A kill chain is a term used by the US military to describe the steps or stages an adversary takes to attack you. The fascinating paperIntelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains by Lockheed Martin applies the same concept but to cyber security, a Cyber Kill Chain. By breaking down into steps how an adversary attacks you, an organization can better plan how to break that process and slow down or stop the attack. Organizations around the world have adopted this model to help them better defend against more advanced / targeted threats. However one thing that organizations have failed to do is leverage their employees to break the Cyber Kill Chain. To date, every diagram or paper I have seen on a Cyber Kill Chain leverages technology to stop attackers, from firewalls and anti-virus to HIDS and SIEMs. Do not forget people, they are a powerful resource to help you and your team. Here is how your employees can help break a Cyber Kill Chain.


  • Reconnaissance: The first step most advanced attackers take is research. Their goal is to learn more about who they want to target and how. Employees often make this too easy by posting a huge amount of information about themselves, including hobbies, travel schedule and their network of family and friends. Quite often the information they post in only small snippets, but when aggregated together, bad guys can build an entire dossier on their targets. Teach people, especially those that are targeted, to limit what they post. Every new item they share makes it that much easier for bad guys. In addition social media alone is not the only resource bad guys leverage. Teach employees the proper destruction of information (kill the impact of dumpster diving) and effective use of encryption. The harder we make information to find, the more likely we break this stage.
  • Weaponization: This is where bad guys develop their attack/payload, not much we can do here.
  • Delivery: Lockheed Martin identified the three most common delivery methods as email attachments, websites and US removable media. Train staff to identify, stop and report phishing. Train people on the proper usefor USB media (such as only using authorized devices). The more you train people on all the different methods of social engineering attacks, the more likely they can identify and stop the delivery of these attacks.
  • Exploitation: Even if people fall victim to an attack, their behaviors can stop actual exploitation. First, by keeping systems patched and current employees make it that much harder for any exploits to work. This is not just for work computers but mobile devices or even their computers at home (who says APT can’t target people on their personal computers). In addition, even if attackers are successful, what if people detect the exploit and quickly report it. By creating Human Sensors you can react and stop an intrusion before an attacker can moves onto other stages.
  • Installation: Same as exploitation, if your devices are patched and properly secured, this can go far in stopping an exploit from installing any malware. Once again, teach employees indicators of compromise AND how to report them, building out your network of Human Sensors.
  • Command / Control: Not much employees can do to prevent this stage, but once again if we develop the Human Sensor they can identify and report this stage.
  • Actions on Objectives: There are so many behaviors that employees can follow that help break this stage including; proper use of encryption, destruction of data, unique passwords for all accounts, using only proper systems for sensitive data, and secure use of Cloud. Finally, at the risk of sounding like a broken record, develop that Human Sensor.

There is no single solution when dealing with targeted attacks. However, by leveraging people, you can increase your chances of breaking the Cyber Kill Chain at numerous stages.


Original Post: https://securingthehuman.sans.org/blog/2016/01/12/leveraging-the-human-to-break-the-intrusion-kill-chain/