In our recent article, we highlighted that every significant and public attack exploited people to either get an initial foothold in a target organization or as the entire attack vector. These attacks highlight the need for awareness as a top concern of security programs.
However the reality is that generic awareness materials are of little use. Just saying that you have an awareness program, with standard content, does little good in taking advantage of the exposure the ongoing attacks are generating within your organization and the general public. Awareness programs should incorporate Threat Intelligence, which provides digestable products of continuous adversary monitoring, organized research, and threat analysis. The result is timely and actionable information about the likely attack vectors and targets of your potential and actual attackers. This intelligence can be made compelling and relatable to audiences seeing similar attacks in the news.
For example, when IDG, the parent company was attacked by the Syrian Electronic Army, Threat Intelligence predicted the attacks, defined the attack vectors, and identified the countermeasures that should be implemented. Generic posters, videos, or other content would not have been impactful or ultimately successful in getting users to react appropriately.
Security Awareness teams need to make their materials and focus relatable and directly relevant in order for them to be useful. Threat Intelligence, as described above, details the most useful information, while balancing nascence, relevance, and timeliness of the data. The following recommendations provide some high level guidance on how to integrate Threat Intelligence into your awareness programs.
Detail, within reason, real or imminent attacks against your organization
One of the most frustrating aspects of implementing awareness programs is that many people seem to believe that their organization is an unlikely or uninteresting target, has a sufficient security program in place that they don't have to worry about potential attacks, or that it simply won't happen to them. Therefore, security policies and guidelines are more of a nuisance than a valuable business function. While your intent should not be to scare people, there has to be an effort to communicate that there are issues that need to and can be addressed. With that realization, people should hopefully believe that it can happen to them, and be motivated to take the right actions.
Use news events when you don't have your own incidents to detail
Hacks like Anthem, Sony, Google, CENTCOMM, and just about any other newsworthy event seems to demonstrate time and time again that hacks are ongoing, and the direct result of a failure on a human level. You can highlight that all of these organizations never thought it would happen to them, but they all became the victims of highly public and embarrassing attacks, which cost the organizations tens of millions of dollars.
The point to get across is that attacks that exploit the end users are ongoing and pervasive. They all represent that the threat is imminent.
Detail what to look out for
When you inform people that there is a likely threat, which provides the motivation to take action, you need to similarly inform them specifically about what they should be looking for. If an attack is imminent, such as the Syrian Electronic Army attack previously mentioned, you can inform your users that they should be on the lookout for phishing messages. You can tell them the type of messages to expect and provide examples of messages that have been previously employed by the attackers.
Also, many people were victimized by the Anthem hack. Those victimized by or aware of the compromise need to be made aware that they should expect phishing email messages taking advantage of the hack. This leverages the incident to increase overall user awareness.
Whatever the likely attack vector is, the information should be detailed with the employees in mind.
Specify how to react
Telling people what to look for does little more than promote annoyance or generate fear. Providing people with the actions to take if they perceive themselves to be under attack gives them control. The threat, actualization, and prescribed actions should be specific and should include how to prevent the attack and who to report the potential incident to.
Clearly you need to tell people what to do or not to do, however that just prevents the attack from being successful against that individual. However even a minimally committed attacker will move on to the next potential victim. When someone reports the attack in progress, the security team can then take actions to prevent the attack from being successful against less aware individuals.
For example, if there is a phishing message involved, the security team can delete copies of messages to other individuals off of the email server. If you know that people are being sent to a specific domain, you can block the domain. You can also send out a more specific message to all people informing them of the specific nature of the actual attack, which also helps people realize that attacks against your organization are real.
Ensure the security team is aware of the intelligence and recommended actions
You should not take for granted that the security team might not be fully aware of the issues and how to respond. Too frequently there is an inaccurate assumption that people know how to respond and react correctly. The "security team" should be broadly defined to include the Help Desk (or whomever receives security-related calls), email administrators, web administrators, physical security, and any other group that might be responsible for taking an action if there is a potential attack.
These people need to know specifically what their responsibilities are. They need to know how to respond to users reporting potential attacks. They should know the specific actions to take in response to the pending attacks. Again, their actions depend upon their roles and responsibilities, but they should be well defined in advance. The last thing you want is for a user to properly respond to and report an incident, and then the people contacted do not know what to do.
Creating a culture of awareness, action, and communication improves both incident detection and response. Your user base becomes aware and active when it comes to potential attacks. This increases the effectiveness of the security team, exponentially growing its capacity to detect and respond to attacks.
In the ideal world, people should be constantly on the alert for potential attacks and know how to respond. Again, that is not what we experience in the real world. While we don't wish that any organization should be targeted, the fact is that just about every organization is the potential victim of many ongoing attacks. The phishing scams resulting from the Anthem hack made many organizations a potential targets, and this attack is in no way unique.
However, these potential and actual attacks can be outstanding catalysts for making your awareness programs incredibly effective. Don't squander these ongoing, incredible opportunities.
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.