Ethical Hacking Lesson 5 – Cyber Kill Chain | Dataplexa
Foundations & Hacking Mindset · Lesson 5

Cyber Kill Chain

Real attacks don't happen in a single moment. They unfold in stages — and each stage gives a defender a chance to stop the whole thing. The Cyber Kill Chain is the framework that maps out every step of an attack so you know exactly where to look and when to intervene.

A military concept applied to cybersecurity

The term "kill chain" originally came from the military. It described the sequence of steps an enemy takes to successfully carry out an attack — from identifying a target all the way through to the strike itself. The idea was simple: disrupt any single link in that chain and the entire attack fails.

In 2011, defence company Lockheed Martin adapted this concept for cybersecurity. They observed that digital attacks follow a remarkably consistent pattern regardless of the attacker or the target. Ransomware gangs, nation-state groups, opportunistic hackers — they all move through the same fundamental stages, just with different tools and different levels of patience.

The Cyber Kill Chain gives defenders a shared language and a structured lens for understanding attacks. Instead of reacting to incidents after the damage is done, security teams can map observed activity to a specific stage and predict what comes next — then act before it does.

The seven stages of every attack

Lockheed Martin defined seven distinct stages. An attacker must pass through all of them to successfully complete their objective. The further along the chain they get before being detected, the harder and more expensive the remediation becomes.

CYBER KILL CHAIN — ALL SEVEN STAGES

1. Reconnaissance

The attacker researches the target before touching anything. This includes scanning public websites, LinkedIn profiles, company registration records, job postings that reveal technology stacks, and any data leaked in previous breaches. The goal is to build a detailed picture of the target with zero risk of detection.

2. Weaponisation

The attacker prepares their attack tool — pairing a piece of malware with a delivery mechanism. A common example is embedding malicious code inside a Word document or PDF that looks legitimate. At this stage, nothing has touched the target yet. The weapon is being built off-site.

3. Delivery

The weaponised payload is sent to the target. Email phishing is by far the most common delivery method — a convincing message with a malicious attachment or link. Other delivery vectors include USB drops, compromised websites, and third-party software updates.

4. Exploitation

The payload triggers. A vulnerability in software, a human clicking a link, a misconfigured server — something fails and the attacker's code executes on the target system. This is the moment the breach technically begins. Everything before this point was preparation.

5. Installation

The attacker installs a backdoor or remote access tool to ensure they can return to the system even if the initial vulnerability is patched. This is persistence — the ability to survive reboots, credential changes, and basic remediation attempts by the target's IT team.

6. Command and control (C2)

The installed backdoor connects back to an attacker-controlled server. From that point forward, the attacker can issue commands to the compromised machine remotely — move files, run tools, escalate privileges, or pivot to other systems on the same network — all without being physically present.

7. Actions on objectives

The attacker achieves their goal. For a ransomware gang, this means encrypting files and dropping a ransom note. For an espionage group, it means exfiltrating sensitive documents. For a hacktivist, it might mean defacing a website. The objective differs by actor — but reaching this stage means the attack succeeded.

The key insight here is that stage seven — the actual damage — only happens after the attacker successfully completes the first six stages. Every single stage is an opportunity to detect and stop them. The earlier you catch it, the cheaper and less damaging the response.

Seeing all seven stages in a single visual

Here is the complete chain mapped out as a flow. Each stage connects directly to the next — and a break at any point stops the attack from progressing further.

Recon (Stage 1) → Weaponise (Stage 2) → Deliver (Stage 3) → Exploit (Stage 4) → Install (Stage 5) → C2 (Stage 6) → Objectives (Stage 7)

Break any link in this chain and the attack stops. Every stage is a detection opportunity.

Notice the chain moves left to right — but defenders work right to left in terms of priority. Stopping an attacker at stage one is ideal. Stopping them at stage six is still a win, even if more expensive. Reaching stage seven means the damage is done.

A real attack mapped across all seven stages

Theory lands better with a concrete example. Here is a realistic ransomware attack mapped stage by stage through the Kill Chain — the kind of incident a pen tester is hired to simulate and a security team is paid to prevent.

CASE STUDY — Ransomware Attack Mapped to Kill Chain (real-world pattern)

Stage 1, Reconnaissance: The attacker finds the target company on LinkedIn, identifies employees in finance, and notes that their job postings mention Microsoft 365. They look up previously leaked credentials from old data breaches.

Stage 2, Weaponisation: They create a convincing invoice document in Word format with a malicious macro embedded. The document is designed to look like it came from a known supplier.

Stage 3, Delivery: A phishing email lands in the accounts payable inbox. Subject line: "Invoice #4821 — Payment Required." The attachment looks completely normal.

Stage 4, Exploitation: An employee opens the document and enables macros when prompted. The macro executes and downloads a second-stage payload from an attacker-controlled server.

Stage 5, Installation: A remote access trojan installs itself and adds a registry key to survive reboots. The employee's machine is now under attacker control — silently.

Stage 6, Command and control: The trojan calls home to the attacker's server. The attacker begins mapping the internal network, escalating privileges, and moving laterally to the file server where sensitive data is stored.

Stage 7, Actions on objectives: Ransomware is deployed across the network. Files are encrypted. A ransom note appears on every screen. The entire process from the first phishing email took 72 hours.

72 hours. That is a realistic timeline for a ransomware attack against an organisation with no behavioural monitoring in place. Each of those stages offered a detection opportunity. The attacker succeeded because the activity at none of those stages was caught in time.

Defender actions at each stage

The Kill Chain is not just an attacker's map — it is a defender's checklist. For every stage an attacker goes through, there is a corresponding defensive control that can detect or stop them. Understanding this mapping is one of the most practically useful things you can take from this lesson.

Reconnaissance
  Defender's response: Reduce your public attack surface
  Tools and controls: OSINT audits, limiting exposed data, employee awareness

Weaponisation
  Defender's response: Harden software to reduce exploitable surface
  Tools and controls: Patch management, disabling macros by default

Delivery
  Defender's response: Block malicious content before it reaches users
  Tools and controls: Email filtering, web proxies, phishing training

Exploitation
  Defender's response: Prevent code execution on vulnerable systems
  Tools and controls: Endpoint protection, DEP, application whitelisting

Installation
  Defender's response: Detect and block persistence mechanisms
  Tools and controls: EDR solutions, registry monitoring, file integrity checks

Command and control
  Defender's response: Block outbound connections to attacker infrastructure
  Tools and controls: DNS filtering, network monitoring, threat intel feeds

Actions on objectives
  Defender's response: Contain damage and recover
  Tools and controls: Incident response plan, offline backups, network segmentation

Notice that the controls in the early stages — recon, weaponisation, delivery — are mostly preventive. The controls in the later stages — C2, actions on objectives — are mostly about containment and recovery. The goal is always to push detection as early in the chain as possible.
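As an added example (not code from the lesson), here is a small Python triage helper that maps telemetry events onto the seven stages, reports how far an attacker got, where a control broke the chain, and the dwell time between the first event and the one that mattered last. The event categories, the category-to-stage mapping and the sample events (one set replaying the 72-hour case study above, one where DNS filtering blocks the C2 call) are assumptions constructed for this example.

```python
# Map observed security events onto Cyber Kill Chain stages.
# Added example for this lesson, not code from the original page; the event
# categories, the stage mapping and the sample events are all constructed.
from datetime import datetime

STAGES = ["Reconnaissance", "Weaponisation", "Delivery", "Exploitation",
          "Installation", "Command and control", "Actions on objectives"]

# Assumed mapping from a telemetry category to the stage it evidences.
CATEGORY_STAGE = {
    "inbound_attachment": "Delivery",
    "macro_execution": "Exploitation",
    "run_key_added": "Installation",
    "dns_to_known_bad": "Command and control",
    "mass_file_encryption": "Actions on objectives",
}


def analyse(events):
    """events: (iso_timestamp, category, blocked) tuples in any order.
    Returns furthest unblocked stage, the stage where a control broke the
    chain (or None), the next stage to expect, and dwell time in hours."""
    ordered = sorted(events, key=lambda e: e[0])
    reached, broken_at, last_ts = -1, None, ordered[0][0]
    for ts, category, blocked in ordered:
        idx = STAGES.index(CATEGORY_STAGE[category])
        last_ts = ts
        if blocked:
            broken_at = STAGES[idx]   # chain stopped here; later events ignored
            break
        reached = max(reached, idx)  # stages may be observed out of order
    hours = (datetime.fromisoformat(last_ts)
             - datetime.fromisoformat(ordered[0][0])).total_seconds() / 3600
    next_stage = None
    if broken_at is None and reached < len(STAGES) - 1:
        next_stage = STAGES[reached + 1]
    return {"furthest_stage": STAGES[reached] if reached >= 0 else None,
            "broken_at": broken_at, "next_expected": next_stage,
            "dwell_hours": hours}


# Constructed events: the lesson's 72-hour ransomware case study, uncaught.
CASE_STUDY = [("2024-03-04T09:00:00", "inbound_attachment", False),
              ("2024-03-04T09:12:00", "macro_execution", False),
              ("2024-03-04T09:15:00", "run_key_added", False),
              ("2024-03-04T10:00:00", "dns_to_known_bad", False),
              ("2024-03-07T09:00:00", "mass_file_encryption", False)]
# Constructed events: same intrusion, but DNS filtering blocks the C2 call.
BLOCKED_AT_C2 = CASE_STUDY[:3] + [("2024-03-04T10:00:00", "dns_to_known_bad", True)]
```

Run `analyse(CASE_STUDY)` to see the chain reach stage seven with no break, and `analyse(BLOCKED_AT_C2)` to see it stop at command and control with the furthest attacker foothold recorded as installation.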

Where the Kill Chain fits into a pen test

For an ethical hacker, the Kill Chain serves two purposes. First, it gives you a framework for planning an attack simulation — you know which stages to execute in which order and what each one should achieve. Second, it gives you a language for your report — you can tell the client exactly which stages of the Kill Chain their current defences would and would not detect.

A well-written pen test report doesn't just list vulnerabilities. It maps findings to Kill Chain stages and tells the client: your defences stopped us at stage four, but if we had reached stage five, here is what would have happened next. That context turns a list of findings into a story the client can act on.

The Kill Chain is not the only framework

MITRE ATT&CK is a more detailed framework that expands the Kill Chain into hundreds of specific techniques and sub-techniques used by real threat actors. It is the industry standard for threat intelligence and advanced red team operations. The Kill Chain gives you the high-level map. MITRE ATT&CK fills in every detail on that map. You will encounter both throughout your career — the Kill Chain for client communications, MITRE ATT&CK for technical planning and threat intel work.

Teacher's Note: When you write your first real pen test report, map every finding to a Kill Chain stage. It forces you to think about the full attack path rather than isolated vulnerabilities, and it gives the client a much clearer picture of their actual exposure.

Practice questions

Scenario:

A company's security team discovers that several employees received an email last Tuesday containing a PDF attachment. The PDF contained a hidden exploit but nobody opened it — the email was caught by a spam filter before any of the recipients clicked it. The attacker had already built and tested the malicious PDF days earlier. At which stage of the Kill Chain was this attack successfully stopped?


Scenario:

During a red team engagement, your team successfully exploits a vulnerability on a target server and installs a lightweight backdoor that survives a reboot. You then attempt to connect the backdoor to your command server — but the client's DNS filtering system blocks the outbound connection. The attack cannot progress any further. At which stage of the Kill Chain did the client's control successfully intervene?


Scenario:

An attacker spends two weeks studying a target company's public LinkedIn profiles, their corporate website, and job postings. They build a list of employee names, email formats, the software the company uses, and identify three employees who recently posted about working late on a new product launch. No connection has been made to the company's systems yet. Which stage of the Kill Chain is the attacker currently in?


Quiz

Scenario:

During a red team engagement, your team has successfully exploited a web server and gained initial access. Your next step is to drop a small backdoor into a startup folder and add a registry key so your access survives if the server is rebooted or if someone changes the password on the account you used to get in. Which Kill Chain stage does this activity belong to?

Scenario:

A CISO asks your team: "If we can only invest in hardening one stage of the Kill Chain against phishing-based attacks, which stage gives us the highest return?" Your team discusses the options. Which stage is the most effective single point of intervention against a phishing-led attack chain?

Scenario:

Two pen test teams submit reports to the same client after separate engagements. Team A lists fifteen vulnerabilities with CVSS scores. Team B lists the same fifteen vulnerabilities but also maps each one to a Kill Chain stage, explains which stage the client's defences successfully stopped them at, and describes what would have happened if the attack had progressed further. The client's CISO says Team B's report was far more useful. What specifically made it better?

Up Next · Lesson 6

Footprinting & Reconnaissance

Stage one of every real engagement — learn exactly what a professional pen tester collects before a single scan runs.