Explain the Lockheed Martin Cyber Kill Chain and how a blue team uses it.
Short answer
The Cyber Kill Chain models an intrusion as seven sequential stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control (C2), and actions on objectives. Defenders map detections and controls to each stage; because the stages are sequential, breaking any single link — blocking the phishing email, killing C2 — disrupts the whole attack. It pushes you to detect early rather than only at the final breach.
The Cyber Kill Chain, from Lockheed Martin, gives the blue team a shared vocabulary for where in an intrusion they are detecting and where they could intervene. Interviewers use it to see whether you think about attacks as a process with many interruption points, not a single moment of "getting hacked."
The seven stages
- Reconnaissance — the attacker researches the target (OSINT, scanning, employee lists).
- Weaponization — they pair an exploit with a payload, e.g. a malicious macro in a document.
- Delivery — they transmit it: phishing email, watering-hole site, USB.
- Exploitation — the payload executes by abusing a vulnerability or tricking a user.
- Installation — malware establishes persistence on the host.
- Command and Control (C2) — the implant calls back to the attacker for instructions.
- Actions on Objectives — the attacker achieves their goal: data theft, encryption, sabotage.
How defenders use it
Map a control and a detection to each link: email filtering and user training disrupt delivery; patching and exploit mitigations disrupt exploitation; EDR and application allow-listing catch installation; DNS and egress filtering break C2. Because the stages are sequential, breaking any one link stops the attacker from reaching their objective — and the earlier you break it, the cheaper the response.
Why this matters
The kill chain is intentionally simple, which is its strength and its critique: it is linear and very malware/perimeter-focused, so many teams pair it with MITRE ATT&CK for granular techniques. A strong answer recites the stages, explains "defense in depth = a chance to break the chain at every stage," and acknowledges the model's limits.
Likely follow-ups
- Why is detecting at the delivery or exploitation stage better than at actions on objectives?
- What are the main criticisms of the kill chain compared to MITRE ATT&CK?
- Where would an EDR most likely catch an attacker in this chain?