Building Human Intelligence – Pun Intended


Presented by: Rohyt Belani, PhishMe

Abstract: In the physical world, the human brain has evolved to avoid danger. The threat of physical pain triggers fear – and we have learned to avoid behavior that causes pain. In the electronic world of email, however, this concept doesn’t translate. Clicking on a malicious link or opening an attachment laced with malware doesn’t cause pain, and often a user won’t even notice anything is wrong after doing it. How, then, can we teach fear perception in the electronic world? Is it even possible? In this presentation I’ll discuss how immersive training can key on psychological triggers to teach people to become skeptical email users who not only avoid undesired security behavior but can aid intrusion detection by reporting suspicious emails, helping to mitigate one of the most serious problems in security: slow incident detection times. According to reports from Mandiant and Verizon, average detection time for an incident is in the hundreds of days. A properly trained workforce is not only resilient to phishing attacks, but can improve detection times as well.

Published in: Technology, News & Politics

  1. Building Human Intelligence – Pun Intended Rohyt Belani Co-founder & CEO, PhishMe @rohytbelani @PhishMe
  2. Nature of Advanced Cyber Attacks Disruption Cybercrime Cyber-Espionage and Cybercrime Damages 2005 2005 2009 2011 2013 Worms Viruses Spyware/Bots Advanced Persistent Threats Zero-Day Targeted Attacks Dynamic Trojans Stealth Bots Changing cyber attacks Evolving cyber actors Shrinking barriers to entry New Threat Landscape
  3. Some Statistics • Massive-scale phishing attacks loom as new threat, USA Today • Ponemon Institute: 2012 Cost of Cyber Crime Study • 2012 Verizon Data Breach Investigations Report • 'Spear phishing' the main email attachment threat, ComputerWorld UK In a single campaign,
  4. ..and technical controls are failing Did these companies not have the best defensive and detective technologies in place?
  5. We need to change the way we defend
  6. “But security awareness doesn’t work” It didn’t, because we were: • Boring • De-focused • Compliance oriented • Passive and.. We didn’t have metrics to prove otherwise
  7. Understanding the Hu Element Memories associated with emotional events are stored here
  8. Learning Theory • For memories to last, we need long term potentiation (LTP) • LTP – “long-lasting enhancement in signal transmission between two neurons that results from stimulating them synchronously” • Persistence or repetition of an activity tends to induce lasting cellular changes that add to stability in signal transmission between neurons
  9. Human Psyche Hacked • To change behavior, we need: – Emotional triggers – Repetition – Feedback loops – Focused information – Develop intuition
  10. Making It Work: It Needs to be Continuous What happened here?
  11. Making It Work: Focus on the Real Threats Before you spend time and money on training ask yourself – can I fix this issue with a technical control? Example, Password complexity – do I really need my users to know what makes a strong password? USB sticks – can’t I just disable them?
  12. Making It Work: Think “Marketing”
  13. Making It Work: Immerse in the Experience
  14. Knives At A Gunfight 2012 Verizon Data Breach Investigations Report: Time windows for financial and PCI breaches. Time from compromise to discovery: Days - Months Time from compromise to exfiltration: Minutes - Days Effective threat protection demands discovery in minutes, not months Time from discovery to containment: Days - Months
  15. We Have a Detection Problem! • Median number of days that attackers were present on a victim network before detection? 243 • Percentage of breaches that went undetected for “months or more”? 66%
  16. Can We Think Outside the Shiny Box? Most people respond to emails within the first few hours of receiving them – if they are trained to report we get relevant, near time threat intelligence Users who learn to not fall for phishing attacks also learn to report them Threat intelligence opportunity
  17. Control cost by incident phase [Figure: Difficulty to Detect vs. Cost to Control; phases: Compromise, Exfiltration, Propagation, Persistence] $5.5MM, Average cost to remediate a breach in 2012 With a thriving user reporting ecosystem
  18. Improve Incident Response • Users provide new source of near-time threat data • Early detection drives down key cost factors such as time from incident to response • Response can start Day 1 – Redirect and capture C&C traffic – Remove same/similar emails from other inboxes – Block additional inbound/outbound – Increase monitoring at targeted entities – If a successful compromise containment may be limited
  19. This is the end goal…
  20. Thank You @rohytbelani @PhishMe #humansensors