Unified Kill Chain: The Cyber Attack Cookbook
Ever watched one of those hacker movies and wondered what the hacker is really doing in front of that black terminal filled with green code? With just a few keystrokes, they seem to take control of a nuclear power plant. But what if I told you that real-world cyber attacks follow a series of well-defined steps — a kind of "recipe" that hackers use to execute their plans?
The Unified Kill Chain (UKC) is a cyber defence framework, essentially a "cookbook" designed to help cybersecurity professionals understand the phases of a cyber attack and how to mitigate the risks at each stage.
What Is the Unified Kill Chain?
The term "kill chain" has its origins in military strategy, and like many terms in cybersecurity, it's been adapted to describe the path an attack takes from start to finish. If you don’t understand the general procedure of an attack, you won’t be able to perform comprehensive threat modeling to identify potential attack surfaces and how these systems may be exploited.
The UKC was created by Paul Pols during his master’s thesis. It was designed to complement other defense frameworks like MITRE’s ATT&CK or Lockheed Martin’s Cyber Kill Chain. One of the key advantages of the UKC over other kill chain frameworks is its modern approach and extensive detail. Unlike other frameworks that may only include a few phases, the UKC outlines 18 distinct phases.
For those seeking a detailed overview, it is recommended to read his white paper, which covers everything from initial reconnaissance to data exfiltration across 18 phases. In this blog, I’ll highlight some key phases across three major areas:
Step 1: Gaining the Initial Foothold (Breaking In)
The first step for any hacker is getting inside the network. A hacker will employ numerous tactics to investigate the system for potential vulnerabilities that can be exploited to gain a foothold.

Social Engineering (MITRE Tactic TA0001)
In many cases, the weakest link in a system isn’t the software or the hardware — it’s the people. The hacker manipulates employees through techniques like phishing to gain initial access.
Examples:
- Convincing a user to open a malicious email attachment.
- Setting up a fake login page to steal credentials.
Persistence (MITRE Tactic TA0003)
Once the hacker gains access, they want to ensure they can maintain that foothold. This could mean installing a backdoor or adding the system to their Command & Control (C2) network, allowing them to return anytime.
Examples:
- Creating services on the target system to re-enter later.
- Connecting the target system to a C2 server for remote command execution.
Step 2: Network Propagation (Moving Through the System)
After establishing an initial foothold, the hacker will aim to spread throughout the network, gaining deeper access to critical systems and data.

Pivoting (MITRE Tactic TA0008)
The hacker uses the technique of "pivoting" to move from a compromised system to other internal systems not directly exposed to the internet. This allows them to access more sensitive data or poorly secured systems.
Example:
Compromising a public-facing web server and using it as a gateway to access internal systems within the same network.
Privilege Escalation (MITRE Tactic TA0004)
To maximize their control, the hacker will often try to elevate their access privileges, using vulnerabilities and misconfigurations to gain administrative or higher-level access.
Examples:
- Gaining admin or root account access.
- Using a user account with elevated privileges.
Step 3: Action on Objectives (Taking it out)
The final stage of an attack is where the hacker achieves their ultimate goal, which could range from stealing sensitive data to disrupting operations. Typically, these objectives focus on compromising the core pillars of security: confidentiality, integrity, and availability (the CIA triad).

Exfiltration (MITRE Tactic TA0010)
The hacker will begin stealing valuable data. They often use encryption and compression to avoid detection. The command-and-control (C2) channel and tunnel established during earlier stages will be crucial for executing this phase smoothly.
Objectives
With full access to the network, the hacker is now in a position to achieve their strategic goal — whether that’s financial gain, reputational damage, or something else entirely.
Examples:
- Ransomware attacks, where the hacker demands payment to release encrypted data.
- Publicly releasing sensitive data to damage a company’s reputation.
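As an added example (not code from the original post or from Paul Pols's white paper), here is a defender-side script that maps alerts tagged with the MITRE tactic IDs named above onto the three stages of this post, reports how far along the kill chain each host is, and points out stages with no evidence before the deepest one reached. The `Alert` structure, the stage names and the sample alerts are assumptions constructed for the example.

```python
from dataclasses import dataclass

# The three stages the post walks through, with the MITRE tactic IDs it names in each.
STAGES = [
    ("In: initial foothold", {"TA0001", "TA0003"}),          # social engineering, persistence
    ("Through: network propagation", {"TA0008", "TA0004"}),  # pivoting, privilege escalation
    ("Out: action on objectives", {"TA0010"}),               # exfiltration
]

@dataclass(frozen=True)
class Alert:
    ts: str      # ISO-8601 timestamp (constructed sample data)
    host: str
    tactic: str  # MITRE ATT&CK tactic ID
    title: str

def stage_index(tactic):
    """Map a tactic ID to its stage number (0-2), or None if the post does not cover it."""
    for i, (_, tactics) in enumerate(STAGES):
        if tactic in tactics:
            return i
    return None

def kill_chain_report(alerts):
    """Per host: deepest stage reached, first alert seen at each stage, and stages with no
    evidence before the deepest one. A host already at the 'Out' stage outranks any number
    of 'In'-stage alerts elsewhere; an unobserved earlier stage is where to hunt for what
    the detections missed (e.g. the pivot that led to an exfiltration alert)."""
    by_host = {}
    for a in sorted(alerts, key=lambda a: a.ts):
        i = stage_index(a.tactic)
        if i is None:
            continue
        by_host.setdefault(a.host, {}).setdefault(i, a)  # keep the earliest alert per stage
    report = {}
    for host, seen in by_host.items():
        deepest = max(seen)
        report[host] = {
            "deepest_stage": STAGES[deepest][0],
            "first_alert_per_stage": {STAGES[i][0]: seen[i].title for i in sorted(seen)},
            "unobserved_before_deepest": [STAGES[i][0] for i in range(deepest) if i not in seen],
        }
    return report

# Constructed sample alerts, not real telemetry.
SAMPLE_ALERTS = [
    Alert("2024-05-01T09:02:00", "ws-17", "TA0001", "Phishing attachment opened"),
    Alert("2024-05-01T09:05:00", "ws-17", "TA0003", "New service created by user process"),
    Alert("2024-05-02T14:10:00", "db-01", "TA0010", "Large compressed upload to unknown host"),
    Alert("2024-05-01T11:30:00", "ws-17", "TA0008", "SMB logon to db-01 from ws-17"),
    Alert("2024-05-01T11:45:00", "db-01", "TA0005", "Defense evasion (not covered by this post)"),
]

if __name__ == "__main__":
    for host, r in kill_chain_report(SAMPLE_ALERTS).items():
        print(host, r)
```

For db-01 the report shows the "Out" stage reached with no "In" or "Through" evidence on that host, which is the gap an analyst would investigate next.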