Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

12/4/2013
11:15 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Using The Human Perimeter To Detect Outside Attacks

The right training and reporting mechanisms can make it possible to crowdsource human observation of suspicious emails and potential attacks for faster detection

While automated technology, network sensors, and behavioral analysis are crucial to helping security professionals detect attacks against their network resources, sometimes nothing can beat good old-fashioned human observation. Security team members can only do so much to personally observe aberrant behavior, but fortunately, they may have a ready source of eyes and ears in what some jaded pros might consider an unlikely pool of candidates: end users.

The fact is that end users are at the front lines of attacks—most outside incursions to the network usually involve some form of social networking or another. Instead of simply putting up posters and sending out multiple-choice questions once a year about how to avoid phishing dangers altogether, social engineering experts say organizations should seek a more realistic and robust training goal. They should be teaching employees to spot suspicious activity and report it without fear of recrimination, whether they fell for a ploy or not. Ultimately, the goal is to turn employees into a sort of human perimeter to help the security team detect attacks more quickly.

"There are many more human sensors on a network than any intrusion detection system can ever hope to have, because every employee can be one," says Rohyt Belani, CEO of PhishMe. "If you look at the way security responders work today, they're picking leads off of either their IDS systems or their network logs and then they are going through a similar process to find suspicious behavior. Given the right mechanisms or right sorts of tools, the humans who are resilient to these attacks actually become great reporters."

The fact is that security has always been a game of reducing the odds of exposure rather than eliminating it. And yet, when it comes to the human element of security too many security pros are quick to disparage all end users as stupid because attacks continue to get through, says Mike Murray, managing partner for MAD Security. But that's like saying any other piece of detection technology is worthless because it doesn't work 100 percent of the time.

"A really motivated attacker is always going to get in—if you've got a skilled person, they're going to find a way into the network. The key is quick detection and good response capabilities at that point," Murray says. "Your IPS doesn't stop everything, but it should tell us something that gives the SOC operator an idea about where to follow up on something. If we can get our users doing that as well, that detective capability will allow us to respond much more quickly that we can naturally."

In many cases, human intuition may not kick in fast enough to prevent someone from falling for a phishing ploy or a malicious link altogether, but it usually happens pretty soon after the first strike, says Lance Spitzner, training director for SANS Securing The Human Program.

"When somebody gets hacked, they usually figure it out. Either their system crashes or a document looks a little weird or a particular website makes the browser act funny," he says. "When they report it, they improve organizational resilience."

Unfortunately, many organizations have a difficult time developing that resilience through a human perimeter because they simply don't have the mechanisms in place to support it. According to Chris Hadnagy, chief human hacker for Social-Engineer, Inc., one of the biggest impediments to the process is a fear by employees that telling someone about a problem may get them fired. The other is not having any procedure for properly reporting it.

"One of the things we find all too often when working with companies is that they don't have reporting agencies within their organizations," he says. "When something bad occurs, there's no place for the employee to say, 'Hey, I think I just clicked a link that was bad.'"

[Apple, General Motors, Home Depot, Johnson & Johnson, Chevron, Boeing, and other major corporations easily fall to social engineers in recent contest, a new report shows. See Social Engineers Pwn The 'Human Network' In Major Firms .]

On the back end, the organization needs to have enough manpower to handle these reports, Hadnagy says, explaining that for a Fortune 500 company with thousands of employees, "this is not a one-person job."

Not only should this team be working to sift through these reports and triangulating them with logs and other detection technology output, but it also needs to establish solid and positive communication with the employees that send the reports to encourage future cooperation.

"If they feel like they're going to be chewed out or punished, we create an atmosphere of fear," he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-2319
PUBLISHED: 2019-12-12
HLOS could corrupt CPZ page table memory for S1 managed VMs in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking in MDM9205, QCS404, QCS605, SDA845, SDM670, SDM710, SDM84...
CVE-2019-2320
PUBLISHED: 2019-12-12
Possible out of bounds write in a MT SMS/SS scenario due to improper validation of array index in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8009, APQ8017, APQ805...
CVE-2019-2321
PUBLISHED: 2019-12-12
Incorrect length used while validating the qsee log buffer sent from HLOS which could then lead to remap conflict in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdra...
CVE-2019-2337
PUBLISHED: 2019-12-12
While Skipping unknown IES, EMM is reading the buffer even if the no of bytes to read are more than message length which may cause device to shutdown in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables in APQ8053, APQ809...
CVE-2019-2338
PUBLISHED: 2019-12-12
Crafted image that has a valid signature from a non-QC entity can be loaded which can read/write memory that belongs to the secure world in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastruc...