{
    "slug": "attack_chain",
    "term": "Attack Chain / Cyber Kill Chain",
    "category": "security",
    "difficulty": "advanced",
    "short": "A sequential model of cyberattack stages from reconnaissance to exfiltration — used to identify optimal detection and disruption points.",
    "long": "The Cyber Kill Chain (Lockheed Martin) and MITRE ATT&CK model attacks as sequences: Reconnaissance, Weaponisation, Delivery, Exploitation, Installation, Command & Control, then Actions on Objectives. Understanding the chain helps defenders identify the earliest disruption point — blocking delivery via a WAF is far cheaper than responding to active exfiltration. For PHP web applications, a typical chain runs: automated scanner reconnaissance, SQLi or file upload exploitation, webshell installation, reverse shell C2, then database dump. Defence-in-depth aims to break the chain at multiple simultaneous stages.",
    "aliases": [
        "exploit chain",
        "kill chain",
        "attack sequence"
    ],
    "tags": [
        "threat-modelling",
        "red-team",
        "security-concepts"
    ],
    "misconception": "Fixing one vulnerability in a chain prevents the full attack. Attackers pivot — removing one step forces them to find an alternative, but a four-step chain with one step removed is still a three-step attack.",
    "why_it_matters": "Real attacks rarely exploit a single vulnerability — they chain low-severity issues into high-impact compromise. Treating vulnerabilities in isolation understates the actual risk.",
    "common_mistakes": [
        "Accepting low CVSS scores as low risk without considering chain potential with other issues.",
        "Fixing a high-severity step in a chain while ignoring enabling vulnerabilities that still allow reconstitution.",
        "Threat modelling single vulnerabilities rather than attacker goals and multi-step paths to achieve them.",
        "Not considering that information disclosure findings enable injection or authentication attacks downstream."
    ],
    "when_to_use": [
        "Use attack chain thinking during threat modelling to evaluate how low-severity findings combine into critical paths — a finding that seems minor in isolation may be the missing link in a chain.",
        "Apply it when triaging security reports: trace each finding backward (what does an attacker need first?) and forward (what does this enable next?)."
    ],
    "avoid_when": [
        "Do not dismiss individual low-severity findings without checking whether they are part of a chain — information disclosure + IDOR + privilege escalation can each be \"low\" severity individually."
    ],
    "related": [
        "defence_in_depth",
        "threat_intelligence",
        "penetration_testing",
        "incident_response"
    ],
    "prerequisites": [
        "threat_modelling",
        "broken_access_control",
        "information_disclosure"
    ],
    "refs": [
        "https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html"
    ],
    "bad_code": "<?php\n// Information disclosure enables the chain:\nheader('X-Debug-Info: DB_HOST=db.internal DB_PASS=s3cr3t'); // Step 1: leaks creds\n// Attacker uses creds to access admin endpoint:\n// GET /admin/export?table=users — no auth check (Step 2: privilege escalation)",
    "good_code": "# Attack chains combine individually low-severity issues into critical impact\n\n# Example: Stored XSS + CSRF bypass + privilege escalation\n# Step 1: Attacker stores XSS in profile bio (stored XSS — Medium)\n# Step 2: Admin views profile — XSS fires in admin session\n# Step 3: XSS POSTs to /admin/create-user with admin role (CSRF — Medium)\n# Result: Attacker has admin account (Critical)\n\n# Defence: each layer stops the chain\n# Input sanitisation → stops Step 1\n# CSP → stops Step 2 even if Step 1 slips through\n# SameSite=Strict → stops Step 3 even if Steps 1+2 succeed\n\n# In threat modelling: trace multi-step attack paths, not just single issues",
    "example_note": "The bad example leaks internal host and credentials in a debug header — trivial on its own, but it provides the reconnaissance step that makes a subsequent SSRF or credential-stuffing attack trivially easy.",
    "quick_fix": "Think in chains: an information disclosure (stack trace) that reveals a path, combined with an LFI, becomes a full compromise — fix low-severity findings that could be combined with others.",
    "severity": "high",
    "effort": "medium",
    "created": "2026-03-15",
    "updated": "2026-03-31",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/attack_chain",
        "html_url": "https://codeclaritylab.com/glossary/attack_chain",
        "json_url": "https://codeclaritylab.com/glossary/attack_chain.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Attack Chain / Cyber Kill Chain](https://codeclaritylab.com/glossary/attack_chain) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/attack_chain"
            }
        }
    }
}