By Bruce Sussman
Thu | Oct 15, 2020 | 2:47 PM PDT

In our exclusive Behind the Scenes interview series, we take a deeper look at a topic that is relevant to the information security community.

Today's conversation answers this question: How can threat intelligence strengthen security awareness?

We're speaking with Sherrod DeGrippo, Sr. Director of Threat Research and Detection at Proofpoint, and Robert Shields, CISSP, also of Proofpoint.

Watch the full interview here, or see excerpts of our conversation below.

[SecureWorld]  When it comes to threat intel, you have been talking about threats from COVID-19, Remcos, Nemty, and Avaddon. Will you give us some information on each one?

[Sherrod DeGrippo]  The threat actors are leveraging the concept of COVID-19. The pandemic is on everyone's mind, and they're using that for social engineering. So they're essentially using the pretense of something around COVID-19 to get people to click.

Now Remcos, Nemty, and Avaddon are all types of malware. Remcos is a remote access Trojan [RAT], which can give a threat actor complete access to your entire computer from a remote location. So they would be able to completely control the computer, see everything, do everything that a user could do locally.

And then Nemty and Avaddon are both types of ransomware that have come up in the past several months. And the reason I brought them up... it's because they both are leveraging some pretty interesting branding and logos and illustrations. Nemty is leveraging the popular cartoon characters Rick and Morty. And Avaddon is based all around a sort of wizard concept and is leveraging some of the Harry Potter characters.

[SecureWorld]  As you look at all of these concerns, which one of these causes you the most concern and why?

[DeGrippo]  Each of those that I mentioned all have the ability to be delivered, as well as many other payloads, via downloader. So I think it's the downloaders that are the biggest concern right now, from our perspective.

They're able to morph and change and be flexible in what those next stage payloads are. Is it going to be ransomware? Is it going to be a RAT? Is it going to be a keylogger, or a coin miner? It could be any of these different things, because the threat actor can then make intelligent choices.

[SecureWorld]  For threats that have been around and evolving long-term, we put up the defenses. And then they evolve to get around the defenses. Then we put up the defenses. How quickly does that cat and mouse game play out?

[DeGrippo]  I think a lot of people don't realize this, but it plays out hour by hour. So we'll actually see payloads that execute during the day in the morning, and by the afternoon, they've implemented evasion techniques. So we are seeing the evasion, but we now have to do some changes in our detection capability to make them work again.

[SecureWorld]  Great analysis. Really appreciate that. Now, Robert, I want to shift to you for the next couple of questions. Give us some examples of behavior change that indicates an organization's security awareness training is paying off, that a culture of security is emerging.

[Robert Shields]  I break that down into what users are more likely to do and what they're less likely to do.

So if you look at it from what they are more likely to do when they get one [a phish], they're going to look at their emails more judiciously. And they're going to report what they believe to be suspicious emails. So they're more likely to recognize the social engineering attacks and report that. They're going to feel empowered... they'll see something, they'll say something, they're gonna be less likely to fall for the trap.

They're going to lock their computers, they're not going to share passwords or post passwords on their computer screens. And they're less likely to go out and surf the web and download software that could really threaten the organization.

[SecureWorld]  I want to ask about ownership, because this is something that often comes up in conversation: who owns security awareness training in most organizations? What are you seeing?

[Shields]  We did some recent research on that very topic. I'm going to focus on two roles, the Chief Information Security Officer [CISO] and the Chief Privacy Officer. And if you look at their job descriptions that are out on the market today, you will see in 99% of the cases, there are specific duties that are called out for each one of those roles.

And what you'll see for the CISO is security awareness training, improve, measure, manage, execute the program so that the organization can meet its goals. For the Chief Privacy Officer, the same thing, except with the privacy context, to make sure that users are aware of their obligations and responsibilities based on privacy.

So those two roles typically own that and are responsible for ensuring that the organization is doing what it should do to meet its regulatory requirements, and to make sure that they protect the privacy and security, intellectual property.

[SecureWorld]  For more information on this topic, watch the recent SecureWorld Web Conference: Threat Intelligence & Security Awareness for the New Normal.