Human sensors: How encouraging user reporting strengthens security

Despite the pervasiveness of cyber-attacks threatening the enterprise security today, many organizations are still not taking advantage of their most widely deployed security asset: people.

Adversaries, including cyber criminals, nation-states, and hacktivists, are actively targeting employees, and by not encouraging users to report suspicious emails, organizations are missing a huge opportunity to gather vital information about threats. Developing a formal process for users to report suspicious emails provides real-time threat information, and allows for improved response and mitigation activities. Still, many organizations resist encouraging user response, citing a variety of reasons for not doing so, including a lack of manpower to process reports and a belief that there is limited value in user reporting anyway.

However, encouraging user reporting is not only beneficial, but can be done in a manner that avoids the common pitfalls and doesn’t substantially tax your staff.

What are the benefits?
Encouraging your users to report suspicious emails is akin to literally adding thousands of new sensors to your network. Upon receiving a report of a suspicious email administrators can initiate reactive response controls such as removing similar emails from users’ inboxes, redirecting and capturing command and control traffic, and blocking outbound traffic at your gateway. In the event of a compromise, you are able to more quickly and more effectively contain the damage.

Once user reporting becomes part of your culture, it will provide actionable data. Tracking the reports sent by individual users allows you to increase monitoring on certain machines as well as recognize users who provide valuable reporting data.

Can my users really provide useful information?
Many security administrators take the mistaken view that their users can’t be a source of valuable information. In my experience, most users want to do the right thing, but they haven’t been given enough information about what to look for or what to do if they receive something suspicious. By educating them on how to recognize the typical signs of a phishing email, and establishing a simple process for reporting, your user base can become a line of defense that is more effective than all of your technology.

Pitfalls to avoid
Security officers who understand the potential value of user reporting can still be tripped up by making some of the common mistakes that will derail user reporting:

  • Making the process too complicated. By encouraging user reporting, we are asking employees to go beyond their normal job duties, so we need to make the process as simple as possible. The best way to do this is to have one email address for all suspicious emails – don’t make users discriminate between spam and phishing – and make that address well-known to all users.
  • Poor communication. Simply put, if users don’t know why they should report emails, where to report them, and which emails to report, a program will probably fail. Educating users about the risks malicious emails pose, as well as how user reporting benefits security, will help motivate users to participate.
  • Users should know what to expect when reporting an email. Will someone respond to their report? Likewise, communicating that no one will be punished for reporting that they clicked on something, is crucial. If employees fear they may lose their job, they will avoid reporting.
  • As we all know, in the event of an incident, a quick response can dramatically limit the damage, so ensuring that employees know there will be no negative consequences for reporting – even if they may have compromised the network – greatly enhances the benefits of user reporting. When employees do report suspicious activity, recognize them publicly for a job well done.
  • Failing to take advantage of technology and staff. A culture of user reporting gives us a bevy of data to analyze – some of it’s useful, some it isn’t – and it’s important to properly manage the data we receive from the process. If you have a SIEM you should use it to manage the data you receive, and allow the IR team to respond to legitimate incidents.

The ultimate goal should be to make user reporting part of your organization’s culture, with IT employees valuing information received from users, and users understanding the important role they can play in security. An organization that has this kind of culture will be able to respond faster and more effectively to emerging threats.