Kill Chain Phase


In cybersecurity, particularly in attack path analysis and intelligence, a Kill Chain Phase is a single, interconnected stage in the logical progression of a cyberattack. The "Kill Chain" model, popularized initially by Lockheed Martin, treats a cyber intrusion as a linear sequence of events.

The core principle is that for an attack to succeed, the adversary must complete each phase in order. Conversely, if a defender can "break the chain" by stopping the attacker at any single phase, the entire attack path collapses.

The Standard Phases of the Cyber Kill Chain

The traditional model consists of seven distinct phases, each representing a hurdle the attacker must overcome:

1. Reconnaissance

This is the preliminary stage where the attacker scopes the target. They gather information to identify vulnerabilities and weak points.

  • Activities: Harvesting email addresses, social media research, and scanning for open ports or unpatched software.

  • Goal: To find the path of least resistance into the organization.

2. Weaponization

The attacker uses information gathered during the reconnaissance phase to prepare a "payload."

  • Activities: Coupling a remote access trojan with an exploit and packaging it into a deliverable format, such as a PDF or a Microsoft Office document.

  • Goal: To create a tool capable of executing malicious code once it reaches the target.

3. Delivery

This phase involves transmitting the weaponized payload to the victim.

  • Activities: Sending a spear-phishing email with a malicious attachment, hosting a "watering hole" website, or using an infected USB drive.

  • Goal: To initiate the first point of contact with the target’s infrastructure.

4. Exploitation

Once the payload is delivered, it must be triggered. Exploitation occurs when the malicious code takes advantage of a specific vulnerability in a system or application.

  • Activities: Triggering a buffer overflow or exploiting a browser vulnerability when a user clicks a link.

  • Goal: To "break in" and gain initial execution on the target host.

5. Installation

After the successful exploit, the attacker must establish a permanent presence.

  • Activities: Installing a "backdoor" or registry key that ensures the malware remains active even if the computer is rebooted.

  • Goal: Maintain persistence so the attacker does not have to re-exploit the system to regain access later.

6. Command and Control (C2)

With a permanent foothold established, the compromised system must be able to communicate with the attacker.

  • Activities: The malware connects to an external server to receive instructions, or "call home."

  • Goal: To give the attacker manual or automated control over the compromised environment.

7. Actions on Objectives

In the final phase, the attacker carries out their primary mission.

  • Activities: Data exfiltration (stealing files), encrypting data for ransom, or destroying system backups.

  • Goal: To achieve the "impact" stage of the attack path.

The Role of Kill Chain Phases in Attack Path Intelligence

In advanced threat intelligence, identifying which phase an attacker is currently in allows for a more proactive defense.

  • Left of Boom vs. Right of Boom: "Boom" is the moment of exploitation. Everything to the left (Recon, Weaponize, Deliver) is preventive. Everything to the right (Install, C2, Action) is about mitigation and response. Attack path intelligence seeks to move defenses as far "left" as possible.

  • Detecting Choke Points: Many different attack paths often converge at a single phase or asset. These are known as Choke Points. If you can identify a common "Delivery" method used by multiple threat actors, you can secure that single point to break dozens of potential attack chains.

  • Resource Optimization: Security teams cannot protect everything equally. By understanding which kill chain phases are most vulnerable in their specific environment, they can use their budget more effectively—for example, investing in email security to break the "Delivery" phase.
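As an added illustration that is not part of the original page or of ThreatNG's product, the Python below models a few constructed attack paths as ordered kill chain steps, ranks the choke points (the steps shared by the most paths, with ties broken toward the earliest phase so the defense lands as far "left of boom" as possible), and shows that neutralising one step collapses every path that depends on it. The path names and steps are made up for the example.

```python
from collections import Counter

# Kill Chain phases in order; a path must traverse them left to right.
PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and Control", "Actions on Objectives"]

# Constructed sample paths (illustrative, not ThreatNG output): ordered (phase, step) pairs.
ATTACK_PATHS = {
    "phish-to-credentials": [
        ("Reconnaissance", "leaked executive profiles"),
        ("Weaponization", "lookalike domain with mail record"),
        ("Delivery", "spear-phishing email"),
        ("Exploitation", "credential harvest on subdomain without CSP"),
        ("Actions on Objectives", "mailbox access"),
    ],
    "macro-document": [
        ("Reconnaissance", "scan for unpatched software"),
        ("Weaponization", "office document with macro"),
        ("Delivery", "spear-phishing email"),
        ("Exploitation", "macro execution"),
        ("Installation", "registry run key"),
        ("Command and Control", "beacon to external server"),
        ("Actions on Objectives", "data exfiltration"),
    ],
    "subdomain-takeover": [
        ("Reconnaissance", "enumerate subdomains"),
        ("Weaponization", "claim dangling CNAME target"),
        ("Delivery", "script hosted on legitimate subdomain"),
        ("Exploitation", "session cookie theft"),
        ("Actions on Objectives", "account takeover"),
    ],
}

def is_ordered(steps):
    """True if the path never moves backwards through the phases (no phase is skipped back to)."""
    idx = [PHASES.index(phase) for phase, _ in steps]
    return idx == sorted(idx)

def choke_points(paths):
    """Rank (phase, step) pairs by the number of paths through them; ties favour the earlier phase."""
    counts = Counter()
    for steps in paths.values():
        for step in dict.fromkeys(steps):   # de-duplicate within a path, keep order
            counts[step] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], PHASES.index(kv[0][0])))

def break_chain(paths, step):
    """Paths that survive once `step` is neutralised: phases are sequential, so one broken step collapses the path."""
    return {name: steps for name, steps in paths.items() if step not in steps}
```

With the sample data the top choke point is the spear-phishing email in the Delivery phase, which matches the email-security investment the text describes.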

Common Questions About Kill Chain Phases

How is the Kill Chain different from the MITRE ATT&CK framework?

The Kill Chain is a high-level, linear model (the "strategy"). MITRE ATT&CK is a more granular matrix of specific techniques (the "tactics") used within those phases. Think of the Kill Chain as the map of the journey and ATT&CK as the specific turns taken along the way.

Can a phase be skipped?

Generally, no. An attacker cannot exfiltrate data (Action) without first being on the network (Delivery/Exploit). However, sophisticated actors can move through the early phases very quickly or use pre-compromised accounts to bypass the "Exploitation" phase.

Does the Kill Chain apply to insider threats?

Traditional Kill Chain models were designed for external actors. For insider threats, the "Reconnaissance" and "Delivery" phases look very different, as the actor already has legitimate access. Modern versions of the model often include internal "Lateral Movement" and "Privilege Escalation" phases.

In cybersecurity, Kill Chain Phases represent the strategic stages an adversary must complete to conduct a successful attack, ranging from initial discovery to final impact. ThreatNG disrupts these phases by providing a purely external, "outside-in" view of the attack surface, transforming fragmented findings into actionable narratives.

The following sections detail how ThreatNG identifies and breaks the Kill Chain through its core capabilities and collaboration with complementary security solutions.

External Discovery of Kill Chain Entry Points

The Kill Chain begins with Reconnaissance, where attackers identify targets. ThreatNG automates this phase by performing purely external, unauthenticated discovery to map an organization's entire internet-facing footprint without requiring internal agents.

  • Shadow IT Identification: ThreatNG uncovers unmanaged cloud instances, forgotten subdomains, and temporary development environments that often serve as initial footholds for attacks.

  • Domain and Brand Presence: The platform discovers registered and available domain permutations (typosquatting) and Web3 domains (e.g., .eth or .crypto), which adversaries use as initial delivery vectors for phishing.

  • Asset Correlation: It identifies domains, IPs, and cloud buckets, establishing the foundational knowledge attackers seek during the early phases of the Kill Chain.

External Assessment and DarChain Narrative Mapping

ThreatNG’s DarChain (Digital Attack Risk Contextual Hyper-Analysis Insights Narrative) is the primary engine for disrupting the Kill Chain. It chains disparate technical, social, and regulatory findings into a structured threat model, revealing the precise "chained relationships" an adversary would exploit.

Detailed Examples of Assessment via DarChain

  • The Phishing-to-Credential Theft Narrative: DarChain might identify a registered lookalike domain with an active mail record. It chains this with leaked executive profiles found on LinkedIn and a subdomain missing a Content Security Policy (CSP). This reveals a scenario in which an attacker uses a believable persona to trick an employee into providing credentials harvested via the vulnerable subdomain.

  • The Subdomain Takeover Narrative: ThreatNG identifies a "dangling DNS" record pointing to an inactive service. DarChain explains how an attacker can claim that resource to host malicious scripts. Because the script is on a legitimate subdomain, it bypasses security controls to steal user session cookies during the Delivery and Exploitation phases.

  • The Regulatory Disclosure Narrative: The platform mines SEC 8-K filings and correlates disclosed risks with technical vulnerabilities. If a company discloses a specific risk but has an unpatched "Critical" vulnerability in that area, DarChain flags it as a high-priority path, since attackers use public disclosures to validate their targets.
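The subdomain takeover narrative above depends on a dangling CNAME record. As an added defender-side check that is not ThreatNG's code, the Python below parses a constructed zone excerpt, follows CNAME chains that stay inside the zone, and flags records whose external target no longer resolves; the hostnames are made up, and the resolver can be swapped for an offline stub.

```python
import socket

# Constructed zone excerpt (BIND-style "owner TTL class type rdata"); not real data.
ZONE = """
www.example.com.      300 IN A     203.0.113.10
shop.example.com.     300 IN CNAME www.example.com.
dev.example.com.      300 IN CNAME old-app.cloudhost.example.
status.example.com.   300 IN CNAME status-page.provider.example.
"""

def parse_zone(text):
    """Return {owner: (type, rdata)} for the A/AAAA/CNAME records in a zone dump."""
    records = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[3] in ("A", "AAAA", "CNAME"):
            records[parts[0].lower()] = (parts[3], parts[4].lower())
    return records

def live_resolves(name):
    """Default resolver: True if the name still has an address (needs network access)."""
    try:
        socket.getaddrinfo(name.rstrip("."), None)
        return True
    except socket.gaierror:
        return False

def dangling_cnames(records, resolves=live_resolves, max_hops=8):
    """Owners whose CNAME chain ends at an external target that no longer resolves."""
    findings = []
    for owner, (rtype, target) in records.items():
        if rtype != "CNAME":
            continue
        hops = 0
        # Follow CNAME chains that stay inside our own zone.
        while target in records and records[target][0] == "CNAME" and hops < max_hops:
            target = records[target][1]
            hops += 1
        if target in records:      # chain ends at a record we control: not dangling
            continue
        if not resolves(target):   # external target gone: takeover candidate, review it
            findings.append((owner, target))
    return findings
```

A hit means the target is unclaimed from the resolver's point of view; whether a third party could register it depends on the hosting provider, so treat each finding as a record to remove or re-point rather than as proof of compromise.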

Investigation Modules for Granular Phase Analysis

ThreatNG includes specialized investigation modules that allow analysts to deep-dive into specific "Step Actions" within a Kill Chain phase.

Detailed Examples of Investigation Modules

  • Sensitive Code Exposure: This module scans public repositories such as GitHub for leaked API keys, cloud credentials, and Jenkins passwords. Finding a hardcoded secret provides a validated step for an Unauthorized Access narrative, moving the attacker past the Exploitation phase.

  • Dark Web Presence (DarCache Rupture): This module monitors hacker forums for brand mentions and compromised credentials. An investigation might reveal attackers discussing a specific unpatched vulnerability, marking the Post-Exploitation and Impact phase as an imminent risk.

  • Social Media and Reddit Discovery: These modules turn "conversational risk" into intelligence. If an employee asks for online technical help with server configuration, an attacker can use that information to build a technical blueprint for a targeted Social Engineering tactic.

Intelligence Repositories (DarCache)

The DarCache suite of intelligence repositories provides real-world context for prioritizing Kill Chain disruptions. It integrates data from the KEV catalog to confirm active exploitation, EPSS to predict future likelihood, and verified Proof-of-Concept (PoC) Exploits to demonstrate precisely how a vulnerability can be weaponized. ThreatNG also tracks over 70 ransomware gangs, allowing organizations to prioritize the specific techniques used by active threat actors.

Reporting and Continuous Monitoring

To maintain a proactive defense, ThreatNG provides:

  • Continuous Monitoring: The platform continuously rescans the external attack surface and digital risks to ensure Kill Chain maps remain current as the landscape evolves.

  • Actionable Reporting: ThreatNG delivers technical workbooks and executive reports that pinpoint "Attack Path Choke Points"—critical vulnerabilities where multiple potential attack chains intersect. Fixing a choke point collapses dozens of potential adversarial narratives simultaneously.

Cooperation with Complementary Solutions

ThreatNG provides the external "outside-in" intelligence that triggers and enriches the workflows of internal security tools to dismantle adversary narratives at multiple stages.

  • Identity and Access Management (IAM): When ThreatNG uncovers leaked API keys or credentials in public code, it feeds this data to IAM platforms to trigger immediate key rotation or password resets, effectively ending an identity-based attack phase.

  • Security Orchestration, Automation, and Response (SOAR): High-priority alerts from a "Subdomain Takeover" narrative can trigger automated SOAR playbooks to delete dangling DNS records or block malicious IP addresses at the perimeter firewall.

  • Vulnerability Management and EDR: ThreatNG identifies the specific "Tech Stack" and external assets an attacker is targeting. This allows internal vulnerability scanners to prioritize those assets and enables Endpoint Detection and Response (EDR) tools to increase monitoring sensitivity on the servers identified in a potential attack path.

Common Questions About Kill Chain Phases and ThreatNG

How does ThreatNG define a Kill Chain phase differently from a technique?

A phase is a high-level strategic stage (e.g., Reconnaissance). A technique is the specific method or "how" used to achieve that stage (e.g., Subdomain Enumeration).

What is an "Attack Path Choke Point" in the Kill Chain?

A choke point is a critical vulnerability or asset that appears in multiple different attack narratives. Securing a choke point is the most efficient use of resources because it disrupts the most significant number of potential adversarial movements at once.

Can non-technical events be part of a Kill Chain phase?

Yes. ThreatNG treats organizational instability—such as layoff chatter or lawsuits—as a core part of its intelligence, recognizing that these events provide the psychological "hook" used for Reconnaissance and Social Engineering phases.
