Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

5 steps to incorporate threat intelligence into your security awareness program

Ira Winkler, Araceli Treu Gomes | March 6, 2015
In our recent article, we highlighted that every significant and public attack exploited people to either get an initial foothold in a target organization or as the entire attack vector. These attacks highlight the need for awareness as a top concern of security programs.

The point to get across is that attacks that exploit the end users are ongoing and pervasive. They all represent that the threat is imminent.

Detail what to look out for

When you inform people that there is a likely threat, which provides the motivation to take action, you need to similarly inform them specifically about what they should be looking for. If an attack is imminent, such as the Syrian Electronic Army attack previously mentioned, you can inform your users that they should be on the lookout for phishing messages. You can tell them the type of messages to expect and provide examples of messages that have been previously employed by the attackers.

Also, many people were victimized by the Anthem hack. Those victimized by or aware of the compromise need to be made aware that they should expect phishing email messages taking advantage of the hack. This leverages the incident to increase overall user awareness.

Whatever the likely attack vector is, the information should be detailed with the employees in mind.

Specify how to react

Telling people what to look for does little more than promote annoyance or generate fear. Providing people with the actions to take if they perceive themselves to be under attack gives them control. The threat, actualization, and prescribed actions should be specific and should include how to prevent the attack and who to report the potential incident to.

Clearly you need to tell people what to do or not to do, however that just prevents the attack from being successful against that individual. However even a minimally committed attacker will move on to the next potential victim. When someone reports the attack in progress, the security team can then take actions to prevent the attack from being successful against less aware individuals.

For example, if there is a phishing message involved, the security team can delete copies of messages to other individuals off of the email server. If you know that people are being sent to a specific domain, you can block the domain. You can also send out a more specific message to all people informing them of the specific nature of the actual attack, which also helps people realize that attacks against your organization are real.

Ensure the security team is aware of the intelligence and recommended actions

You should not take for granted that the security team might not be fully aware of the issues and how to respond. Too frequently there is an inaccurate assumption that people know how to respond and react correctly. The "security team" should be broadly defined to include the Help Desk (or whomever receives security-related calls), email administrators, web administrators, physical security, and any other group that might be responsible for taking an action if there is a potential attack.


Previous Page  1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.