MIRcon® 2013 speaker Rohyt Belani is the Co-Founder & CEO at PhishMe, Inc. His presentation, “APT Mitigation: The Human Way” addressed effective ways to train employees that will not only lower an organization’s risk profile, but also turn employees into intrusion detection sensors that save incident response time and limit the damage caused by advanced threats. Below he offers his insights on developing a workforce capable of identifying and reporting cyber-attacks.
Earlier this month I presented at MIRcon 2013. My experience working in the incident response industry helped conceive the idea for PhishMe with Aaron Higbee, so presenting at MIRcon was a great chance to share insights with a community familiar with the problems that PhishMe addresses.
My presentation centered on how advanced threat actors employ social engineering to attack large enterprises, and how security behavior management can make humans a key element to not only defend against threats, but detect them as well.
Beginning with an example of how a spear phishing email with a malicious attachment threatened critical SCADA systems, I presented some general statistics outlining the prevalence of phishing attacks as well as the costs of allowing breaches to go undetected.
To incident response professionals, this probably didn’t come as news, and at this point, some may have been skeptical that users can solve this problem rather than exacerbate it. It’s not as if organizations haven’t tried to train users. But the methods the security industry has used, not the users themselves, are the reason security awareness training has been so ineffective.
When examining how the human brain works, it’s clear why security awareness has failed. Brains are wired to remember emotional events, meaning that an hour long computer-based training is not as memorable as something interactive. Furthermore, our brains retain information through repetition of an activity. Annual training isn’t enough to give our brains a chance to absorb material. Lastly, effective training provides instant feedback about performance, helping to reinforce good habits while discouraging undesired behavior.
Security awareness training has run into problems by overwhelming users with a number of topics. Given that 91 percent of cyber-attacks start with spear phishing focusing on training employees to recognize and avoid spear phishing emails can drastically reduce incidents, while technical fixes for problems such as insecure passwords and careless USB use can address them without relying on employees.
An immersive training experience that provides instant feedback is the cure for ineffective security awareness. Simulating attacks and coupling those with relevant training is an effective method. This should be conducted continuously throughout the year and focus on key topics to lead to better retention and application of the material.
Employees can do more than avoid falling for phishing attacks; they can aid the incident response process by reporting suspicious emails. Once users recognize phishing, they can be trained to report it. The majority of employees who receive phishing emails from PhishMe interact with them within three hours of receiving the phish, meaning that training them to report can reduce the number of incidents, as well as the severity of those that occur. One of PhishMe’s customers recently deployed our Outlook add-in Phish Reporter (http://phishme.com/product-services/phish-reporter/) to 60,000 desktops world-wide and then ran a simulated phishing attack.
The results promise to disrupt the way we think about incident detection; 15 seconds prior to the first victim clicking on the phishing link, another employee alerted the security team using Phish Reporter. Six other employees did the same within 75 seconds of that first victim falling prey (see below). These ‘human sensors’ effectively reduced incident detection times to seconds prior to or after the breach occurring versus the industry accepted days and weeks after the fact.
Figure 1
While some in the security industry are skeptical of attempts to train users, developing a workforce capable of identifying and reporting attacks is not only possible, but crucial to defending against advanced threats.