BreachExchange mailing list archives

5 steps to incorporate threat intelligence into your security awareness program


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 5 Mar 2015 19:10:41 -0700

http://www.csoonline.com/article/2892417/security-awareness/5-steps-to-incorporate-threat-intelligence-into-your-security-awareness-program.html

In our recent article, we highlighted that every significant and public
attack exploited people to either get an initial foothold in a target
organization or as the entire attack vector. These attacks highlight the
need for awareness as a top concern of security programs.

However, the reality is that generic awareness materials are of little use.
Just saying that you have an awareness program, with standard content, does
little good in taking advantage of the exposure the ongoing attacks are
generating within your organization and the general public. Awareness
programs should incorporate Threat Intelligence, which provides digestible
products of continuous adversary monitoring, organized research, and threat
analysis. The result is timely and actionable information about the likely
attack vectors and targets of your potential and actual attackers. This
intelligence can be made compelling and relatable to audiences seeing
similar attacks in the news.

For example, when IDG, CSO's parent company, was attacked by the Syrian
Electronic Army, Threat Intelligence predicted the attacks, defined the
attack vectors, and identified the countermeasures that should be
implemented. Generic posters, videos, or other content would not have been
impactful or ultimately successful in getting users to react appropriately.

Security Awareness teams need to make their materials and focus relatable
and directly relevant in order for them to be useful. Threat Intelligence,
as described above, supplies the most useful information while balancing
the novelty, relevance, and timeliness of the data. The following
recommendations provide some high-level guidance on how to integrate Threat
Intelligence into your awareness programs.

Detail, within reason, real or imminent attacks against your organization

One of the most frustrating aspects of implementing awareness programs is
that many people seem to believe that their organization is an unlikely or
uninteresting target, has a sufficient security program in place that they
don’t have to worry about potential attacks, or that it simply won’t happen
to them. Therefore, security policies and guidelines are more of a nuisance
than a valuable business function. While your intent should not be to scare
people, there has to be an effort to communicate that there are issues that
need to and can be addressed. With that realization, people should
hopefully believe that it can happen to them, and be motivated to take the
right actions.

Use news events when you don’t have your own incidents to detail

Hacks like Anthem, Sony, Google, CENTCOM, and just about any other
newsworthy event seem to demonstrate time and time again that hacks are
ongoing, and the direct result of a failure on a human level. You can
highlight that none of these organizations thought it would happen to
them, yet they all became the victims of highly public and embarrassing
attacks, which cost the organizations tens of millions of dollars.

The point to get across is that attacks that exploit the end users are
ongoing and pervasive. They all represent that the threat is imminent.

Detail what to look out for

When you inform people that there is a likely threat, which provides the
motivation to take action, you need to similarly inform them specifically
about what they should be looking for. If an attack is imminent, such as
the Syrian Electronic Army attack previously mentioned, you can inform your
users that they should be on the lookout for phishing messages. You can
tell them the type of messages to expect and provide examples of messages
that have been previously employed by the attackers.

Also, many people were victimized by the Anthem hack. Those victimized by
or aware of the compromise need to be made aware that they should expect
phishing email messages taking advantage of the hack. This leverages the
incident to increase overall user awareness.

Whatever the likely attack vector is, the information should be detailed
with the employees in mind.

Specify how to react

Telling people what to look for does little more than promote annoyance or
generate fear. Providing people with the actions to take if they perceive
themselves to be under attack gives them control. The threat,
actualization, and prescribed actions should be specific and should include
how to prevent the attack and who to report the potential incident to.

Clearly you need to tell people what to do or not to do; however, that only
prevents the attack from succeeding against that individual. Even a
minimally committed attacker will simply move on to the next potential
victim. When someone reports the attack in progress, the security team can
then take actions to prevent the attack from being successful against less
aware individuals.

For example, if there is a phishing message involved, the security team can
delete copies of messages to other individuals off of the email server. If
you know that people are being sent to a specific domain, you can block the
domain. You can also send out a more specific message to all people
informing them of the specific nature of the actual attack, which also
helps people realize that attacks against your organization are real.
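The three response actions described above (finding and removing other copies of the message, blocking the lure domain, and notifying everyone else) all start from the same input: one user's report. The Python below is an added example, not code from the article or CSO Online, showing how a security team can turn a reported message into that containment plan. The message, the domain names, and the `OWN_DOMAINS` list are constructed for the example; the "mail search" criteria are vendor-neutral fields a responder would feed to whatever mail store they actually run.

```python
"""Triage a user-reported phishing message into containment actions:
locate other copies, block the lure domain(s), and draft a user notice.
Added example; the sample message below is constructed, not a real lure."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample of a message a user forwarded to the security team.
REPORTED_MESSAGE = """\
From: "IT Helpdesk" <helpdesk@example-corp-support.test>
To: user@example.test
Subject: Action required: password expires today
Date: Thu, 5 Mar 2015 09:12:00 -0700
Message-ID: <20150305091200.1234@example-corp-support.test>
Content-Type: text/plain; charset="us-ascii"

Your password expires today. Verify it now at
http://login.example-corp-support.test/reset?u=user
or review the notice at https://www.example-corp-support.test/notice.html.
Questions? See https://intranet.example.test/help before replying.
"""

# Domains the organization itself owns (constructed). A lure often links to
# a real internal page for credibility; those hosts must never be blocked.
OWN_DOMAINS = {"example.test"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _text_body(msg) -> str:
    """Return the plain-text body, joining parts of a multipart message."""
    if msg.is_multipart():
        return "\n".join(part.get_payload() for part in msg.walk()
                         if part.get_content_type() == "text/plain")
    return msg.get_payload()


def _is_own(host: str) -> bool:
    """True if host is one of our own domains or a subdomain of one."""
    return any(host == own or host.endswith("." + own) for own in OWN_DOMAINS)


def extract_indicators(raw: str) -> dict:
    """Pull the sender, subject, Message-ID, URLs and hosts out of a report."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    # Strip trailing sentence punctuation that the URL regex swallows.
    urls = [u.rstrip(".,;)") for u in URL_RE.findall(_text_body(msg))]
    hosts = sorted({urlparse(u).hostname for u in urls if urlparse(u).hostname})
    return {
        "sender": sender.lower(),
        "sender_domain": sender.rpartition("@")[2].lower(),
        "subject": msg.get("Subject", ""),
        "message_id": msg.get("Message-ID", ""),
        "urls": urls,
        "hosts": hosts,
    }


def containment_plan(ind: dict) -> dict:
    """Map indicators onto the three actions the article describes."""
    candidates = set(ind["hosts"]) | {ind["sender_domain"]}
    block = sorted(h for h in candidates if h and not _is_own(h))
    return {
        # Criteria for finding copies still sitting in other mailboxes.
        "mail_search": {
            "from": ind["sender"],
            "subject": ind["subject"],
            "message_id": ind["message_id"],
        },
        # Lure domains for the web proxy / DNS blocklist, own domains excluded.
        "block_domains": block,
        # The all-hands notice that makes the attack concrete for everyone else.
        "notice": (f"Phishing in progress: messages from {ind['sender']} with subject "
                   f"'{ind['subject']}' link to {', '.join(block)}. Do not open the link; "
                   "report any copy you received to the security team."),
    }


if __name__ == "__main__":
    plan = containment_plan(extract_indicators(REPORTED_MESSAGE))
    for action, detail in plan.items():
        print(f"{action}: {detail}")
```

The `OWN_DOMAINS` check is the caveat worth keeping: a convincing lure usually mixes its own hostnames with links to the organization's real pages, and a blocklist built blindly from every URL in the message will take those real pages down too.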

Ensure the security team is aware of the intelligence and recommended
actions

You should not take for granted that the security team is fully aware of
the issues and how to respond. Too frequently there is an inaccurate
assumption that people know how to respond and react correctly.
The “security team” should be broadly defined to include the Help Desk (or
whomever receives security-related calls), email administrators, web
administrators, physical security, and any other group that might be
responsible for taking an action if there is a potential attack.

These people need to know specifically what their responsibilities are.
They need to know how to respond to users reporting potential attacks. They
should know the specific actions to take in response to the pending
attacks. Again, their actions depend upon their roles and responsibilities,
but they should be well defined in advance. The last thing you want is for
a user to properly respond to and report an incident, and then the people
contacted do not know what to do.

Summary

Creating a culture of awareness, action, and communication improves both
incident detection and response. Your user base becomes aware and active
when it comes to potential attacks. This increases the effectiveness of the
security team, exponentially growing its capacity to detect and respond to
attacks.

In the ideal world, people should be constantly on the alert for potential
attacks and know how to respond. Again, that is not what we experience in
the real world. While we don’t wish that any organization should be
targeted, the fact is that just about every organization is the potential
victim of many ongoing attacks. The phishing scams resulting from the
Anthem hack made many organizations potential targets, and this attack is
in no way unique.

However, these potential and actual attacks can be outstanding catalysts
for making your awareness programs incredibly effective. Don’t squander
these ongoing, incredible opportunities.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 