Human Disruption - Breaking the Cyber Kill Chain
A brief overview of the importance of the human element in disrupting cyber kill chains.
Contents
What is the Cyber Kill Chain Model?
The ‘kill chain’ concept is a borrowed military term that outlines the stages of an adversary’s attack methodology. Intercepting attackers at multiple points increases the likelihood of disrupting the threat or forcing the adversary to take more detectable actions.
The prevailing application of kill chain models focuses on technology and often overlooks the human element. Incorporating human aspects, like security awareness and end-user education, isn’t just another security control; it’s a unique approach to managing the fallibility humans introduce into any system or process.
Kill chain models focus on technology and overlook the human element. Incorporating the human aspects, like end-user education is more than just another security control.
Applying the Human Element to Cyber Kill Chains
Distilling a kill chain into its constituent steps is often highly context-dependent. In general, however, it can be conceptualised into the following categories:
Reconnaissance
Weaponisation
Delivery
Exploitation
Persistence
Command and Control
Actions on objectives
The following will briefly consider the human element at each step and how it can disrupt or detect an attack.
Reconnaissance
The threat actor conducts preliminary information gathering.
Understanding their role as potential targets, an informed workforce or user base can significantly reduce information leakage by exercising caution on social media, verifying identities over the phone, and securely disposing of sensitive documents. While not a strategy that can mitigate the risk completely, these practices can impede an attacker’s reconnaissance efforts.
Weaponisation
The threat actor prepares appropriate tactics, techniques, and tools without direct contact with the target.
Limited security measures can disrupt this phase, except where a threat actor conducts preliminary testing on the target. In this case, an informed user base can act as additional “sensors” of Indicators of Compromise (IoCs).
Delivery
The threat actor launches the attack against the target.
While technical solutions strive to block this phase, human intuition and adaptability can also be crucial. People are often the first line of defence in recognising and countering attacks, especially those involving social engineering. Regular training and awareness programs can significantly enhance this human firewall.
Highly observant technical staff with a natural sense of curiosity and a keen eye for detail can also be invaluable. Take, for example, the case of a Microsoft Engineer who noted a few subtle but odd symptoms around a sub-component of a Linux package. After investigating, it ultimately led to the identification that the upstream packages had been backdoored.
Exploitation
The threat actor executes the attack by, for example, exploiting vulnerabilities.
Educated users are more likely to maintain updated systems and use security software, reducing the chances of successful exploitation. Awareness about phishing, suspicious links, and attachments can prevent many exploitation attempts.
Installation (Persistence)
The threat actor establishes persistence to a compromised target.
If an attack has reached this stage, technical solutions are arguably the best line of defence, but humans can still play a crucial role. With their daily interaction with systems, users are ideally positioned to notice anomalies in performance or behaviour that could be symptomatic of an attack. Encouraging users to report unusual activities can lead to early detection.
Command & Control (C2)
Compromised systems contact the threat actor’s external infrastructure for further instructions.
Proactive threat hunting aims to identify suspicious communications. Educated users who understand the importance of network hygiene and the signs of a compromised system can contribute by reporting unusual outbound traffic or behaviours.
Actions on Objectives
The threat actor pursues their ultimate goal within the compromised network.
Users' security-conscious behaviours—such as using strong passwords and scrutinising login activities—can complicate attackers’ efforts, enhancing the organisation’s detection capabilities and delaying lateral movement, data exfiltration, or privilege escalation. Encouraging a culture of security and vigilance can significantly disrupt an adversary’s ability to achieve their objectives.
Conclusion
Breaking a cyber kill chain is not solely the domain of technological solutions. Organisations can create a more robust defence against cyber threats by incorporating the human element at each stage. Security awareness and end-user education are critical components that enhance the overall security posture, making it more difficult for attackers to succeed.