Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter I - Foundation / 07. The Killchain

Introduction

Usually, this is the chapter in which most beginner cybersecurity courses start (and sometimes finish).

Before reaching this point, we have already spent considerable time building a foundation in operating systems, virtualization, networking, web technologies, programming and debugging. That knowledge is what allows us to approach cybersecurity from a different perspective.

Traditionally, the kill chain is presented as a long sequence of stages such as reconnaissance, scanning, exploitation, lateral movement and privilege escalation. While these distinctions are useful, I don't necessarily like that design and my personal view is that most attacks can be simplified into a repeating cycle:

  1. Enumerate the current scope and identify the next target.
  2. Prepare or weaponize an attack.
  3. Execute the attack and acquire new access.

Once new access is obtained, the scope expands and the process begins again.

TheThreeStep

For example, an attacker may enumerate a public-facing website, identify a vulnerable component and exploit it to gain access to the underlying host. They may then enumerate that host, discover a misconfigured privileged service and exploit it to obtain higher privileges. The same cycle repeats, often dozens of times, until the final objective is achieved.


What is the Kill Chain?

The term Kill Chain refers to the sequence of actions an attacker performs while attempting to compromise a target.

Killchain

Although different organizations define the stages slightly differently, the underlying concept remains the same: successful intrusions rarely occur through a single action. Instead, they are usually the result of multiple steps that build upon one another.

For example, an attacker may:

  1. Discover a company's public infrastructure.
  2. Scan for exposed services.
  3. Enumerate users, shares and applications.
  4. Obtain valid credentials.
  5. Gain initial access to a system.
  6. Exploit a vulnerability or misconfiguration.
  7. Escalate privileges.
  8. Ensure stable remote access.
  9. Continue expanding their access.

One of the most important lessons in cybersecurity is that attacks are rarely isolated events. A vulnerability that appears insignificant on its own may become critical when combined with other weaknesses.