Most organizations undertake Security Awareness Training in some form or another, with varying levels of commitment. For some, it is a matter of ticking boxes to meet some form of compliance. The driver can range from a parent organization to PCI-DSS requirements for ensuring employees are aware of the importance of handling cardholder data. For others, the entire month of October (due to Cyber Security Awareness Month) is marked by a barrage of emails and posters bombarding everyone within the company.
One thing remains consistent: research shows that the more an organization participates in the discussion about risk, the greater the percentage of employees who respond appropriately to both real and perceived threats. So why do employees continue to fall victim to phishing attacks, watering hole attacks and phone scams? The fact is that we are all human, and humans make mistakes. While we can accept that as fact, we as a community can also continue to evolve and improve our organizational cybersecurity posture.
What if we could really capture our audience's attention? Over time, it has become clear that when individuals in awareness training can put themselves in the victim's shoes and hear a compelling story, it becomes more than a theoretical scenario: it becomes a real problem they may have to deal with one day. This is where threat intelligence comes into play.
Senior Intelligence Operations Analyst, Centripetal.
What is threat intelligence?
There are two types of threat intelligence that most security professionals are aware of. The first is operational threat intelligence and the other is traditional threat intelligence, which is the more common of the two. But what is the difference?
Operational threat intelligence is often used to proactively defend a network or organization by loading indicators of compromise into a firewall, threat intelligence gateway, secure email gateway, or other device. By operationalizing threat intelligence, an organization can limit a threat actor or cybercriminal's ability to interact with devices or services in a meaningful way. While most companies face many challenges in implementing operational threat intelligence at scale, it is a highly effective method for minimizing the risks that an employee may initially perceive.
Traditional threat intelligence is where many professionals have historically lived. It takes the form of long reports that often read like a post-mortem of an attack. They are cautionary tales of what happens when you don't patch a system, forget to perform your monthly audit of firewall ACLs, or somehow succumb to another attack. These reports typically contain a plethora of indicators of compromise, but they can provide much more value than that: the story they tell.
Luckily, we don’t expect non-technical employees to try to understand either of these, but how can we weave those same reports into a tool that better suits our audience?
Getting more value from threat intelligence
So you’ve read through all the reports, reminded IT staff to be extra careful when reviewing firewall policies, made sure your GPO is enforcing the new password policy, scheduled your next phishing exercise for next quarter, and now it’s time to give your employees their annual security awareness training.
Reminding employees that everyone is a target is always a good first step. But what should the social media manager be concerned about? Being able to quote sources directly from threat intelligence can help people across departments understand why their positions might be valuable to attackers and get their initial attention, but it doesn't stop there. You have to weave it all into a story that feels personal.
Expand on the social media manager's role and remind them of the types of data they have access to. Do they have access to upcoming announcements regarding the implementation of intellectual property? Perhaps they are in email chains about upcoming mergers and acquisitions? By leveraging traditional threat intelligence, IT teams can personalize the threat and make it clear how much value the information really has and how far an adversary will go to gain access to it.
Here are some examples of different departments and the information they may hold that could be valuable to an attacker:
Human Resources: Passports and travel documents, company rosters, department organization, various disability-related accommodations for employees (which can be used to victimize employees through extortion).
Marketing: Upcoming feature implementations and focus on sales goals, strategic messaging from the C-Suite, partnership announcements.
Legal: Pending litigation, employee investigations, ransomware negotiation status, pending patent applications and supporting documentation, mergers and acquisitions, contractual obligations.
Research and development: Status of intellectual property developments, feature requests from partners, limitations of the technology, known vulnerabilities and bugs.
Security and Operations: Current security policies, security software in place, roles and permissions for different users and other roles.
Traditional threat intelligence is full of cautionary tales that demonstrate the value of every individual in an organization. These stories need to be told in a way that employees can internalize, so that they take home a valuable lesson. For example, the Uber breach reports can be used to teach employees the importance of multi-factor authentication (MFA), its proper use, and proper procedures for reporting anomalies in the service, which can lead to a discussion about MFA fatigue attacks.
Where can you find threat information?
The first place to look is internally. Has there been a recent breach within your own organization that can be openly discussed? There is often a stigma attached to admitting our own mistakes, but perhaps this is the answer to demonstrating both the risk and direct impact of threats! Additionally, checking the websites of various cybersecurity vendors will likely provide enough information to get even the greenest organizations up and running. While some details may be scarce in order to protect victims, even anonymized information can be incredibly valuable.
The next step could be through a threat intelligence partner, from whom operational intelligence is purchased. Commercially obtained reports may carry restrictions that require further discussion, but they may already be available through an existing subscription. If not, creating your own training and purchasing reports may be another option.
Finally, most employees respond better when a third party gives a passionate presentation about cybersecurity. There are many benefits to hiring an outside entity to provide the training, including experience working with threat intelligence, personalized war stories from organizations that have been breached, the emotions of those involved, and an outside perspective that will seem new. At a higher level, decision makers are more likely to invest in the same funding requests if there is a third party advocating for the same recommendations that internal employees are advocating for.
Making it personal
The importance of security awareness training has been at a critical level for over two decades. Bringing it all together in a common language, not that of the security industry, can be difficult. IT professionals spend their entire workday working with security policies and procedures. While the gap in knowledge and practice needs to be closed, the best way to do that is through organization-wide buy-in.
Threat intelligence is just one of the very valuable tools we need to make the training feel real, be engaging, and still convey the same points discussed ad nauseam. Once people recognize that they are a target, see the value they provide, and then finally hear a compelling story about how attackers manipulate unsuspecting victims, it becomes something a person can relate to.
This article was produced as part of Ny BreakingPro’s Expert Insights channel, where we profile the best and brightest minds in today’s technology industry. The views expressed here are those of the author and are not necessarily those of Ny BreakingPro or Future plc.