analyzing-cyber-kill-chain

# Analyzing Cyber Kill Chain ## When to Use Use this skill when: - Conducting post-incident analysis to determine how far an adversary progressed through an attack sequence - Designing layered defensive controls with the goal of interrupting attacks at the earliest possible phase - Producing threat intelligence reports that communicate attack progression to non-technical stakeholders **Do not use** this skill as a standalone framework — combine with MITRE ATT&CK for technique-level granularity beyond what the 7-phase kill chain provides. ## Prerequisites - Complete incident timeline with forensic artifacts mapped to specific adversary actions - MITRE ATT&CK Enterprise matrix for technique-level mapping within each kill chain phase - Access to threat intelligence on the suspected adversary group's typical kill chain progression - Post-incident report or IR timeline from responding team ## Workflow ### Step 1: Map Observed Actions to Kill Chain Phases The Lockheed Martin Cyber Kill Chain consists of seven phases. Map all observed adversary actions: **Phase 1 - Reconnaissance**: Adversary gathers target information before attack. - Indicators: DNS queries from adversary IP, LinkedIn scraping, job posting analysis, Shodan scans of organization infrastructure **Phase 2 - Weaponization**: Adversary creates attack tool (malware + exploit). - Indicators: Malware compilation timestamps, exploit document metadata, builder artifacts in malware samples **Phase 3 - Delivery**: ...