Making security awareness training impactful using threat intelligence


Most organizations take on Security Awareness Training in one form or another with varying levels of commitment. For some, it is a tick-in-the-box exercise to satisfy some form of compliance. This can range from a parent organization to the PCI-DSS obligations of making sure employees are aware of the importance of handling cardholder data. For others, the entire month of October (due to Cyber Security Awareness month) gets chalked up to a barrage of emails and posters bombarding everyone within the company.

One thing that remains consistent is that the evidence shows the more an organization participates in the discussion of risk, the higher the percentage of employees who respond appropriately to both real and perceived threats. How is it then that we continue to have employees falling victim to phishing attacks, watering hole attacks, and phone scams? The fact of the matter is that we’re all human, and humans make mistakes. While we can accept that as a fact, we as a community can also continue to evolve and improve our organizational cybersecurity posture.

What if we were able to truly capture our audience’s attention? Over time it has become evident that, when it comes to awareness training, when individuals can put themselves in the shoes of the victim and hear a compelling story, it becomes more than a theoretical scenario: it becomes a real problem they may have to face one day. This is where threat intelligence comes into play.


What is threat intelligence?

There are two types of threat intelligence that most security professionals are aware of. The first is operational threat intelligence and the other is traditional threat intelligence, which is the more common of the two. But what’s the difference?

Operational threat intelligence is often used to proactively defend a network or organization by ingesting indicators of compromise into a firewall, threat intelligence gateway, secure email gateway, or other device. By operationalizing threat intelligence, an organization is able to limit a threat actor or cybercriminal’s ability to interact with devices or services in a meaningful way. While many challenges exist in implementing operational threat intelligence at scale for most companies, it’s a very effective method of minimizing the initial risks that an employee may observe in the first place.

Traditional threat intelligence is where many professionals have lived historically. These are long reports that often read like a post-mortem of an attack. They’re a cautionary tale of what happens when you don’t patch a system, forget to conduct your monthly audit of firewall ACLs, or somehow succumb to another attack. These reports typically contain a plethora of indicators of compromise, of course, but much more value can come from them, and that is the tale they tell.

Fortunately, we don’t expect non-technical employees to try to understand either of these, but how can we weave those same reports into a tool better suited to our audience?

Getting more value from threat intelligence

So, you’ve read through all the reports, reminded the IT staff to be extra diligent in reviewing firewall policies, made sure your GPO enforced the new password policy, scheduled your next phishing exercise for the next quarter, and now is the time to give your employees their annual security awareness training.

Reminding employees that everyone is a target is always a good first step. Except, what does the social media manager have to worry about? Being able to cite sources directly from threat intelligence can show people within various departments why their positions are valuable to attackers and get their initial attention, but it doesn’t stop there. You need to weave the whole story into a tale that feels personal.

Continuing with the role of social media, remind them of the types of data that they have access to. Do they have access to upcoming announcements regarding intellectual property implementations? Maybe they’re on email chains regarding upcoming mergers and acquisitions? By using traditional threat intelligence, IT teams can personalize the threat and drive home how much value information truly has and the lengths an adversary will go through to get access to it.

Some examples of various departments and the information they may hold that could prove valuable to an attacker include:

Human Resources: Passports and travel documentation, company rosters, departmental organization, various disability related accommodations made for employees (which can be used to victimize employees through extortion). 

Marketing: Upcoming feature deployments and focus of sales targeting, strategic messaging from the C-Suite, partnership announcements. 

Legal: Ongoing litigation, employee investigations, ransomware negotiation status, pending patent filings and supporting documentation, mergers and acquisitions, contractual obligations. 

Research and Development: Status of intellectual property developments, partner feature requests, limitations of technology, known vulnerabilities and bugs. 

Security and Operations: Current security policy, security software in place, roles and permissions for various users and other roles.


Traditional threat intelligence is laden with cautionary tales that demonstrate the value of every individual in an organization. These stories need to be told in a way that staff can internalize and bring home as a valuable lesson. For example, the Uber breach reports can be used to teach employees the importance of multi-factor authentication (MFA), its proper usage, and the proper procedures for reporting anomalies in the service, which leads naturally into a discussion of MFA fatigue attacks.

Where to find threat intelligence

The first place to look is internally. Has there been a recent breach at your own organization that can be openly discussed? There’s often a stigma associated with admitting our own faults, but maybe this is the answer to showing both the risk and the direct impact of threats! Additionally, checking various cybersecurity vendors’ websites will likely yield enough information to get even the greenest organizations started. While some details may be sparse for the protection of victims, even anonymized information can be incredibly valuable.

The next step might be a threat intelligence partner, such as the one from which operational intelligence is already being purchased. Commercially acquired analysis may come with control restrictions that need to be discussed further, but it might already be available through an existing subscription. If not, creating your own training and purchasing reports could be another option.

Finally, most employees respond better when a third party is giving a passionate presentation about cybersecurity. Hiring an external entity to provide the training has many benefits, including experience working with threat intelligence, personalized war stories of organizations that have been breached, the emotions of those who were involved, and an outside perspective that will seem fresh. At a higher level, decision makers are more likely to invest in the same funding requests when there’s a third party advocating for the same recommendations internal staff have been advocating for.

Making it personable

The importance of security awareness training has been at critical levels for over two decades now. Bringing everything together in common language, not that of the security industry, can be difficult. IT professionals work with security policy and procedures for the entirety of their workday. While the gap in knowledge and practice needs to be closed, the best way to do so is through organization-wide buy-in.

Threat intelligence is just one very valuable vehicle we have to make the training feel real, be engaging, and still convey the same points that have been discussed ad nauseam. Once people acknowledge they are a target, see the value they provide, and finally hear an engaging story of how attackers manipulate unsuspecting victims, it becomes something that a person can identify with.


This article was produced as part of TechRadarPro's Expert Insights channel, where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing, find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro

Matt Sparrow, Senior Intelligence Operations Analyst, Centripetal.