Most cyber attacks are made possible because of social engineering; whether it is a phishing e-mail, a phone call from a “job applicant” or a “competition” on social media. This means that if you want to protect your organization from cyber attacks, you need your colleagues to listen. The problem? Nobody likes being interrupted. Because of this, many organizations are forcing security awareness as a compliance issue. They say; “you have to take this e-learning course by the end of the month, or HR will come after you”. Is it measurable? Sure. Does it make your company less likely to be hacked? Probably not. So what can we do instead? Create a powerful awareness message based on actionable threat intelligence.

Follow the news!

How do newspapers make people want to read their articles? Academic research has shown that certain news values or news criteria can help explain when something is newsworthy. This is a way to assess when people will be interested or not. We are not going to consider whether our audience is interested in news. Instead, we want to understand how we can create a message people will listen to. Here are some factors we should take into account:

  • Timeliness
  • Conflict
  • Personalization
  • Meaningfulness

In the news, timeliness is often about being fast with reporting new events. If we want to deliver a timely message, we need to reach people when they want to listen. The message must be new, and at the same time relevant for the problem at hand.

Conflict: this brings tension to a news story. It plays the same role in security awareness, the conflict factor is the conflict between the adversary and the organization. What are the bad guys up to, and how could it hurt us?

The meaning of personalization is similar to the news world. What does this mean for the people affected, such as the employee and colleague, the customer? If we describe the impact of some security news as “potential for confidentiality breach and possible lateral movement within the network”, it is not likely to be interesting for someone outside the security team. The message must be written for the audience we are targeting!

Meaningfulness is related to how we identify with the issue. Are the victims similar to me? Could it happen to my workplace, and how would that change things?

A powerful awareness message can improve cybersecurity more
Using the right powerful awareness message can change your cybersecurity program from compliance focused to driving actual security behaviors.

Awareness tied to context of threat intelligence

Most awareness messages are shaped like technical instructions distributed by e-mail. It regularly fails at all our “news values”. How can we change that to move towards truly powerful awareness programs? Programs that are relevant and helpful to the job people need to get done in the moment? When we manage to deliver relevant news at the right time, we have people’s attention. Then we can attach recommendations and trainings directly to that context.

Threat intelligence as a hook for powerful awareness messages

Crime sells. Threat intelligence is to a large extent “true crime”. We are not thinking of threat intelligence in the form of IP address block lists. Instead, we need news stories to learn from. We need a story with a victim to identify with. It should have a threat actor to fear, and a way to tie it to “us”. When we think about how the victim should have protected him or herself, we are at the same time planning our own risk mitigation.

This is the primary motivation for Cybehave’s upcoming threat intelligence platform: a threat intelligence service with built-in context-aware security training. What if you could get alerted to important cybersecurity news that are relevant to your firm and our business sector? That would be great as a hook to communicate recommendations for risk mitigation. When the threat intelligence comes with ready-to-use awareness program content, we have access to powerful awareness messages.

Sawfish – a Github phishing campaign

Let’s take a recent example. Last week Github released news about an ongoing phishing campaign named “Sawfish” against Github account holders. Github is an online code repository used to hold computer code for developers and organizations. Is this information relevant for a marketing VP or the receptionist at a hotel? Probably not. But it is relevant to developers, the security team and product owners. This brings us to another important aspect of making awareness messages meaningful; they should be role based. Let’s see how we can use these news to motivate good security practices among software developers:

Intel Summary

There is an ongoing phishing campaign targeting Github.com account holders. The campaign bypasses one-time-password (OTP) based two-factor authentication. When accounts are taken over, attackers can download source code, also from private repositories, they can contribute malicious code to the repositories and they may steal access tokens. This means that an attacker who compromises the account of someone who contributes to popular open source packages could use the access to attack the users of these packages.

Impact Assessment

Account takeovers on code repositories could lead to leaked source code and malicious code injection in your organization’s codebase. It could also lead to injections in open source components maintained by developers who have had their accounts compromised.

Recommendations

  • Consider setting up two-factor authentication using a hardware token.
  • Make it a habit not to click links in emails or social media messages to get to a login page. Instead use a bookmark or type the url in your browser.
  • Regularly review audit logs of account changes where available. For Github you can read more about how to review your account security here: https://help.github.com/en/github/authenticating-to-github/preventing-unauthorized-access.
  • Make sure to review the risk of adding third-party dependencies in your code. You don’t only trust the coding abilities of the developers of third-party dependencies, implicitly you also trust their ability to protect the integrity of that code.

Delivering this message to a developer is much more powerful than telling them to check where a link is leading before clicking it. The best way would perhaps be to get a short message about the Sawfish campaign. The recommendations and options to learn more can be optional but visible. A powerful awareness message will motivate people to seek further recommendations and information. We think people learn faster with the right motivation.

Cybehave is working to deliver the best threat intelligence program for effective cybersecurity awareness. Sign up for our weekly newsletter today and stay informed about threat intelligence and awareness. You will also get a free demo of our threat intelligence platform when we launch!

Leave a Reply