When talking about how attackers get into a network, it helps to think in stages. The Cyber Kill Chain, a framework created by Lockheed Martin, breaks a cyberattack down into a set of steps that almost every attack follows in some form. These stages include reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. Each phase offers a moment where defenders can detect, block, or slow down an attacker. In this write-up, we’ll focus on the “Delivery” phase, which sits in the middle of the chain and acts as the bridge between external attacker activity and internal compromise. Understanding how attackers use the delivery stage is key to designing real-world defenses that work before serious damage is done.
Understanding CKC Delivery
Before attackers can steal data, lock up systems, or pivot through a network, they need to get their malicious code to a target. That step is delivery. It’s the moment the payload—often malware or a malicious script—is moved from the attacker’s infrastructure into the environment of the target. In the simplest terms, delivery is about how the weapon reaches the victim. It doesn’t matter how good the malware is if it never makes it to the endpoint. Delivery methods depend on the attacker’s goals, the tools they have, and how much they know about the target. They can use phishing emails, infected websites, USB devices, or direct network connections. These tactics vary in complexity, but all aim to get something harmful into a place where it can run.
This stage connects the planning and building part of an attack with the actual compromise. The attacker first picks a delivery method based on the environment and the people inside it. If the target works in a heavily locked-down system with no internet access, physical delivery might be the only option. If the user base is known to click on email links without thinking, phishing becomes the natural choice. If the environment exposes some port to the internet and runs outdated services, the delivery might be as easy as opening a direct TCP connection and pushing the payload that way. In every case, the attacker is looking for the weakest point of entry. They have already spent time in the reconnaissance phase learning about the organization, and in the weaponization phase building or picking a payload. Delivery is where those two come together.
Defenders often see delivery as the first “visible” stage of the attack. While earlier stages involve scanning, researching, or building tools, delivery usually touches the real environment—an email inbox, a website, a download. That contact is what allows for detection. Endpoint protection tools might scan an attachment. Email gateways may block messages. Web proxies can flag drive-by downloads. Still, the delivery stage often slips past defenses, especially if the method blends into normal user behavior. A macro in a resume sent to HR, a PDF invoice to a finance department, or a link to a fake job posting for a recruiter—all look plausible until they’re not. Because delivery touches so many systems—mail, web, USB drives, network ports—it becomes a broad surface for both attackers and defenders to work with.
In the mix…
To show how delivery plays out in real life, consider the 2016 attack on the Ukrainian power grid. That attack had several stages, but the delivery phase stood out because of how well it bypassed initial defenses. Attackers sent emails with malicious Word documents to employees across several energy companies. These emails were crafted to look like legitimate communications from known business contacts. When opened, the documents prompted users to enable macros, claiming that content was blocked for security reasons. Once macros were enabled, the malware launched. The actual payload—a version of BlackEnergy—was now active in the environment, and the attackers moved forward with exploitation and lateral movement.
What makes this example so effective as a case study is how unremarkable the delivery method seemed. Phishing emails with malicious attachments are one of the oldest tricks in the book. What made them work here wasn’t advanced code or unknown zero-days. It was timing, language, and familiarity. The attackers had done their homework. They knew the people, the communication patterns, and the expectations of the employees they were targeting. That’s the delivery phase at its most effective—not flashy, but accurate. It’s about choosing a path that the target doesn’t question.
The Ukrainian attack also shows why this stage matters so much to defenders. Once the payload was delivered, the rest of the attack moved fast. Systems got compromised, and attackers quickly disabled backups and disrupted power systems. But all that only became possible after delivery. If those documents had been blocked, sandboxed, or even ignored by the users, the rest of the chain would have broken. This underlines a hard truth in cybersecurity: many big attacks start with small, boring actions. A file opened at the wrong time. A link clicked without a second thought. That’s delivery.
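As an added defender-side illustration (not code from the article), the following Python sketches the kind of mail-gateway check that the detection paragraph and the Ukraine case study describe: it flags the three delivery cues the text names, a macro-capable Office attachment, "enable content" lure wording, and a sender display name that matches a known business contact but arrives from a different domain. Every contact, domain and message below is constructed.

```python
import re
from dataclasses import dataclass

# Delivery-stage cues modelled on the macro-document lure described in the text.
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".dotm")
LEGACY_OFFICE = (".doc", ".xls", ".ppt")        # binary formats that can embed VBA
LURE_PATTERN = re.compile(
    r"enable\s+(content|macros|editing)|content\s+(has\s+been|is|was)\s+blocked", re.I)
# Display name of a trusted contact -> the domain that contact really writes from (constructed).
KNOWN_CONTACTS = {"Anna Petrova": "partner-energy.example"}

@dataclass
class Message:
    sender_name: str
    sender_addr: str
    subject: str
    body: str
    attachments: list

def delivery_indicators(msg):
    """Return the list of delivery-stage indicators found in one inbound message."""
    hits = []
    domain = msg.sender_addr.rsplit("@", 1)[-1].lower()
    for name in msg.attachments:
        low = name.lower()
        if low.endswith(MACRO_EXTENSIONS):
            hits.append(f"macro-enabled attachment: {name}")
        elif low.endswith(LEGACY_OFFICE):
            hits.append(f"legacy Office attachment that may carry macros: {name}")
    if LURE_PATTERN.search(msg.subject) or LURE_PATTERN.search(msg.body):
        hits.append("enable-macros lure wording")
    expected = KNOWN_CONTACTS.get(msg.sender_name)
    if expected and domain != expected:
        hits.append(f"display name '{msg.sender_name}' but domain {domain} != {expected}")
    return hits

def verdict(msg):
    """Map the indicator count to a gateway action: deliver, sandbox or quarantine."""
    n = len(delivery_indicators(msg))
    return "deliver" if n == 0 else "sandbox" if n == 1 else "quarantine"

SAMPLE = [  # constructed inbound messages, not real traffic
    Message("Anna Petrova", "a.petrova@partner-energy.example", "Q3 schedule",
            "Attached is the updated maintenance schedule.", ["schedule.pdf"]),
    Message("Anna Petrova", "a.petrova@partner-enrgy.example", "Urgent: contract",
            "Content has been blocked for security reasons. Enable content to view.",
            ["contract.docm"]),
    Message("Payroll", "payroll@corp.example", "Timesheet", "Please review.", ["timesheet.xls"]),
]
```

Running `verdict(m)` over `SAMPLE` yields deliver, quarantine and sandbox respectively; a single legacy Office attachment is routed to sandboxing rather than blocked outright, since the page notes such attachments are routine business traffic.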
Learning and moving forward
In closing, delivery may seem like a simple step in the Cyber Kill Chain, but it carries weight. It’s the first real-world contact between attacker and environment. It’s where plans become reality, where tools meet targets. Understanding how delivery works means thinking like an attacker—asking how you would get something dangerous past the people and tools in place. But it also means thinking like a defender—figuring out how to recognize, block, or slow that delivery before anything worse happens. For cybersecurity teams, especially those just getting familiar with CKC, focusing on delivery is a smart place to start. It’s visible. It’s testable. And when done right, it can stop attacks before they ever get off the ground.
How did you find this article? What are we missing? How does your practice "go further" than what we've laid out today?