The cyber kill chain is another way to look at the incident response process: think from the attacker's perspective. There are 7 phases in this model:
1) Reconnaissance: Gather information about the organization using all the tools at the adversary's disposal. This is often hard to detect and to distinguish from normal user activity.
2) Weaponization: In this phase an adversary decides things like what malware to use, whether to use a Word document or something else, shellcode or a PowerShell script, etc.
3) Delivery: The intruder decides how to deliver the payload, for example by phishing or by other means such as exploiting a vulnerability.
4) Exploitation: In this phase, software, human or hardware vulnerabilities are exploited.
5) Installation: The adversary establishes a foothold in this phase by moving laterally, establishing persistence, etc.
6) Command and Control: The communication channel will be established between the payload and the control channel.
7) Action on Objective: The intruder executes his/her objective, which may be data exfiltration, denial of service, etc.
Mnemonic: Rob wrestled Dave every day in the common area