The Cyber Attack Lifecycle

Lockheed Martin published the Cyber Kill Chain in 2011 as part of an intelligence-driven defence paper. The model borrowed the military concept of a kill chain, a sequence that, if broken at any point, prevents the adversary from achieving their objective. The seven phases describe a typical targeted intrusion from the attacker's perspective.

The Kill Chain is deliberately linear. Critics note this underrepresents real intrusions, which often involve multiple delivery attempts, parallel lateral movement threads, and re-entry after partial remediation. The Unified Kill Chain addresses this. However, the linear model is still useful for briefing non-technical stakeholders and for teaching the basic logic of intrusion sequencing.

The Unified Kill Chain (UKC), published by Paul Pols in 2017 and updated in 2021, extends the original model by integrating MITRE ATT&CK and addressing scenarios the seven-phase model cannot represent: insider threats, supply-chain compromises, and multi-wave campaigns where the attacker re-enters after partial eviction. The 18 phases are grouped into three macro-stages.

Stage 1: In (establishing initial foothold). Phases include Reconnaissance, Resource Development, Delivery, Social Engineering, Exploitation, Persistence, Defence Evasion, and Command and Control. This stage ends when the attacker has a stable, hidden presence on at least one internal host.

Stage 2: Through (propagating within the network). Phases include Pivoting, Discovery, Privilege Escalation, Execution, and Credential Access. The attacker uses the initial foothold to map the network, acquire credentials, and move toward higher-value targets. This stage is where most dwell time accumulates. The average dwell time before detection was 16 days globally in 2023, according to Mandiant incident response data, though this varies significantly by region and sector.

Stage 3: Out (achieving objectives). Phases include Collection, Exfiltration, and Impact. In ransomware operations, attackers frequently complete both Exfiltration (for double-extortion pressure) and Impact (encrypting systems) within a short window once they reach this stage. The separation between these phases in a ransomware case can be as short as hours.

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is maintained by the MITRE Corporation as a public knowledge base. ATT&CK for Enterprise currently covers 14 tactic categories: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defence Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact. Each tactic contains multiple techniques, and many techniques have sub-techniques.

Each technique entry in ATT&CK includes: a unique identifier (e.g., T1566 for Phishing), a description of how the technique works, real-world procedure examples from attributed threat actor groups, detection guidance, and mitigation recommendations. Investigators use this to answer two questions: given this artefact, what technique was used; and given this technique, what other artefacts should I look for.

ATT&CK is also the basis for threat intelligence sharing. When a CERT (Computer Emergency Response Team) publishes a report on a threat actor group such as APT29 (attributed to Russian state actors) or Lazarus Group (attributed to North Korean state actors), the reported behaviours are cross-referenced to ATT&CK identifiers. An investigator who finds artefacts matching APT29's known ATT&CK profile can use that profile to guide hunting for other techniques the same group typically uses.

The type and quantity of forensic evidence produced varies significantly across lifecycle phases. Early phases often leave little or no evidence on victim systems because the attacker is operating from outside. Later phases typically leave richer artefacts because the attacker is active inside the environment.

Reconnaissance leaves almost no artefacts on the victim's systems if the attacker uses passive OSINT techniques: browsing public websites, querying WHOIS databases, scraping LinkedIn. Active reconnaissance, such as port scanning, does leave entries in firewall logs and intrusion detection system (IDS) alerts, but these are often dismissed as noise without correlation to subsequent events.

Delivery and Exploitation produce the most time-sensitive artefacts. A phishing email leaves headers in the mail server and a copy in the recipient's mailbox. An exploit executed against a web application leaves entries in web server access logs and potentially a crash dump or application error log on the server. These artefacts are time-bound: mail servers may purge old messages, and web logs may roll over. Forensic preservation at this phase requires prompt action.

Installation and Persistence are the phases best represented in endpoint forensics. Dropped files, registry modifications, new scheduled tasks, new services, and modified startup scripts all leave artefacts in the Windows registry, the filesystem (with MFT timestamps), and event logs (Event IDs 4697 for service installation, 4702 for scheduled task modification, among others). These artefacts survive reboot and are recoverable even from offline forensic images.

Command and Control (C2) evidence lives primarily in network logs: DNS queries to unusual domains, outbound connections on non-standard ports, regular beaconing intervals visible in firewall logs, and SSL certificate anomalies. Memory forensics can recover the injected C2 shellcode or the process tree that shows a browser spawning a command shell (a common sign of exploitation). Fileless malware operating entirely in memory is recoverable only while the system is running, making live forensics critical.

Exfiltration evidence includes unusually large outbound data transfers in flow logs, archived staging directories in temp folders or on a network share, and cloud storage API calls in proxy logs. Ransomware deployment at the Impact phase leaves encrypted files, a ransom note, and Volume Shadow Copy deletion events (Event ID 524 or the execution of vssadmin.exe or wmic.exe with delete arguments), all of which are highly characteristic and recoverable.

The central insight of the Kill Chain model is that disrupting any phase prevents the attacker from advancing. For an investigator engaged in post-breach analysis, this translates into a different question: at which phases did we have an opportunity to detect the attack, and why did we not act on it? This analysis drives remediation and future detection investment.

Detecting at the Reconnaissance phase is rare but possible for active scanning. Rate-limiting or blocking scanning IP ranges, monitoring for credential stuffing attempts against external portals, and reviewing third-party data breach notifications are all early-phase detection opportunities. The threat intelligence feed from a sector-specific ISAC (Information Sharing and Analysis Center) may flag known reconnaissance infrastructure before it is used against a specific target.

Detection at Delivery and Exploitation depends on email gateway filtering, web application firewalls, and endpoint detection tools. These are the most commonly deployed detection layers. However, sophisticated attackers use living-off-the-land techniques (using built-in OS tools such as PowerShell, WMI, or certutil) specifically to evade signature-based detection at these layers.

Detection at Lateral Movement is increasingly the focus of modern detection strategy because it is the phase where most attackers spend time and leave the most varied artefacts. Anomalous authentication events, service account logins at unusual hours, and pass-the-hash artefacts in Windows Security logs are all detectable with properly configured SIEM rules. The network protocols and traffic analysis perspective is essential here: east-west traffic anomalies within a network are often the clearest signal of lateral movement.

Lifecycle analysis is not only a technical tool. It also shapes the legal strategy of a cyber investigation. Identifying which phases occurred, when, and on which systems determines what evidence must be preserved, what warrants or production orders are required, and which jurisdiction has authority over each part of the attack.

In India, cyber offences are prosecuted under the Information Technology Act 2000 (as amended by the IT Amendment Act 2008). Sections 66, 66B, 66C, and 66F address hacking, receiving stolen computer resources, identity theft, and cyber terrorism respectively. Electronic evidence is governed by the Bharatiya Sakshya Adhiniyam 2023 (which replaced the Indian Evidence Act 1872), specifically Sections 61 to 65 on electronic records. The IT (Amendment) Act 2008 also empowers CERT-In to direct organisations to report incidents and preserve logs, making log retention a legal obligation, not merely a best practice.

In the United States, the primary statutes are the Computer Fraud and Abuse Act (CFAA) and the Electronic Communications Privacy Act (ECPA). The CFAA criminalises unauthorised access to protected computers, with penalties scaled to the phase and severity of damage. In the United Kingdom, the Computer Misuse Act 1990 (CMA) covers similar offences, with the Police and Justice Act 2006 strengthening penalties. In the European Union, Directive 2013/40/EU on attacks against information systems harmonises offences across member states, and the Network and Information Security Directive (NIS2, 2022) sets mandatory incident reporting and log retention standards for operators of essential services.

The lifecycle model assists with establishing elements of offences. Proving that an attack reached the Installation phase establishes persistent unauthorised access. Proving the Exfiltration phase provides evidence of data theft. Each phase requires corresponding documentary evidence: server logs, forensic images with verified hash values, and a documented chain of custody. Courts in India, the United States, and the United Kingdom have all addressed the admissibility of electronic evidence; the common requirement is that the investigator can demonstrate integrity of the evidence from collection to presentation.