Digital illustration with the text: Breaking the Cyber Kill Chain: Employees are the key

Breaking the Cyber Kill Chain: Employees are the key

Security Awareness in the Cyber Attack Kill Chain is invaluable. There is no question that technology is very important within this Cyber Kill Chain. However, what is equally true is the undeniable but ever-underestimated role of humans. In this paper, you will experience the Cyber Kill Chain from the human perspective. How can we help break this so-called Cyber Kill Chain? First, you need to understand how each stage works and therefore what we can do in return.

What is the Cyber Kill Chain?

The (Cyber) Kill Chain originated from military operations. So-called ‘kill chains’ describe the various phases and steps an enemy takes to initiate its attack. With a Cyber Kill Chain it’s about the different phases and steps a cyber attacker takes to attack you or your organization.

A digital illustration of a radar scanning for active targets.

The Cyber Kill Chain consists 7 phases:

  1. Reconnaissance
  2. Weaponization
  3. Delivery
  4. Exploitation
  5. Installation
  6. Command & Control (establishing contact from the target with the attacker)
  7. Targeted action (e.g. data theft, hostage taking, etc.)

The Cyber Kill Chain is a godsend for any Threat Intelligence specialist, as this person creates the various attack scenarios based on this same Cyber Kill Chain. These scenarios then result in concrete plans to improve the defense (=security measures) and stop the attacker’s kill chain. Unfortunately, we see that in practice this sticks to the technological measures, which leave human actions out of the equation. It is assumed that employees will not understand it anyway and that we have to use technology to solve everything. Human beings are quickly seen as the weak link here.

Verizon research shows that more than 85% of all attacks rely on human error to be successful. So why not arm our employees to break that Cyber Kill Chain and fend off attackers? At each stage, you can provide employees with the right skillsets to finally make the beloved security technology (and therefore the information security strategy) effective.

1 Reconnaissance

In the reconnaissance stage, an attacker has only one goal: to gather as much information as possible about the target. If this is the attacker’s goal, we need to make sure that there is as little information as possible to be found. Of course, this is easier said than done. Social media and digital connections play a major role: too much is quickly shared. In the process, information security and privacy protection are not daily concerns for most people.

Besides social media, there are plenty of other possible ways for hackers to gather information, such as simple phone campaigns (pretexting), e-mail (phishing) and ransacking garbage containers in search of sensitive information (dumpster diving).

A digital illustration of a hacker behind a desk with a laptop on top, trying to gather as much information as possible about an organization.

At this stage, employees can already make a huge contribution. A few simple tips that you can apply immediately:

  • Always be cautious about what you post on the Internet. Sometimes a short post may seem very innocent on its own, but several posts collected together maybe can do a lot more harm.

  • If you throw away any documents, simply destroy them in the shredder.

  • Use encryption options such as a Virtual Private Network.

  • Never use public WiFi.

  • Never provide sensitive personal information until you have verified the person that receives it.

  • Never reveal more information than necessary. This also applies to IT people who sometimes have no idea how many network systems are unnecessarily accessible from the Internet.

Make sure your digital footprint is as minimal as possible. A well-trained organization does not over-share on social media, recognizes strange phone calls and emails, and deletes/destroys information appropriately.

2 Weaponization

During the phase when the attacker starts working on his arsenal of weapons, many security professionals mention the following: “There is little we can do here.”

If you know the enemy and know yourself, you need not fear the result of a hundred battles.” –Sun Tzu

Teaching employees about the different types of weapons (e.g., ransomware) increases the likelihood that they will recognize attacks and deal with them appropriately. That knowledge can be used to report directly to the security team.

A digital illustration of five different people, each holding a lock icon in front of their face because they have learned how to recognize cyber attacks.

For those who are saying: “You can’t make everyone a security expert, can you? – I hear you. I agree, because you don’t have to. What you can do is minimize the chances of an attacker being successful, and that can be done through training.

3 Delivery

Weaponization is followed by delivery, which is crucial to the success of the entire attack. The response and resilience of employees in this phase are both very important.

The following are some cyber weapons hackers can use:


This is the most commonly used cyber weapon by attackers. It’s easy, cheap and probably the fastest path to success for hackers. If e-mail is a main application that’s used for business operations, you need to make employees resilient. The solution lies in training and simulations.

Teach employees how to recognize phishing and how they need to handle suspicious emails. Simulate phishing attacks to test how employees react to them.


Simply distributing USB drives to penetrate an organization is still an effective method. Technically, one would say that it could be sufficient to disable USB drives for all laptops, but this is not always feasible in practice. In addition, there are groups of people that manage to escape such measures. Think about management, externals, developers and the IT department.

A photo of the hand of a hacker with a USB-stick which is used to infiltrate an organization.

Teach employees that you should never just put a USB drive in your computer and instead deliver it to the security team right away. Make sure there are no exceptions for people accessing the organization’s network and/or data in any way.

4 Exploitation

At this stage, someone has fallen victim to the attack. Someone has clicked on a link, opened an incorrect attachment, inserted a USB stick into their laptop or: things went south! However, employee behavior can still make the difference in this phase. The faster the responsiveness, the less the impact of a successful attack will be.

There are a couple of things that can make an immediate difference here:

    1. Teach employees how to recognize when to report issues to the security team or help desk. For example, (extremely) slow functioning applications, systems which aren’t working or strange notifications.

    1. Make sure employees always have the latest software versions installed on connected devices, including private devices.

    1. Make sure employees store data in appropriate locations. Consider saving sensitive data in encrypted locations and never save (sensitive) company data locally.

    1. Make sure IT teams have always rolled out the right patches on time.

    With the above actions, in addition to technology, you create human sensors that help you prevent an attack from causing further damage.

    5 Installation

    While forms of attack such as CEO fraud and login data theft do not require malicious software to achieve their goal, other forms of attack such as ransomware do. At this stage, the attacker will actually install malicious software on the organization’s systems.

    a 3D image of a computer's hardware with a skull located on the processor taking over the user's system via installed ransomware.

    While it may seem as if an employee hardly plays a role here, the opposite is true. As mentioned earlier, it is very important that employees always have their software updated, in this case mainly the anti-malware software. This way you reduce the chances that malicious software can actually be installed.

    Again, the same basic rules apply as in the previous phase:

    1. Teach employees how to recognize when to report issues to the security team or help desk. For example, in case of (extremely) slow running applications, systems which aren’t working correctly and strange notifications.

    1. Make sure employees always have the latest software versions installed on connected devices, including private devices.

    1. Make sure employees store data in appropriate locations. Sensitive data should be stored in encrypted locations.

    1. Make sure IT teams always have the right patches rolled out on time.

    1. Make sure your backup plan is foolproof so you can use it when needed.

    6 Command & Control (establishing contact from target to attacker)

    It’s indeed true that there is less an employee can do over time. The further a hacker gets in his or her attack plan, the closer the attacker is to his or her target. In the command and control phase, the hacker establishes contact from within the organization.

    a picture of a hacker behind a desk with several computer screens – he is performing a cyber attack.

    The previously installed malicious software contacts the employee to further extend control over the target. The most important thing you can teach employees in this phase is that they learn to recognize abnormal behavior on networks and systems. After all, individuals who work with systems and applications on a daily basis are well able to spot anomalies. Let employees know to report these anomalies to the Security Department.

    7 Targeted action (data theft, hostage-taking, etc.)

In this phase, the attacker wants to achieve an end goal. What this goal is depends heavily on an attacker’s motivations. If the attacker reaches this phase, the success of his/her attack will still depend on human behavior:

  • How well are files encrypted within the organization?

  • How strong are the passwords?

  • How is MFA used (multiple authentication)?

  • How is general authentication – before sensitive data can be shared at all – controlled?

A picture of a hand holding tweezers before a screen to obtain data from a hacked user from an organization. In this case, a stolen password.

Conclusion: Technology and it’s application are equals

Without the help of the correct technology, breaking the Cyber Kill Chain is not feasible. But technology on it’s own isn’t enough. Technology will fail without the proper application of the people who use it. When you educate, train and support the employees in an organization, you increase the chances of breaking the Cyber Kill Chain in a timely manner – and that can save the organization a lot of misery.

A digital illustration of a cross chart that mentions each step of the cyber security killchain and provides a brief explanation of each step.

Remember that a successful attack usually relies on human error. By understanding what employees need to do at what phase of the cyber kill chain, your company can form a line of defense. Recognizing phishing attacks, being cautious about sharing data, updating, handling devices safely on both business and personal levels and reporting suspicious behavior are therefore key elements.

The impact of an attack can be minimized during each phase by training employees on their behavior over an extended period of time. Want to know more about how to tackle? Contact us via our contact form.

[People Improve Security]