The Seven Phases of a Cyberattack: A Detailed Look at the Cyber Kill Chain

Eva Rodríguez Vidal, Marketing Manager at SNGULAR

March 26, 2025

In the field of cybersecurity, understanding the methodology used by attackers is essential to anticipate their actions and strengthen defenses. In a context where attacks are not only increasing in volume but also evolving rapidly—thanks to artificial intelligence, automation, and increasingly accessible tools—prevention is far more effective than trying to recover productivity after an incident.

The key to staying ahead lies in understanding the sequence of events that systematically make up a cyberattack—what’s known as the Cyber Kill Chain. This model, developed by Lockheed Martin, outlines the seven phases that typically constitute the lifecycle of a cyberattack, from initial planning to the achievement of the final objective.

Phase 1: Reconnaissance

It all begins with reconnaissance. In this phase, the attacker gathers information about the target—either actively or passively—in order to understand how the organization operates, what technologies it uses, how its network is structured, and who the key employees are. Today, thanks to the abundance of public data and automation through scraping tools and artificial intelligence, this stage is more sophisticated and dangerous than ever.

Reconnaissance techniques include:

Port and service scanning: Automated detection of active services and open ports to identify potential vulnerabilities.

Technology fingerprinting: Identification of exposed technologies, frameworks, and versions to correlate with known vulnerabilities.

Domain information gathering: Analysis of public records (such as WHOIS and DNS) to map the digital infrastructure.

Passive social engineering: Reviewing public profiles (LinkedIn, GitHub, etc.) to identify staff, used technologies, and possible human weaknesses.

Corporate email analysis: Identifying patterns in emails, checking for prior breaches, and preparing for potential phishing attacks.

Cloud exploration: Detecting insecure configurations in cloud environments, such as publicly exposed or poorly protected resources.

Proactive monitoring and specialized external analysis make this phase more difficult and help detect potential signs of ongoing reconnaissance. Many organizations rely on threat intelligence services or offensive simulations to audit this phase from the attacker’s perspective. Additionally, advances in anomaly detection and AI-based analytics are enabling real-time recognition of scanning or data-gathering activity—even before the actual attack unfolds.

Phase 2: Weaponization

Once the necessary information has been gathered, the attacker enters the preparation phase, also known as weaponization. Here, specific tools are crafted and assembled to compromise the target. What stands out today is not only the sophistication of these tools but the high degree of customization they offer—especially thanks to generative AI.

Based on the information collected in the previous phase, the attacker defines the strategy, selects vulnerabilities to exploit, chooses entry channels, and develops or customizes malware to remain undetected in the organization’s environment. The precision of this phase can determine whether the attack succeeds or fails.

Common actions at this stage include:

Exploit selection and customization: Tailoring known or zero-day exploits to specific software versions using tools like Metasploit or custom-built exploits.

Creation of obfuscated/polymorphic malware: Developing malware that changes its code to evade antivirus and EDR detection, often aided by AI techniques.

Designing malicious files: Crafting seemingly legitimate documents (PDFs, Excel, etc.) that execute exploits or download payloads, sometimes even with compromised digital signatures.

Command and Control (C2) infrastructure: Setting up hidden C2 servers using legitimate services, domain fronting, P2P, or blockchain to avoid tracking.

Personalized phishing preparation: Crafting deceptive emails with malicious links or attachments based on the reconnaissance information to increase effectiveness.

At this point, attackers no longer operate generically—the attack is designed like a surgical operation. The professionalization of cybercrime-as-a-service means that many actors don’t develop tools themselves; they rent or purchase them on specialized markets, including packaged malware services, C2 servers, and even full attack kits by subscription.

Phase 3: Delivery

With the tools ready, the next step is delivering them to the target. The delivery phase is critical, marking the transition from preparation to action. The goal is clear: introduce the exploit or malware into the target environment without detection.

This phase has evolved significantly thanks to advanced social engineering, automation, and creative use of legitimate channels to mask malicious intent. Attackers also exploit distributed and hybrid environments, where traditional defenses often leave gaps.

Common delivery methods include:

Spear phishing emails: Personalized, realistic emails—often AI-generated—that mimic internal communications and leverage real-world events.

Watering hole attacks: Infecting websites frequently visited by the target’s staff to exploit browser or plugin vulnerabilities.

Infected external devices or IoT gadgets: USB drives, IoT devices, or tampered chargers used to introduce malware—especially in environments with physical access.

Supply chain attacks: Compromising trusted vendors to insert malicious code into updates or products.

Malicious links on collaboration platforms: Misuse of tools like Teams, Slack, or cloud services to distribute malicious files or links.

Exploitation of exposed APIs or services: Using poorly secured cloud endpoints as entry points to execute code or deploy malware.

Today, attack delivery is designed to appear completely harmless. Success depends on the attack going unnoticed until it’s too late. That’s why many organizations are reinforcing this phase with technologies such as sandboxing, behavioral email threat protection, and suspicious activity detection on collaboration platforms.

Phase 4: Exploitation

The exploitation phase is the point of no return: this is where the exploit executes, the vulnerability is triggered, and the attacker gains initial control over the target system. It marks the transition from a potential threat to a real intrusion.

Thanks to more precise delivery methods and tailored exploits, this phase can now be triggered without direct user interaction. Attacks are increasingly silent and harder to detect, often using zero-day vulnerabilities, fileless exploits, or in-memory techniques (living-off-the-land).

Common forms of exploitation include:

Opening malicious files: Documents exploiting office software vulnerabilities using encrypted macros or hidden functions.

Clicking malicious links: Redirects to websites that auto-execute exploits in the browser or vulnerable extensions.

Fileless attacks: Executing code in memory via system tools like PowerShell or WMI, bypassing traditional detection.

Dynamic payload loading: Files that act as droppers, downloading the actual malware only when conditions are optimal.

Exploitation of vulnerable services: Using specially crafted packets to trigger buffer overflows or remote code execution in outdated services.

Modern attacks may also detect sandbox or test environments and delay execution until they confirm they’re on a real system. This sophistication reduces the response window for defenders. Without strong behavior detection, network segmentation, and automated response mechanisms, the attacker has already won the first major battle.

Phase 5: Installation

After successful exploitation, many attacks require an installation phase to establish a persistent presence within the compromised system. This allows the attacker to maintain access, escalate privileges, and prepare for advanced actions like data exfiltration, lateral movement, or service disruption.

Not all attacks today require traditional malware installation. Fileless techniques, direct cloud service exploitation, and use of compromised accounts have reduced the need for persistent agents. However, when malware is installed, it’s stealthier, modular, and more adaptive than ever.

Common installation techniques include:

Backdoors and RATs: Installing encrypted, modular remote access trojans capable of evading analysis and adapting dynamically.

Hidden persistent accounts: Creating privileged users in AD or local systems disguised as legitimate support or system accounts.

Living-off-the-land: Using OS tools (PowerShell, WMI, etc.) to execute commands without installing additional malware.

Persistence in cloud/SaaS environments: Using malicious OAuth apps, altered automations, or persistent tokens to maintain access to platforms like Microsoft 365 or Google Workspace.

System configuration modification: Registry changes, cron jobs, or hijacking legitimate processes to ensure continuous access (e.g., web shells, injections).

Defense deactivation: Automatic attempts to disable antivirus, EDR, or firewalls before establishing persistence.

It’s also important to note that not all attacks follow this path. CEO fraud or Business Email Compromise (BEC) attacks don’t require software installation—just access to an email account to manipulate communications and execute fraudulent transfers or steal strategic info. These attacks are harder to detect due to the lack of technical traces and heavy reliance on social engineering.

The greatest risk now is that, once a minimal malicious presence is installed, the attacker can take their time, move slowly, and observe the environment to choose the optimal moment and method to act.

Phase 6: Command and Control

Once the attacker has established an access point within the system, the next step is to set up an external communication channel. This enables them to send instructions, receive stolen data, and operate within the compromised environment with full control. This Command and Control (C2) phase is critical for attack continuity and escalation.

C2 channels are stealthier, more resilient, and harder to detect than ever. They use legitimate protocols, cloud services, and end-to-end encryption to evade traffic inspection. Many attacks also include redundant C2 mechanisms to stay active even if one channel is blocked.

Common characteristics of this phase:

Advanced encrypted channels: Use of HTTPS, DNS tunneling, WebSockets, MQTT, or gRPC to connect malware to the attacker’s server discreetly.

Abuse of legitimate services: Hidden communication via platforms like GitHub, Dropbox, Google Sheets, Telegram, or Signal to camouflage traffic.

Domain fronting and evasion: Traffic redirected to attacker-controlled servers under the guise of legitimate domains like CDNs.

Event-triggered activation: Malware stays inactive until a condition is met (e.g., opening a file or connecting to a specific network).

Use of bots and proxy nodes: Indirect communication via compromised devices acting as proxies to hide the attacker’s origin.

Autonomy and resilience: Malware capable of operating offline temporarily and resynchronizing once the connection resumes.

The big challenge for organizations is that many of these C2 communications go completely unnoticed by traditional controls. That’s why it’s critical to use advanced EDR/XDR, behavioral analysis (UEBA), and continuous monitoring capable of detecting anomalies in encrypted traffic or cloud services.
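As an added illustration (written for this page, not code from the original article or from SNGULAR), here is a small defender-side heuristic for one of the C2 channels listed above, DNS tunneling. It groups DNS queries by client and registrable domain and flags groups whose leading labels are long, high-entropy and never repeated, the shape of data encoded into hostnames. The log format, the sample lines and the two-label approximation of the registrable domain are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample resolver log, one query per line: "<epoch> <client_ip> <queried_name>".
SAMPLE_LOG = """\
1711440000 10.0.0.5 www.example.com
1711440001 10.0.0.5 mail.example.com
1711440002 10.0.0.7 k7x2mq9v4bzl0pwh3ncr8tys5egd1fja.t1.example.net
1711440003 10.0.0.7 p3rt8ae0vkc6ymw2zqs9hnl4dfx1bgju.t1.example.net
1711440004 10.0.0.7 z5nq1bxd7wmt3kfy0ge9hcv8ras2ljp4.t1.example.net
1711440005 10.0.0.7 m9dw4slh2xrb0tnq7cyk6fze3gva1pju.t1.example.net
1711440006 10.0.0.5 www.example.com
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_log(text: str):
    """Yield (client_ip, queried_name) pairs from the assumed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[1], parts[2].lower().rstrip(".")

def find_dns_tunnel_candidates(log_text, min_unique=4, min_label_len=24, min_entropy=3.0):
    """Return (client, base_domain, unique_labels, avg_entropy) for suspicious groups.
    The registrable domain is approximated as the last two labels (assumption;
    use a public-suffix list in production)."""
    groups = defaultdict(set)
    for client, name in parse_log(log_text):
        labels = name.split(".")
        if len(labels) < 3:          # no subdomain label to inspect
            continue
        groups[(client, ".".join(labels[-2:]))].add(labels[0])
    flagged = []
    for (client, base), firsts in groups.items():
        if len(firsts) < min_unique:  # few distinct names: ordinary browsing
            continue
        avg_len = sum(map(len, firsts)) / len(firsts)
        avg_ent = sum(map(shannon_entropy, firsts)) / len(firsts)
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            flagged.append((client, base, len(firsts), round(avg_ent, 2)))
    return flagged

if __name__ == "__main__":
    for hit in find_dns_tunnel_candidates(SAMPLE_LOG):
        print("possible DNS tunnel:", hit)
```

Thresholds are starting points; tune them against a baseline of your own resolver traffic, since CDNs and some telemetry also generate long unique labels.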

Phase 7: Actions on Objectives

This is the final phase of the attack chain. At this point, the attacker has access, control, and freedom of movement within the compromised environment and begins executing their true objective. What happens in this stage depends entirely on the attack’s original intent: espionage, economic damage, sabotage, extortion, or even using the environment as a platform for further attacks.

Cyberattackers—whether criminal groups, hacktivists, or state actors—are working with greater precision, automation, and patience. Many remain inside the environment for weeks or months, analyzing internal structures, studying workflows, and waiting for the most critical moment to strike.

Common objectives include:

Theft of confidential information: Exfiltration of sensitive data (customers, IP, finances, source code) for resale, extortion, or strategic use.

Ransomware and multi-layer extortion: System encryption combined with leak threats, third-party alerts, or public exposure to force payment.

Lateral movement and spread: Expanding within the network or to third parties (clients, partners), increasing the attack’s scope.

Disruption of critical services: System sabotage, infrastructure overload, or induced errors that impact operations and public image.

Prolonged espionage: Silent presence to collect long-term data, typical of APT groups with strategic goals.

Data manipulation: Altering key information (financial, operational, reputational) to affect decisions or cause internal chaos.

At this stage, the attacker is no longer hiding—they act with a clear purpose, and the organization’s response options are limited if early detection and containment were not achieved.

That’s why the main strategic goal should not just be to prevent reaching this phase, but to hinder its execution and minimize its impact. This is achieved through containment measures, continuous monitoring, network segmentation, robust backups, and—most importantly—a real early detection capability.

Constant Evolution and the Need for Continuous Testing and Audits

In a constantly changing threat landscape, one-time audits are no longer enough. We must move from a static view (“snapshot”) to a dynamic one (“real-time video”), continuously validating that our defenses remain effective.

CTEM: Continuous Threat Exposure Management

Continuous Threat Exposure Management (CTEM) addresses this need with a cyclical, risk-based business approach. It goes beyond identifying vulnerabilities to map the attack surface, assess exploitability, simulate attacks, and coordinate proactive remediation.

Automation and Regulatory Compliance

BAS (Breach and Attack Simulation) platforms validate daily whether controls like firewalls, EDR, or segmentation are working effectively. Moreover, regulations like NIS2, DORA, and ISO/IEC 27001:2022 increasingly demand active security, where compliance is the result of effective risk management.

Conclusion

Understanding the phases of a cyberattack is key to anticipating and minimizing its impact. Cybersecurity is no longer just technical—it is strategic. It’s not enough to prevent; we must constantly detect, validate, and respond. Only organizations that invest in visibility and continuous improvement will be ready for what’s next.

Want to learn more? Join us at our online event: The Next Breach: Cybersecurity as a Pillar of Sustainable Growth.

Eva Rodríguez Vidal, Marketing Manager at SNGULAR

With a strong foundation in marketing and an innovation-oriented mindset, I specialize in creating content that enables companies to understand and adopt new technologies and digital solutions, aiming to enhance their productivity, efficiency, and achieve their business goals.
