Cyber Security Basics 📂 Foundation · 14 of 15 49 min read

Hacking as a Process: The Cyber Kill Chain

Real cyberattacks unfold in stages, not a single moment. This tutorial explains Lockheed Martin's 7-phase Cyber Kill Chain using the 2013 Target breach (110 million records stolen) as a step-by-step case study. Learn reconnaissance, malware delivery, C2, data exfiltration, MITRE ATT&CK, Unified Kill Chain, Colonial Pipeline (2021), BlackPOS, defenses for every phase, and 10 practical ways to break the attack chain.

Section 01

Hacking Is Not an Event — It Is a Process

How a Bank Robber Actually Robs a Bank
In every movie, a bank heist looks instantaneous — the door bursts open, the vault is emptied, the getaway car peels away. Real bank robberies are nothing like that. They take months.

The crew casing the target for weeks, mapping guard rotations. Someone acquiring the drill, the acetylene torch, the getaway route. An insider planted six months earlier. Reconnaissance. Preparation. Delivery. Entry. Persistence. Escape. Every stage is a distinct operation, each depending on the last, each an opportunity for a security guard to notice something wrong.

A cyberattack is exactly the same. The image of a hoodie-wearing hacker who "gets in" in thirty seconds of frantic keyboard-mashing is a Hollywood invention. Real intrusions unfold across weeks or months, in seven ordered phases, each with its own tools, its own indicators, and — crucially — its own opportunity for the defender to see it happening and shut it down.

In 2011, defence contractor Lockheed Martin published a landmark paper titled Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains. It borrowed from US military targeting doctrine and applied the same "find, fix, track, target, engage, assess" logic to cyber intrusions. The result is the framework this tutorial teaches: the Cyber Kill Chain.

🔑
The Framework's Central Insight

The attacker must succeed at every single phase. The defender needs to succeed only once, at any one phase, to break the chain. This is one of the rare structural dynamics in cybersecurity that actually favours the defender — but only if the defender has controls and visibility at every phase, not just the perimeter.


Section 02

The Seven Phases at a Glance

Before we take each phase apart, here is the whole chain in one view. Every real intrusion — from a script-kiddie defacement to a nation-state supply-chain attack — passes through these seven phases in this order. Understanding this sequence is the single most useful mental model in modern cybersecurity.

01
Reconnaissance — Casing the Target
The attacker gathers intelligence: employees, technologies, IP addresses, exposed services, third-party vendors. This is the "planning" phase. Nothing has been touched yet on the target's actual systems, but every downstream decision flows from what is learned here.
02
Weaponisation — Building the Bullet
Combine an exploit with a payload. A malicious Word document, a booby-trapped PDF, a trojanised software update. This is the workshop stage: entirely on the attacker's own infrastructure, so the defender cannot see it.
03
Delivery — Getting the Bullet to the Target
The weapon is transmitted. Spear phishing, malicious USB, watering-hole websites, exploited VPN. This is the first phase where attacker and target actually touch, and the first phase where a well-instrumented defender might see it.
04
Exploitation — Pulling the Trigger
The payload actually runs on the target. A vulnerability is triggered, a user clicks a link, a macro executes. Code is now running inside the victim's environment.
05
Installation — Setting up Camp
Persistence is established. Registry keys, scheduled tasks, WMI subscriptions, service accounts. The goal is to survive reboots, patches, and IT clean-up efforts.
06
Command & Control (C2) — Phoning Home
The implant beacons out to attacker infrastructure for instructions. This is the ongoing telephone line between attacker and victim. Modern C2 hides in normal-looking traffic — HTTPS, Slack, Google Drive.
07
Actions on Objectives (Effects) — The Payoff
The mission itself. Data exfiltration, ransomware detonation, destructive wipers, credential harvesting, sabotage. Everything before was set-up; this is what the attacker actually came for.
💡
Read the Whole Chain, Not Just the Punchline

When a news story says "Company X was hacked," it almost always means someone reached Phase 7. That is the news-worthy phase. But the failures that allowed Phase 7 happened at Phases 1 through 6 — often weeks or months earlier. Every post-breach investigation is really a hunt backward through the chain to find the earliest link that could have been broken.


Section 03

Phase 1 — Reconnaissance

Reconnaissance is the pre-attack intelligence phase. No malware has been written, no packets touched. The attacker is building a dossier on the target. Two flavours exist and they matter operationally.

🔍 Passive Recon
WhatHow
Google dorkingAdvanced search operators
LinkedIn scrapingEmployee names, roles, tech stack
WHOIS / DNSDomain ownership, subdomains
Shodan / CensysPublic-facing services
Breach databasesHaveIBeenPwned, dark web dumps
GitHubLeaked credentials, config files
Visible to target?No
🔮 Active Recon
WhatHow
Port scansNmap, masscan
Banner grabbingNetcat, telnet probes
Vulnerability scansNessus, OpenVAS, Nuclei
Web app crawlingBurp Suite, ffuf
Wireless probingKismet, airodump-ng
Social engineering callsPretexting IT helpdesk
Visible to target?Yes — logs it

Real Example — How the Target Attackers Cased Their Prey

Case File: Target Corporation, mid-2013
Before touching a single Target server, the attackers gathered intelligence in two extraordinary ways.

First, they found a publicly-hosted Microsoft case study document in which Target proudly described its virtualised server infrastructure — including the fact that it managed those servers with Microsoft System Center Configuration Manager. This gave the attackers Target's endpoint management platform on a plate.

Second, Target's supplier portal — a login-gated system — had some of its tutorial materials publicly viewable. Anyone could read the "how to submit an invoice" walkthrough. This revealed the exact system (Ariba) suppliers used, plus a list of vendor company names. The attackers now had a shopping list of small third parties to target instead of attacking Target directly.

From that list, they selected Fazio Mechanical Services — a family-run HVAC contractor in Sharpsburg, Pennsylvania. Not a defence contractor. Not a bank. An air-conditioning company.
📣
Your Marketing Team Is Part of Your Attack Surface

The Microsoft case study was written to celebrate Target's IT modernisation. It was a marketing win — and an intelligence gift to attackers. Every organisation should ask: what have we said in press releases, conference talks, and vendor case studies that reveals our technology stack or organisational structure? This is the essence of OSINT hygiene, and it is almost universally ignored.

Defensive Controls at This Phase

🛡️ Breaking the Chain at Reconnaissance
Do
Attack Surface Management (ASM). Continuously discover what of your own is exposed on the internet. If you don't know a service exists, you cannot patch it. Tools: Censys, Detectify, or CISA's free scans.
Do
Brand and executive OSINT monitoring. Watch dark web forums, paste sites, and Telegram for mentions of your company, employees, and credentials.
Do
Sanitize public documents. Case studies, job ads, and conference slides routinely leak internal tool names, versions, and org structure.
Do
Deploy honeypots. Fake internet-facing services designed to detect scanning. Any hit is by definition an attacker — no false positives.
Don't
Rely on rate-limiting alone. Modern scanners rotate through cloud IPs and complete a full port sweep in minutes.

Section 04

Phase 2 — Weaponisation

Weaponisation is the workshop phase. The attacker combines an exploit (a technique for triggering a vulnerability) with a payload (the malicious code that will run once the exploit succeeds). This all happens on the attacker's own infrastructure — the defender cannot see it. This is the phase most invisible to the target, and yet it is where the attacker's strategic choices about your organisation are baked in.

The Formula
Exploit + Payload = Weapon
An exploit without a payload is a proof-of-concept. A payload without an exploit needs a user to voluntarily run it. Combine them, and you have a self-executing weapon that runs the moment it reaches the target.
Common Wrappers
.docx / .xlsm / .pdf / .lnk / .iso
Weapons are usually wrapped inside file types users open without thinking. Office documents with macros dominated 2015-2022. Since Microsoft blocked internet-sourced macros by default in 2022, attackers pivoted to .iso, .lnk, and container files.

Categories of Weaponised Payloads

💾
Droppers / Loaders
Stage 1
Small, innocuous-looking programs whose only job is to reach out and fetch the real malware once inside the environment. Detection of the dropper alone reveals nothing about the follow-on operation.
👻
Remote Access Trojans (RATs)
Full control
Give the attacker full interactive shell access. Cobalt Strike Beacon, Sliver, PoshC2, Meterpreter. This is the go-to for post-exploitation.
🔒
Ransomware / Wipers
Destructive
Encrypt or destroy data. Usually staged for late deployment after the attacker has maximised access. LockBit, Conti, BlackCat, Sandworm's ZEROLOT wiper.
📈
Credential Stealers
Silent theft
Grab passwords, browser cookies, session tokens. Redline, Raccoon, Vidar. Often sold via "logs" markets on Telegram — an entire industry.
💸
POS / RAM Scrapers
Retail-specific
Read unencrypted card data from point-of-sale memory. BlackPOS (used against Target), FrameworkPOS, MalumPOS. Once dominant, now waning after EMV chip adoption.
🔧
Rootkits / Bootkits
Deep persistence
Live below the operating system — in the boot loader, firmware, or hypervisor. Extraordinarily hard to remove. LoJax (APT28), MosaicRegressor, Black Lotus.

Real Example — The BlackPOS Malware

# === BlackPOS — the weapon used against Target ===
# Also known as: Kaptoxa (Russian for "potato")
# Author: Believed to be a Ukrainian teenager, "ree4"
# Sold on Russian-language forums for ~$2,000 in 2013.

CATEGORY:       Point-of-Sale RAM scraper
SIZE:           Roughly 200 KB — small enough to hide easily
TARGET:         Windows POS terminals running Windows Embedded
TECHNIQUE:      Scans memory of the POS process for card data
                that matches Track 1/Track 2 magnetic-stripe format
                before the retailer's software encrypts it.

PATTERNS SOUGHT:
    Track 1:  B[0-9]{13,19}\^[A-Z /]+\^[0-9]{4}...
    Track 2:  [0-9]{13,19}=[0-9]{4}[0-9]*?

EVASION:        Named to look like legitimate Windows services
                (e.g. POSWDS.exe, similar to Windows Defender)
                Only ran during retail business hours to blend with normal load

HANDOFF:        Wrote scraped card data to a hidden text file
                on the same machine, then a second component (called
                "stbotv2" in analyst reports) periodically shipped
                the file to internal Target servers, then out via FTP
                to attacker-controlled infrastructure in Russia.
📕
Weaponisation Is a Marketplace, Not a Craft

A common myth is that malware is written by the same people who deploy it. Almost never true. BlackPOS was purchased. Ransomware is offered as ransomware-as-a-service (RaaS). Initial access is sold by initial access brokers. The modern attack economy is deeply specialised — one group writes the weapon, another buys and deploys it, a third launders the proceeds. Defenders must understand: the person attacking you is often not the person who built the tools attacking you.


Section 05

Phase 3 — Delivery

Delivery is the moment the weapon reaches the target. It is the first phase in which attacker and defender's environments physically interact. Everything the defender does in Phases 1-2 is intelligence work; Delivery is where the intelligence work meets tangible defence.

Delivery Vector Share of Real-World Breaches (Approx.) Example
Spear-phishing email~65% — dominant for a decadeAPT29 targeting COVID vaccine researchers via crafted Word doc
Exploitation of exposed services~20% — rising fastUnpatched VPN or web app (Colonial Pipeline VPN, MOVEit 2023)
Supply-chain compromise~5% — small share, huge impactSolarWinds SUNBURST, 3CX, Kaseya
Compromised credentials~5% (often combined with above)Reused passwords from a prior breach
Watering-hole / drive-by~3%Legitimate industry site compromised to serve exploit kit
Removable media (USB)~1%Stuxnet, air-gap jumps
Physical / insider~1%Malicious hire, planted device

Anatomy of a Modern Spear-Phishing Email

# === A textbook spear-phishing lure. Compare to what Fazio Mechanical
# Services likely received in late 2013 before the Target breach. ===

FROM:    "Bob Wilson <b.wilson@acme-hvac-supplies.com>"
         # Attacker-registered look-alike domain.
         # Real supplier domain: acmehvacsupplies.com  (no hyphen)

TO:      "Sarah <sarah@fazio-mechanical.example>"
         # Sarah's role is Accounts Receivable — publicly listed on LinkedIn.
         # She routinely opens PDF invoices from unknown vendors.

SUBJ:    Overdue Invoice #48711 — payment due today

BODY:
    Hi Sarah,

    Attached is invoice #48711 for the parts we shipped last month.
    Payment was due yesterday. Please review the attached PDF and
    send confirmation of payment ASAP or we will need to escalate.

    Thanks,
    Bob

ATTACHMENT:
    Invoice_48711.pdf.exe             # Double extension trick.
                                       # Windows hides ".exe" by default.
                                       # Sarah sees "Invoice_48711.pdf".

TECHNIQUE:
    - Sender name and domain crafted to look almost identical to a real supplier
    - Financial urgency ("payment due today") to bypass careful reading
    - Personal-sounding tone rather than a formal template
    - Attachment named to trigger habitual click-through by an AR clerk
⚠️
Why Spear-Phishing Still Works After 25 Years

Because it does not exploit computers. It exploits humans doing their jobs. An accounts-receivable clerk who opens invoice PDFs 200 times a day cannot inspect each one forensically. A recruiter who opens CVs cannot analyse each file's macros. Every organisational role that requires opening incoming files from unknown external senders is, by design, a phishing target. This is not a training problem — it is an architectural problem, and it must be solved with technology (sandboxing, attachment stripping, browser isolation), not just posters.

Real Case — Fazio Mechanical Services, September 2013

Based on KrebsOnSecurity reporting, an employee at Fazio Mechanical Services opened a phishing email containing malware — a variant of the Citadel banking Trojan — sometime in the two months preceding the Target breach. Fazio was using the free version of Malwarebytes, which offered only on-demand scanning, not real-time protection. The malware was never detected. It quietly harvested Fazio's credentials to Target's supplier portal and shipped them to the attackers.


Section 06

Phase 4 — Exploitation

Exploitation is the moment the weapon fires. The delivered payload is now executing on a system inside the target's environment. Something — a software vulnerability, a misconfiguration, or a human decision to click — has been successfully abused to run attacker code.

🔧
Software Vulnerability
An unpatched flaw. Buffer overflows, deserialisation bugs, injection flaws. Public CVEs get exploited within days of disclosure. Log4Shell (CVE-2021-44228) was mass-exploited within 12 hours.
e.g. CVE-2021-44228 Log4Shell
🎰
Zero-Day Exploit
A flaw with no public patch. Used only by high-tier actors because zero-days burn once discovered. Stuxnet chained four zero-days — an unheard-of investment before 2010.
value: $100K to $2.5M per bug
👤
User Interaction
A macro enabled. A link clicked. An installer approved by a confused user. This category still accounts for the majority of exploitation events because it does not require any code vulnerability at all.
click-to-run remains #1
⚙️
Misconfiguration
Default credentials, exposed admin interfaces, permissive S3 buckets. Not technically a vulnerability, but exploitable in exactly the same way. The Capital One 2019 breach turned on a misconfigured AWS WAF.
no CVE, still catastrophic
🔑
Credential Reuse
An employee's password from a prior breach still works on the corporate VPN. No exploit needed — the attacker just logs in. This is now the #1 initial-access vector for financially motivated intrusions.
solution: MFA everywhere
👾
Living-off-the-Land
No exploit at all. The attacker uses tools already installed — PowerShell, WMI, PsExec, certutil. Traditional AV does not flag them because they are legitimate binaries.
technique: LOLbins

What Actually Happened at Fazio

# === Chain of events after the phishing email landed at Fazio ===

Day 0    Fazio employee opens attachment. Citadel trojan installs.
              # Exploitation = user clicked run. No CVE needed.

Day 0-2    Citadel silently keylogs the workstation.
                Records credentials as the employee logs in to:
                    ariba.target.com  # Target's vendor portal

Day 3+    Attackers now hold Fazio's Ariba credentials.
                They log in to Target's system as Fazio — a legitimate
                partner using legitimate credentials. From Target's
                perspective, it looks like Fazio submitting invoices.

# The attacker's genius was that Phase 4 (Exploitation) happened
# NOT at Target — it happened at a third party. Target's Phase 4
# was a valid login from a trusted partner IP address.
🔑
The Kill Chain Is Fractal

A key insight from Target: the seven phases can play out multiple times, one nested inside another. The attackers ran a complete kill chain against Fazio Mechanical Services, whose "Actions on Objectives" was harvesting Ariba credentials. That output became the "Delivery" step of a second kill chain — this time targeting Target itself. Supply-chain attacks are always at least two kill chains stacked. SolarWinds was arguably three.


Section 07

Phase 5 — Installation

Installation is the phase where the attacker makes their access durable. Exploitation gave them a foothold, but that foothold vanishes when the target reboots, patches, changes a password, or shuts down the process. Installation is about surviving all of those events.

Common Persistence Techniques on Windows

Technique MITRE ATT&CK ID How It Works Detection Difficulty
Registry Run Keys T1547.001 Add malware path to HKCU\Software\Microsoft\Windows\CurrentVersion\Run — executes at logon Easy
Scheduled Task T1053.005 Create a task via schtasks.exe to run malware daily / on trigger Easy
Windows Service T1543.003 Install as a Windows service — runs as SYSTEM, starts at boot Medium
WMI Event Subscription T1546.003 Register a WMI subscription that fires the payload on system events. Fileless — no on-disk artefact Hard
DLL Search-Order Hijacking T1574.001 Place a malicious DLL where a legitimate program searches first. Trusted app now loads attacker code Hard
Golden Ticket (Kerberos) T1558.001 Forge a Kerberos ticket-granting-ticket using the compromised KRBTGT hash. Effectively permanent AD access Very hard
OAuth Application Consent T1528 Register a rogue OAuth app in the tenant. Survives password changes, survives MFA. APT29's favourite. Very hard
Bootkit / UEFI Firmware T1542 Modify firmware or boot loader. Survives OS reinstall. Only used by top-tier APTs. Extreme

The Target Installation Phase — BlackPOS Goes Live

Once the attackers had elevated to Domain Admin inside Target's network (via a Pass-the-Hash attack that leveraged the compromised Ariba credentials as a stepping-stone), they pushed the BlackPOS payload to point-of-sale systems using Microsoft's own PsExec utility. On each POS terminal, BlackPOS installed itself as a Windows service named to mimic a legitimate anti-malware daemon. It would restart on every reboot, run only during trading hours, and quietly scrape memory of the POS payment application.

🚫
Installation Is Where Automated Alerts Should Fire — and Target's Did

In November 2013, Target's newly-installed FireEye security appliance generated automated alerts when BlackPOS was pushed to the POS terminals. The alerts went to Target's outsourced monitoring team in Bangalore, who forwarded them to Target's security operations centre in Minneapolis. According to Bloomberg BusinessWeek, the alerts were classified as low priority and were not acted upon. The chain could have been broken here — the tools worked. The humans did not. This is the enduring lesson: detection without response is not detection.


Section 08

Phase 6 — Command & Control (C2)

Command & Control is the ongoing communication channel between the attacker and the implant. It is the metaphorical telephone line. Without C2, the attacker has code running on a victim machine but no way to tell it what to do or receive stolen data back.

The Spy and the Radio
Think of the attacker as a spy who has smuggled a sleeper agent into a foreign embassy. The agent is inside — that is installation. But without a radio to receive orders and transmit intelligence, the agent is useless.

The radio is C2. And just as Cold War intelligence operations went to enormous lengths to make radio traffic look like ordinary broadcasts, modern C2 goes to enormous lengths to look like ordinary web traffic. Attackers no longer connect to evil-domain.ru. They connect to Slack. To Dropbox. To Google Drive. Because those connections are indistinguishable from normal business traffic.

The Evolution of C2 Channels

Gen 1
Direct TCP to Attacker IP (1990s-2000s)
Malware connected straight to a hard-coded attacker IP. Trivial to block once discovered. This is the era of "just blacklist the IP".
Gen 2
Domain Generation Algorithms (2008+)
Malware algorithmically generates hundreds of pseudo-random domains per day (tqbwvxzk1029.com). The attacker only needs to register one to make contact. Conficker and Zeus made this famous.
Gen 3
HTTPS Beaconing (2010s)
C2 hidden inside encrypted HTTPS traffic to attacker-controlled cloud infrastructure. Beacons every X minutes with jitter. Cobalt Strike defaults to this and dominates the space.
Gen 4
Legitimate Cloud Services (2020+)
C2 traffic tunnels through Google Drive, Dropbox, Discord, Slack, Telegram, GitHub, Microsoft Graph API. Indistinguishable from routine SaaS usage. APT29 and APT41 are pioneers.
Gen 5
DNS Tunnelling and Novel Channels
Data exfiltrated via DNS queries. Or hidden in Twitter posts. Or encoded in Steam game profile updates. Genuinely creative — and largely invisible to conventional network monitoring.

Detection at the C2 Phase

# === What a network analyst hunts for to spot C2 beaconing ===

SIGNAL 1 — Periodicity:
    Regular outbound connections at consistent intervals.
    Example: every 60 seconds ± 5 seconds of random jitter.
    Legitimate user browsing is bursty and irregular. Beacons are metronomes.

SIGNAL 2 — Small consistent payload sizes:
    A beacon that has nothing to say still says "I'm alive."
    Repeated POST requests of 34 bytes are suspicious even to HTTPS.

SIGNAL 3 — Newly-registered domains:
    Attacker infrastructure is usually less than 30 days old.
    Enrich DNS logs with domain-age intelligence and any hit is a red flag.

SIGNAL 4 — Unusual user-agents:
    "Mozilla/4.0" without full modern UA string = often malware.
    Python's "python-requests/2.28.1" from a workstation = suspicious.

SIGNAL 5 — Rare destinations:
    Threat hunters look for domains contacted by exactly ONE host
    in the environment. Legitimate services usually get many callers.

SIGNAL 6 — TLS certificate anomalies:
    Self-signed certs, mismatched CN, or well-known "default" Cobalt Strike
    certificate hashes (JA3/JA3S fingerprinting). Free win for hunters.
EXAMPLE HUNT — COBALT STRIKE JA3 FINGERPRINTS
Cobalt Strike default profile JA3 hash: 72a589da586844d7f0818ce684948eea Cobalt Strike default profile JA3S hash: b74a5406afcf8e46be6e5abf1c50e9b8 Any TLS handshake matching either of these — from ANY endpoint on your network — is a P1 investigation. There is no legitimate business reason for a corporate host to negotiate TLS with Cobalt Strike's default fingerprint. This single detection has caught more attackers than most SIEM rules combined.

Section 09

Phase 7 — Actions on Objectives (Effects)

Phase 7 — variously called Actions on Objectives, Effects, or simply Impact — is what the attacker actually came for. Every phase before was preparation. This is the payoff. And this is where the news headline finally gets written.

📁
Data Exfiltration
Most common
Steal customer data, IP, credentials, source code. Sold on criminal markets or used for further attacks. The Target breach ended here — 40 million cards exfiltrated to FTP servers in Russia.
🔒
Ransomware Detonation
Fast payday
Encrypt data, demand payment. Modern strains add "double extortion" — leak the data if the ransom isn't paid. Colonial Pipeline paid $4.4M in DarkSide's 2021 detonation.
💥
Destruction / Wipers
Nation-state
Wipe disks, corrupt firmware, brick industrial controllers. Sandworm's NotPetya (2017) caused ~$10 billion in global damage — the most destructive cyber event on record.
📡
Espionage
Long-term
Silent monitoring. Mailbox reads. Document exfiltration. Persist for months without triggering anything. This is the classic APT29 pattern from SolarWinds.
💰
Financial Fraud
Direct theft
SWIFT-network transfers, cryptocurrency drainage, business email compromise diverted invoices. Lazarus's Bybit heist netted $1.5 billion in a single operation.
🚗
Sabotage / Disruption
Strategic
Take down services, corrupt control systems, damage physical infrastructure. Sandworm's 2015 attack blacked out ~230,000 Ukrainians for six hours.

The Target Breach — Actions on Objectives Details

💸 How 40 Million Cards Left Target's Network
Step 1
BlackPOS on each of thousands of infected POS terminals wrote scraped card data to a local hidden text file.
Step 2
A separate component periodically pushed those files to a staging server inside Target's own network — a Windows share the attackers had chosen because it aggregated traffic without raising flags.
Step 3
From the staging server, data was uploaded via FTP to compromised servers in the United States that acted as first-hop drop points.
Step 4
From those first-hop drops, the data flowed onward to servers in Russia under the attackers' direct control.
Step 5
The card data was then sold in batches on underground "card shops" — the largest of which, Rescator, listed the Target dumps within days. Batches were priced by freshness, issuing bank, and country of origin.
Step 6
Buyers cloned physical cards using magnetic-stripe writers and fraudulent charges started appearing on 40 million account statements over the following weeks — the phenomenon that ultimately prompted issuing banks to notify Target's payment processors and trigger the investigation.
📮
Why Card Data Exfiltrating via FTP Should Have Been Caught

An outbound FTP connection from a payment-network staging server is one of the highest-signal detections available. Payment servers do not need to speak FTP to the internet. Ever. Egress filtering on the payment segment — a single firewall rule — would have severed the exfiltration path. The chain would have broken at Phase 7 even if every previous phase failed. The lesson: defence in depth means having a control at every phase, including the last one.


Section 10

Full Case Study — The Target Breach End to End

Now bring it all together. Here is the complete Target 2013 intrusion mapped one-to-one against the Cyber Kill Chain, with sources drawn from the US Senate Committee on Commerce, Science & Transportation report of March 2014, KrebsOnSecurity, Bloomberg BusinessWeek, and the Wall Street Journal.

Phase What Happened Where Defence Failed
1. Reconnaissance Public Microsoft case study revealed Target's use of System Center; supplier portal exposed vendor list; Fazio Mechanical Services identified as a soft entry point. Publicly-hosted marketing material revealed internal architecture.
2. Weaponisation Attackers acquired BlackPOS / Kaptoxa RAM-scraper (~$2,000 on Russian forums) and Citadel banking trojan for the phishing lure. Not visible to Target — occurred on attacker infrastructure.
3. Delivery Spear-phishing email with Citadel-laden attachment sent to Fazio Mechanical Services. Employee opened it. Fazio ran free Malwarebytes with no real-time scanning — a Target supplier should have met minimum security standards.
4. Exploitation Citadel executed on Fazio's workstation, keylogged Ariba portal credentials, shipped them to attackers. Attackers then logged into Target's Ariba portal as Fazio. Target did not enforce MFA for supplier access — a bare username-and-password sufficed.
5. Installation Attackers pivoted from vendor portal into Active Directory using Pass-the-Hash, exploited a default BMC software admin credential, elevated to Domain Admin, deployed BlackPOS via PsExec to POS terminals. Flat network — vendor portal was not segmented from POS environment. Default vendor credentials had not been changed. FireEye alerts were ignored.
6. Command & Control BlackPOS instances beaconed to internal staging server, which relayed to FTP dropboxes in the US and onward to Russia. No egress filtering on the payment network. Outbound FTP allowed from POS segment.
7. Actions on Objectives Card data continuously exfiltrated for 19 days (Nov 27 to Dec 15). Estimated 40 million payment cards and 70 million customer records stolen. Banks noticed the fraud via card-not-present analytics — Target did not detect it internally.
AFTERMATH — THE FULL COST
Direct settlement (2017 multi-state): $18.5 million Total direct costs (technology + legal): ~$202 million Analyst estimates including revenue impact: ~$1 billion Executive departures: CEO Gregg Steinhafel, CIO Beth Jacob — first Fortune 500 CEO to resign over a cyber breach. PCI DSS status at time of breach: Certified compliant (recently audited). Culprit: Never identified. Attributed by researchers to Eastern European organised crime, likely operating out of Russia. Coverage: Brian Krebs broke the story Dec 18, 2013 (KrebsOnSecurity), one day BEFORE Target's official disclosure. WSJ, NYT, Bloomberg BusinessWeek and Reuters ran extensive follow-ups.

Section 11

Defensive Controls — One Table for the Whole Chain

If you were designing a security programme from scratch, this is the "must-have" grid. At every phase, at least one detective control and one preventive control. Redundancy across phases is the whole point.

Phase Preventive Control Detective Control Responsive Control
1. Recon Attack surface management; OSINT hygiene Honeypots; scanner-detection SIEM rules Take-down requests for leaked data
2. Weaponisation N/A — occurs on attacker infrastructure Threat intelligence feeds; malware sandboxing IOC sharing with ISACs
3. Delivery Email filtering; attachment stripping; browser isolation Phishing-reporting button; DMARC/DKIM enforcement Automated URL-rewriting; user quarantine of forwarded threats
4. Exploitation Patch management (< 30 day SLA on critical); MFA everywhere; disabled macros from internet sources EDR behavioural rules; process-creation logging Automated host isolation on high-severity detection
5. Installation Application allow-listing; PowerShell Constrained Language Mode; privileged access workstations Registry-write and scheduled-task monitoring; Sysmon Kill process + revert persistence artefacts via automation
6. C2 Egress filtering (deny by default); proxy inspection; DNS filtering Beacon detection; JA3 fingerprinting; new-domain alerts Sinkhole malicious domains; block ASN at edge
7. Actions on Objectives Data-loss prevention (DLP); encryption at rest; segmentation of crown-jewel data Anomaly detection on outbound volume; canary tokens Immutable backups; incident response plan; breach notification workflow
🔬
The "Coverage Map" Discipline

Mature security teams keep a live coverage map: for every kill-chain phase, which controls do we have, and how well do they work? If your coverage map has a blank row, you have a critical detection gap. Regular purple-team exercises — offensive and defensive teams working together to simulate specific kill-chain attacks — are how you validate the map is real, not aspirational.


Section 12

Modern Extensions — MITRE ATT&CK and the Unified Kill Chain

The Lockheed model is now fifteen years old. It remains foundational, but the industry has extended it in two important ways to cover modern attack patterns.

📋 MITRE ATT&CK
ElementDetail
PublishedMITRE, 2013+
Structure14 tactics, 200+ techniques
FocusPost-compromise behaviour
GranularityVery high — technique-level
CoverageWindows, Linux, macOS, cloud, mobile, ICS
Best forDetection engineering, red-team simulation
🔯 Unified Kill Chain
ElementDetail
PublishedPaul Pols, 2017
Structure18 phases in 3 groups
FocusFull end-to-end campaign
GranularityMedium — adds lateral movement, privilege escalation, defence evasion
CoverageCombines Lockheed + MITRE philosophies
Best forModelling APT campaigns; SOC design
📋
Use the Kill Chain for Communication, ATT&CK for Engineering

The Lockheed Cyber Kill Chain is unmatched as an executive briefing tool — seven boxes, one arrow through them, anyone in the room can follow it. MITRE ATT&CK is unmatched as a detection-engineering tool — it tells you exactly which log event corresponds to which technique. Mature teams use both, and treat them as complementary rather than competing.


Section 13

Limitations — Where the Kill Chain Falls Short

No framework is perfect. The Cyber Kill Chain has genuine blind spots, and understanding them is part of using it well.

Assumes Linearity
Real attacks are non-linear — attackers loop back to reconnaissance mid-campaign, use multiple parallel implants, and change objectives on the fly. The Kill Chain flattens this into a straight line.
reality: campaigns are graphs
Weak on Insider Threats
A malicious insider skips Phases 1-4 entirely. They already have delivery and access. The Kill Chain has almost nothing to say about them, which is a serious gap given insider incidents are ~15% of breaches.
use UEBA + DLP for insiders
Perimeter-Centric
Designed in 2011 when the perimeter was still a meaningful concept. Cloud, SaaS, and remote work have dissolved that perimeter. Modern attacks may skip the "network intrusion" concept entirely.
bring: Zero Trust model
Doesn't Address Web-App Attacks Well
SQL injection, XSS, CSRF, IDOR — the entire OWASP top ten sits awkwardly in a framework designed around malware payloads. Web application security has its own frameworks (OWASP ASVS).
gap: use OWASP alongside
Silent on Cloud Identity Attacks
Golden SAML, OAuth abuse, token replay — modern APT29 tradecraft has no place to sit in a Lockheed-era diagram. The Unified Kill Chain closes some of this; MITRE ATT&CK for Cloud closes more.
gap: cloud-native TTPs
No Monetisation Phase
For financially-motivated actors, converting stolen data into cash is a distinct operation with its own indicators. Some practitioners now add an 8th phase — Monetisation — for this reason.
ext: 8-phase modern variant

Section 14

Practical Exercise — Map a News Story to the Chain

The single best way to internalise the Kill Chain is to grab any recent breach news story and reconstruct the seven phases from what is publicly reported. Here is a worked walkthrough on a second real case for practice.

Worked Example — Colonial Pipeline (May 2021)

Phase Colonial Pipeline Facts (per FBI & congressional testimony)
Recon The DarkSide ransomware group operated as a "ransomware-as-a-service" affiliate model. Affiliates scanned continuously for exposed VPNs and public services. Colonial was one target of many.
Weaponisation DarkSide's affiliate configured a bespoke ransomware build with an embedded encryption key and per-victim ransom note. No custom exploit needed — the entry required just a password.
Delivery The attackers logged into a legacy Colonial VPN account. The account was inactive but had not been decommissioned. Its password appeared in a batch of leaked credentials on the dark web. The VPN had no MFA.
Exploitation No CVE. No exploit. Just a valid password on a legacy account. This is the modern reality: "exploitation" often means "logged in with someone else's credentials."
Installation Attackers moved laterally through Colonial's IT network (not OT — the pipeline control network remained uncompromised). Deployed DarkSide ransomware payload onto business systems.
C2 DarkSide's affiliate used standard tooling (likely Cobalt Strike) with HTTPS beacons. Also used their own leak site (hosted on the dark web) to negotiate.
Actions on Objectives On May 7, 2021, ransomware detonated. Colonial shut down its 5,500-mile pipeline as a precaution — the largest fuel pipeline in the US. Fuel shortages hit the east coast. Colonial paid $4.4 million in Bitcoin. The FBI later recovered ~$2.3M of it. Reported extensively by The New York Times, Reuters, and Bloomberg.
🛠️
The One Missing Control

Colonial's entire attack chain — pipeline shutdown, gas panic, $4.4M ransom, congressional hearings, presidential executive order — hinged on one legacy VPN account without MFA. Adding MFA on that single account would have broken the chain at Phase 3 (Delivery). Every incident, every breach, has a moment like this. Your job as a defender is to find those moments before the attackers do.


Section 15

Newspaper & Reference Coverage

Case Publication Contribution
Target Breach (2013) KrebsOnSecurity (Brian Krebs) December 18, 2013 — first to publicly break the Target breach, a day before Target's official announcement. Continuous follow-up coverage of technical details.
Wall Street Journal (Danny Yadron, Paul Ziobro, Devlin Barrett) "Target Warned of Vulnerabilities Before Data Breach" — February 14, 2014
Bloomberg BusinessWeek (Michael Riley, Ben Elgin, Dune Lawrence, Carol Matlack) "Missed Alarms and 40 Million Stolen Credit Card Numbers" — March 13, 2014. The definitive account of Target's ignored FireEye alerts.
Reuters (Jim Finkle, Mark Hosenball) "Exclusive: More Well-Known U.S. Retailers Victims of Cyber Attacks" — January 12, 2014. Established this was a wider campaign, not a Target-only event.
US Senate Committee "A 'Kill Chain' Analysis of the 2013 Target Data Breach" — March 26, 2014. The formal congressional report that made the kill-chain framing famous.
Aorato / Tal Be'ery Technical decomposition of the 11 attacker steps inside Target's network — August 2014.
Colonial Pipeline (2021) The New York Times (David Sanger, Nicole Perlroth) Extensive coverage of the shutdown, ransom payment, and Biden administration response — May 2021.
Reuters / Bloomberg Reporting on the missing-MFA VPN account and the FBI's partial recovery of the ransom.
Framework Lockheed Martin — Hutchins, Cloppert, Amin "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains" — original 2011 paper.
Paul Pols "The Unified Kill Chain" — 2017 master's thesis extending Lockheed's model to 18 phases.
MITRE MITRE ATT&CK Canonical adversary behaviour knowledge base; industry standard for detection engineering.
MITRE D3FEND Companion knowledge base mapping defensive countermeasures to attacker techniques.

Section 16

Golden Rules

🏆 Hacking-as-a-Process — Non-Negotiable Takeaways
1
Hacking is a process, not an event. Every intrusion moves through seven phases in order. The moment you internalise this, cybersecurity stops being a mystery and becomes a workflow you can defend against, phase by phase.
2
The attacker must win every round. You need to win just one. This is the single most important asymmetry in the defender's favour. Do not throw it away by concentrating all your controls at the perimeter.
3
Reconnaissance is free intelligence for attackers — and for you. What are your marketing team, your GitHub repos, and your job ads telling attackers? Perform OSINT on yourself quarterly. If you don't, an attacker will.
4
Assume delivery will succeed. Phishing works. Zero-days exist. VPN accounts get reused. Your architectural bet must be that malicious content will reach an endpoint — and your defence must catch it downstream, not at the gate.
5
MFA everywhere is the single highest-value control. It breaks the chain at Phases 3 and 4 simultaneously. Colonial Pipeline, SolarWinds, Twitter's 2020 breach — every headline breach of the past five years had a missing MFA control at its root.
6
Detection without response is not detection. Target had FireEye. FireEye caught BlackPOS being installed. Nobody acted on the alert. Detection tools are worthless without a rehearsed process for what happens when they scream.
7
Egress filtering matters as much as ingress. Attackers have to phone home eventually. If your payment segment cannot open outbound FTP, C2 breaks. Very few organisations enforce this rigorously.
8
Segment your crown jewels. A flat network turns Phase 5 into "attacker owns everything." Target's HVAC vendor should never have been able to reach a POS terminal. Micro-segmentation is not optional for organisations processing regulated data.
9
Your suppliers are part of your attack surface. Fazio Mechanical Services was Target's real breach. Colonial's legacy VPN was Colonial's real breach. Third-party risk management is now a Board-level concern, not a procurement checkbox.
10
Post-mortem in public, learn in private. Every breach that becomes public teaches the whole industry something. Read the Senate Target report. Read the CISA advisories. Every "someone else's disaster" is a live-fire exercise for your defence. Study them relentlessly.
🌟
Closing Thought

Fifteen years after Lockheed Martin drew the first version of the Cyber Kill Chain, its central insight has aged beautifully: attacks are sequences, not events, and every sequence has weak links. The frameworks around it have grown — MITRE ATT&CK, the Unified Kill Chain, cloud-specific extensions — but the fundamental discipline has not changed. Understand the phases. Build a control at each phase. Test your controls with real adversary simulation. Break the chain, every time, at whichever link you can. That is the entire job.