Why Attack Models Matter
Attacks aren't lightning strikes. They're processes — multi-step campaigns that take days, weeks, or months. Understanding the steps lets you build controls at each stage, so you don't have to catch the attacker on their first move (you usually won't).
The original Lockheed Martin Cyber Kill Chain has been around since 2011. It's been supplemented by MITRE ATT&CK (much more detailed) and the Diamond Model (more analytical), but the kill chain remains the cleanest mental model for explaining "how a breach works" to a non-specialist audience.
Stages 1–2: Reconnaissance & Weaponization
Reconnaissance. The attacker researches the target — LinkedIn profiles, exposed services, leaked credentials, GitHub repos. What helps defenders here: attack-surface monitoring, removing unnecessary public services, restricting employee oversharing.
Weaponization. The attacker builds the payload — a phishing lure, a poisoned document, an exploit chain. You can't really detect this — it happens on the attacker's infrastructure. Your job is to make the next stage harder.
Stages 3–4: Delivery & Exploitation
Delivery. The payload reaches the victim — usually email, sometimes USB, watering-hole websites, or supply chain. Defenses: email security, web filtering, removable-media policies, SaaS allowlisting.
Exploitation. The payload triggers — a clicked link, an opened doc, an unpatched vulnerability. Defenses: patching, endpoint hardening, browser isolation, application allowlisting.