In our recent article, we highlighted that every significant and public attack exploited people to either get an initial foothold in a target organization or as the entire attack vector. These attacks highlight the need for awareness as a top concern of security programs.
However the reality is that generic awareness materials are of little use. Just saying that you have an awareness program, with standard content, does little good in taking advantage of the exposure the ongoing attacks are generating within your organization and the general public. Awareness programs should incorporate Threat Intelligence, which provides digestable products of continuous adversary monitoring, organized research, and threat analysis. The result is timely and actionable information about the likely attack vectors and targets of your potential and actual attackers. This intelligence can be made compelling and relatable to audiences seeing similar attacks in the news.
For example, when IDG, the parent company was attacked by the Syrian Electronic Army, Threat Intelligence predicted the attacks, defined the attack vectors, and identified the countermeasures that should be implemented. Generic posters, videos, or other content would not have been impactful or ultimately successful in getting users to react appropriately.
Security Awareness teams need to make their materials and focus relatable and directly relevant in order for them to be useful. Threat Intelligence, as described above, details the most useful information, while balancing nascence, relevance, and timeliness of the data. The following recommendations provide some high level guidance on how to integrate Threat Intelligence into your awareness programs.
Detail, within reason, real or imminent attacks against your organization
One of the most frustrating aspects of implementing awareness programs is that many people seem to believe that their organization is an unlikely or uninteresting target, has a sufficient security program in place that they don’t have to worry about potential attacks, or that it simply won’t happen to them. Therefore, security policies and guidelines are more of a nuisance than a valuable business function. While your intent should not be to scare people, there has to be an effort to communicate that there are issues that need to and can be addressed. With that realization, people should hopefully believe that it can happen to them, and be motivated to take the right actions.
Use news events when you don’t have your own incidents to detail
Hacks like Anthem, Sony, Google, CENTCOMM, and just about any other newsworthy event seems to demonstrate time and time again that hacks are ongoing, and the direct result of a failure on a human level. You can highlight that all of these organizations never thought it would happen to them, but they all became the victims of highly public and embarrassing attacks, which cost the organizations tens of millions of dollars.
The point to get across is that attacks that exploit the end users are ongoing and pervasive. They all represent that the threat is imminent.
Detail what to look out for
When you inform people that there is a likely threat, which provides the motivation to take action, you need to similarly inform them specifically about what they should be looking for. If an attack is imminent, such as the Syrian Electronic Army attack previously mentioned, you can inform your users that they should be on the lookout for phishing messages. You can tell them the type of messages to expect and provide examples of messages that have been previously employed by the attackers.
Also, many people were victimized by the Anthem hack. Those victimized by or aware of the compromise need to be made aware that they should expect phishing email messages taking advantage of the hack. This leverages the incident to increase overall user awareness.
Whatever the likely attack vector is, the information should be detailed with the employees in mind.