Building Human Intelligence –
Pun Intended
Rohyt Belani
Co-founder & CEO, PhishMe
@rohytbelani @PhishMe
Nature of Advanced Cyber Attacks
[Chart: attack types plotted against damages, 2005 to 2013: Worms, Viruses, Spyware/Bots, Advanced Persistent Threats, Zero-Day Targeted Attacks, Dynamic Trojans, Stealth Bots; phases labelled Disruption, Cybercrime, Cyber-Espionage and Cybercrime]
New Threat Landscape
• Changing cyber attacks
• Evolving cyber actors
• Shrinking barriers to entry
Some Statistics
• Massive-scale phishing attacks loom as new threat, USA Today
• Ponemon Institute: 2012 Cost of Cyber Crime Study
• 2012 Verizon Data Breach Investigations Report
• 'Spear phishing' the main email attachment threat, ComputerWorld UK
In a single campaign,
..and technical controls are failing
Did these companies not have the best defensive and detective technologies in place?
We need to change the way we defend
“But security awareness doesn’t work”
It didn’t, because we were:
• Boring
• De-focused
• Compliance oriented
• Passive
and..
We didn’t have metrics to prove otherwise
Understanding the Human Element
[Figure: brain diagram] Memories associated with emotional events are stored here
Learning Theory
• For memories to last, we need long term potentiation (LTP)
• LTP – “long-lasting enhancement in signal transmission between two neurons that results from stimulating them synchronously”
• Persistence or repetition of an activity tends to induce lasting cellular changes that add to stability in signal transmission between neurons
Human Psyche Hacked
• To change behavior, we need:
– Emotional triggers
– Repetition
– Feedback loops
– Focused information
– Develop intuition
Making It Work: It Needs to be Continuous
What happened here?
Making It Work: Focus on the Real Threats
Before you spend time and money on training, ask yourself – can I fix this issue with a technical control?
Example:
Password complexity – do I really need my users to know what makes a strong password?
USB sticks – can’t I just disable them?
Making It Work: Think “Marketing”
Making It Work: Immerse in the Experience
Knives At A Gunfight
2012 Verizon Data Breach Investigations Report: Time windows for financial and PCI breaches.
Time from compromise to discovery: Days - Months
Time from compromise to exfiltration: Minutes - Days
Time from discovery to containment: Days - Months
Effective threat protection demands discovery in minutes, not months
We Have a Detection Problem!
• Median number of days that attackers were present on a victim network before detection? 243 [1]
• Percentage of breaches that went undetected for “months or more”? 66% [2]
[1] www.mandiant.com/library/M-Trends_2013.pdf
[2] http://www.verizonenterprise.com/DBIR/2013/
Can We Think Outside the Shiny Box?
Most people respond to emails within the first few hours of receiving them – if they are trained to report, we get relevant, near-time threat intelligence
Users who learn to not fall for phishing attacks also learn to report them
Threat intelligence opportunity
Control cost by incident phase
[Chart: Difficulty to Detect vs. Cost to Control across the phases Compromise, Exfiltration, Propagation, Persistence]
$5.5MM, Average cost to remediate a breach in 2012
With a thriving user reporting ecosystem
Improve Incident Response
• Users provide new source of near-time threat data
• Early detection drives down key cost factors such as time from incident to response
• Response can start Day 1
– Redirect and capture C&C traffic
– Remove same/similar emails from other inboxes
– Block additional inbound/outbound
– Increase monitoring at targeted entities
– If a successful compromise occurred, containment may be limited
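As an added illustration of the "remove same/similar emails from other inboxes" step above (example code, not from the slides or from PhishMe): take one user-reported email, pull out its sender, normalized subject and body URLs, and sweep other mailboxes for messages that share any of them. All email samples, mailbox names and addresses are constructed for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def extract_indicators(raw):
    """Sender address, normalized subject and body URLs of one RFC 822 email."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    # Strip Re:/Fw: prefixes so forwarded copies of the same lure still match.
    subject = re.sub(r"^\s*(re|fw|fwd):\s*", "", msg.get("Subject", ""), flags=re.I)
    return {
        "sender": parseaddr(msg.get("From", ""))[1].lower(),
        "subject": subject.strip().lower(),
        "urls": {u.rstrip(".,)").lower() for u in URL_RE.findall(body.get_content() if body else "")},
    }

def is_similar(reported, candidate):
    """Same sender, a shared URL, or the same normalized subject."""
    return bool((reported["sender"] and candidate["sender"] == reported["sender"])
                or (reported["urls"] & candidate["urls"])
                or (reported["subject"] and candidate["subject"] == reported["subject"]))

def sweep_mailboxes(reported_raw, mailboxes):
    """Return (mailbox, index) for every stored message similar to the reported one."""
    ioc = extract_indicators(reported_raw)
    return [(box, i) for box, msgs in mailboxes.items()
            for i, raw in enumerate(msgs) if is_similar(ioc, extract_indicators(raw))]

# Constructed sample data: one user-reported lure and two other users' mailboxes.
REPORTED = """From: "IT Helpdesk" <helpdesk@example-payroll.test>
Subject: Action required: verify your payroll account

Please confirm at http://example-payroll.test/login within 24h.
"""
MAILBOXES = {
    "bob": ["""From: helpdesk@example-payroll.test
Subject: Re: Action required: verify your payroll account

Same notice, please confirm at http://example-payroll.test/login today.
"""],
    "carol": ["""From: newsletter@vendor.test
Subject: Monthly update

Read more at http://vendor.test/news
"""],
}
```

Running `sweep_mailboxes(REPORTED, MAILBOXES)` flags only Bob's copy; the hits are what a responder would quarantine and feed into the blocking and monitoring steps listed above.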
This is the end goal…
Thank You
Rohyt@PhishMe.com
@rohytbelani @PhishMe #humansensors
