Kill Chain

Core Definition (BLUF)

A Kill Chain is a phased, systemic model used to conceptualise and operationalise the sequential stages of an attack, from initial reconnaissance to the final engagement of a target. Its primary strategic purpose is twofold: for the attacker, it provides a structured methodology to ensure mission success; for the defender, it offers an analytical framework to identify vulnerabilities in the adversary’s process, allowing for the disruption of an attack by breaking a single link in the sequence.

Epistemology & Historical Origins

Originating in mid-20th-century conventional military doctrine, the concept initially described the procedural steps required to successfully engage an enemy asset. The traditional kinetic model evolved into the F2T2EA framework (Find, Fix, Track, Target, Engage, Assess), which was heavily utilised by the United States Department of Defense for dynamic targeting during the Global War on Terror. In 2011, Lockheed Martin adapted the concept for the digital domain, formalising the Cyber Kill Chain. This adaptation marked a critical epistemological shift, transferring physical targeting principles into network defence and Information Security, thereby universalising the concept across multi-domain operations and making it a foundational element of modern threat intelligence.

Operational Mechanics (How it Works)

The mechanics vary depending on the operational domain, but they fundamentally rely on sequential progression.

  • Kinetic Model (F2T2EA):

    • Find: Identifying a potential target through ISR (Intelligence, Surveillance, and Reconnaissance) apparatus.
    • Fix: Positively identifying the target and determining its exact spatial location.
    • Track: Maintaining continuous surveillance and custody of the target as it moves.
    • Target: Selecting the appropriate weapon system and allocating operational resources to engage.
    • Engage: Applying force (kinetic or non-kinetic) to the target.
    • Assess: Conducting Battle Damage Assessment (BDA) to determine the efficacy of the strike and deciding if a re-engagement is necessary.
  • Cyber Model (Lockheed Martin Cyber Kill Chain):

    • Reconnaissance: Harvesting intelligence on the target (e.g., email addresses, network topology, identifying vulnerabilities).
    • Weaponisation: Coupling a cyber exploit with a backdoor into a deliverable payload.
    • Delivery: Transmitting the weapon to the target environment (e.g., via spear-phishing, compromised USBs, or watering hole attacks).
    • Exploitation: Triggering the exploit’s code on the victim’s operating system or application.
    • Installation: Installing malware or persistent backdoors on the asset.
    • Command and Control (C2): Establishing a secure communication channel for remote manipulation by the attacker.
    • Actions on Objectives: Accomplishing the original strategic goal (e.g., data exfiltration, deploying ransomware, network sabotage).

Modern Application & Multi-Domain Use

  • Kinetic/Military: Modern forces attempt to accelerate their own kill chain while simultaneously disrupting the adversary’s. This increasingly involves the integration of Artificial Intelligence, Machine Learning, and autonomous systems to drastically reduce the temporal gap between ‘Find’ and ‘Engage’, transitioning away from a linear chain towards a highly dynamic and distributed Kill Web.
  • Cyber/Signals: Defensive cyber operations utilise the kill chain primarily as a diagnostic and mitigative tool. By deploying countermeasures and sensors at specific stages (e.g., DNS sinkholing to disrupt C2, or advanced email filtering to halt Delivery), network defenders can neutralise Advanced Persistent Threats (APTs) before actions on objectives are realised.
  • Cognitive/Information: Applied to Cognitive Warfare and Information Operations, the kill chain models the systematic deployment of disinformation. Stages include audience reconnaissance (identifying psychological vulnerabilities or societal fissures), narrative weaponisation (crafting tailored propaganda), delivery via algorithmic amplification or bot networks, and the resulting action on objectives (e.g., societal polarisation, institutional distrust, or electoral interference).
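As an added example (not part of the original page), the following Python sketch models the seven Lockheed Martin stages listed above together with the defensive use described under Cyber/Signals: constructed alerts from hypothetical sensors are mapped to kill chain stages per host, showing where a blocking control (mail filtering at Delivery, DNS sinkholing at C2) broke the chain and which intermediate links produced no telemetry at all. The sensor names, host names and events are assumptions.

```python
from collections import defaultdict

# The seven Lockheed Martin Cyber Kill Chain stages, in sequential order.
STAGES = ["Reconnaissance", "Weaponisation", "Delivery", "Exploitation",
          "Installation", "Command and Control", "Actions on Objectives"]
RANK = {stage: i for i, stage in enumerate(STAGES)}

# Hypothetical sensor names -> (stage observed, whether the control also blocks).
# Blocking controls are the link breakers the text mentions (mail filtering at
# Delivery, DNS sinkholing at C2); detect-only sensors merely give visibility.
SENSOR_STAGE = {
    "mail_filter_quarantine": ("Delivery", True),
    "edr_exploit_detected": ("Exploitation", False),
    "edr_new_service": ("Installation", False),
    "dns_sinkhole_hit": ("Command and Control", True),
    "dlp_large_upload": ("Actions on Objectives", False),
}

def chain_status(events):
    """Per host: furthest stage reached, whether a blocking control stopped the
    chain at that stage, and which stages from Delivery onwards went unobserved."""
    by_host = defaultdict(list)
    for ev in events:
        stage, blocks = SENSOR_STAGE[ev["sensor"]]
        by_host[ev["host"]].append((RANK[stage], stage, blocks))
    report = {}
    for host, obs in by_host.items():
        obs.sort(key=lambda o: o[0])
        last_rank, furthest, _ = obs[-1]
        seen = {rank for rank, _, _ in obs}
        # Chain counts as broken only if a blocking control fired at the furthest
        # stage observed, i.e. nothing was seen at any later stage.
        broken = any(blocks for rank, _, blocks in obs if rank == last_rank)
        # Stages between Delivery and the furthest stage with no sensor coverage:
        # links the defender could have broken but did not even observe.
        unseen = [STAGES[r] for r in range(RANK["Delivery"], last_rank) if r not in seen]
        report[host] = {"furthest": furthest, "broken": broken, "unseen": unseen}
    return report

EVENTS = [  # constructed sample alerts, not real telemetry
    {"ts": 1, "host": "ws-01", "sensor": "mail_filter_quarantine"},
    {"ts": 2, "host": "ws-02", "sensor": "edr_exploit_detected"},
    {"ts": 3, "host": "ws-02", "sensor": "edr_new_service"},
    {"ts": 4, "host": "ws-02", "sensor": "dns_sinkhole_hit"},
    {"ts": 5, "host": "ws-03", "sensor": "edr_new_service"},
    {"ts": 6, "host": "ws-03", "sensor": "dlp_large_upload"},
]

if __name__ == "__main__":
    for host, status in chain_status(EVENTS).items():
        print(host, status)
```

Host ws-03 reaches Actions on Objectives with no blocking control in its path and three unobserved links, which is exactly the coverage gap a defender would use this view to close.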

Historical & Contemporary Case Studies

  • Case Study 1: Operation Desert Storm (1991) - The United States military demonstrated an overwhelmingly rapid kinetic kill chain against the Iraqi Armed Forces. By achieving absolute air superiority and utilising advanced ISR platforms like JSTARS, Coalition forces compressed the time required to find, fix, and engage Iraqi armour and command nodes, functionally paralysing the adversary’s decision-making cycle (the OODA Loop) and rendering their defensive doctrine obsolete.
  • Case Study 2: Stuxnet Operation (circa 2010) - A premier and highly sophisticated application of the cyber kill chain. The bespoke malware conducted extensive reconnaissance on Iranian nuclear infrastructure, was weaponised specifically for Siemens SCADA systems, was delivered via physically compromised USB drives to bypass air-gapped networks, and successfully executed its actions on objectives by covertly destroying centrifuges at Natanz whilst simultaneously sending normalised operational readouts to the plant operators to delay the ‘Assess’ phase of the Iranian defence.
