Co-authored by Quinn North, Senior Incident Response Analyst, IBM Security.

The security world abounds with case studies demonstrating that end users are a weak point within the organization. End users are constantly bombarded by phishing attacks, are notorious for using weak account credentials and are preyed on by malware relying on the user to introduce malicious software into an environment. All of these examples may lead to significant damage to the organization and negative headlines.

Unfortunately, despite significant efforts, end user security issues continue to stymie even the most well-funded and resourceful security teams. Even with end user training, new hire training, annual security certifications and periodic emails from an exasperated security teams pleading to think twice before clicking on a link, end users continue to introduce and ferment risk within an environment.

It’s safe to assume that most end users have good intentions and are not actively trying to open the doors for the bad guys. So why does the end user continue to be the weakest link? Perhaps we need to adjust how we interact with end users.

Introducing the Feedback Loop

A feedback loop consists of four unique stages:

  1. Capturing or measuring a behavior;
  2. Conveying information to the end user in a manner that is easy to understand;
  3. Conveying the direct consequence of the behavior; and
  4. Recapturing or remeasuring the behavior.

One method to illustrate the feedback loop in the information security realm is via spear phishing exercises. These are exercises sanctioned and conducted by the organization to identify users that are prone to clicking on malicious links. Spear phishing training exercises are an excellent method to correct unwanted end user behavior.

Feedback Loop in Action

Demonstrating the exercise in a feedback loop, an end user first clicks on a spear phishing email that, ideally, should be recognized as malicious. The first step in the feedback loop has been satisfied.

As soon as possible after the user clicks on the link, the individual should be educated on what happened and how to avoid the same mistake in the future, per the second step.

The third step is informing users of the consequences of their actions. This should be done both from an information security aspect (i.e., what the ramifications were to the state of security within the organization) and from a human resources perspective. No one is advocating formal disciplinary actions over clicking on a link in a test. However, repeat and frequent occurrences may warrant additional attention.

Finally, the fourth step, retesting participants, is necessary to ensure they have learned from the affair and the unwanted behavior has been corrected.

Driving End User Security Awareness

While the basic steps of the feedback loop are equally important, attention must be given to their temporal spacing. If it takes three months to notify users of their unwanted behavior, the ability to learn from that behavior is diminished. The more closed the feedback loop is, the more likely the end user behavior will be adjusted.

While the example above focuses specifically on spear phishing, the feedback loop can be applied to a variety of other user practices, such as unwanted web browsing, the installation of unapproved software packages and so on.

Teaching end user security can significantly drive awareness. It is potentially a powerful and effective force multiplier to your security posture. When incident response teams respond to computer security emergency events, a lack of end user security awareness is too often the root cause.

More from Advanced Threats

Black Hat 2022 Sneak Peek: How to Build a Threat Hunting Program

You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment. Before you can embark on a threat hunting exercise, however, it’s important to understand how to build, implement and mature a repeatable, internal threat hunting program. What are the components…

Top-Ranking Banking Trojan Ramnit Out to Steal Payment Card Data

Shopping online is an increasingly popular endeavor, and it has accelerated since the COVID-19 pandemic. Online sales during the 2021 holiday season rose nearly 9% to a record $204.5 billion. Mastercard says that shopping jumped 8.5% this year compared to 2020 and 61.4% compared to pre-pandemic levels. Cyber criminals are not missing this trend. The Ramnit Trojan, in particular, is out for a shopping spree that’s designed to take over people’s online accounts and steal their payment card data. IBM…

Detections That Can Help You Identify Ransomware

One of the benefits of being part of a global research-driven incident response firm like X-Force Incidence Response (IR) is that the team has the ability to take a step back and analyze incidents, identifying trends and commonalities that span geographies, industries and affiliations. Leveraging that access and knowledge against the ransomware threat has revealed tools, techniques and procedures that can often be detected through the default Windows event logs (WELs). In particular, the X-Force IR team has identified several…

How to Report Scam Calls and Phishing Attacks

With incidents such as the Colonial Pipeline infection and the Kaseya supply chain attack making so many headlines these days, it can be easy to forget that malicious actors are still preying on individual users. They're not using ransomware to do that so much anymore, though. Not since the rise of big game hunting, anyway. This term marks ransomware actors' shift away from attacks against individual users and towards operations targeting large enterprises, noted CNBC. But attacks like phishing and…