Building Human Intelligence – Pun Intended
Rohyt Belani, Co-founder & CEO, PhishMe
@rohytbelani @PhishMe


DESCRIPTION

Presented by: Rohyt Belani, PhishMe

Abstract: In the physical world, the human brain has evolved to avoid danger. The threat of physical pain triggers fear, and we have learned to avoid behavior that causes pain. In the electronic world of email, however, this concept doesn’t translate. Clicking on a malicious link or opening an attachment laced with malware doesn’t cause pain, and often a user won’t even notice anything is wrong after doing it. How, then, can we teach fear perception in the electronic world? Is it even possible? In this presentation I’ll discuss how immersive training can key on psychological triggers to teach people to become skeptical email users who not only avoid undesired security behavior but can aid intrusion detection by reporting suspicious emails, helping to mitigate one of the most serious problems in security: slow incident detection times. According to reports from Mandiant and Verizon, the average detection time for an incident is in the hundreds of days. A properly trained workforce is not only resilient to phishing attacks, but can improve detection times as well.


Page 1: Building Human Intelligence – Pun Intended


Page 2: Building Human Intelligence – Pun Intended

Nature of Advanced Cyber Attacks

(Chart: damages over time, 2005 to 2013, as attacks move from Disruption to Cybercrime to Cyber-Espionage and Cybercrime. Threat types along the timeline: Worms, Viruses, Spyware/Bots, Advanced Persistent Threats, Zero-Day Targeted Attacks, Dynamic Trojans, Stealth Bots.)

Changing cyber attacks

Evolving cyber actors

Shrinking barriers to entry

New Threat Landscape

Page 3: Building Human Intelligence – Pun Intended

Some Statistics

• Massive-scale phishing attacks loom as new threat, USA Today

• Ponemon Institute: 2012 Cost of Cyber Crime Study

• 2012 Verizon Data Breach Investigations Report

• 'Spear phishing' the main email attachment threat, ComputerWorld UK

In a single campaign,

Page 4: Building Human Intelligence – Pun Intended

…and technical controls are failing

Did these companies not have the best defensive and detective technologies in place?

Page 5: Building Human Intelligence – Pun Intended

We need to change the way we defend

Page 6: Building Human Intelligence – Pun Intended

“But security awareness doesn’t work”

It didn’t, because we were:

• Boring

• De-focused

• Compliance oriented

• Passive

and…

We didn’t have metrics to prove otherwise

Page 7: Building Human Intelligence – Pun Intended

Understanding the Human Element

Memories associated with emotional events are stored here

Page 8: Building Human Intelligence – Pun Intended

Learning Theory

• For memories to last, we need long term potentiation (LTP)

• LTP – “long-lasting enhancement in signal transmission between two neurons that results from stimulating them synchronously”

• Persistence or repetition of an activity tends to induce lasting cellular changes that add to stability in signal transmission between neurons

Page 9: Building Human Intelligence – Pun Intended

Human Psyche Hacked

• To change behavior, we need:

– Emotional triggers

– Repetition

– Feedback loops

– Focused information

– Develop intuition

Page 10: Building Human Intelligence – Pun Intended

Making It Work: It Needs to be Continuous

What happened here?

Page 11: Building Human Intelligence – Pun Intended

Making It Work: Focus on the Real Threats

Before you spend time and money on training, ask yourself: can I fix this issue with a technical control? For example: Password complexity – do I really need my users to know what makes a strong password? USB sticks – can’t I just disable them?

Page 12: Building Human Intelligence – Pun Intended

Making It Work: Think “Marketing”

Page 13: Building Human Intelligence – Pun Intended

Making It Work: Immerse in the Experience

Page 14: Building Human Intelligence – Pun Intended

Knives At A Gunfight

2012 Verizon Data Breach Investigations Report: Time windows for financial and PCI breaches.

Time from compromise to discovery: Days - Months

Time from compromise to exfiltration: Minutes - Days

Effective threat protection demands discovery in minutes, not months

Time from discovery to containment: Days - Months

Page 15: Building Human Intelligence – Pun Intended

We Have a Detection Problem!

• Median number of days that attackers were present on a victim network before detection?

243 [1]

• Percentage of breaches that went undetected for “months or more”?

66% [2]

[1] www.mandiant.com/library/M-Trends_2013.pdf

[2] http://www.verizonenterprise.com/DBIR/2013/

Page 16: Building Human Intelligence – Pun Intended

Can We Think Outside the Shiny Box?

Most people respond to emails within the first few hours of receiving them – if they are trained to report, we get relevant, near-time threat intelligence. Users who learn to not fall for phishing attacks also learn to report them.

Threat intelligence opportunity

Page 17: Building Human Intelligence – Pun Intended

Control cost by incident phase

(Chart: incident phases Compromise, Exfiltration, Propagation, Persistence along the horizontal axis; vertical axes labelled Difficulty to Detect and Cost to Control. Annotation: $5.5MM, average cost to remediate a breach in 2012.)

With a thriving user reporting ecosystem

Page 18: Building Human Intelligence – Pun Intended

Improve Incident Response

• Users provide new source of near-time threat data

• Early detection drives down key cost factors such as time from incident to response

• Response can start Day 1

– Redirect and capture C&C traffic

– Remove same/similar emails from other inboxes

– Block additional inbound/outbound

– Increase monitoring at targeted entities

– If a successful compromise, containment may be limited
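The two slides above (user reports as near-time threat intelligence, and the Day-1 response actions) describe a pipeline without showing one. The script below is an added example written for this page; it is not PhishMe's code or the speaker's. It assumes reported emails arrive as raw RFC 822 bytes (for instance, the original message forwarded as an attachment), parses each report for the indicators a responder acts on (sender, lure subject, URL hosts, attachment hashes), merges reports that share an indicator into one campaign, and emits a per-campaign plan of what to block and which same/similar messages to search other inboxes for. The five sample reports, the `.test`/`.example` hostnames and the `FAKE_ZIP` payload are constructed test data.

```python
"""Turn user-reported phishing emails into campaign-level indicators and a
Day-1 response plan. Added example, not PhishMe's code. Assumes reports
arrive as raw RFC 822 bytes; the sample reports below are constructed."""
import hashlib
import re
from collections import defaultdict
from email import message_from_bytes, policy, utils
from email.message import EmailMessage
from urllib.parse import urlsplit

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def build_report(sender, subject, body, attachment=None):
    """Construct a raw message the way a user's report would deliver it (test data only)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "user@corp.example", subject
    msg.set_content(body)
    if attachment is not None:
        msg.add_attachment(attachment, maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


FAKE_ZIP = b"PK\x03\x04 not a real archive"  # constructed attachment payload
SAMPLE_REPORTS = [  # constructed; .test and .example hostnames are reserved, not real sites
    build_report('"IT Helpdesk" <helpdesk@mail-notify.test>', "Action required: password expires in 24 hours",
                 "Reset now: http://login-corp.example.test/reset?u=alice"),
    build_report('"IT Helpdesk" <helpdesk@mail-notify.test>', "Action required: password expires in 12 hours",
                 "Reset now: http://login-corp.example.test/reset?u=bob"),
    build_report("billing@invoice-mailer.test", "Invoice 4471 attached", "See attached.", FAKE_ZIP),
    build_report("accounts@invoice-mailer.test", "FW: Invoice 9920 attached", "See attached.", FAKE_ZIP),
    build_report("noreply@newsletter.test", "Weekly digest", "Read it: http://news.example.test/issue/12"),
]


def normalize_subject(subject):
    """Drop reply/forward prefixes and collapse digits so lure variants match each other."""
    s = re.sub(r"^\s*(?:(?:re|fw|fwd)\s*:\s*)+", "", subject, flags=re.IGNORECASE)
    s = re.sub(r"\d+", "#", s)
    return re.sub(r"\s+", " ", s).strip().lower()


def extract_indicators(raw):
    """Pull sender, normalized subject, URL hosts and attachment hashes from one report."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = utils.parseaddr(str(msg.get("From", "")))[1].lower()
    hosts, hashes = set(), set()
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_content_disposition() == "attachment":
            hashes.add(hashlib.sha256(part.get_payload(decode=True)).hexdigest())
        elif part.get_content_type() == "text/plain":
            for url in URL_RE.findall(part.get_content()):
                host = urlsplit(url).hostname
                if host:
                    hosts.add(host.lower())
    subject = normalize_subject(str(msg.get("Subject", "")))
    # Keys that link two reports into one campaign. The sender is deliberately
    # not a key: high-volume mail domains would merge unrelated reports.
    keys = {f"host:{h}" for h in hosts} | {f"sha256:{h}" for h in hashes}
    if subject:
        keys.add(f"subject:{subject}")
    return {"sender": sender, "subject": subject, "hosts": hosts, "hashes": hashes, "keys": keys}


def cluster_reports(indicators):
    """Union-find: reports sharing any indicator key belong to the same campaign."""
    parent = list(range(len(indicators)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    owner = {}  # indicator key -> first report seen with it
    for i, ind in enumerate(indicators):
        for key in ind["keys"]:
            if key in owner:
                parent[find(i)] = find(owner[key])
            else:
                owner[key] = i
    groups = defaultdict(list)
    for i in range(len(indicators)):
        groups[find(i)].append(i)
    return sorted(groups.values(), key=len, reverse=True)


def response_plan(indicators, cluster):
    """Day-1 actions for one campaign: what to block and what to pull from inboxes."""
    members = [indicators[i] for i in cluster]
    return {
        "reports": len(cluster),
        "block_hosts": sorted(set().union(*(m["hosts"] for m in members))),        # proxy/DNS block, C&C capture
        "block_senders": sorted({m["sender"] for m in members}),                   # inbound mail rule
        "quarantine_hashes": sorted(set().union(*(m["hashes"] for m in members))),  # pull matching attachments
        "mailbox_search_subjects": sorted({m["subject"] for m in members}),        # find same/similar lures
    }


def triage(raw_reports):
    """Reports in, ranked campaign response plans out (most-reported campaign first)."""
    indicators = [extract_indicators(r) for r in raw_reports]
    return [response_plan(indicators, c) for c in cluster_reports(indicators)]


if __name__ == "__main__":
    for plan in triage(SAMPLE_REPORTS):
        print(plan)
```

Run as-is, the script groups the two password-reset lures (same host, same normalized subject) into one campaign and the two invoice lures (same attachment hash, same subject once the FW: prefix is stripped) into another, leaving the newsletter on its own. The ranking by report count is what makes reporters useful as "human sensors": the campaign several people flagged within the first hours is the one worth blocking and purging from every other inbox before anyone clicks.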

Page 19: Building Human Intelligence – Pun Intended

This is the end goal…

Page 20: Building Human Intelligence – Pun Intended

Thank You

[email protected] @rohytbelani @PhishMe #humansensors