Models

The cyber kill chain, stage by stage.

The kill chain is a model that breaks an intrusion into ordered stages, from an attacker's first research to their final goal. It is not the only model, and it has well-known limits, but it gives a beginner a clear mental map of how attacks unfold — and where a SOC can intervene.

The stages

How an intrusion progresses

1. Reconnaissance: The attacker researches the target — people, systems, and exposed services.
2. Weaponisation: They prepare the means of attack, such as a malicious document or exploit.
3. Delivery: They get it to the target: phishing email, malicious link, infected file.
4. Exploitation: The payload runs, taking advantage of a vulnerability or a user action.
5. Installation: They establish a foothold so they can return.
6. Command and control: The compromised host phones home for instructions.
7. Actions on objectives: The attacker pursues the goal: data theft, ransomware, further spread.

Defender's view

Breaking the chain

The core idea

  • An attack must complete every stage to succeed.
  • Defenders only need to break it at one stage.
  • Earlier is better — less damage to undo.

Where the SOC fits

  • Detections aim to catch tell-tale signs at each stage.
  • A command-and-control beacon, for instance, is detectable in logs.
  • The earlier the detection fires, the cheaper the response.

Honest limits

Where the model falls short

The kill chain was shaped around malware-style intrusions and is weaker at describing attacks that rely on stolen credentials or insiders, where there is no obvious "delivery" or "installation". Real attacks also loop and skip stages rather than march neatly in order.

For that reason most SOCs pair it with a more granular framework like MITRE ATT&CK, which catalogues specific techniques rather than broad phases. Use the kill chain for the big-picture story and ATT&CK for the detailed detection mapping. The threat intelligence guide touches on how behaviour-based detection builds on these models.

Using it

In a real investigation

When you investigate an alert, mentally placing the evidence on the kill chain helps you reason about scope: if you are seeing command-and-control traffic, earlier stages already happened, so you go looking for the delivery and exploitation that preceded it. That habit — asking "what must have come before, and what might come next?" — is what separates a checklist follower from an analyst. Practise it on the labs.
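Two ideas on this page are worth seeing as working code: that a command-and-control beacon is detectable in logs (the "Where the SOC fits" list), and that placing evidence on the kill chain tells you which stages must already have happened and which may follow (this paragraph). The example below is added here and is not code from the original page. It reads a handful of constructed proxy log lines (the host names, timestamps and byte counts are made up), flags source/destination pairs whose connection intervals are nearly constant, labels each hit with its kill-chain stage and an ATT&CK technique id (T1071.001, Web Protocols, chosen here as the detailed mapping; the page itself names no technique), and then answers the "what must have come before?" question for that stage. The interval-regularity threshold and minimum hit count are assumptions chosen for the sample data.

```python
"""Beacon detection over constructed proxy logs, placed on the kill chain.

Added example, not from the original page. Log lines, hosts, thresholds
and the ATT&CK mapping are constructed or assumed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# The seven stages, in the order the page lists them.
KILL_CHAIN = [
    "Reconnaissance", "Weaponisation", "Delivery", "Exploitation",
    "Installation", "Command and control", "Actions on objectives",
]

# Constructed proxy log lines: timestamp, source host, destination, bytes.
# ws-17 talks to one destination every five minutes (a beacon pattern);
# ws-22 contacts the intranet often but at irregular intervals (normal use).
SAMPLE_LOGS = """\
2024-05-01T09:00:00 ws-17 cdn.example-update.test 512
2024-05-01T09:00:05 ws-17 intranet.example.test 20480
2024-05-01T09:05:00 ws-17 cdn.example-update.test 514
2024-05-01T09:10:00 ws-17 cdn.example-update.test 511
2024-05-01T09:15:01 ws-17 cdn.example-update.test 513
2024-05-01T09:20:00 ws-17 cdn.example-update.test 512
2024-05-01T09:25:00 ws-17 cdn.example-update.test 512
2024-05-01T09:03:12 ws-22 intranet.example.test 4096
2024-05-01T09:07:48 ws-22 intranet.example.test 8192
2024-05-01T09:21:03 ws-22 intranet.example.test 2048
2024-05-01T09:22:30 ws-22 intranet.example.test 1024
2024-05-01T09:44:10 ws-22 intranet.example.test 3072
"""


def parse_logs(text):
    """Turn the space-separated log format above into (time, src, dst, bytes)."""
    events = []
    for line in text.splitlines():
        ts, src, dst, size = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(size)))
    return events


def find_beacons(events, min_hits=5, max_jitter=0.05):
    """Flag (src, dst) pairs whose gaps between connections are nearly constant.

    Jitter is the coefficient of variation (stdev / mean) of the gaps; a
    periodic check-in scores close to zero, ordinary browsing scores high.
    min_hits and max_jitter are assumed thresholds tuned to the sample.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_hits:
            continue  # too few connections to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append({
                "src": src, "dst": dst, "count": len(times),
                "interval_s": round(avg),
                "stage": "Command and control",      # kill chain: big picture
                "attack_technique": "T1071.001",     # ATT&CK Web Protocols: detail
            })
    return hits


def scope_from_stage(stage):
    """Given the stage the evidence shows, return what must already have
    happened (look backwards) and what may follow (look forwards)."""
    i = KILL_CHAIN.index(stage)
    return {"already_happened": KILL_CHAIN[:i], "may_follow": KILL_CHAIN[i + 1:]}


if __name__ == "__main__":
    for hit in find_beacons(parse_logs(SAMPLE_LOGS)):
        print(f"{hit['src']} -> {hit['dst']}: {hit['count']} connections "
              f"every ~{hit['interval_s']}s [{hit['stage']}, {hit['attack_technique']}]")
        scope = scope_from_stage(hit["stage"])
        print("  look back for:", ", ".join(scope["already_happened"]))
        print("  watch for:    ", ", ".join(scope["may_follow"]))
```

On the sample data only the ws-17 pair is flagged; ws-22 makes just as many connections but its irregular timing keeps it below the regularity test, which is the distinction a beacon detection has to make. Treat a hit as a lead rather than a verdict: legitimate update checkers and monitoring agents also poll on fixed timers, so the next step is exactly what the paragraph describes, going back down the chain to find the delivery and exploitation that would have put a foothold on ws-17 in the first place.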