The cyber-attack chain (also referred to as the cyber kill chain) is a way to understand the sequence of events involved in an external attack on an organization’s IT environment. Understanding the cyber-attack chain model can help IT security teams put strategies and technologies in place to “kill” or contain the attack at various stages, and better protect the IT ecosystem.

The Lockheed Martin Cyber Kill Chain and the BeyondTrust Cyber-Attack Chain

The cyber kill chain was initially developed by Lockheed Martin, which co-opted the term “kill chain”, used to break down the structure of a military attack (either offensive or defensive) into a pattern composed of identifiable stages.

Lockheed Martin’s cyber kill chain breaks down an external-originating cyberattack into 7 distinct steps:

Reconnaissance

Intruder picks a target, researches it, and looks for vulnerabilities

Weaponization

Intruder develops malware designed to exploit the vulnerability

Delivery

Intruder transmits the malware via a phishing email or another medium

Exploitation

The malware begins executing on the target system

Installation

The malware installs a backdoor or other ingress accessible to the attacker

Command and Control

The intruder gains persistent access to the victim’s systems/network

Actions on Objective

Intruder initiates end goal actions, such as data theft, data corruption, or data destruction

While the original cyber kill chain model as envisioned by Lockheed Martin is a helpful starting point in trying to model and defend against attacks, as with any security model, keep in mind that every IT deployment is unique, and intrusion attacks do not, as a rule, have to follow the steps in the model.
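As an added example (not part of the original page or any vendor tooling), the sketch below groups alerts by host against Lockheed Martin's seven stages and reports the furthest stage reached plus earlier stages with no alert, which means either the intruder skipped that step or no control observed it. The alert records, host names, rule names and the per-alert stage tag are constructed assumptions.

```python
from collections import defaultdict

# Lockheed Martin's seven stages, in order.
STAGES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and Control", "Actions on Objective"]
# Weaponization happens on the intruder's side, so no local sensor can see it.
UNOBSERVABLE = {"Weaponization"}

# Constructed sample alerts: (ISO timestamp, host, stage, rule name).
# The stage tag on each alert is an assumption about how detection rules are labelled.
ALERTS = [
    ("2024-05-01T09:02:11", "ws-014", "Delivery", "mail: attachment with macro"),
    ("2024-05-01T09:05:40", "ws-014", "Exploitation", "edr: office spawned script host"),
    ("2024-05-01T09:31:02", "ws-014", "Command and Control", "proxy: periodic beacon"),
    ("2024-05-01T11:15:27", "db-003", "Actions on Objective", "dlp: bulk export"),
    ("2024-05-01T08:40:00", "web-01", "Reconnaissance", "waf: directory scan"),
]

def summarize(alerts):
    """Per host: furthest stage alerted on, and earlier observable stages with no alert."""
    seen = defaultdict(set)
    for _ts, host, stage, _rule in alerts:
        if stage not in STAGES:
            raise ValueError(f"unknown stage: {stage!r}")
        seen[host].add(STAGES.index(stage))
    report = {}
    for host, idxs in seen.items():
        furthest = max(idxs)
        gaps = [STAGES[i] for i in range(furthest)
                if i not in idxs and STAGES[i] not in UNOBSERVABLE]
        report[host] = {"furthest": STAGES[furthest], "gaps": gaps}
    return report

def triage_order(report):
    """Hosts sorted so the ones furthest along the chain come first."""
    return sorted(report, key=lambda h: (-STAGES.index(report[h]["furthest"]), h))

if __name__ == "__main__":
    rep = summarize(ALERTS)
    for host in triage_order(rep):
        print(host, rep[host]["furthest"], "| no alert for:",
              ", ".join(rep[host]["gaps"]) or "-")
```

A host such as the constructed `db-003`, which shows only a late-stage alert, is the case the caveat above describes: the earlier steps were either skipped or went unseen, and both possibilities need to be investigated.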

Over the years, the attack landscape has shifted, and many have argued that the cyber kill chain, while helpful, needed to be updated to accommodate the reality that the traditional perimeter has shifted—some even say it has, in many cases, vanished.

Modern Cyberattacks: Focusing on Privilege & Vulnerabilities

According to Forrester Research, approximately 80% of security breaches today involve privileged credentials. To better illustrate the privilege threat component of modern cyber-attacks, in 2017, BeyondTrust published an updated model of the cyber-attack chain, along with guidance on how to dismantle an attack each step of the way.

Here are the key parts of the BeyondTrust Cyber-Attack Chain model, along with tactics to disrupt the attack at each phase.

Step One: Perimeter Exploitation

These are the early attempts to gain access to an IT organization’s systems and data. Typical techniques include:

How to dismantle or contain an attack at this phase:

Step Two: Privilege Hijacking and Escalation

This stage is where an attacker looks to escalate privileges, and hijack other privileged passwords/accounts.

How to dismantle or contain an attack at this phase:

Step Three: Lateral Movement and Exfiltration

Here, the hacker attempts to move through the system by acquiring more privileges/privileged accounts, and to find other exploits and weaknesses. Ultimately, the intruder zig-zags through the network, user accounts, data, and systems as necessary to achieve their goal(s).

How to dismantle or contain an attack at this phase:

How Applying the Cyber Kill Chain Model Improves an Organization’s Security

Although the cyber-attack / cyber kill chains aren’t the only way to understand attack vectors and security risks, these models do provide useful frameworks for reducing cyber exposures. By applying the right layering of cybersecurity controls, organizations can get better at preventing attacks altogether, disrupting in-progress attacks, and minimizing the impact of a breach should one occur.