Sunday, May 26, 2024

Security awareness programs against targeted attacks

By Macky Cruz

Most advanced persistent threat (APT) defense strategies leave the human element out of the solution, focusing solely on data protection, threat intelligence, and comprehensive network monitoring.

We believe that this approach should be reinforced with rigorous security awareness programs to be truly effective as human weakness is still the greatest vulnerability in any system.

Social engineering is predominant in uncovered APT campaigns. While spear phishing remains a primary tactic used to deliver malware in targeted attacks, we can't ignore other social engineering ploys, such as the old "free USB on the street" trick and fake emergency phone calls.

Accordingly, enterprises should complement existing security efforts with a proactive security awareness program. This program should aim to train the workforce on how to react to actual security incidents, and to practice safer network usage habits.

All employees, from full-time staff to third-party consultants, business partners and suppliers, and from every department, should be part of this training.

Going proactive: Implementing regular security drills

A proactive security program should make the threat real for every worker. This way, every person who has access to the network feels the responsibility of actively defending the organization.

The program must emphasize three core ideas. First, it must make workers aware of what targeted attacks are: their impact on companies and the usual methods used to execute them. In an ISACA study on APTs, 67 percent of respondents report that they haven't increased awareness training about APTs.

The program should tackle the basic principles of social engineering: the psychology behind it and the human emotions it takes advantage of, such as fear, urgency and trust. It should also incorporate policies that help employees practice what they've learned.

For example, management should implement a policy that allows employees to validate the authenticity of anything they find suspicious, such as an "urgent business-critical task" request from a dubious source posing as one of the higher-ups.

Second, the program must move away from one-time training manuals. Instead, it must implement real-life security drills to train employees how to confront actual social engineering attacks.

Some organizations develop phishing tests, while others use automated phishing diagnostic tools to test their employees' capacity to defend the organization in actual targeted attack scenarios.

You must ensure that these drills provide real-time feedback. For instance, if an employee falls for a simulated phishing attack, they should be immediately notified with a brief explanation of the mistake they made. The notice should also include advice on how to spot and handle these kinds of emails.

Keep in mind, however, that spear phishing is just one of the several ploys used in targeted attacks, and that threat actor tactics change over time. Companies should adjust their security drills to keep up with evolving threats and techniques.

Third, the training program should make employees understand which information is safe to reveal in public and which isn't. Employees are oftentimes not mindful of the repercussions of sharing too much online.

Osterman reports that 13 percent of organizations experienced a leakage of sensitive or confidential data through Facebook, 9 percent through Twitter, and 10 percent through LinkedIn. Despite these incidents, only one-third of organizations provide training on appropriate use of social media.

Transforming your weakest link into a security asset

The success of any targeted attack defense doesn't depend only on threat intelligence and good network security software. It also depends on a well-informed and vigilant workforce.

Empower employees by helping them realize the important role they play in mitigating targeted attacks. Incorporate regular proactive security drills into your custom defense to complement advanced software technology and intelligence with active human coverage.

The author is the technical communications specialist at TrendLabs, the research and development and support headquarters of Trend Micro.