During which phase of the Lockheed Martin cyber kill chain is persistent access typically established?

The establishment of persistent access occurs during the Installation phase of the Lockheed Martin cyber kill chain. During this phase, the adversary implements their malicious code or tools onto the target system after successfully exploiting a vulnerability. This step is crucial as it not only allows the attacker to maintain access, but it also prepares the ground for further exploitation or lateral movement within the network.

Following exploitation, which involves taking advantage of a vulnerability to gain control over the system, the next logical step is to install software that ensures the attacker can return to the compromised system whenever necessary. The tools used during this phase are often designed to create backdoors or hidden entrances into the system, enabling the attacker to maintain their foothold despite potential detection or remediation efforts by defenders.

The other phases, such as Delivery and Weaponization, focus on initial steps like sending malware payloads or preparing exploits, respectively, but do not involve the actual establishment of persistent access on the target system. Therefore, Installation is the key phase where persistent access is secured.