SCAN

Your website for malware or malicious redirects!

DETECT

Any suspicious activity on your website!

ALERT

Your website administrator or any specialized company!

KEEP

An open, safe and secure cyberspace!

Cyber-Attacks Structure

The structure of cyber-attacks has been defined by Lockheed Martin researchers using the Cyber Kill Chain intrusion model.

The intrusion model consists of the following steps: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and action on objective. In terms of an attack on a cyber-infrastructure or of spying on traffic in a computer network, these steps consist of:

  • Reconnaissance – research, identification and selection of targets: this may mean looking for e-mail addresses, social relationships, data about a particular technology, or information displayed on various websites;
  • Weaponization – building a malware application (for example, a computer trojan) that, combined with an exploitable security flaw, allows remote access. PDF (Portable Document Format) files or Microsoft Office files can also serve as weapons available to the attacker;
  • Delivery – transmitting the weapon to the target environment. The main delivery channels are e-mail (infected file attachments), web platforms (running malware scripts), or removable USB storage devices;
  • Exploitation – after the weapon is delivered to the victim, an application or an operating system vulnerability is targeted. The infected file can launch the malware code through an auto-execution facility, or it can be executed by the user;
  • Installation – infecting a victim system with a computer trojan, backdoor or other malware application of this type that ensures the attacker’s presence in the target environment;
  • Command and control – usually an infected host must be reachable from outside the local network to establish a command and control channel between the victim and the attacker. Once this bidirectional communication has been established, the attacker has access inside the target environment and can usually control the activity by manually launching commands;
  • Action on objective – after the first six phases, the attacker can act to achieve their goals. These actions typically consist of collecting information, modifying data integrity, or attacking the availability of services and devices, but the victim system can also be used as a starting point for infecting other systems or for expanding access to the local network.

The Cyber Kill Chain intrusion model is a new method of analysis that security analysts use to understand what information is available for taking defensive action.