Humans Are More Important Than Hardware

"Humans are more important than hardware" is the first of the SOF Truths, and for a good reason.

With security becoming more and more important across all industries, people are putting a lot of effort into finding ways to automate what’s needed to help defend our networks, clouds, servers, applications, and data.

Automation is good, it helps remove errors or omissions introduced by humans from repetitive activities, and also helps in the collection and, to some extent, the analysis of data to detect any signs of compromise. Add to this the ever increasing use of AI analysis, and you get a lot of data being thrown at software using specific logic in order to understand whether there is a problem or not.

This is all good for the usual suspects, but breaching into systems is not the goal of most adversaries. Most of them use breaching and hacking as means to a very specific end, and to understand that end you need people. Automation and AI analysis can help detect the initial intent to bypass controls and defenses, however you need a capable security professional that can connect the dots to try to understand what is the goal of the attack.


There are several end goals that different attackers seek. Each end goal can be considered the exploitation of the asset. Essentially, you find a way “in” in order to exploit the results of your breach. Without that reason, breaching into a system or network is just asking for trouble. Remember, hacking is the means to an end, whether it’s stealing (or encrypting) data to make money, stealing secrets to support a state actor or for blackmail, or as a way to wage digital war (no I won’t use the cyber word…), hacking for the sake of hacking is just amateurish game, specially these days where you can get caught for any careless detail.

Really understanding the exploitation part of a breach is where humans need to focus.

Once you understand this, you can better prepare the technology you have to better serve you, building the right detection and focusing on the right activities.

Time on Target

Adversaries always have the last word, they can choose when and where to attack, however they are bound by the rule of "time on target".

Once they have selected a target, usually adversaries would go through the phases of compromise:

  1. Planning
  2. Reconnaissance
  3. Target Identification and Tool Selection
  4. Execution
  5. Exploitation

There are a few more phases inside “execution” such as creating redundancy, moving laterally further breaching systems, evading detection, and looping between phases 1 and 4 until the goal is reached, but generally speaking these are the phases.

Once the attackers reach Phase 4, execution, that’s when the time on target factor clicks in. Once they breach into the system, they are exposed. No matter how good they are, they will get discovered by a good defense team, so time on target always plays against the adversary. And the sooner they get discovered, the less damage they can cause. Even if they don’t reach the end goal, they can still steal data or damage systems, going down with a fight.

You need to understand this and make it work in your favor.

The Focus

Knowing the two points above gives us a sense of what the focus should be: detection and resiliency.

People focus on technology that tries to prevent attacks. These are good, and they are getting better, but attackers will always try new things since - again - they don’t play by any rules and can adapt, so as much as prevention technology and processes might work with past adversarial tactics, there is always something new that can’t be prevented. What then? Detection.

Detection is where we need to get very good at. Detection is one of the key elements to invest, get right, and even automate. Detection, however, needs well trained and experienced security professionals that not only understand what they are protecting, but what (and whom) they are protecting it from. Understanding the adversary, how they think, and what their techniques are is key. People are key. On both sides.

Detection should be a key item on any security program.

But here’s the thing, however good detection is, there is always going to be a way around it. And attackers will always succeed. They only need to be good one time, whereas the defenders need to be successful every single time. That’s where resiliency comes into play.

You need to build a way to quickly and securely recover from an attack. Whether it is a complete crash of the system, a data dump on a pastebin, or ransomware, you need to build a way to cut loose the “sick” systems, and bring them back healthy.

The process you should put in place can contain the following steps:

  1. Detect
  2. Assess
  3. Respond
  4. Learn

You have to be able to detect what happened, assess the level of compromise and harm, respond to it to prevent the spread and fix it, and finally learn what happened and how to detect and prevent it again.

Resiliency is about understanding and mitigating risk. That’s it. Choose lower complexity to minimize risk, enhance resiliency, and build better tools for detection.


To end this brain dump, remember that attackers, just like the defenders, have an end goal in mind. This end goal is what may lead them to breach a system or try to bypass any defenses, but that breach is not the final step. Prepare your defense based on that, based on the understanding of the possible targets, on how to detect things deviating from the standard, and how to recover if they get compromised.

But also, as you prepare for all this, understand that automation and AI, as good a tool as they are, are not match for the ability of an experienced security professional connecting the dots. Invest in those professionals, give them the tools they need, and use that automation to augment their power.

Humans are, and will continue to be, more important than hardware.

© 2009-2024 Modern Adversary. No tracking or visit logs.