How Hackers Breach Defences: the Stages of a Cyber Attack

December 16, 2022

For most people, the risk posed by cyber attacks is abstract.

They’ve heard about popular techniques—ransomware, phishing, hacking, DDoS, web application attacks, and more—but have little idea how they work. This makes it hard to understand which cybersecurity controls are most important in the context of their needs.

This article will cover the simplest way to understand cyberattacks—theoretical models—and how well they translate into the real world.

The Stages of a Cyber Attack

The simplest way to describe a cyberattack is using a model. And when it comes to models, the Lockheed Martin Cyber Kill Chain is the most widely recognised.

The Kill Chain breaks down a cyberattack into seven stages:

  1. Reconnaissance. Understanding the target, e.g., harvesting email addresses for a phishing campaign.
  2. Weaponisation. Turning an attack vector (e.g., an exploit) into a deliverable payload.
  3. Delivery. Delivering the payload to the target (e.g., via a phishing email).
  4. Exploitation. Exploiting a vulnerability to run code on the target system.
  5. Installation. Installing the payload (e.g., ransomware) on the target system.
  6. Command and Control (C2). Communication between the infected system and infrastructure owned by the attacker (e.g., to allow the attacker to control an infected machine remotely).
  7. Action on Objectives. Completing the attacker’s ultimate goal (e.g., stealing sensitive information or extorting the target organisation).

Notice how the attacker can only achieve its objectives after all six other stages have been completed. If an organisation can disrupt the Kill Chain at any point before stage seven, it can avoid the worst outcome.

Many other organisations have developed their own models for understanding cyberattacks. The UK National Cyber Security Centre (NCSC) uses a simplified version of the Kill Chain:

  1. Survey. Investigating and analysing available information about the target to identify potential vulnerabilities.
  2. Delivery. Getting to the point in a system where a vulnerability can be exploited.
  3. Breach. Exploiting the vulnerability/vulnerabilities to gain some form of unauthorised access.
  4. Affect. Carrying out activities within a system that achieve the attacker’s goal.

This simplified model is sufficient for a typical organisation—particularly an SME. Disrupting an attack during the Kill Chain’s Reconnaissance and Weaponisation stages is likely to be out of reach for all but the largest and most highly funded organisations. Once again, disrupting any stage of an attack is usually enough to protect against the worst outcomes—and the four stages listed in the NCSC model are far more accessible for a typical organisation.

How Realistic Are These Models?

These models (and others) are a reasonably good way to understand cyberattacks. However, as with most theories, they don’t cover everything you need to know. For instance, there are at least two common attack components that aren’t directly mentioned:

  • Expansion. After successfully exploiting a vulnerability, hacking groups frequently devote time to expanding their access and presence across the target network. This process increases the impact of a successful attack, e.g., allowing an attacker to steal more sensitive information. Expansion fits to some degree into the C2 stage of the Cyber Kill Chain; however, it does not always rely on remote infrastructure.
  • Obfuscation. Sophisticated cyberattacks almost always take steps to hide their presence and activities. While some models list obfuscation as its own stage, it typically happens throughout an attack—particularly during the C2, Expansion, and Action on Objectives stages.

This raises the question: if we add these two components to the Cyber Kill Chain model, does it now accurately describe cyberattacks? The answer is a resounding… sort of.

In practice, few cyberattacks progress precisely in line with either the Kill Chain or NCSC model. Those that do are most likely to be the work of a sophisticated hacking group that conducts its own reconnaissance—possibly over an extended period—develops its own attack tools, and conducts the attack itself. Attacks like this make up a relatively small percentage of cyberattacks.

To show how attacks might diverge from the models we’ve described above, below are two (very) common types of cyberattacks:

Business Email Compromise

In a Business Email Compromise attack (also known as a CEO scam), there is no payload—the attack includes only a handful of steps:

Reconnaissance—identifying the contact details of payments staff within a target organisation.

Weaponisation—creating a convincing email (or SMS, voicemail, etc.) to exploit the human vulnerability.

Delivery—transmitting the scam email to the target.

Since there is no payload, the exploitation, installation, and C2 stages are all skipped—and, in a successful attack, the action on objectives is completed by the victim, not the attacker.


Ransomware

Most ransomware attacks technically go through all of the stages described in Lockheed Martin’s Kill Chain. However, in many cases, several stages happen automatically—and weaponisation is rarely completed by the group responsible for an attack.

Instead, most active ransomware trojans are developed by specialist groups and then distributed by affiliates. The developers (sometimes known as ‘operators’) usually take a cut of earnings made using their trojans and even offer customer service to the affiliate groups responsible for conducting attacks. This business model is known as Ransomware-as-a-Service.

The Kill Chain for a typical attack of this type looks something like this:

Reconnaissance—compiling a list of business email addresses.

Weaponisation—completed by the developer.

Delivery—usually a mass phishing campaign, which is sometimes even written by the developer.



Command and Control (C2)—automated or completed by the developer.

Action on Objectives—communicating ransom demands to the victim, sometimes with support from the developer.

From the affiliate’s perspective, the only relevant stages are Reconnaissance, Delivery, and Action on Objectives.
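
The following is an added example, not part of the original article: it takes the two attack types above and checks where a given set of controls can break each one before Action on Objectives. The control names and the stage each one is assigned to are assumptions made for illustration.

```python
# Kill Chain stages, in order, as listed in the article.
KILL_CHAIN = [
    "Reconnaissance", "Weaponisation", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Action on Objectives",
]

# Stages each attack type actually passes through, per the article.
ATTACKS = {
    # BEC has no payload, so Exploitation, Installation and C2 are skipped.
    "business_email_compromise": {
        "Reconnaissance", "Weaponisation", "Delivery", "Action on Objectives",
    },
    # Ransomware technically goes through every stage.
    "ransomware": set(KILL_CHAIN),
}

# Hypothetical control sets (assumptions): control name -> stage it disrupts.
PAYLOAD_FOCUSED = {
    "patching": "Exploitation",
    "endpoint protection": "Installation",
    "egress filtering": "Command and Control",
}
WITH_EMAIL_FILTERING = {**PAYLOAD_FOCUSED, "email filtering": "Delivery"}


def disruption_points(attack, controls):
    """Return [(stage, [controls])] in chain order for the stages the attack
    uses, before Action on Objectives, where a control can break it."""
    used = ATTACKS[attack]
    points = []
    for stage in KILL_CHAIN[:-1]:      # the chain must break before stage seven
        if stage not in used:
            continue                   # the attack never passes through here
        names = sorted(c for c, s in controls.items() if s == stage)
        if names:
            points.append((stage, names))
    return points


def earliest_break(attack, controls):
    """First stage at which the controls can stop the attack, or None."""
    points = disruption_points(attack, controls)
    return points[0][0] if points else None


if __name__ == "__main__":
    for label, controls in [("payload-focused", PAYLOAD_FOCUSED),
                            ("with email filtering", WITH_EMAIL_FILTERING)]:
        for attack in ATTACKS:
            print(f"{label:22}{attack:27}{earliest_break(attack, controls)}")
```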

So… How DO Cyber Attacks Work?

What can we learn from this?

While models like the Kill Chain are a useful tool, they aren’t enough to bestow a genuine understanding of how cyber attacks work. In addition to the model, you need to understand the specifics of how hacking groups conduct different real-world attacks in practice.

In future articles, we’ll take an in-depth look at different types of cyberattacks, including:

  • How they are conducted from end-to-end
  • Why they are so popular (and effective)
  • Real-world examples

For now, if you’re concerned about the risk posed by cyber attacks—or you’re unsure if your organisation has adequate protections in place—get in touch today to speak with one of our experts.