Understanding the Cyber Kill Chain

The Cyber Kill Chain framework was developed by Lockheed Martin to identify the actions adversaries must take to successfully exploit their targets.

The framework has three phases comprising seven steps:

  • Phase 1: Preparation: The adversary is looking for the soft spots in your organization and figuring out a way to exploit a vulnerability:
    1. Reconnaissance
    2. Weaponization
  • Phase 2: Intrusion: The adversary has found a vulnerability to exploit, a means to deliver it, and needs their target to take the bait so that it can begin taking control of targeted systems:
    1. Delivery
    2. Exploitation
    3. Installation
  • Phase 3: Breach: The adversary has control and is now taking follow-on steps to maintain and improve their position on the network for other malicious actions:
    1. Command and Control
    2. Actions on Objective

The framework helps contextualize the steps taken from the viewpoint of an advanced persistent threat (APT), and similar variations of these steps are performed by penetration teams globally. The idea is to understand these steps, identify where a particular threat is within the chain, and stop it. Just as each organization executes its business processes differently, APTs, hacktivists, and script kiddies each have their own way of operating. These are referred to as the techniques, tactics, and procedures (TTPs) of the specific threat. By understanding that different threats have their own TTPs, we can use cyber intelligence to begin attributing specific actions or behaviors to threats.
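To make "identify where a particular threat is within the chain" concrete, the following is an added example (not from the original text). It takes alerts already tagged with one of the seven steps and reports, per host, the furthest step reached, its phase, and the earlier steps that produced no alert. The host names, alert details, and the `assess` function are constructed for illustration.

```python
from collections import defaultdict

# The three phases and seven steps as listed above, in chain order.
KILL_CHAIN = [
    ("Preparation", "Reconnaissance"),
    ("Preparation", "Weaponization"),
    ("Intrusion", "Delivery"),
    ("Intrusion", "Exploitation"),
    ("Intrusion", "Installation"),
    ("Breach", "Command and Control"),
    ("Breach", "Actions on Objective"),
]
STEP_INDEX = {step: i for i, (_, step) in enumerate(KILL_CHAIN)}

# Constructed sample alerts (hypothetical hosts and detections), each already
# tagged by an analyst or detection rule with the step it belongs to.
SAMPLE_ALERTS = [
    {"host": "ws-014", "step": "Delivery", "detail": "phishing attachment received"},
    {"host": "ws-014", "step": "Installation", "detail": "new autorun entry"},
    {"host": "ws-014", "step": "Command and Control", "detail": "periodic beacon to rare domain"},
    {"host": "srv-db2", "step": "Reconnaissance", "detail": "external port scan"},
]

def assess(alerts):
    """Per host: furthest step reached, its phase, and earlier steps with no alert."""
    seen = defaultdict(set)
    for alert in alerts:
        # An unknown step name raises KeyError rather than being silently dropped.
        seen[alert["host"]].add(STEP_INDEX[alert["step"]])
    report = {}
    for host, indices in seen.items():
        furthest = max(indices)
        phase, step = KILL_CHAIN[furthest]
        # Earlier steps with no alert: places where detection had no visibility.
        gaps = [KILL_CHAIN[i][1] for i in range(furthest) if i not in indices]
        report[host] = {
            "phase": phase,
            "furthest_step": step,
            "undetected_earlier_steps": gaps,
        }
    return report

if __name__ == "__main__":
    for host, result in sorted(assess(SAMPLE_ALERTS).items()):
        print(host, result)
```

The list of undetected earlier steps is as useful as the furthest step: it shows where the threat moved through the chain without being seen, which is where detection coverage needs work.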

The focus of techniques, tactics, and procedures has been on specific hacker groups and nation-state organizations. However, we cannot limit TTPs to just these organizations or actors. There is also the threat that a system administrator may venture into a database that they are not intended to view. We can look at the system administrator as the threat, but we can also start to treat the capability in our network that allowed the system administrator to traverse to that database as a threat.