Despite what you hear in the news or see on social media, cyberattacks don’t happen overnight. Movies like Hackers or BlackHat would have you believe that cyberattacks are executed in seconds with a few keystrokes, but that couldn’t be further from the truth. The reality is that most cyberattacks follow a structured, multi-step process. Understanding this process is key to stopping attacks before they cause damage. One of the most widely recognized models for breaking down cyberattacks is the Cyber Kill Chain, developed by Lockheed Martin.
Originally designed as a military strategy to analyze and disrupt enemy attacks, the Cyber Kill Chain was later adapted for cybersecurity to help organizations understand, detect, and mitigate threats at every stage of an attack. By mapping out the typical steps cybercriminals take—from reconnaissance to execution—this framework allows defenders to identify weak points where an attack can be stopped before it succeeds.
This model applies to all cyber threats, but in keeping with my previous articles, this one will focus specifically on how phishing attacks follow the Cyber Kill Chain. By understanding each stage, you’ll be able to recognize red flags and implement defenses that can stop a phishing attack before it leads to serious consequences.
What is the Cyber Kill Chain?
The Cyber Kill Chain is a seven-stage framework that outlines the steps cybercriminals take to execute an attack. By understanding each phase, security professionals can identify weak points and implement defenses to disrupt an attack before it succeeds.
Here’s a brief overview of each stage:
Reconnaissance – The attacker gathers information about the target, such as email addresses, job roles, and organizational structure, often using social engineering or Open Source Intelligence (OSINT) tools.
Weaponization – The attacker crafts a payload (e.g., phishing email), embedding malicious links or attachments designed to exploit the recipient.
Delivery – The payload (phishing email) is sent to the target, often appearing to come from a trusted source to increase the likelihood of engagement.
Exploitation – The target takes the bait—clicking a link, downloading an attachment, or entering credentials—allowing the attacker to gain access.
Installation – Malware is installed on the victim’s system, or the attacker establishes unauthorized access through stolen credentials.
Command and Control (C2) – The attacker establishes a communication channel with the compromised system, allowing remote control and data exfiltration.
Actions on Objectives – The attacker achieves their goal, whether it’s stealing data, deploying ransomware, or escalating privileges within the network.
Each of these stages represents an opportunity for defenders to detect and stop an attack before it progresses. In the next section, we’ll take a deeper look at how phishing attacks follow this chain in real-world scenarios.
1. Reconnaissance: Gather Information
Before launching a phishing attack, cybercriminals need to gather intelligence on their target. This stage, known as reconnaissance, is all about research and information gathering—the foundation of a successful attack. The more an attacker knows about their target, the more convincing and effective their phishing email will be.
How Attackers Gather Information
Attackers have a plethora of methods and tools at their disposal to collect information about their targets. Here are just a few examples:
Open Source Intelligence (OSINT) - The process of gathering, analyzing, and sharing publicly available information. Examples include:
Social Media & Professional Networks – Sites such as LinkedIn, Facebook, and other platforms provide cybercriminals with names, job titles, and connections to their targets that can be exploited.
Company Websites & Press Releases – Organizations often list employee information, email formats, and upcoming events, which attackers use for context.
OSINT Tools – Tools like Maltego, theHarvester, and Google Dorking help attackers gather emails, subdomains, and internal resources more precisely.
Additionally, cybercriminals can utilize dark web markets to find data breach logs. Previously leaked credentials and emails can be repurposed for phishing attempts.
2. Weaponization: Crafting the Attack
Once attackers have gathered enough information during the reconnaissance phase, they move on to weaponization. This is the stage where the attacker crafts the attack itself, for example a phishing email with embedded malicious links or attachments designed to deceive the target. The goal is to avoid detection so that the attack reaches the recipient and prompts them to take action.
How Attackers Create the Attack
Cybercriminals use several techniques to disguise their malware or malicious sites. For the sake of this article we will focus only on phishing emails and how they are made to appear authentic to recipients. Below are some examples:
Email Spoofing – Attackers forge the “From” address to make the email appear as if it’s coming from a trusted source, such as the CEO or internal personnel. For more on the technologies in place to prevent these attacks, check out my post here: DMARC, DKIM and SPF
Compromised Accounts – If an attacker is unable to spoof a legitimate address, the next step they may take is to send phishing emails from legitimate accounts they have already hacked. These are even harder to detect, as they now genuinely come from a trusted source.
Social Engineering Tactics – Lastly, as we've previously discussed, cybersecurity is not strictly based on technology but incorporates a human aspect as well. An attacker may instead craft a simpler email designed to trigger emotions like urgency, fear, or curiosity to get the recipient to take action.
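As an added illustration (not code from the original post), here is a small Python check that a mail gateway or analyst could run over a message’s headers to spot the spoofing described above: it compares the visible From domain against the envelope sender and Reply-To, and reads the SPF/DKIM/DMARC verdicts that the receiving mail server recorded in Authentication-Results. The sample headers, domains and message are constructed for the example.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample (not a real message): the visible From claims the company's
# own domain, but the envelope sender, Reply-To and authentication verdicts disagree.
SAMPLE_HEADERS = """\
Return-Path: <bounce@mailer-example.net>
Authentication-Results: mx.example.com;
 spf=fail smtp.mailfrom=mailer-example.net;
 dkim=none;
 dmarc=fail header.from=example.com
From: "CEO" <ceo@example.com>
Reply-To: ceo.example@webmail-example.net
To: finance@example.com
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

def _domain(addr: str) -> str:
    """Lower-cased domain part of an address written as 'Name <user@domain>'."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def spoof_indicators(raw: str) -> list:
    """Return human-readable reasons the message looks spoofed (empty list = clean)."""
    msg = email.message_from_string(raw)
    reasons = []
    from_dom = _domain(msg.get("From", ""))
    ret_dom = _domain(msg.get("Return-Path", ""))
    reply_dom = _domain(msg.get("Reply-To", ""))
    # Envelope sender (Return-Path) and visible From should align for internal mail.
    if ret_dom and ret_dom != from_dom:
        reasons.append(f"return-path domain {ret_dom} != from domain {from_dom}")
    # A Reply-To pointing elsewhere silently routes the victim's answer to the attacker.
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"reply-to domain {reply_dom} != from domain {from_dom}")
    # Authentication-Results is stamped by our own MX; anything but 'pass' is a flag.
    auth = " ".join(msg.get_all("Authentication-Results", []))
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() != "pass":
            reasons.append(f"{mech}={m.group(1)}")
    return reasons

if __name__ == "__main__":
    for reason in spoof_indicators(SAMPLE_HEADERS):
        print("SUSPICIOUS:", reason)
```

Note that a message sent from a genuinely compromised account passes every one of these checks, which is exactly why the compromised-account technique above is harder to catch.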
3. Delivery: Getting the Phishing Email to the Target
With the phishing email carefully crafted during the weaponization phase, attackers now move to delivery. In this step, the payload is delivered to the target through a variety of methods, such as email. Their goal is to bypass security filters and come into direct contact with the target, increasing the chances of engagement.
How Malware is Delivered
There are a number of ways attackers can deliver malware effectively. However, we will focus on how it is done through common email strategies.
Mass Phishing Campaigns – In this strategy, emails are sent in bulk to thousands of recipients, hoping that even a small percentage will fall for the scam. These attacks often involve some level of impersonation (e.g., “Your Netflix account has been suspended!”).
Spear Phishing – A more targeted version of a phishing campaign. This method narrows in on a specific individual rather than an organization or large group of people. The email is tailored using personal details gathered during reconnaissance so that it appears legitimate, and in some cases is exactly the kind of message the target would be expecting (e.g., an attacker impersonating the victim’s boss requesting an urgent invoice payment).
Business Email Compromise (BEC) – In other cases, attackers use a real email account they have gained access to (often through prior phishing attacks) to send emails from a legitimate corporate domain requesting wire transfers, sensitive data, or login credentials.
While email is one of the main methods of delivering malware, there are several others that cybercriminals will use:
Smishing (SMS phishing) – Attackers send malicious links via text messages.
Vishing (voice phishing) – Attackers impersonate a trusted entity over the phone to trick victims into sharing information.
4. Exploitation: Triggering the Attack
Once the malicious payload has been delivered, the attacker moves on to the exploitation phase. In this phase, the victim triggers the malware (often unknowingly) by interacting with the malicious content. This is the stage where the real damage begins and the initial foothold is established, allowing the attacker to move deeper into the system.
How Exploitation Happens
At this stage, the attacker relies on human error, software vulnerabilities, or misconfigurations to execute their attack. We will now explore some common scenarios below:
Phishing Clicks & Credential Theft – A victim clicks a malicious link in an email, which either starts a malware download onto their device or redirects them to a fake login page where they unknowingly hand their credentials to the attacker.
Malicious Attachments & Drive-By Downloads – Similar to the first scenario, the victim will open an infected file (e.g., PDF, Word document, ZIP file), executing hidden malware that installs on their system.
Exploiting Unpatched Software – Attackers use known vulnerabilities in outdated applications (e.g., browsers, operating systems, VPNs) to inject code remotely.
Weak or Reused Passwords – If an attacker has a list of passwords from a previous attack, they may leverage them to bypass the victim’s interaction entirely and access the account themselves (also known as a brute force attack).
5. Installation: Establishing a Foothold
Once an attacker successfully exploits a vulnerability or system, the next step is installation, where they establish a persistent foothold in the system. This allows them to maintain access, even if the victim restarts their computer, updates software, or changes credentials. The longer an attacker remains undetected, the greater the potential damage.
How Attackers Establish Persistence
To avoid detection and maintain control, attackers use a variety of stealthy techniques, including:
Malware Installation – Malicious software such as Remote Access Trojans (RATs), keyloggers, or ransomware is installed on the victim’s system to maintain access and control.
Backdoors & Hidden Scripts – A backdoor is any method by which authorized and unauthorized users can get around normal security measures and gain high-level user access (aka root access) on a computer system, network, or software application.
Registry & System Modifications – Attackers directly modify system settings or registry keys so that the malware launches automatically each time the system reboots.
Living off the Land (LotL) Techniques – Instead of installing new software or malware that may be removed, attackers will abuse legitimate system tools (e.g., PowerShell, Windows Management Instrumentation) to execute malicious actions, reducing the chance of detection.
Credential Dumping & Account Hijacking – As explained previously, an attacker will use stored passwords or authentication tokens extracted from the compromised system to expand access and establish persistence across multiple systems.
6. Command and Control (C2): The Attacker Takes Control
Once an attacker has established a persistent foothold through installation, the next step is Command and Control (C2). In this phase, the attacker establishes remote communication with the compromised system. This allows them to issue commands, exfiltrate data, and expand their attack undetected.
How Attackers Establish C2
To maintain persistent control, attackers set up covert communication channels between the infected device and their systems. As we discussed in the previous stage, attackers will have remote access trojans (RATs) established on the victim’s system. With the RAT in place, they are now able to move files, execute commands, and escalate privileges from a remote device.
To avoid being traced, attackers disguise their C2 traffic by using legitimate-looking domains (e.g., Google, AWS) or encrypted channels to bypass security filters and IDS scanning for malicious traffic. Some malware even hides C2 traffic within what appear to be legitimate DNS queries, making detection more difficult.
In addition, instead of using their own infrastructure, attackers will abuse services like Dropbox, Google Drive, or Slack to relay commands and exfiltrate data.
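As an added example, not from the original post, the following Python heuristic shows one way defenders hunt for C2 hidden in DNS queries: it groups lookups by parent domain and flags domains whose leftmost labels are numerous, long and high-entropy, the signature of encoded data being smuggled out inside DNS names. The query log, domain names and thresholds are constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed DNS query log as (client, queried name) pairs; not real traffic.
# The first client browses normally; the second emits what looks like encoded data.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.5", "cdn.example.com"),
    ("10.0.0.7", "4f3a9c1e7b2d8a0f5e6c.tunnel-example.net"),
    ("10.0.0.7", "9b8e2d7c1a4f6e3b0d5a.tunnel-example.net"),
    ("10.0.0.7", "c7d1e5a9f3b2048e6d1c.tunnel-example.net"),
    ("10.0.0.7", "1e9f4b7a3c2d8e6f0a5b.tunnel-example.net"),
    ("10.0.0.7", "a2c4e6f8b1d3e5f7a9c0.tunnel-example.net"),
]

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; hex/base32-encoded chunks score high."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def suspicious_domains(queries, min_unique=5, min_label_len=16, min_entropy=3.0):
    """Return parent domains whose subdomain labels look like encoded payloads."""
    labels = defaultdict(set)  # parent domain -> set of distinct leftmost labels
    for _client, name in queries:
        parts = name.lower().rstrip(".").split(".")
        if len(parts) < 3:
            continue  # bare registrable domain: no subdomain to hide data in
        parent = ".".join(parts[-2:])
        labels[parent].add(parts[0])
    flagged = []
    for parent, subs in labels.items():
        if len(subs) < min_unique:
            continue  # a few fixed hostnames is normal, not a tunnel
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s) for s in subs) / len(subs)
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            flagged.append(parent)
    return sorted(flagged)

if __name__ == "__main__":
    for dom in suspicious_domains(SAMPLE_QUERIES):
        print("possible DNS tunnel:", dom)
```

Legitimate CDN, telemetry and anti-spam services also use long random-looking labels, so tune the thresholds against a baseline of your own traffic and treat hits as leads for review rather than verdicts.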
7. Actions on Objectives: The Attacker’s Endgame
The final stage is Actions on Objectives. This is where the true impact of the attack is realized, whether it’s data theft, system disruption, financial fraud, or ransomware deployment. The attacker has full control and executes their intended goal.
Common Attacker Objectives
An attacker’s goal can vary depending on several variables, including intent, moral views, financial gain, and motivation. However, below are some of the more common objectives seen in cyber security attacks:
Data Exfiltration & Espionage – The objective for the attacker(s) is to extract sensitive information, such as customer records, intellectual property, or financial data, often selling it on the dark web or using it for further attacks.
Ransomware Deployment – The objective of the attacker is to encrypt the victim's files and demand a ransom payment to restore access. Some ransomware groups also threaten to leak stolen data if payment isn’t made (double extortion).
Account & Identity Theft – The objective of the attacker is to steal login credentials that can be used for another objective such as financial fraud, business email compromise (BEC), or account takeovers across multiple platforms.
Privilege Escalation & Lateral Movement – The objective for the attacker is to move deeper into the network, targeting higher-level accounts, domain controllers, or cloud environments, expanding their reach.
System Sabotage & Destruction – The objective of the attacker is to delete or corrupt critical files, wipe systems, or disable infrastructure to disrupt business operations (wiper malware, insider threats).
Cryptojacking & Resource Hijacking – The objective of the attacker is to hijack the computing power of a victim's system to use for other malicious actions such as mining cryptocurrency or launching Distributed Denial-of-Service (DDoS) attacks.
Conclusion
Cyberattacks rarely happen instantly; the majority follow a structured process. By walking through the Cyber Kill Chain, we’ve explored how attackers move through seven key stages, from reconnaissance to execution. In today’s modern age, staying vigilant in your day-to-day job is just as important as having the latest technological defenses. Now that you understand how attackers operate, you are equipped to take a proactive approach to both your organization’s and your personal cybersecurity. Think twice before clicking an email link, verify sender addresses, and report anything suspicious to your security team. A well-trained, security-conscious workforce is often the first and most important line of defense. For those looking to dive deeper into defensive security strategies, here are some recommended resources:
📖 Lockheed Martin Cyber Kill Chain Overview
📖 MITRE ATT&CK Framework – A more detailed, real-world mapping of attacker tactics and techniques.
📖 CISA Phishing Awareness – Government-backed guidance on identifying and stopping phishing attacks.
📖 NIST Cybersecurity Framework – Best practices for cybersecurity risk management.
Cyber threats are evolving, but so can we. Be proactive, stay informed, and don’t let attackers gain the upper hand! 💡🔒
👉 What’s one security habit you plan to improve after reading this? Let’s discuss this in the comments!