Summary

The Cyber Kill Chain model is one of the models used to represent the phases that an attacker moves through to achieve their objective. The phases, derived from the Lockheed Martin and military models, are reconnaissance, weaponization, delivery, exploitation, installation, command and control (C2), and actions on objectives.

Reconnaissance is about information gathering. This might concern the system in general, but is more likely to target areas with known vulnerabilities. Reconnaissance activity can also reveal information about the attacker or groups that are involved.

Weaponization is where the attacker links the information that's gathered during reconnaissance with known vulnerabilities and exploits.

The delivery phase aims to get the tools to the right location to enact the exploit. This is often an email or a physical delivery (for example, a USB drop).

Exploitation is where the tool is launched against the perceived vulnerability. This opens an entry point for the attacker to launch the next phase.

During installation, the attacker aims to make the breach persistent. This can include reinforcing the exploit, opening up new entry points, or amassing tools inside the system.

In command and control, the adversary attempts to gain hands-on-keyboard access inside the system. They may need to pivot and move laterally to a more capable position, escalate their privileges, and coordinate their activities.

The final stage of the Cyber Kill Chain is actions on objectives. Here, the attacker may extract data, amend or delete it, or deny access to other services. 

The Cyber Kill Chain model appears to be linear, but this is not always the case. Some extensions and amendments have been suggested, including spiral, tree, and unified models, among many others. Regardless of which model or models are chosen and used, the ability to identify the stages of an attack allows the defender to predict future actions, conduct retrospective analysis on probable prior actions, and contain, delete, and mitigate all of these.
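The following sketch illustrates that last point from the defender's side; it is an added example, not code from the book. It takes alerts per host, finds the deepest phase observed, lists earlier phases with no evidence (candidates for retrospective analysis), and lists the phases to anticipate next. The alert category names, host names, and sample alerts are constructed assumptions.

```python
from collections import defaultdict

# The seven phases in the order the summary lists them.
PHASES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command and control", "actions on objectives"]

# Hypothetical alert categories mapped to phases (an assumption for this
# example; a real deployment would map its own detection rule names).
ALERT_PHASE = {
    "port_scan": "reconnaissance",
    "phishing_email": "delivery",
    "usb_device_inserted": "delivery",
    "exploit_signature": "exploitation",
    "new_autorun_entry": "installation",
    "beaconing": "command and control",
    "bulk_data_transfer": "actions on objectives",
}

# Constructed sample alerts: (timestamp, host, category).
SAMPLE_ALERTS = [
    ("2024-01-10T09:02", "ws-17", "phishing_email"),
    ("2024-01-10T09:40", "ws-17", "new_autorun_entry"),
    ("2024-01-10T11:15", "ws-17", "beaconing"),
    ("2024-01-09T22:30", "srv-03", "port_scan"),
    ("2024-01-10T08:00", "srv-03", "unknown_category"),
]

def assess(alerts):
    """Per host: deepest phase seen, earlier phases lacking evidence, phases to expect."""
    seen = defaultdict(set)
    for _ts, host, category in alerts:
        phase = ALERT_PHASE.get(category)
        if phase is not None:  # unmapped categories are skipped, not guessed
            seen[host].add(phase)
    report = {}
    for host, phases in seen.items():
        deepest = max(PHASES.index(p) for p in phases)
        report[host] = {
            "deepest": PHASES[deepest],
            # Retrospective analysis: earlier phases with no alert on record.
            "review": [p for p in PHASES[:deepest] if p not in phases],
            # Prediction: phases that follow the deepest one observed.
            "expect": PHASES[deepest + 1:],
        }
    return report

if __name__ == "__main__":
    for host, result in sorted(assess(SAMPLE_ALERTS).items()):
        print(host, result)
```

Weaponization takes place on the attacker's side, so it will normally appear in the review list with no local telemetry to find; the other gaps are where log review is most likely to pay off.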
