October is Cybersecurity Awareness Month, an opportunity for organizations to spend a little extra effort educating their non-security staff on security best practices. This training generally focuses on basics such as enabling MFA, strengthening passwords, and teaching the warning signs of phishing. While these actions can improve your security posture when successfully adopted, training is often not enough to stop harmful human behavior, especially as threat actors continue to adapt to bypass these efforts.
As we look ahead to the future of Cybersecurity Awareness Month, what elements of our training should be enhanced to address these new attack vectors, and where can we begin to rely more on technology to reduce the impact of human error?
Enhancing MFA Education
Enabling multi-factor authentication is one of the four initiatives highlighted by CISA as part of this year’s Cybersecurity Awareness Month training. MFA is a vital first line of defense, reducing the impact of stolen credentials. However, for organizations that have already deployed MFA, there is still training that can be done to ensure it is effective.
Threat actors are aware of the increased use of MFA and have developed numerous tactics to bypass traditional MFA methods. One such tactic is known as MFA prompt bombing. In this attack, the threat actor floods an employee with MFA prompts in the hope that the employee will accidentally accept one when it appears, or accept on purpose after receiving several, just to make the prompts stop. The hacker may pose as the organization’s IT or support staff when making these requests, and may even call the employee while posing as support in order to trick the victim into approving. The timing of these requests is also critical. Requests sent at the start of the workday, when employees would typically be logging in, attract less attention and are more likely to be approved.
Groups such as Lapsus$ have found success with this method, contributing to several recent high-profile breaches, including September’s Uber breach and the March 2022 leak of Microsoft source code.
As MFA bypassing becomes more common, organizations are increasingly exploring phishing-resistant MFA to replace traditional methods such as SMS or push notifications. Adaptive authentication serves as another MFA safeguard, relying on machine learning to identify abnormalities and require additional verification, depending on the risk detected.
The reality for many security teams, however, is that successful widespread implementation of these technologies is still months to years out of reach. In the meantime, enhancing security awareness training around MFA can help address the problem. Consider additional training for users on how to recognize an abnormal MFA request and what to do if they receive a flurry of requests. Educate your employees on your organization’s IT practices, so they can recognize when a request is legitimate versus coming from a threat actor posing as a team member.
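As an added illustration (not code from the RH-ISAC post), the following Python sketches the kind of anomaly check an adaptive authentication system or a SIEM rule could apply to MFA push logs: it flags a user who receives an abnormal burst of push prompts in a short window and records whether the burst included rejected or timed-out prompts and ended in an approval, the pattern the prompt-bombing description above produces. The log format, field names, window and threshold are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of MFA push events (not real logs). Fields: time, user, event.
SAMPLE_LOG = """\
2022-10-03T08:58:10Z alice push_sent
2022-10-03T08:58:41Z alice push_timeout
2022-10-03T08:58:45Z alice push_sent
2022-10-03T08:59:02Z alice push_denied
2022-10-03T08:59:05Z alice push_sent
2022-10-03T08:59:30Z alice push_denied
2022-10-03T08:59:33Z alice push_sent
2022-10-03T09:00:10Z alice push_approved
2022-10-03T09:01:00Z bob push_sent
2022-10-03T09:01:20Z bob push_approved
"""

WINDOW = timedelta(minutes=10)   # assumed sliding window
PROMPT_THRESHOLD = 3             # more prompts than this inside WINDOW is abnormal

def parse_log(text):
    # Parse "timestamp user event" lines into (datetime, user, event) tuples.
    events = []
    for line in text.splitlines():
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return events

def detect_prompt_bombing(events, window=WINDOW, threshold=PROMPT_THRESHOLD):
    """Return {user: finding} for users who got more than `threshold` push prompts
    inside any `window`, noting rejections and whether one was finally approved."""
    by_user = defaultdict(list)
    for ts, user, event in sorted(events):
        by_user[user].append((ts, event))
    findings = {}
    for user, evs in by_user.items():
        sent = [ts for ts, ev in evs if ev == "push_sent"]
        for i, start in enumerate(sent):
            burst = [t for t in sent[i:] if t - start <= window]
            if len(burst) <= threshold:
                continue
            in_window = [ev for ts, ev in evs if start <= ts <= start + window]
            findings[user] = {
                "prompts": len(burst),
                "rejections": sum(ev in ("push_denied", "push_timeout") for ev in in_window),
                "approved_in_window": "push_approved" in in_window,
            }
            break  # one burst is enough to raise the alert for this user
    return findings
```

A finding with several rejections followed by an approval is the case worth escalating: it is the "accept just to make it stop" outcome the training is meant to prevent.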
Improving our Phishing Detection
Much of our current security awareness training boils down to “don’t click on things.” The reality, however, is that phishing remains one of the most prevalent initial attack vectors, accounting for 90% of data breaches in Cisco’s 2021 Cyber Security Threat Trends report.
If we can’t stop humans from clicking on things, can we improve our defenses so there is less opportunity to click on things in the first place? In RH-ISAC’s recent podcast episode, 2022 Cyber Intelligence Summit keynote speaker Ira Winkler discusses why he feels we are placing too much of the security burden on our employees. Security teams have long recognized humans as the weak point in their security, yet we still rely on security awareness training to prevent attacks. Ira advocates for designing our systems to limit the damage humans can do. This sentiment is echoed later in the episode by Mike Britton, CISO of Abnormal Security, a company dedicated to detecting and blocking abnormal email behavior.
Traditional secure email gateways rely on signature- and reputation-based detection that can’t keep pace with modern threat actor behavior and isn’t able to detect highly targeted spear-phishing attacks that spoof known third parties.
If a high volume of phishing emails is making it through your defenses and reaching your employees, it may be time to invest in next-generation security tools with automated capabilities better suited to today’s threats, rather than relying on security training to prevent successful attacks.
Modern Cybersecurity Awareness Month
There will always be a place for security awareness training, particularly as technological alternatives remain out of reach for many organizations. We should, however, ensure that the training we provide is engaging and addresses the threats as they evolve.
Learn more about effective security awareness training in these other RH-ISAC blog posts:
- Enabling Secure CI/CD via Application Security Awareness Training
- Increase Security Awareness to Prevent Ransomware Attacks
- Strengthening Your Organization’s Password Policy
RH-ISAC members also have access to our Security Awareness Working Group, which meets regularly to discuss security awareness best practices. Not a member? Learn more about RH-ISAC membership.