed to be a Ukrainian teenager, "ree4"
# Sold on Russian-language forums for ~$2,000 in 2013.
CATEGORY: Point-of-Sale RAM scraper
SIZE: Roughly 200 KB — small enough to hide easily
TARGET: Windows POS terminals running Windows Embedded
TECHNIQUE: Scans memory of the POS process for card data
that matches Track 1/Track 2 magnetic-stripe format
before the retailer's software encrypts it.
PATTERNS SOUGHT:
Track 1: B[0-9]{13,19}\^[A-Z /]+\^[0-9]{4}...
Track 2: [0-9]{13,19}=[0-9]{4}[0-9]*?
EVASION: Named to look like legitimate Windows services
(e.g. POSWDS.exe, similar to Windows Defender)
Only ran during retail business hours to blend with normal load
HANDOFF: Wrote scraped card data to a hidden text file
on the same machine, then a second component (called
"stbotv2" in analyst reports) periodically shipped
the file to internal Target servers, then out via FTP
to attacker-controlled infrastructure in Russia.
A common myth is that malware is written by the same people who deploy it. Almost never true. BlackPOS was purchased. Ransomware is offered as ransomware-as-a-service (RaaS). Initial access is sold by initial access brokers. The modern attack economy is deeply specialised — one group writes the weapon, another buys and deploys it, a third launders the proceeds. Defenders must understand: the person attacking you is often not the person who built the tools attacking you.
Phase 3 — Delivery
Delivery is the moment the weapon reaches the target. It is the first phase in which attacker and defender's environments physically interact. Everything the defender does in Phases 1-2 is intelligence work; Delivery is where the intelligence work meets tangible defence.
| Delivery Vector | Share of Real-World Breaches (Approx.) | Example |
|---|---|---|
| Spear-phishing email | ~65% — dominant for a decade | APT29 targeting COVID vaccine researchers via crafted Word doc |
| Exploitation of exposed services | ~20% — rising fast | Unpatched VPN or web app (Colonial Pipeline VPN, MOVEit 2023) |
| Supply-chain compromise | ~5% — small share, huge impact | SolarWinds SUNBURST, 3CX, Kaseya |
| Compromised credentials | ~5% (often combined with above) | Reused passwords from a prior breach |
| Watering-hole / drive-by | ~3% | Legitimate industry site compromised to serve exploit kit |
| Removable media (USB) | ~1% | Stuxnet, air-gap jumps |
| Physical / insider | ~1% | Malicious hire, planted device |
Anatomy of a Modern Spear-Phishing Email
# === A textbook spear-phishing lure. Compare to what Fazio Mechanical
# Services likely received in late 2013 before the Target breach. ===
FROM: "Bob Wilson <b.wilson@acme-hvac-supplies.com>"
# Attacker-registered look-alike domain.
# Real supplier domain: acmehvacsupplies.com (no hyphen)
TO: "Sarah <sarah@fazio-mechanical.example>"
# Sarah's role is Accounts Receivable — publicly listed on LinkedIn.
# She routinely opens PDF invoices from unknown vendors.
SUBJ: Overdue Invoice #48711 — payment due today
BODY:
Hi Sarah,
Attached is invoice #48711 for the parts we shipped last month.
Payment was due yesterday. Please review the attached PDF and
send confirmation of payment ASAP or we will need to escalate.
Thanks,
Bob
ATTACHMENT:
Invoice_48711.pdf.exe # Double extension trick.
# Windows hides ".exe" by default.
# Sarah sees "Invoice_48711.pdf".
TECHNIQUE:
- Sender name and domain crafted to look almost identical to a real supplier
- Financial urgency ("payment due today") to bypass careful reading
- Personal-sounding tone rather than a formal template
- Attachment named to trigger habitual click-through by an AR clerk
Because it does not exploit computers. It exploits humans doing their jobs. An accounts-receivable clerk who opens invoice PDFs 200 times a day cannot inspect each one forensically. A recruiter who opens CVs cannot analyse each file's macros. Every organisational role that requires opening incoming files from unknown external senders is, by design, a phishing target. This is not a training problem — it is an architectural problem, and it must be solved with technology (sandboxing, attachment stripping, browser isolation), not just posters.
Real Case — Fazio Mechanical Services, September 2013
Based on KrebsOnSecurity reporting, an employee at Fazio Mechanical Services opened a phishing email containing malware — a variant of the Citadel banking Trojan — sometime in the two months preceding the Target breach. Fazio was using the free version of Malwarebytes, which offered only on-demand scanning, not real-time protection. The malware was never detected. It quietly harvested Fazio's credentials to Target's supplier portal and shipped them to the attackers.
Phase 4 — Exploitation
Exploitation is the moment the weapon fires. The delivered payload is now executing on a system inside the target's environment. Something — a software vulnerability, a misconfiguration, or a human decision to click — has been successfully abused to run attacker code.
What Actually Happened at Fazio
# === Chain of events after the phishing email landed at Fazio ===
Day 0 → Fazio employee opens attachment. Citadel trojan installs.
# Exploitation = user clicked run. No CVE needed.
Day 0-2 → Citadel silently keylogs the workstation.
Records credentials as the employee logs in to:
ariba.target.com # Target's vendor portal
Day 3+ → Attackers now hold Fazio's Ariba credentials.
They log in to Target's system as Fazio — a legitimate
partner using legitimate credentials. From Target's
perspective, it looks like Fazio submitting invoices.
# The attacker's genius was that Phase 4 (Exploitation) happened
# NOT at Target — it happened at a third party. Target's Phase 4
# was a valid login from a trusted partner IP address.
A key insight from Target: the seven phases can play out multiple times, one nested inside another. The attackers ran a complete kill chain against Fazio Mechanical Services, whose "Actions on Objectives" was harvesting Ariba credentials. That output became the "Delivery" step of a second kill chain — this time targeting Target itself. Supply-chain attacks are always at least two kill chains stacked. SolarWinds was arguably three.
Phase 5 — Installation
Installation is the phase where the attacker makes their access durable. Exploitation gave them a foothold, but that foothold vanishes when the target reboots, patches, changes a password, or shuts down the process. Installation is about surviving all of those events.
Common Persistence Techniques on Windows
| Technique | MITRE ATT&CK ID | How It Works | Detection Difficulty |
|---|---|---|---|
| Registry Run Keys | T1547.001 | Add malware path to HKCU\Software\Microsoft\Windows\CurrentVersion\Run — executes at logon | Easy |
| Scheduled Task | T1053.005 | Create a task via schtasks.exe to run malware daily / on trigger | Easy |
| Windows Service | T1543.003 | Install as a Windows service — runs as SYSTEM, starts at boot | Medium |
| WMI Event Subscription | T1546.003 | Register a WMI subscription that fires the payload on system events. Fileless — no on-disk artefact | Hard |
| DLL Search-Order Hijacking | T1574.001 | Place a malicious DLL where a legitimate program searches first. Trusted app now loads attacker code | Hard |
| Golden Ticket (Kerberos) | T1558.001 | Forge a Kerberos ticket-granting-ticket using the compromised KRBTGT hash. Effectively permanent AD access | Very hard |
| OAuth Application Consent | T1528 | Register a rogue OAuth app in the tenant. Survives password changes, survives MFA. APT29's favourite. | Very hard |
| Bootkit / UEFI Firmware | T1542 | Modify firmware or boot loader. Survives OS reinstall. Only used by top-tier APTs. | Extreme |
The Target Installation Phase — BlackPOS Goes Live
Once the attackers had elevated to Domain Admin inside Target's network (via a Pass-the-Hash attack that leveraged the compromised Ariba credentials as a stepping-stone), they pushed the BlackPOS payload to point-of-sale systems using Microsoft's own PsExec utility. On each POS terminal, BlackPOS installed itself as a Windows service named to mimic a legitimate anti-malware daemon. It would restart on every reboot, run only during trading hours, and quietly scrape memory of the POS payment application.
In November 2013, Target's newly-installed FireEye security appliance generated automated alerts when BlackPOS was pushed to the POS terminals. The alerts went to Target's outsourced monitoring team in Bangalore, who forwarded them to Target's security operations centre in Minneapolis. According to Bloomberg BusinessWeek, the alerts were classified as low priority and were not acted upon. The chain could have been broken here — the tools worked. The humans did not. This is the enduring lesson: detection without response is not detection.
Phase 6 — Command & Control (C2)
Command & Control is the ongoing communication channel between the attacker and the implant. It is the metaphorical telephone line. Without C2, the attacker has code running on a victim machine but no way to tell it what to do or receive stolen data back.
The radio is C2. And just as Cold War intelligence operations went to enormous lengths to make radio traffic look like ordinary broadcasts, modern C2 goes to enormous lengths to look like ordinary web traffic. Attackers no longer connect to evil-domain.ru. They connect to Slack. To Dropbox. To Google Drive. Because those connections are indistinguishable from normal business traffic.
The Evolution of C2 Channels
Detection at the C2 Phase
# === What a network analyst hunts for to spot C2 beaconing ===
SIGNAL 1 — Periodicity:
Regular outbound connections at consistent intervals.
Example: every 60 seconds ± 5 seconds of random jitter.
Legitimate user browsing is bursty and irregular. Beacons are metronomes.
SIGNAL 2 — Small consistent payload sizes:
A beacon that has nothing to say still says "I'm alive."
Repeated POST requests of 34 bytes are suspicious even to HTTPS.
SIGNAL 3 — Newly-registered domains:
Attacker infrastructure is usually less than 30 days old.
Enrich DNS logs with domain-age intelligence and any hit is a red flag.
SIGNAL 4 — Unusual user-agents:
"Mozilla/4.0" without full modern UA string = often malware.
Python's "python-requests/2.28.1" from a workstation = suspicious.
SIGNAL 5 — Rare destinations:
Threat hunters look for domains contacted by exactly ONE host
in the environment. Legitimate services usually get many callers.
SIGNAL 6 — TLS certificate anomalies:
Self-signed certs, mismatched CN, or well-known "default" Cobalt Strike
certificate hashes (JA3/JA3S fingerprinting). Free win for hunters.
Phase 7 — Actions on Objectives (Effects)
Phase 7 — variously called Actions on Objectives, Effects, or simply Impact — is what the attacker actually came for. Every phase before was preparation. This is the payoff. And this is where the news headline finally gets written.
The Target Breach — Actions on Objectives Details
An outbound FTP connection from a payment-network staging server is one of the highest-signal detections available. Payment servers do not need to speak FTP to the internet. Ever. Egress filtering on the payment segment — a single firewall rule — would have severed the exfiltration path. The chain would have broken at Phase 7 even if every previous phase failed. The lesson: defence in depth means having a control at every phase, including the last one.
Full Case Study — The Target Breach End to End
Now bring it all together. Here is the complete Target 2013 intrusion mapped one-to-one against the Cyber Kill Chain, with sources drawn from the US Senate Committee on Commerce, Science & Transportation report of March 2014, KrebsOnSecurity, Bloomberg BusinessWeek, and the Wall Street Journal.
| Phase | What Happened | Where Defence Failed |
|---|---|---|
| 1. Reconnaissance | Public Microsoft case study revealed Target's use of System Center; supplier portal exposed vendor list; Fazio Mechanical Services identified as a soft entry point. | Publicly-hosted marketing material revealed internal architecture. |
| 2. Weaponisation | Attackers acquired BlackPOS / Kaptoxa RAM-scraper (~$2,000 on Russian forums) and Citadel banking trojan for the phishing lure. | Not visible to Target — occurred on attacker infrastructure. |
| 3. Delivery | Spear-phishing email with Citadel-laden attachment sent to Fazio Mechanical Services. Employee opened it. | Fazio ran free Malwarebytes with no real-time scanning — a Target supplier should have met minimum security standards. |
| 4. Exploitation | Citadel executed on Fazio's workstation, keylogged Ariba portal credentials, shipped them to attackers. Attackers then logged into Target's Ariba portal as Fazio. | Target did not enforce MFA for supplier access — a bare username-and-password sufficed. |
| 5. Installation | Attackers pivoted from vendor portal into Active Directory using Pass-the-Hash, exploited a default BMC software admin credential, elevated to Domain Admin, deployed BlackPOS via PsExec to POS terminals. | Flat network — vendor portal was not segmented from POS environment. Default vendor credentials had not been changed. FireEye alerts were ignored. |
| 6. Command & Control | BlackPOS instances beaconed to internal staging server, which relayed to FTP dropboxes in the US and onward to Russia. | No egress filtering on the payment network. Outbound FTP allowed from POS segment. |
| 7. Actions on Objectives | Card data continuously exfiltrated for 19 days (Nov 27 to Dec 15). Estimated 40 million payment cards and 70 million customer records stolen. | Banks noticed the fraud via card-not-present analytics — Target did not detect it internally. |
Defensive Controls — One Table for the Whole Chain
If you were designing a security programme from scratch, this is the "must-have" grid. At every phase, at least one detective control and one preventive control. Redundancy across phases is the whole point.
| Phase | Preventive Control | Detective Control | Responsive Control |
|---|---|---|---|
| 1. Recon | Attack surface management; OSINT hygiene | Honeypots; scanner-detection SIEM rules | Take-down requests for leaked data |
| 2. Weaponisation | N/A — occurs on attacker infrastructure | Threat intelligence feeds; malware sandboxing | IOC sharing with ISACs |
| 3. Delivery | Email filtering; attachment stripping; browser isolation | Phishing-reporting button; DMARC/DKIM enforcement | Automated URL-rewriting; user quarantine of forwarded threats |
| 4. Exploitation | Patch management (< 30 day SLA on critical); MFA everywhere; disabled macros from internet sources | EDR behavioural rules; process-creation logging | Automated host isolation on high-severity detection |
| 5. Installation | Application allow-listing; PowerShell Constrained Language Mode; privileged access workstations | Registry-write and scheduled-task monitoring; Sysmon | Kill process + revert persistence artefacts via automation |
| 6. C2 | Egress filtering (deny by default); proxy inspection; DNS filtering | Beacon detection; JA3 fingerprinting; new-domain alerts | Sinkhole malicious domains; block ASN at edge |
| 7. Actions on Objectives | Data-loss prevention (DLP); encryption at rest; segmentation of crown-jewel data | Anomaly detection on outbound volume; canary tokens | Immutable backups; incident response plan; breach notification workflow |
Mature security teams keep a live coverage map: for every kill-chain phase, which controls do we have, and how well do they work? If your coverage map has a blank row, you have a critical detection gap. Regular purple-team exercises — offensive and defensive teams working together to simulate specific kill-chain attacks — are how you validate the map is real, not aspirational.
Modern Extensions — MITRE ATT&CK and the Unified Kill Chain
The Lockheed model is now fifteen years old. It remains foundational, but the industry has extended it in two important ways to cover modern attack patterns.
| Element | Detail |
|---|---|
| Published | MITRE, 2013+ |
| Structure | 14 tactics, 200+ techniques |
| Focus | Post-compromise behaviour |
| Granularity | Very high — technique-level |
| Coverage | Windows, Linux, macOS, cloud, mobile, ICS |
| Best for | Detection engineering, red-team simulation |
| Element | Detail |
|---|---|
| Published | Paul Pols, 2017 |
| Structure | 18 phases in 3 groups |
| Focus | Full end-to-end campaign |
| Granularity | Medium — adds lateral movement, privilege escalation, defence evasion |
| Coverage | Combines Lockheed + MITRE philosophies |
| Best for | Modelling APT campaigns; SOC design |
The Lockheed Cyber Kill Chain is unmatched as an executive briefing tool — seven boxes, one arrow through them, anyone in the room can follow it. MITRE ATT&CK is unmatched as a detection-engineering tool — it tells you exactly which log event corresponds to which technique. Mature teams use both, and treat them as complementary rather than competing.
Limitations — Where the Kill Chain Falls Short
No framework is perfect. The Cyber Kill Chain has genuine blind spots, and understanding them is part of using it well.
Practical Exercise — Map a News Story to the Chain
The single best way to internalise the Kill Chain is to grab any recent breach news story and reconstruct the seven phases from what is publicly reported. Here is a worked walkthrough on a second real case for practice.
Worked Example — Colonial Pipeline (May 2021)
| Phase | Colonial Pipeline Facts (per FBI & congressional testimony) |
|---|---|
| Recon | The DarkSide ransomware group operated as a "ransomware-as-a-service" affiliate model. Affiliates scanned continuously for exposed VPNs and public services. Colonial was one target of many. |
| Weaponisation | DarkSide's affiliate configured a bespoke ransomware build with an embedded encryption key and per-victim ransom note. No custom exploit needed — the entry required just a password. |
| Delivery | The attackers logged into a legacy Colonial VPN account. The account was inactive but had not been decommissioned. Its password appeared in a batch of leaked credentials on the dark web. The VPN had no MFA. |
| Exploitation | No CVE. No exploit. Just a valid password on a legacy account. This is the modern reality: "exploitation" often means "logged in with someone else's credentials." |
| Installation | Attackers moved laterally through Colonial's IT network (not OT — the pipeline control network remained uncompromised). Deployed DarkSide ransomware payload onto business systems. |
| C2 | DarkSide's affiliate used standard tooling (likely Cobalt Strike) with HTTPS beacons. Also used their own leak site (hosted on the dark web) to negotiate. |
| Actions on Objectives | On May 7, 2021, ransomware detonated. Colonial shut down its 5,500-mile pipeline as a precaution — the largest fuel pipeline in the US. Fuel shortages hit the east coast. Colonial paid $4.4 million in Bitcoin. The FBI later recovered ~$2.3M of it. Reported extensively by The New York Times, Reuters, and Bloomberg. |
Colonial's entire attack chain — pipeline shutdown, gas panic, $4.4M ransom, congressional hearings, presidential executive order — hinged on one legacy VPN account without MFA. Adding MFA on that single account would have broken the chain at Phase 3 (Delivery). Every incident, every breach, has a moment like this. Your job as a defender is to find those moments before the attackers do.
Newspaper & Reference Coverage
| Case | Publication | Contribution |
|---|---|---|
| Target Breach (2013) | KrebsOnSecurity (Brian Krebs) | December 18, 2013 — first to publicly break the Target breach, a day before Target's official announcement. Continuous follow-up coverage of technical details. |
| Wall Street Journal (Danny Yadron, Paul Ziobro, Devlin Barrett) | "Target Warned of Vulnerabilities Before Data Breach" — February 14, 2014 | |
| Bloomberg BusinessWeek (Michael Riley, Ben Elgin, Dune Lawrence, Carol Matlack) | "Missed Alarms and 40 Million Stolen Credit Card Numbers" — March 13, 2014. The definitive account of Target's ignored FireEye alerts. | |
| Reuters (Jim Finkle, Mark Hosenball) | "Exclusive: More Well-Known U.S. Retailers Victims of Cyber Attacks" — January 12, 2014. Established this was a wider campaign, not a Target-only event. | |
| US Senate Committee | "A 'Kill Chain' Analysis of the 2013 Target Data Breach" — March 26, 2014. The formal congressional report that made the kill-chain framing famous. | |
| Aorato / Tal Be'ery | Technical decomposition of the 11 attacker steps inside Target's network — August 2014. | |
| Colonial Pipeline (2021) | The New York Times (David Sanger, Nicole Perlroth) | Extensive coverage of the shutdown, ransom payment, and Biden administration response — May 2021. |
| Reuters / Bloomberg | Reporting on the missing-MFA VPN account and the FBI's partial recovery of the ransom. | |
| Framework | Lockheed Martin — Hutchins, Cloppert, Amin | "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains" — original 2011 paper. |
| Paul Pols | "The Unified Kill Chain" — 2017 master's thesis extending Lockheed's model to 18 phases. | |
| MITRE | MITRE ATT&CK | Canonical adversary behaviour knowledge base; industry standard for detection engineering. |
| MITRE D3FEND | Companion knowledge base mapping defensive countermeasures to attacker techniques. |
Golden Rules
Fifteen years after Lockheed Martin drew the first version of the Cyber Kill Chain, its central insight has aged beautifully: attacks are sequences, not events, and every sequence has weak links. The frameworks around it have grown — MITRE ATT&CK, the Unified Kill Chain, cloud-specific extensions — but the fundamental discipline has not changed. Understand the phases. Build a control at each phase. Test your controls with real adversary simulation. Break the chain, every time, at whichever link you can. That is the entire job.