Security Awareness in the Cyber Attack Kill Chain is invaluable. There is no question that technology is very important within this Cyber Kill Chain. However, what is equally true is the undeniable but ever-underestimated role of humans. In this paper, we will discuss the Cyber Kill Chain from the human perspective and how we can help break this so-called Cyber Kill Chain. The first step is to understand how each stage
The (Cyber) Kill Chain originated from military operations. So-called ‘kill chains’ describe the various phases and steps an enemy takes to initiate its attack. With a Cyber Kill Chain, it’s about the different phases and steps a cyber attacker takes to attack you or your organization.
The Cyber Kill Chain consists of 7 phases:
The Cyber Kill Chain is a godsend for any Threat Intelligence specialist, since this person has to create various attack scenarios based on that same Cyber Kill Chain. These scenarios then result in concrete plans to improve the defense (security measures) and stop the attacker's kill chain. Unfortunately, we see that in practice the focus often remains on technological measures, which leave human actions out of the equation. It is assumed that employees will not understand it anyway and that technology has to solve everything. Human beings are quickly seen as the weak link here.
Verizon research shows that more than 85% of all attacks rely on human error to be successful. So why not arm our employees to break that Cyber Kill Chain and fend off attackers? At each stage, you can provide employees with the right skill set to finally make the beloved security technology (and therefore the information security strategy) effective.
In the reconnaissance stage, an attacker has only one goal: to gather as much information as possible about the target. If this is the attacker's goal, we need to make sure that there is as little information as possible to be found. Of course, this is easier said than done. Social media and digital connections play a major role: too much personal information is easily shared. For most people, information security and privacy protection are not daily concerns.
Besides social media, there are plenty of other possible ways for hackers to gather information, such as simple phone campaigns (pretexting), e-mail (phishing) and ransacking garbage containers in search of sensitive information (dumpster diving).
At this stage, employees can already make a huge contribution. A few simple tips that you can apply immediately:
Make sure your digital footprint is as minimal as possible. A well-trained organization does not over-share on social media, recognizes strange phone calls and emails, and deletes/destroys information appropriately.
During the phase when the attacker starts working on his arsenal of weapons, many security professionals mention the following: "There is little we can do here."
"If you know the enemy and know yourself, you need not fear the result of a hundred battles." - Sun Tzu
Teaching employees about the different types of weapons (e.g., ransomware) increases the likelihood that they will recognize attacks and deal with them appropriately. That knowledge can be used to report directly to the security team.
For those who are saying: "You can't make everyone a security expert, can you?" – I hear you. I agree, and you don't have to. What you can do is minimize the chances of an attacker being successful, and that can be done through training.
Weaponization is followed by delivery, which is crucial to the success of the entire attack. The response and resilience of employees in this phase are both very important.
The following are some cyber weapons hackers can use:
This is the most commonly used cyber weapon by attackers. It’s easy, cheap and probably the fastest path to success for hackers. If e-mail is a main application that’s used for business operations, you need to make employees resilient. The solution lies in training and simulations.
Teach employees how to recognize phishing and how they need to handle suspicious emails. Simulate phishing attacks to test how employees react to them.
Simply distributing USB drives to penetrate an organization is still an effective method. Technically, one would say that it could be sufficient to disable USB ports on all laptops, but this is not always feasible in practice. In addition, there are groups of people who manage to escape such measures: think of management, external contractors, developers and the IT department.
Teach employees never to plug an unknown USB drive into their computer, but to hand it to the security team right away. Make sure there are no exceptions for anyone who accesses the organization's network and/or data in any way.
At this stage, someone has fallen victim to the attack. Someone has clicked on a link, opened a malicious attachment, inserted a USB stick into their laptop, or in short: things went south! However, employee behavior can still make the difference in this phase. The faster the response, the smaller the impact of a successful attack will be.
There are a couple of things that can make an immediate difference here:
With the above actions, in addition to technology, you create human sensors that help you prevent an attack from causing further damage.
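As an added illustration of the "human sensors" idea (and of the phishing simulations recommended above), the following script is not part of the original article; it scores a constructed phishing-simulation log on click rate, report rate and, most importantly for this phase, how quickly the first report reached the security team relative to the first click:

```python
from datetime import datetime
from statistics import median

# Constructed phishing-simulation log (sample data, not a real campaign):
# "timestamp,user,event" with event in sent / clicked / reported.
SAMPLE_LOG = """\
2024-03-04T09:00:00,alice,sent
2024-03-04T09:00:00,bob,sent
2024-03-04T09:00:00,carol,sent
2024-03-04T09:00:00,dave,sent
2024-03-04T09:03:10,bob,reported
2024-03-04T09:05:30,alice,clicked
2024-03-04T09:07:00,carol,reported
2024-03-04T09:15:00,dave,clicked
2024-03-04T09:16:00,dave,reported
"""

def parse_events(log_text):
    """Turn the CSV-style log into (timestamp, user, event) tuples."""
    events = []
    for line in log_text.strip().splitlines():
        ts, user, event = line.split(",")
        events.append((datetime.fromisoformat(ts), user, event))
    return events

def campaign_metrics(log_text):
    """Click rate, report rate, median minutes-to-report, and whether the
    security team was warned (first report) before the first click."""
    events = parse_events(log_text)
    sent = {u: t for t, u, e in events if e == "sent"}
    first_click, first_report = {}, {}
    for t, u, e in events:              # keep only each user's first action
        if e == "clicked":
            first_click.setdefault(u, t)
        elif e == "reported":
            first_report.setdefault(u, t)
    n = len(sent)
    delays = [(first_report[u] - sent[u]).total_seconds() / 60 for u in first_report]
    warned_first = bool(first_report) and (
        not first_click or min(first_report.values()) < min(first_click.values()))
    return {
        "recipients": n,
        "click_rate": len(first_click) / n,
        "report_rate": len(first_report) / n,
        "median_minutes_to_report": median(delays) if delays else None,
        "reported_before_first_click": warned_first,
    }
```

A report that lands before the first click is the outcome to aim for: the security team can pull the message from mailboxes before the attack progresses.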
While forms of attack such as CEO fraud and login data theft do not require malicious software to achieve their goal, other forms of attack such as ransomware do. At this stage, the attacker will actually install malicious software on the organization's systems.
While it may seem as if an employee hardly plays a role here, the opposite is true. As mentioned earlier, it is very important that employees always have their software updated, in this case mainly the anti-malware software. This way you reduce the chances that malicious software can actually be installed.
Again, the same basic rules apply as in the previous phase:
It is true that the further an attacker gets in his or her attack plan, the less an employee can do, because the attacker is that much closer to the target. In the command-and-control phase, the attacker establishes contact with the compromised system from within the organization.
The previously installed malicious software contacts the employee to further extend control over the target. The most important thing you can teach employees in this phase is to recognize abnormal behavior on networks and systems. After all, people who work with systems and applications on a daily basis are well able to spot anomalies. Make sure employees know to report these anomalies to the security department.
In this phase, the attacker wants to achieve an end goal. What this goal is depends heavily on an attacker's motivations. If the attacker reaches this phase, the success of his/her attack will still depend on human behavior:
Without the right technology, breaking the Cyber Kill Chain is not feasible. But technology on its own isn't enough: it fails when the people who use it do not apply it properly. When you educate, train and support the employees in an organization, you increase the chances of breaking the Cyber Kill Chain in a timely manner – and that can save the organization a lot of misery.
Remember that a successful attack usually relies on human error. By understanding what employees need to do at what phase of the cyber kill chain, your company can form a line of defense. Recognizing phishing attacks, being cautious about sharing data, updating, handling devices safely on both business and personal levels and reporting suspicious behavior are therefore key elements.