The Kill Chain Fallacy: Why Process is Not Taxonomy

The Cyber Kill Chain® revolutionized how we analyze incident timelines, but relying on it for Risk Management is a strategic error.

TLCTC Team

To understand risk, we must distinguish the "When" (Kill Chain) from the "What" and "Why" (TLCTC).

For over a decade, the Cyber Kill Chain (CKC) has been the de facto standard for describing cyber intrusions. It provides a linear narrative: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, C2, Actions on Objectives. While invaluable for operational incident response, the CKC fails to answer the fundamental question of Risk Management: What is the underlying cause of the compromise?

Within the TLCTC framework, we recognize that the Kill Chain is a process model, not a threat taxonomy. Attempting to use it for categorization creates ambiguity that breaks risk registers and attack path analysis.

1. Why the Kill Chain Fails at Categorization

Effective Risk Management requires clear, non-overlapping categories rooted in causality (Axiom I). The Kill Chain categorizes by the point in time at which an event occurs, not by the nature of the vulnerability being exploited.

Consider the CKC phase "Exploitation." To a risk manager, this label is insufficient. Exploitation of what?

Cyber Kill Chain View

Phase: Exploitation

The attack is in the "Exploitation" phase. This tells us when it is happening (after delivery, before installation), but nothing about the nature of the threat or the control required.

TLCTC View

Cause: Vulnerability Specific

TLCTC distinguishes what is being exploited:

  • #2 Exploiting Server: A code flaw on the server side.
  • #3 Exploiting Client: A code flaw in the browser/client.
  • #1 Abuse of Functions: Misuse of logic (no code flaw).

The Consequence

If you categorize risks by Kill Chain phases, you cannot align controls. Controls for #2 (WAF, Input Validation) are entirely different from controls for #3 (Browser Isolation, Patching Client Apps) or #1 (Logic constraints). Risk Management requires causal precision, which only TLCTC provides.

Visualizing the Fallacy

Time (Process)       Cause (Taxonomy)
1. Delivery          #9 Social Eng.: Human Vulnerability (Phishing)
2. Exploitation      #3 Client Exp.: Browser/App Vulnerability
3. Installation      #7 Malware: Execution of foreign code

How to read: The top layer shows Time (Process). The bottom layer defines the Reality (Taxonomy).

2. The Problem with Attack Path Notation

The Kill Chain describes a sequence of stages, but modern attacks are sequences of vectors. An attack path notation must describe the mechanics of the hop, not just the fact that a hop occurred.

In the CKC, "Delivery" is a phase. But how was the payload delivered? Was it via email (Human Vulnerability), a USB drive (Physical Vulnerability), or a compromised update (Supply Chain Trust)?

Example: The "Phishing to Ransomware" Path

CKC Description: Delivery → Exploitation → Installation → C2 → Actions on Objectives
TLCTC Notation: #9 → #3 → #7 → #7 → #4 → (#1 + #7)

Why TLCTC is Superior:

  • #9 identifies the root cause: Social Engineering (Human vulnerability).
  • #3 identifies the technical entry: Exploiting Client (e.g., browser vulnerability from the link).
  • #7 identifies the payload: Malware execution.
  • #4 identifies the lateral movement mechanism: Identity Theft (Credential use).
  • #1 + #7 identifies the impact mechanism: Abuse of Functions (encryption) + Malware.

The CKC notation is generic; the TLCTC notation is a precise blueprint for the attack path that maps directly to specific generic vulnerabilities (Axiom II).
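As an added, illustrative example (not code from the TLCTC project or this article), here is a small Python parser for the attack path notation used above. It accepts "→" or "->" between hops and parenthesised composite hops such as (#1 + #7), rejects cluster ids outside #1 to #10, and derives the root cause and the set of clusters a path touches. The cluster names follow this article; #8 is not named on this page and is an assumption taken from the framework.

```python
import re
from typing import FrozenSet, List, Sequence

# Cluster names as this article uses them. #8 is not named on this page and is
# assumed from the TLCTC framework ("Physical Attack").
CLUSTERS = {
    1: "Abuse of Functions",
    2: "Exploiting Server",
    3: "Exploiting Client",
    4: "Identity Theft",
    5: "Man in the Middle",
    6: "Flooding",
    7: "Malware",
    8: "Physical Attack",  # assumption: not stated on this page
    9: "Social Engineering",
    10: "Supply Chain",
}

# A hop is one step of the path; a composite hop such as (#1 + #7) holds
# more than one cluster id.
Hop = FrozenSet[int]


def parse_path(notation: str) -> List[Hop]:
    """Parse '#9 → #3 → #7 → (#1 + #7)' into a list of hops (frozensets of ids)."""
    text = notation.replace("->", "→")
    hops: List[Hop] = []
    for raw in text.split("→"):
        token = raw.strip()
        if token.startswith("(") and token.endswith(")"):
            token = token[1:-1]
        elif "(" in token or ")" in token:
            raise ValueError(f"unbalanced parentheses in hop {raw!r}")
        ids = set()
        for part in token.split("+"):
            match = re.fullmatch(r"#(\d+)", part.strip())
            if not match:
                raise ValueError(f"malformed cluster reference in hop {raw!r}")
            cid = int(match.group(1))
            if cid not in CLUSTERS:
                raise ValueError(f"unknown cluster #{cid} in hop {raw!r}")
            ids.add(cid)
        hops.append(frozenset(ids))
    return hops


def format_hop(hop: Hop) -> str:
    """Render a hop back into notation, parenthesising composites."""
    body = " + ".join(f"#{i}" for i in sorted(hop))
    return f"({body})" if len(hop) > 1 else body


def to_notation(hops: Sequence[Hop]) -> str:
    """Inverse of parse_path: hops back into '#a → #b → (#c + #d)' form."""
    return " → ".join(format_hop(h) for h in hops)


def describe_path(notation: str) -> List[str]:
    """One human-readable line per hop, e.g. '#9 Social Engineering'."""
    return [
        " + ".join(f"#{i} {CLUSTERS[i]}" for i in sorted(hop))
        for hop in parse_path(notation)
    ]


def root_cause(notation: str) -> Hop:
    """The first hop is the initial access mechanism (here #9, phishing)."""
    return parse_path(notation)[0]


def clusters_involved(notation: str) -> List[int]:
    """Sorted, de-duplicated cluster ids: the rows of a cause-oriented risk
    register that this path touches (one row per generic vulnerability)."""
    return sorted({cid for hop in parse_path(notation) for cid in hop})


if __name__ == "__main__":
    path = "#9 → #3 → #7 → #7 → #4 → (#1 + #7)"  # the article's example path
    for line in describe_path(path):
        print(line)
    print("root cause:", format_hop(root_cause(path)))
    print("register rows:", clusters_involved(path))
```

Because each hop is a set of cluster ids, a composite hop round-trips through `to_notation` unchanged, and `clusters_involved` collapses the repeated #7 hops (Installation and C2 both being Malware) into a single register row.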

3. Integration into Risk Management (The Bow-Tie)

Risk Management relies on the Bow-Tie model: Threat (Cause) → Event → Consequence (Effect).

The Kill Chain mixes these elements. "Actions on Objectives" (Phase 7) is often an effect (e.g., Data Exfiltration), not a threat. "Weaponization" (Phase 2) is an actor activity, not a system risk. "Command and Control" (Phase 6) is a state of connectivity.

TLCTC aligns perfectly with the Left Side (Cause) of the Bow-Tie:

  • For every generic vulnerability, there is ONE threat cluster (Axiom I).
  • This allows for a clean 10x5 Risk Register when mapped to NIST functions (Identify, Protect, Detect, Respond, Recover).

You cannot build a risk register based on "Reconnaissance" because Reconnaissance is an actor behavior (Axiom V), not a vulnerability in your system. You can build a risk register based on #4 Identity Theft or #2 Exploiting Server.

4. The Verdict: Complementary, Not Competitive

Does this mean the Cyber Kill Chain is useless? Absolutely not. We must view them as complementary layers in a comprehensive strategy.

The Synthesis: Use the Cyber Kill Chain for Operational Timeline Analysis and TLCTC for Strategic Threat Categorization and Risk Management.

How they fit together:

Intelligence Driven Defense (IDD): When analyzing a campaign using the Kill Chain, use TLCTC to define the specific mechanics at each phase.

  • CKC Delivery: could be #9, #5 (MitM), or #10 (Supply Chain).
  • CKC Exploitation: is strictly #2 (Server) or #3 (Client).
  • CKC Installation: is strictly #7 (Malware).
  • CKC Actions on Objectives: could be #4 (Identity Theft), #1 (Abuse of Functions), or #6 (Flooding).
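The phase-to-cluster mapping above can be turned into a consistency check for an incident write-up. The following Python is an added example, not TLCTC's own tooling: it encodes the mapping with the article's "strictly" versus "could be" distinction, treats Reconnaissance and Weaponization as actor activity that carries no cluster (Axiom V), and assumes, from the example path in section 2, that Command and Control corresponds to #7. Given a timeline already labelled with both a Kill Chain phase and a TLCTC hop, it reports hard errors (a hop in a "strictly" phase that is not permitted) and informational notes (a hop outside a non-exhaustive "could be" list).

```python
from typing import Dict, FrozenSet, List, Sequence, Tuple

# Kill Chain phase -> (clusters the article lists for it, strict?).
# strict=True mirrors "is strictly"; strict=False mirrors "could be" (non-exhaustive).
# An empty cluster set marks actor activity that carries no threat cluster.
PHASE_MAP: Dict[str, Tuple[FrozenSet[int], bool]] = {
    "Reconnaissance": (frozenset(), True),       # actor behaviour, Axiom V
    "Weaponization": (frozenset(), True),        # actor activity, not a system risk
    "Delivery": (frozenset({9, 5, 10}), False),
    "Exploitation": (frozenset({2, 3}), True),
    "Installation": (frozenset({7}), True),
    "Command and Control": (frozenset({7}), False),  # assumption from the example path
    "Actions on Objectives": (frozenset({4, 1, 6}), False),
}

# (severity, message); severity is "error" or "info".
Finding = Tuple[str, str]


def fmt(ids) -> str:
    """Render cluster ids as '#1, #7'."""
    return ", ".join(f"#{i}" for i in sorted(ids))


def check_alignment(pairs: Sequence[Tuple[str, FrozenSet[int]]]) -> List[Finding]:
    """Check each (phase, hop) pair of a labelled timeline against PHASE_MAP."""
    findings: List[Finding] = []
    for phase, hop in pairs:
        if phase not in PHASE_MAP:
            findings.append(("error", f"{phase}: not a Kill Chain phase"))
            continue
        allowed, strict = PHASE_MAP[phase]
        if not allowed:
            # Recon/Weaponization: any attached cluster is a categorisation error.
            if hop:
                findings.append(("error", f"{phase}: actor activity, carries no "
                                          f"threat cluster (got {fmt(hop)})"))
            continue
        outside = hop - allowed
        if not outside:
            continue
        if strict:
            findings.append(("error", f"{phase}: {fmt(outside)} not permitted; "
                                      f"strictly {fmt(allowed)}"))
        else:
            findings.append(("info", f"{phase}: {fmt(outside)} not among listed "
                                     f"clusters {fmt(allowed)}"))
    return findings


def errors_only(findings: Sequence[Finding]) -> List[str]:
    """Just the hard errors, for a pass/fail gate on a write-up."""
    return [msg for sev, msg in findings if sev == "error"]


def candidate_phases(cluster: int) -> List[str]:
    """Kill Chain phases in which a given cluster may appear, per PHASE_MAP."""
    return [p for p, (allowed, _) in PHASE_MAP.items() if cluster in allowed]


# The article's phishing-to-ransomware path, aligned to its CKC description.
# The final composite hop (#1 + #7) is attached to Actions on Objectives.
PHISHING_TO_RANSOMWARE = [
    ("Delivery", frozenset({9})),
    ("Exploitation", frozenset({3})),
    ("Installation", frozenset({7})),
    ("Command and Control", frozenset({7})),
    ("Actions on Objectives", frozenset({4})),
    ("Actions on Objectives", frozenset({1, 7})),
]

if __name__ == "__main__":
    for severity, message in check_alignment(PHISHING_TO_RANSOMWARE):
        print(f"[{severity}] {message}")
    print("#7 may appear in:", candidate_phases(7))
```

Run against the article's own example, the checker raises no error and one informational note: #7 inside the final (#1 + #7) hop is not in the "could be" list for Actions on Objectives. A write-up that tagged Installation with #4, or attached any cluster to Reconnaissance, would fail the `errors_only` gate.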

Key Takeaways for the CISO

  • Stop using the Kill Chain to structure your Risk Register. It describes time, not risk.
  • Start using TLCTC to categorize threats based on the generic vulnerability exploited (Cause-Oriented).
  • Use TLCTC notation (#X → #Y) to map Attack Paths, providing a precise definition of how trust boundaries are crossed.
  • Integrate the two: Use CKC to tell the story of the attack timeline, and TLCTC to define the technical reality of the attack mechanics.

Document References

This analysis is based on and aligns with the concepts defined in TLCTC White Paper Version 1.9.1 (November 2025) and A Threat-Driven Approach to Cyber Security (Lockheed Martin, 2019).