Intelligence-Driven User Awareness

“You don’t have a malware problem. You have an adversary problem.” – Crowdstrike VP of Intelligence, Adam Myers

It makes a difference whether you believe ‘malware targets organizations’ or ‘people target people.’

A ‘malware’ view of the world is in bits and bytes, ones and zeroes. Even if that malware is driven by computer machine-learning, it cannot adapt and think like a human being. 

So when ‘people target people,’ something else happens. Phishing emails look and feel like they come from your coworker down the hall. Vishing calls sound like they’re really from Microsoft tech support. And ransomware provides better customer service than your bank.

Threat intelligence analysts understand this: they do not stop investigation or analysis at an IP address or a malware signature. In fact, they have a token chart for doing quite the opposite, called the pyramid of pain…

Pain Pyramid.png
 

Up top you can see that an adversary’s tactics, techniques and procedures (TTPs) are the most challenging to identify, but become the most effective methods of tracking a (human) threat once found. As the threat landscape shifts and evolves, intelligence traces its grooves and fissures.  

Let’s rewind back a few years to explore this in theory. Without intelligence, you might have believed that 2016 would trend very much like 2015 in terms of the quantity and quality of ransomware families, for example. Evaluating only your assumptions about the previous year, your predictions would project linear growth.

But when ransomware families grew seven-fold the following year, your security team would have been in reaction-mode and your users unprepared for the fight.  

 https://www.helpnetsecurity.com/2017/03/02/ransomware-spiked/

https://www.helpnetsecurity.com/2017/03/02/ransomware-spiked/

 https://www.cloudsec.com/2017/01/02/next-tier-8-security-predictions-2017/

https://www.cloudsec.com/2017/01/02/next-tier-8-security-predictions-2017/

Here’s the point. In its most basic form, the current disconnect between threats and user awareness looks something like this:

  Figure 4: The prevalence of a given threat (blue) with the prevalence of its corresponding user awareness training (gray).

Figure 4: The prevalence of a given threat (blue) with the prevalence of its corresponding user awareness training (gray).

 

In blue, you can see the prevalence of a given threat over time; in gray, the frequency of user awareness training for that given threat over the same period of time. This is, of course, an oversimplified model. But in large part, you are likely to have experienced this phenomenon in the form of the same tired security awareness advice…

  • “think before you click”

  • “make strong passwords”

  • “watch out for phishy links”

… when users really need to adapt to current and emerging threats by way of intelligence-driven security content. For example:

  • An uptick in CEO-fraud emails becomes a new awareness tip for the finance department and the c-suite.

  • A decrease in Nigerian prince scams leads to a relative de-emphasis of spotting grammatical errors as a red flag for phish education.

  • A new vulnerability that exploits ICS/SCADA Human-Machine Interfaces (HMIs) becomes a learning module for industrial employees within a training platform.  

To hammer this home, one of our clients recently contracted us to perform an Olympic-themed vishing assessment for their organization. Instead of executing a traditional social-engineering assessment, we created custom scenarios that mimicked real-life attacks we were seeing targeting their industry.

The return on investment (ROI) for this training is enormous, and the correlation of this type of threat-to-awareness-training looks something more like this:

  Figure 5: Trending the prevalence of a threat (blue) with its corresponding user awareness training (gray).

Figure 5: Trending the prevalence of a threat (blue) with its corresponding user awareness training (gray).

 

Threat intelligence has taken flak for being the shiny new industry buzzword, but practiced rightly, it can be responsible for evaluating data in such a way as to produce insight. A mature intelligence program “seeks strategic insight into the threat landscape to enhance context around phishing, assess the effectiveness of existing defenses, and evaluate the potential damage of a successful campaign… promoting enterprise-wide awareness of phishing and increasing employees’ knowledge of the threat and how to combat it.” This is not a static risk picture.

If you take away one thing, it’s that high impact training content sits dead-center at the intersection of threat intelligence and user awareness. There, intelligence becomes the driver for organizations to keep pace with (trend) – and, at times, outpace (predict) – unique threats to the integrity of their mission.

Come check out our escape rooms at BSides Austin and InfoSec World over the next couple weekends! We’d be glad to talk shop…

Graham Westbrook