
CTI Kill Chain: An Analyst Guide With Real-World Evidence

Ecosystem Fit

This page mirrors the original Medium article into the 1200km.com Docusaurus ecosystem. The original article flow, images, screenshots, infographics, and technical blocks are preserved from the export.

Mapping adversary behavior from preparation to impact without overstating the evidence

Executive Summary

This is an analyst guide, not a formal CTI report. It does not answer a single priority intelligence requirement, grade sources formally, or produce an adversary-specific assessment. Its purpose is narrower: show how a CTI analyst can use the Cyber Kill Chain to organize public evidence from real APT and complex intrusion reporting without overstating what the evidence proves.

The Cyber Kill Chain was developed by Lockheed Martin as part of Intelligence Driven Defense and describes adversary activity from preparation through weaponization, delivery, exploitation, installation, command and control, and actions on objectives (Lockheed Martin, Cyber Kill Chain; Hutchins, Cloppert, and Amin, 2011).

The model is useful only when analysts preserve uncertainty. Many public reports describe what responders observed after compromise. They do not always directly show reconnaissance, weaponization decisions, or adversary intent. This guide therefore labels examples as:

  • **Observed:** directly reported technical behavior or artifact.

  • **Reported:** stated by a cited source but not independently verified here.

  • **Assessed:** analytic judgment made by the cited source.

  • **Inferred:** reasonable analyst interpretation from public evidence, but not directly observed.

  • **Caveat:** limitation, ambiguity, or alternate explanation.

Confidence language in this article is plain-language only:

  • **High confidence:** multiple credible sources or direct technical evidence.

  • **Moderate confidence:** credible reporting but incomplete visibility.

  • **Low confidence:** plausible inference from limited public evidence.

This is not a formal source-grading model. Operational CTI should separately evaluate source reliability, information credibility, collection visibility, corroboration, and whether the source had direct telemetry, reverse-engineering access, victim access, or only secondhand reporting.

**Scope note on attribution:** This guide is TTP-focused. Where established government or multi-vendor attribution exists for a case, it is noted briefly. Attribution analysis — confidence assessment, clustering methodology, indicator-based vs. infrastructure-based vs. behavioral evidence — is treated as out of scope for the main body and would require a separate product type.

Table of Contents

  • What Is the Attack Kill Chain?

  • Reconnaissance and Precursors

  • Weaponization

  • Delivery

  • Exploitation

  • Installation

  • Command and Control

  • Actions on Objectives

  • Cross-Case Pattern Matrix

  • ATT&CK Mapping Table

  • How CTI Analysts Should Use the Kill Chain

  • Practical Analyst Template

  • Conclusion

  • References

What Is the Attack Kill Chain?

The Attack Kill Chain is a structured way to describe how an adversary moves from intent to impact. Instead of treating an intrusion as a flat list of alerts, malware names, domains, and indicators, the Kill Chain asks the analyst to place evidence into a sequence of adversary activity. This helps defenders identify where the operation could have been detected, disrupted, or better understood.

The classic seven-step model is:

  • **Reconnaissance and Precursors:** The adversary researches, selects, and prepares for the target. This can include victim research, infrastructure preparation, credential collection, supplier analysis, lure development, or operational planning. In public reporting, this phase is often inferred from victimology, lure quality, or later intrusion behavior rather than directly observed.

  • **Weaponization:** The adversary creates or prepares the capability that will be used later. This may be malware, an exploit chain, a malicious document, a trojanized software update, a credential-harvesting page, or an OT-specific payload.

  • **Delivery:** The adversary moves the weaponized capability to the target. Delivery can occur through phishing, software updates, exposed services, removable media, watering holes, supplier channels, or automated worm propagation.

  • **Exploitation:** The adversary obtains execution or access by abusing a vulnerability, user action, identity trust, exposed service, misconfiguration, or trusted process.

  • **Installation:** The adversary places malware, persistence, tooling, accounts, scheduled tasks, services, web shells, wipers, or other mechanisms into the environment.

  • **Command and Control:** The adversary communicates with compromised systems to send instructions, receive results, stage tools, change behavior, or maintain operational control.

  • **Actions on Objectives:** The adversary executes the purpose of the operation. This may be espionage, data theft, disruption, encryption, destructive wiping, industrial process manipulation, public leaking, or long-term access preparation.

For CTI work, the Kill Chain is not a claim that every intrusion is perfectly linear. Real operations loop, skip visible phases, reuse access, blend delivery with exploitation, and sometimes execute objectives through hardcoded payload logic without active command and control. The value of the model is analytic discipline: it helps the analyst say what is observed, what is inferred, what is missing, and what defenders can do at each phase.

1. Reconnaissance and Precursors

Reconnaissance and precursors include target selection, business research, credential collection, infrastructure preparation, supplier research, and operational planning. Public reporting often gives only indirect visibility into this phase. Victimology can support an assessment of deliberate targeting, but it does not prove the exact reconnaissance methods used.

Example 1: APT1 victimology supports deliberate target selection

  • **Evidence type:** Reported and inferred.

  • **Confidence:** Moderate — single primary source (Mandiant, February 2013); victim-sector alignment is an analyst inference, not direct observation of reconnaissance activity.

  • **Source:** Mandiant reported that APT1 compromised 141 organizations across 20 major industries and that victim sectors aligned with Chinese strategic priorities (Mandiant, APT1 report).

This supports an assessment of deliberate campaign-level target selection. It does not directly show how APT1 performed reconnaissance before each compromise. The correct CTI wording is: victimology supports a target-selection assessment; specific reconnaissance activity remains a collection gap.

Alternative hypothesis exercise:

  • **H1 (primary):** APT1 conducted deliberate strategic target selection aligned with Chinese national priorities, as indicated by the consistent sector profile across 141 victims over several years.

  • **H2 (alternative):** Some portion of the victim set reflects opportunistic access — compromising organizations with weaker defenses that happened to fall within target sectors — rather than deliberate individual selection of each organization.

  • **Discrimination:** H1 is supported if victim selection shows signs of pre-compromise research (e.g., industry-specific lures, individualized spearphishing, evidence of prior supplier or partner reconnaissance). H2 gains weight if victims show high variance in security maturity and if initial access vectors are generic rather than individualized. The Mandiant report notes that APT1 used both generic and tailored phishing, which is consistent with a mixed opportunistic-deliberate approach. H1 remains the better-supported assessment for the campaign as a whole; H2 is more applicable at the individual-intrusion level.

Example 2: APT28 targeting patterns suggest intelligence-driven preparation

  • **Evidence type:** Assessed by source.

  • **Confidence:** Moderate — based on FireEye/Mandiant assessment; independently corroborated by subsequent government reporting but relies on behavioral and infrastructure evidence, not direct intelligence-collection confirmation.

  • **Source:** FireEye assessed that APT28 most likely had a Russian government sponsor and targeted information useful to a government, including material related to governments, militaries, and security organizations (Google Cloud / Mandiant, APT28).

The evidence supports likely intelligence-driven target selection. It should not be stated as proven “state-directed” activity unless the article mirrors the source’s confidence language.

Example 3: Ukraine grid operations imply pre-attack operational preparation

  • **Evidence type:** Reported and inferred.

  • **Confidence:** Moderate — MITRE ATT&CK campaign-level characterization draws on multiple vendor reports; the specific inference about pre-attack preparation of ICS environments is an analyst judgment, not directly documented in public reporting.

  • **Source:** MITRE ATT&CK describes Sandworm’s December 2015 Ukraine electric power attack using BlackEnergy3 and KillDisk against Ukrainian transmission and distribution substations (MITRE ATT&CK, C0028).

The public evidence supports that the operation affected utility environments and involved operationally relevant actions. It is an analyst inference, not direct public proof, that the actor had studied operator workflows, remote access paths, and recovery dependencies before execution.

2. Weaponization

Weaponization is the creation, selection, modification, or staging of a capability for later use. This may be malware, an exploit chain, a phishing document, a trojanized update, or an OT-specific payload.

Example 1: Stuxnet encoded target-specific industrial logic

  • **Evidence type:** Reported technical analysis.

  • **Confidence:** High — Symantec reverse-engineering dossier provides extensive technical documentation corroborated by subsequent government and academic analysis of the same samples.

  • **Source:** Symantec’s Stuxnet dossier documents Windows propagation, rootkit behavior, command-and-control components, and Siemens Step7/PLC-specific payload behavior. The linked copy is an archival mirror of the Symantec report, used because the original vendor PDF is not consistently available (Symantec, W32.Stuxnet Dossier archival mirror via National Security Archive).

Stuxnet is a strong weaponization example because the malware was not generic enterprise malware. Its functionality included logic relevant to a specific industrial control environment.

Example 2: SUNSPOT weaponized the SolarWinds Orion build process

  • **Evidence type:** Reported technical analysis.

  • **Confidence:** High — independently corroborated by CrowdStrike technical analysis, CISA advisory AA20-352A (discovered December 2020), and Microsoft incident reporting.

  • **Source:** CrowdStrike reported that SUNSPOT monitored SolarWinds build processes and replaced a source file to insert SUNBURST into Orion software packages (CrowdStrike, SUNSPOT).

This is one of the cleanest weaponization examples in the article. The adversary capability was designed around the software build environment, not only the eventual victim environment.

Example 3: GRIZZLY STEPPE reporting describes phishing payload preparation

  • **Evidence type:** Reported, with caveat.

  • **Confidence:** Moderate — government reporting construct with broad actor scope; useful for tradecraft characterization, not precise single-actor clustering.

  • **Source:** DHS/FBI reporting on GRIZZLY STEPPE describes Russian malicious cyber activity involving spearphishing, malicious links, credential harvesting, and malware delivery. The Public Intelligence link is an archival mirror of DHS/FBI material; the CISA PDF is used where available as the government source (DHS/FBI GRIZZLY STEPPE archival mirror; CISA enhanced analysis PDF).

Use this source cautiously. GRIZZLY STEPPE is a broad U.S. government reporting construct covering Russian malicious cyber activity and multiple actor labels. It is useful for broad tradecraft examples, not precise actor clustering.

3. Delivery

Delivery is how an adversary capability reaches a target. Delivery may use email, links, software updates, removable media, watering holes, exposed services, or partner and supplier channels. In worm activity, delivery and exploitation can be tightly coupled.

Example 1: APT1 used spearphishing as an access path

  • **Evidence type:** Reported by source.

  • **Confidence:** High — Mandiant APT1 report (February 2013) provides extensive documentation; delivery mechanisms described are consistent with subsequent incident reporting over the following decade.

  • **Source:** Mandiant reported that APT1 commonly used spearphishing emails with malicious attachments or links to gain access to victim networks (Mandiant, APT1 report).

For CTI, delivery evidence should connect the lure, sender infrastructure, attachment or URL, victim, and resulting execution path.

Example 2: SolarWinds delivered SUNBURST through trusted software updates

  • **Evidence type:** Reported technical and government analysis.

  • **Confidence:** High — corroborated by CISA advisory AA20-352A and CrowdStrike SUNSPOT technical analysis from independent telemetry; the code-signing certificate point is confirmed by multiple sources and is the analytically significant detection-defeat mechanism.

  • **Sources:** CISA stated that a malicious version of `solarwinds.orion.core.businesslayer.dll` was signed with a legitimate SolarWinds code-signing certificate and inserted into the SolarWinds software lifecycle — this signing is what allowed the malicious DLL to bypass signature-based controls in victim environments (CISA AA20-352A). CrowdStrike reported how SUNSPOT manipulated the build process to insert SUNBURST (CrowdStrike, SUNSPOT).

This delivery mechanism matters because trusted update channels can bypass assumptions built around phishing, perimeter filtering, and user suspicion.

Example 3: WannaCry propagated through SMB exposure (May 2017)

  • **Evidence type:** Reported technical analysis.

  • **Confidence:** High — corroborated by Mandiant technical analysis and multiple independent incident response reports from the May 2017 global outbreak.

  • **Source:** Mandiant reported that WannaCry propagated over SMBv1/TCP 445 and used EternalBlue against MS17-010 (Mandiant, SMB Exploited; Mandiant, WannaCry malware profile).

**Attribution note (Reported, Moderate confidence):** The U.S. government formally attributed WannaCry to North Korea (DPRK) in a December 2017 public statement, with Lazarus Group identified as the responsible cluster by multiple vendors. This attribution context is noted here; the TTP analysis below applies regardless of attribution.

Caveat: WannaCry is not a clean single-phase delivery example. The same SMB mechanism supported propagation and exploitation. In worm cases, Kill Chain phases can collapse into one automated behavior.

Alternative hypothesis exercise:

  • **H1 (primary):** WannaCry was a state-directed DPRK destructive and/or revenue-generation operation that deliberately included ransomware payment infrastructure.

  • **H2 (alternative):** The ransomware payment mechanism was functional but operationally secondary; the primary objective was destructive effect, and the payment component was either a cover story or an underdeveloped secondary capability that was never designed to scale.

  • **Discrimination:** H1 gains weight if the kill-switch registration was an operational error rather than a designed feature, and if payment infrastructure was actively monitored by operators. H2 gains weight if the Bitcoin wallets were rarely or never emptied (reported: minimal payments were processed before the kill switch was activated), and if victim selection prioritized disruptive targets over financially capable ones. Public evidence supports questioning pure financial motivation, but does not conclusively resolve whether disruption, revenue generation, or both were intended. The kill-switch domain registration by a security researcher before significant payments were processed is the strongest discriminating evidence available.

4. Exploitation

Exploitation is the point where the adversary obtains execution or access by abusing a vulnerability, identity trust, user action, or trusted process.

Example 1: WannaCry exploited MS17-010 via EternalBlue

  • **Evidence type:** Reported technical analysis.

  • **Confidence:** High — Mandiant technical analysis corroborated by independent vendor reports from the May 2017 outbreak; the vulnerability and exploit are confirmed at the technical level.

  • **Source:** Mandiant tied WannaCry exploitation and propagation to EternalBlue/MS17-010 over SMBv1/TCP 445 (Mandiant, SMB Exploited).

The exploitation evidence is clear: vulnerable SMB services enabled remote compromise and automated spread.

Example 2: NotPetya reportedly used the M.E.Doc update channel and credential-based lateral movement (June 2017)

  • **Evidence type:** Reported and assessed.

  • **Confidence:** Moderate — Microsoft and Cisco Talos provide corroborating but independently sourced reporting; the initial vector is qualified by both sources and should retain source-hedged language.

  • **Source:** Microsoft wrote that NotPetya appeared to arrive through the M.E.Doc update service and then used credential theft and lateral movement techniques to spread inside networks (Microsoft, NotPetya technical analysis). Cisco Talos separately reported that the actor manipulated the M.E.Doc update server to proxy connections to actor-controlled infrastructure (Cisco Talos, The MeDoc Connection).

**Attribution note (Reported, Moderate confidence):** The United States, United Kingdom, European Union, and multiple vendors have formally attributed NotPetya to Sandworm, a Russian GRU-associated actor. This attribution context is noted here; the TTP analysis applies regardless of attribution.

The wording matters. “Appeared to arrive” or “reported initial vector” is more accurate than saying the initial vector was conclusively proven in this article.

Example 3: APT28/APT29 exploited identity trust through phishing and credential theft

  • **Evidence type:** Reported, with caveat.

  • **Confidence:** Moderate — broad government reporting construct; supports tradecraft characterization, not fine-grained actor clustering.

  • **Source:** DHS/FBI GRIZZLY STEPPE reporting describes spearphishing, credential harvesting, and fake webmail infrastructure used in Russian malicious cyber activity. The Public Intelligence link is an archival mirror of DHS/FBI material (DHS/FBI GRIZZLY STEPPE archival mirror).

Credential capture is exploitation of identity trust. The caveat is that GRIZZLY STEPPE is broad reporting; it should not be used by itself to make fine-grained actor-clustering claims.

5. Installation

Installation is the process of placing malware, persistence mechanisms, tooling, accounts, web shells, scheduled tasks, services, wipers, or other access mechanisms into the environment.

Example 1: APT1 installed backdoors for access maintenance

  • **Evidence type:** Reported by source.

  • **Confidence:** High — Mandiant APT1 report (February 2013) is a single primary source with extensive host-level evidence; no independent government or secondary-vendor corroboration is cited here; analysts should treat this as strong single-source technical reporting.

  • **Source:** Mandiant described APT1 maintaining access through deployed malware families and backdoors across victim environments (Mandiant, APT1 report).

For analysts, installation evidence should include paths, services, registry keys, scheduled tasks, process names, persistence methods, and host scope.

Example 2: NOBELIUM used GoldMax, GoldFinder, and Sibot for layered post-compromise activity

  • **Evidence type:** Reported technical analysis.

  • **Confidence:** High — Microsoft technical analysis corroborated by CrowdStrike StellarParticle reporting and CISA advisory AA20-352A; multiple sources with independent telemetry.

  • **Source:** Microsoft described GoldMax, GoldFinder, and Sibot as NOBELIUM tools used for layered persistence and post-compromise activity after access through compromised credentials or the SolarWinds binary (Microsoft, GoldMax, GoldFinder, and Sibot).

**Vendor label note:** NOBELIUM is Microsoft’s designation for this intrusion cluster. The broader intelligence community has associated this activity with APT29/Cozy Bear, though cross-vendor clustering requires independent confidence assessment; analysts should not treat NOBELIUM and APT29 as interchangeable without reviewing the supporting evidence.

Do not collapse these tools into SUNBURST. They belong to the broader NOBELIUM/SolarWinds ecosystem, but they represent later-stage tooling and persistence activity.

Example 3: Ukraine 2015 attackers deployed BlackEnergy3 and KillDisk

  • **Evidence type:** Reported by MITRE.

  • **Confidence:** High — MITRE ATT&CK campaign-level characterization draws on multiple vendor reports including Dragos and ESET; destructive effect is operationally confirmed.

  • **Source:** MITRE states that Sandworm used BlackEnergy3 and KillDisk in the December 2015 Ukraine electric power attack (MITRE ATT&CK, C0028).

This installation example includes both access-supporting malware and destructive tooling. Installation is not always about quiet persistence; it can include staging payloads for disruption.

6. Command and Control

Command and control, or C2, is how the adversary communicates with compromised systems. C2 evidence can include domains, IP addresses, protocols, timing, staging servers, legitimate-service abuse, decoy traffic, or high-reputation infrastructure.

Example 1: SUNBURST initial backdoor C2 used stealth and delayed activation

  • **Evidence type:** Reported technical/government analysis.

  • **Confidence:** High — corroborated by CISA AA20-352A, Microsoft GoldMax/GoldFinder/Sibot analysis, and CrowdStrike StellarParticle reporting from independent telemetry; SUNBURST dormancy period of approximately 12–14 days before initial C2 beacon is documented across multiple sources.

  • **Sources:** CISA documented the malicious SolarWinds binary and associated APT activity (CISA AA20-352A). Microsoft separately analyzed later NOBELIUM tools, while CrowdStrike reported related StellarParticle observations (Microsoft, GoldMax, GoldFinder, and Sibot; CrowdStrike, StellarParticle observations).

Precision matters:

  • SUNBURST: initial SolarWinds backdoor and early C2 activity; included a dormancy period of approximately 12–14 days before beaconing to reduce detection risk during the initial post-installation window.

  • GoldMax/GoldFinder/Sibot: later NOBELIUM post-compromise tooling.

  • StellarParticle: CrowdStrike’s name for related follow-on intrusion activity.

Do not treat those labels as interchangeable malware families.

Example 2: APT29 HAMMERTOSS abused public web services for stealthy C2

  • **Evidence type:** Reported technical analysis.

  • **Confidence:** High — Mandiant technical report provides detailed behavioral documentation; the public-service C2 mechanism is technically specific and directly documented in the analysis.

  • **Source:** Mandiant described HAMMERTOSS as an APT29 tool using public web services and time-based logic to retrieve C2 instructions (Mandiant, HAMMERTOSS).

The defensive lesson is that a trusted web service can still be part of adversary C2 when behavior, timing, and content patterns are suspicious.

Example 3: Stuxnet contained hardcoded ICS payload logic that operated without active C2 contact after staging

  • **Evidence type:** Reported technical analysis.

  • **Confidence:** High — Symantec reverse-engineering dossier documents both C2 components and PLC payload behavior in technical detail; the hardcoded nature of the centrifuge-manipulation logic is a specific technical finding, not an inference.

  • **Source:** Symantec documented Stuxnet C2 components and industrial payload logic. The linked copy is an archival mirror of the Symantec report (Symantec, W32.Stuxnet Dossier archival mirror via National Security Archive).

Stuxnet’s PLC manipulation logic was hardcoded to target a specific industrial configuration — it did not require active C2 contact to execute against target ICS environments after initial staging. This is analytically distinct from adaptive or fully autonomous operation: the adversary made payload decisions at weaponization time, not through runtime C2 direction. The practical implication for incident response is that absence of observable C2 traffic during a forensic window does not rule out adversary capability execution in environments where hardcoded ICS payloads are deployed.

7. Actions on Objectives

Actions on objectives are what the adversary ultimately sought to do: steal data, encrypt systems, disrupt operations, manipulate industrial processes, publish stolen material, maintain espionage access, or prepare future access.

Example 1: APT1 conducted long-term data theft

  • **Evidence type:** Reported by source.

  • **Confidence:** High — Mandiant APT1 report (February 2013) documents multi-year intrusion timelines and exfiltration volume from incident response engagement data; single primary source with extensive host-level evidence.

  • **Source:** Mandiant reported that APT1 stole hundreds of terabytes of data over years of intrusions (Mandiant, APT1 report).

The objective was not malware execution. Malware was a means to strategic data theft.

Example 2: NotPetya caused destructive disruption under ransomware-like cover (June 2017)

  • **Evidence type:** Reported and assessed.

  • **Confidence:** High for destructive effect — operationally confirmed across multiple victim organizations globally. Moderate for specific intent — whether the ransomware presentation was deliberate cover story, operational decision, or an uncontrolled secondary effect is assessed, not observed.

  • **Source:** Microsoft described NotPetya’s destructive behavior and enterprise spread beginning from the Ukrainian software ecosystem (Microsoft, NotPetya technical analysis).

The ransom note alone should not determine objective. CTI should evaluate behavior, payment mechanics, recovery feasibility, targeting, and operational effect.

Alternative hypothesis exercise:

  • **H1 (primary — assessed):** NotPetya was a deliberately destructive operation by a state actor (attributed to Sandworm/Russia by U.S., UK, and EU governments) using ransomware aesthetics as a cover to provide deniability and attribution confusion.

  • **H2 (alternative):** The destructive scale of NotPetya was partly unintended — a wiper designed to affect Ukrainian targets propagated globally through supply chain and network trust relationships beyond the operator’s planned target set, producing broader destruction than intended.

  • **Discrimination:** H1 gains weight if: the M.E.Doc initial vector was chosen specifically because it would limit initial infection to Ukraine-relevant organizations; the payment infrastructure was intentionally non-functional (broken Bitcoin address logic is documented); and the timing relative to Ukrainian political events is factored in. H2 gains weight if: operators had reason to prefer containment to Ukraine but the propagation mechanism (credential theft and lateral movement across trusted networks) inherently crossed organizational boundaries; and if the global victims (Maersk, Merck, FedEx) were not necessary to the apparent Ukraine-focused objective, while still producing coercive, disruptive, or signaling value. Current public evidence does not definitively resolve this. Both the “deliberate global” and “inadvertent spread” interpretations are consistent with documented technical behavior. H1 is preferred by most public attribution assessments, but analysts should flag H2 as an unresolved alternative.

Example 3: Separate Ukraine 2015 from CRASHOVERRIDE/Industroyer

  • **Evidence type:** Reported technical analysis.

  • **Confidence:** High — MITRE ATT&CK and Dragos provide corroborated analysis distinguishing the two incidents by time, malware family, and operational context.

  • **Sources:** MITRE tracks the December 2015 Ukraine electric power attack as Sandworm activity using BlackEnergy3 and KillDisk (MITRE ATT&CK, C0028). Dragos analyzed CRASHOVERRIDE as malware designed to affect electric grid operations and associated it with later Ukraine grid activity in December 2016 (Dragos, CRASHOVERRIDE; Dragos CRASHOVERRIDE PDF via National Security Archive).

These should be separated:

  • **2015 Ukraine (December 2015):** BlackEnergy3, KillDisk, and operational disruption of distribution substations.

  • **2016 Ukraine / CRASHOVERRIDE or Industroyer (December 2016):** malware framework designed for electric-grid operations.

Both are relevant to actions on objectives, but they are not the same incident or malware family.

Cross-Case Pattern Matrix

[Image: Cross-Case Pattern Matrix]

ATT&CK Mapping Table

This table is not a complete detection plan. It maps selected behaviors to ATT&CK techniques where the public reporting supports a reasonable mapping. When the public source describes a broad malware role rather than a specific behavior, the table marks the mapping as artifact-dependent instead of forcing precision.

[Image: ATT&CK Mapping Table]

How CTI Analysts Should Use the Kill Chain

1. Separate fact from assessment

Use explicit labels:

  • Observed: “Endpoint telemetry shows process X created file Y.”

  • Reported: “Mandiant reported APT1 used spearphishing.”

  • Assessed: “FireEye assessed APT28 was most likely Russian government-sponsored.”

  • Inferred: “Victimology suggests deliberate target selection.”

  • Gap: “Specific reconnaissance methods were not observed.”

2. Track skipped or unseen phases

If C2 is discovered first, do not invent delivery evidence. Mark delivery as unknown and create a collection requirement.

3. Avoid malware-family and campaign conflation

SUNBURST, GoldMax, Sibot, and StellarParticle are related to the broader SolarWinds/NOBELIUM reporting ecosystem, but they are not interchangeable. Likewise, Ukraine 2015 BlackEnergy/KillDisk and CRASHOVERRIDE/Industroyer must be separated by time, malware family, and operational context.

4. Use Kill Chain for defensive questions

  • Reconnaissance: what exposure makes us targetable?

  • Weaponization: what malware, exploit, or payload classes matter?

  • Delivery: which channels need control and monitoring?

  • Exploitation: which vulnerabilities, credentials, or trust paths were abused?

  • Installation: what persistence and staging artifacts should hunters search for?

  • C2: what traffic behaviors and infrastructure patterns should detection teams model?

  • Actions on objectives: what data, systems, or operations need protection and recovery planning?

5. Generate and test alternative hypotheses

For every primary assessment, name at least one alternative and identify the evidence that would discriminate between them. If no discriminating evidence exists in the available collection, that is itself an important analytic finding — it means the primary assessment is poorly constrained. Document both the alternative and the gap.

6. Combine with Diamond Model and ATT&CK carefully

The Kill Chain gives sequence. The Diamond Model gives event structure: adversary, capability, infrastructure, victim. ATT&CK gives technique vocabulary. But technique mapping should include evidence, confidence, and caveats. T1210 (Lateral Movement) and T1190 (Initial Access) are not interchangeable even when the same exploit is used, because the ATT&CK tactic context determines how the mapping informs detection and hunt priorities.

Practical Analyst Template

Intrusion:
Primary intelligence requirement:
Analyst:
Date:

Evidence labels used:
  - Observed:
  - Reported:
  - Assessed:
  - Inferred:
  - Collection gap:

1. Reconnaissance and Precursors
  - Evidence:
  - Evidence label:
  - Assessment:
  - Confidence (with basis):
  - Collection gaps:

2. Weaponization
  - Evidence:
  - Evidence label:
  - Assessment:
  - Confidence (with basis):
  - Collection gaps:

3. Delivery
  - Evidence:
  - Evidence label:
  - Assessment:
  - Confidence (with basis):
  - Collection gaps:

4. Exploitation
  - Evidence:
  - Evidence label:
  - Assessment:
  - Confidence (with basis):
  - Collection gaps:

5. Installation
  - Evidence:
  - Evidence label:
  - Assessment:
  - Confidence (with basis):
  - Collection gaps:

6. Command and Control
  - Evidence:
  - Evidence label:
  - Assessment:
  - Confidence (with basis):
  - Collection gaps:

7. Actions on Objectives
  - Evidence:
  - Evidence label:
  - Assessment:
  - Confidence (with basis):
  - Collection gaps:

Alternative hypotheses:
  - H1 (primary): [assessment] [evidence supporting]
  - H2 (alternative): [what else could explain the observed evidence]
  - Discrimination: [what evidence would distinguish H1 from H2, and whether that evidence exists]
  - Preferred assessment and why:

Defensive recommendations:
  - Tactical:
  - Operational:
  - Strategic:
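
As an added illustration that is not part of the original article, the Python sketch below encodes the evidence labels and plain-language confidence definitions from the Executive Summary, the "do not invent delivery evidence" rule, and the template above as a small checker: each phase's ceiling confidence is derived from the evidence recorded for it, phases with nothing but caveats become collection gaps, a claimed confidence above the ceiling is flagged, and the same exploit maps to T1190 or T1210 depending on where it was observed. The High/Moderate/Low thresholds, the record structure, and the sample intrusion are my assumptions, not the author's method.

```python
from dataclasses import dataclass, field
from enum import Enum

# The seven phases, in the order the guide uses them.
PHASES = ("Reconnaissance and Precursors", "Weaponization", "Delivery",
          "Exploitation", "Installation", "Command and Control",
          "Actions on Objectives")

CONFIDENCE_RANK = {"Gap": 0, "Low": 1, "Moderate": 2, "High": 3}


class Label(Enum):
    OBSERVED = "Observed"   # directly reported technical behavior or artifact
    REPORTED = "Reported"   # stated by a cited source, not independently verified
    ASSESSED = "Assessed"   # analytic judgment made by the cited source
    INFERRED = "Inferred"   # analyst interpretation, not directly observed
    CAVEAT = "Caveat"       # limitation, ambiguity, or alternate explanation


@dataclass(frozen=True)
class Evidence:
    phase: str
    statement: str
    label: Label
    sources: tuple = ()             # distinct source names backing the statement
    direct_technical: bool = False  # own telemetry, sample analysis, RE access


def ceiling_confidence(items):
    """Highest plain-language confidence the guide's definitions allow.
    Thresholds are this example's interpretation, not a formal grading model:
    High = direct technical evidence or two or more distinct sources;
    Moderate = single credible report/assessment; Low = inference only;
    Gap = nothing but caveats, or nothing at all.
    """
    substantive = [e for e in items if e.label is not Label.CAVEAT]
    if not substantive:
        return "Gap"
    if all(e.label is Label.INFERRED for e in substantive):
        return "Low"
    sources = {s for e in substantive for s in e.sources}
    direct = any(e.label is Label.OBSERVED and e.direct_technical for e in substantive)
    if direct or len(sources) >= 2:
        return "High"
    return "Moderate"


@dataclass
class KillChainRecord:
    intrusion: str
    evidence: list = field(default_factory=list)
    claimed: dict = field(default_factory=dict)  # phase -> analyst's stated confidence

    def add(self, ev):
        if ev.phase not in PHASES:
            raise ValueError(f"unknown phase: {ev.phase}")
        self.evidence.append(ev)

    def ceilings(self):
        """phase -> highest confidence its evidence supports."""
        return {p: ceiling_confidence([e for e in self.evidence if e.phase == p])
                for p in PHASES}

    def collection_gaps(self):
        """Phases with no substantive evidence: mark unknown, do not invent."""
        return [p for p, c in self.ceilings().items() if c == "Gap"]

    def overstated(self):
        """Claims whose stated confidence exceeds what the evidence supports."""
        ceilings = self.ceilings()
        return [(p, claim, ceilings[p]) for p, claim in self.claimed.items()
                if CONFIDENCE_RANK[claim] > CONFIDENCE_RANK[ceilings[p]]]


def technique_for_exploit(source_is_internal):
    """Same exploit, different ATT&CK tactic: the context decides the mapping."""
    if source_is_internal:
        return ("Lateral Movement", "T1210")  # Exploitation of Remote Services
    return ("Initial Access", "T1190")        # Exploit Public-Facing Application


def demo_record():
    """Constructed, illustrative record: C2 was found first, delivery never was."""
    r = KillChainRecord("constructed-intrusion-01")
    r.add(Evidence("Command and Control", "Host beaconed to attacker-controlled domain",
                   Label.OBSERVED, ("own network telemetry",), direct_technical=True))
    r.add(Evidence("Installation", "Vendor report names the implant family",
                   Label.REPORTED, ("vendor-A report",)))
    r.add(Evidence("Reconnaissance and Precursors",
                   "Victim sector matches the campaign's known profile",
                   Label.INFERRED, ("vendor-A report",)))
    r.add(Evidence("Delivery", "No mail or web telemetry for the entry window",
                   Label.CAVEAT))
    r.claimed = {"Command and Control": "High", "Installation": "Moderate",
                 "Reconnaissance and Precursors": "High"}  # last one is overstated
    return r
```

Running `demo_record().overstated()` returns the reconnaissance claim as the one that outruns its evidence, and `collection_gaps()` lists Delivery alongside every phase with no evidence at all, which is what the template's "Collection gaps" fields should carry.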

Conclusion

The Kill Chain is not a checklist that every intrusion follows cleanly. It is a discipline for asking better questions. The strongest use of the model is not “placing every famous case into a box.” The strongest use is identifying what is observed, what is reported, what is assessed, what is inferred, and what remains unknown — and then asking what else could explain the same evidence.

The revised examples show the tradecraft standard a CTI analyst should hold:

  • APT1 is strong evidence for long-term espionage and useful victimology, but victimology alone does not prove reconnaissance methods, and individual-intrusion opportunism cannot be excluded.

  • APT28 reporting should mirror source confidence: likely Russian government-sponsored, not definitively state-directed.

  • SolarWinds requires precision across SUNSPOT, SUNBURST, GoldMax, Sibot, and StellarParticle — and NOBELIUM should be identified as a Microsoft vendor designation associated with APT29 in broader community usage.

  • WannaCry shows that worm behavior combines delivery, exploitation, and propagation — and that T1190 (Initial Access) and T1210 (Lateral Movement) serve different phases even when the same exploit is used.

  • Ukraine 2015 BlackEnergy/KillDisk must be separated from CRASHOVERRIDE/Industroyer by time, malware family, and operational context.

  • NotPetya’s destructive intent is an assessed judgment: the alternative that global scale was an unintended consequence of propagation mechanics cannot be excluded from public evidence alone.

  • Stuxnet’s PLC payload logic was hardcoded, not C2-directed — that distinction matters for how incident responders model the threat and how detection teams scope forensic windows.

Used this way, the Kill Chain helps analysts produce better collection requirements, better detection priorities, and better defensive recommendations without overstating the evidence.
