Kill chain

From Wikipedia, the free encyclopedia

The term kill chain is a military concept which identifies the structure of an attack. It consists of:

Conversely, the idea of "breaking" an opponent's kill chain is a method of defense or preemptive action.[2]



One military kill chain model is the "F2T2EA", which includes the following phases:

  • Find: Identify a target. Find a target within surveillance or reconnaissance data or via intelligence means.
  • Fix: Fix the target's location. Obtain specific coordinates for the target either from existing data or by collecting additional data.
  • Track: Monitor the target's movement. Keep track of the target until either a decision is made not to engage the target or the target is successfully engaged.
  • Target: Select an appropriate weapon or asset to use on the target to create desired effects. Apply command and control capabilities to assess the value of the target and the availability of appropriate weapons to engage it.
  • Engage: Apply the weapon to the target.
  • Assess: Evaluate effects of the attack, including any intelligence gathered at the location.

This is an integrated, end-to-end process described as a "chain" because an interruption at any stage can interrupt the entire process.[3][4]

Previous terminology[edit]

The "Four Fs" is a military term used in the United States military, especially during World War II.[citation needed]

Designed to be easy to remember, the "Four Fs" are as follows:

  • Find the enemy – Locate the enemy.
  • Fix the enemy – Pin them down with suppressing fire.
  • Fight the enemy – Engage the enemy in combat or flank the enemy – Send soldiers to the enemy's sides or rear.
  • Finish the enemy – Eliminate all enemy combatants.[citation needed]

Proposed terminology[edit]

The "Five Fs" is a military term described by Maj. Mike "Pako" Benitez, an F-15E Strike Eagle Weapons Systems Officer who served in the United States Air Force and the United States Marine Corps.

Designed to update the Kill Chain to reflect updated, autonomous and semi-autonomous weapon systems, the "Five Fs" are described in "It's About Time: The Pressing Need to Evolve the Kill Chain"[5] as follows:

  • Find encapsulates the unity of effort of Joint Intelligence Preparation of the Operating Environment, matching collection assets to commander's intent and targeted areas of interest. This inevitably leads to detections, which may be further classified as an emerging target if it meets the intent.
  • Fix is doctrinally described as "identifying an emerging target as worthy of engagement and determines its position and other data with sufficient fidelity to permit engagement."
  • Fire involves committing forces or resources (i.e., releasing a munition, payload, or expendable)
  • Finish involves employment with strike approval authorities (i.e., striking a target/firing directed energy/destructive electronic attack). This is similar to a ground element executing maneuvers to contact but then adhering to prescribed rules of engagement once arriving at the point of friction?
  • Feedback closes the operational OODA Loop[6] with an evaluative step, in some circumstances referred to as "Bomb Damage Assessment".

North Korean nuclear capability[edit]

A new American military contingency plan called "Kill Chain" is reportedly the first step in a new strategy to use satellite imagery to identify North Korean launch sites, nuclear facilities and manufacturing capability and destroy them pre-emptively if a conflict seems imminent. The plan was mentioned in a joint statement by the United States and South Korea.[7][8]


Intrusion kill chain for information security[9]

Attack phases and countermeasures[edit]

More recently, Lockheed Martin adapted this concept to information security, using it as a method for modeling intrusions on a computer network.[10] The cyber kill chain model has seen some adoption in the information security community.[11] However, acceptance is not universal, with critics pointing to what they believe are fundamental flaws in the model.[12]

Computer scientists at Lockheed-Martin corporation described a new "intrusion kill chain" framework or model to defend computer networks in 2011.[3] They wrote that attacks may occur in phases and can be disrupted through controls established at each phase. Since then, the "cyber kill chain" has been adopted by data security organizations to define phases of cyberattacks.[13]

A cyber kill chain reveals the phases of a cyberattack: from early reconnaissance to the goal of data exfiltration.[14] The kill chain can also be used as a management tool to help continuously improve network defense. According to Lockheed Martin, threats must progress through several phases in the model, including:

  1. Reconnaissance: Intruder selects target, researches it, and attempts to identify vulnerabilities in the target network.
  2. Weaponization: Intruder creates remote access malware weapon, such as a virus or worm, tailored to one or more vulnerabilities.
  3. Delivery: Intruder transmits weapon to target (e.g., via e-mail attachments, websites or USB drives)
  4. Exploitation: Malware weapon's program code triggers, which takes action on target network to exploit vulnerability.
  5. Installation: Malware weapon installs an access point (e.g., "backdoor") usable by the intruder.
  6. Command and Control: Malware enables intruder to have "hands on the keyboard" persistent access to the target network.
  7. Actions on Objective: Intruder takes action to achieve their goals, such as data exfiltration, data destruction, or encryption for ransom.

Defensive courses of action can be taken against these phases:[15]

  1. Detect: Determine whether an intruder is present.
  2. Deny: Prevent information disclosure and unauthorized access.
  3. Disrupt: Stop or change outbound traffic (to attacker).
  4. Degrade: Counter-attack command and control.
  5. Deceive: Interfere with command and control.
  6. Contain: Network segmentation changes

A U.S. Senate investigation of the 2013 Target Corporation data breach included analysis based on the Lockheed-Martin kill chain framework. It identified several stages where controls did not prevent or detect progression of the attack.[9]


Different organizations have constructed their own kill chains to try to model different threats. FireEye proposes a linear model similar to Lockheed-Martin's. In FireEye's kill chain the persistence of threats is emphasized. This model stresses that a threat does not end after one cycle.[16]

  1. Reconnaissance: This is the initial phase where the attacker gathers information about the target system or network. This could involve scanning for vulnerabilities, researching potential entry points, and identifying potential targets within the organization.
  2. Initial Intrusion: Once the attacker has gathered enough information, they attempt to breach the target system or network. This could involve exploiting vulnerabilities in software or systems, utilizing social engineering techniques to trick users, or using other methods to gain initial access.
  3. Establish a Backdoor: After gaining initial access, the attacker often creates a backdoor or a persistent entry point into the compromised system. This ensures that even if the initial breach is discovered and mitigated, the attacker can still regain access.
  4. Obtain User Credentials: With a foothold in the system, the attacker may attempt to steal user credentials. This can involve techniques like keylogging, phishing, or exploiting weak authentication mechanisms.
  5. Install Various Utilities: Attackers may install various tools, utilities, or malware on the compromised system to facilitate further movement, data collection, or control. These tools could include remote access Trojans (RATs), keyloggers, and other types of malicious software.
  6. Privilege Escalation / Lateral Movement / Data Exfiltration: Once inside the system, the attacker seeks to elevate their privileges to gain more control over the network. They might move laterally within the network, trying to access more valuable systems or sensitive data. Data exfiltration involves stealing and transmitting valuable information out of the network.
  7. Maintain Persistence: This stage emphasizes the attacker's goal to maintain a long-term presence within the compromised environment. They do this by continuously evading detection, updating their tools, and adapting to any security measures put in place.


Among the critiques of Lockheed Martin's cyber kill chain model as threat assessment and prevention tool is that the first phases happen outside the defended network, making it difficult to identify or defend against actions in these phases.[17] Similarly, this methodology is said to reinforce traditional perimeter-based and malware-prevention based defensive strategies.[18] Others have noted that the traditional cyber kill chain isn't suitable to model the insider threat.[19] This is particularly troublesome given the likelihood of successful attacks that breach the internal network perimeter, which is why organizations "need to develop a strategy for dealing with attackers inside the firewall. They need to think of every attacker as [a] potential insider".[20]

Unified kill chain[edit]

The unified kill chain consists of 18 unique attack phases that can occur in advanced cyber attacks.

The Unified Kill Chain was developed in 2017 by Paul Pols in collaboration with Fox-IT and Leiden University to overcome common critiques against the traditional cyber kill chain, by uniting and extending Lockheed Martin's kill chain and MITRE's ATT&CK framework (both of which are based on the "Get In, Stay In, and Act" model constructed by James Tubberville and Joe Vest). The unified version of the kill chain is an ordered arrangement of 18 unique attack phases that may occur in end-to-end cyberattack, which covers activities that occur outside and within the defended network. As such, the unified kill chain improves over the scope limitations of the traditional kill chain and the time-agnostic nature of tactics in MITRE's ATT&CK. The unified model can be used to analyze, compare, and defend against end-to-end cyber attacks by advanced persistent threats (APTs).[21] A subsequent whitepaper on the unified kill chain was published in 2021.[22]


  1. ^ "Kill Chain Approach". Chief of Naval Operations. April 23, 2013. Archived from the original on June 13, 2013.
  2. ^ Jonathan Greenert; Mark Welsh (May 17, 2013). "Breaking the Kill Chain". Foreign Policy. Archived from the original on December 9, 2022. Retrieved June 30, 2016.
  3. ^ a b "Lockheed-Martin Corporation-Hutchins, Cloppert, and Amin-Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains-2011" (PDF). Archived (PDF) from the original on 2021-07-27. Retrieved 2021-08-26.
  4. ^ John A. Tirpak (July 1, 2000). "Find, Fix, Track, Target, Engage, Assess". Air Force Magazine.
  5. ^ Benitez, Mike (May 17, 2017). "It's About Time: The Pressing Need to Evolve the Kill Chain". War on the Rocks. Archived from the original on June 8, 2020. Retrieved April 28, 2020.
  6. ^ "The OODA Loop: How Fighter Pilots Make Fast and Accurate Decisions". March 15, 2021. Archived from the original on September 27, 2023. Retrieved September 10, 2023.
  7. ^ Sanger, David E. (July 6, 2017). "Tiny Satellites From Silicon Valley May Help Track North Korea Missiles". The New York Times. Archived from the original on July 7, 2017. Retrieved July 7, 2017.
  8. ^ "06/30/17 - Joint Statement between the United States and the Republic of Korea | U.S. Embassy & Consulate in Korea". U.S. Embassy & Consulate in Korea. 2017-06-30. Retrieved 2017-07-07.[permanent dead link]
  9. ^ a b "U.S. Senate-Committee on Commerce, Science, and Transportation-A "Kill Chain" Analysis of the 2013 Target Data Breach-March 26, 2014" (PDF). Archived from the original (PDF) on October 6, 2016.
  10. ^ Higgins, Kelly Jackson (January 12, 2013). "How Lockheed Martin's 'Kill Chain' Stopped SecurID Attack". DARKReading. Archived from the original on 2024-01-19. Retrieved June 30, 2016.
  11. ^ Mason, Sean (December 2, 2014). "Leveraging The Kill Chain For Awesome". DARKReading. Archived from the original on 2024-01-19. Retrieved June 30, 2016.
  12. ^ Myers, Lysa (October 4, 2013). "The practicality of the Cyber Kill Chain approach to security". CSO Online. Archived from the original on March 19, 2022. Retrieved June 30, 2016.
  13. ^ Greene, Tim (5 August 2016). "Why the 'cyber kill chain' needs an upgrade". Archived from the original on 2023-01-20. Retrieved 2016-08-19.
  14. ^ "The Cyber Kill Chain or: how I learned to stop worrying and love data breaches". 2016-06-20. Archived from the original on 2016-09-18. Retrieved 2016-08-19.
  15. ^ John Franco. "Cyber Defense Overview: Attack Patterns" (PDF). Archived (PDF) from the original on 2018-09-10. Retrieved 2017-05-15.
  16. ^ Kim, Hyeob; Kwon, HyukJun; Kim, Kyung Kyu (February 2019). "Modified cyber kill chain model for multimedia service environments". Multimedia Tools and Applications. 78 (3): 3153–3170. doi:10.1007/s11042-018-5897-5. ISSN 1380-7501.
  17. ^ Laliberte, Marc (September 21, 2016). "A Twist On The Cyber Kill Chain: Defending Against A JavaScript Malware Attack". DARKReading. Archived from the original on 2023-12-13.
  18. ^ Engel, Giora (November 18, 2014). "Deconstructing The Cyber Kill Chain". DARKReading. Archived from the original on 2023-12-15. Retrieved June 30, 2016.
  19. ^ Reidy, Patrick. "Combating the Insider Threat at the FBI" (PDF). BlackHat USA 2013. Archived (PDF) from the original on 2019-08-15. Retrieved 2018-10-15.
  20. ^ Devost, Matt (February 19, 2015). "Every Cyber Attacker is an Insider". OODA Loop. Archived from the original on August 26, 2021. Retrieved August 26, 2021.
  21. ^ Pols, Paul (December 7, 2017). "The Unified Kill Chain" (PDF). Cyber Security Academy. Archived (PDF) from the original on May 17, 2021. Retrieved May 17, 2021.
  22. ^ Pols, Paul (May 17, 2021). "The Unified Kill Chain". Archived from the original on May 17, 2021. Retrieved May 17, 2021.