Special Interest Group Updates
SOC-SIG (Security Operations Center):
Security Operations Teams, do you wish there were more SOC-specific information for FIRST members? We have just launched a SOC-SIG to focus on the many challenges encountered by SOCs in their mission to defend networks and detect adversaries. SOC teams are inundated with data and charged with extracting threat indicators out of an onslaught of normal everyday network and system activity. Left unaddressed, these challenges can lead to the SOC team being slower to detect and respond to potential incidents, getting distracted with false positive or negative alerts, and being subject to analyst over exposure and alert fatigue.
This new SIG aims to complement the existing materials focusing on CSIRTs by addressing SOC-specific concerns, processes, skills, and knowledge. While there is no one right way to configure the delineation between SOC and CSIRT services, it would help to have SOC-specific collateral and or models for addressing the challenges SOC teams face. The mission of the Security Operations Center SIG is to help synthesize existing materials and create new collateral for an easier to access focus area within FIRST for SOC-specific challenges and recommendations.
You can find the charter for the SOC-SIG here. If you are interested, feel free to join the SIG and help guide the development of these new resources.
Communications SIG:
Have you heard of the Communications SIG yet? It was recently created to bridge the gap for finding the right words between incident responders and the rest of the world. If that sounds interesting, you can find the charter and put in a join request here.
Human Factors SIG - Time to kick out Human Error?
by Bjørn Tore Hellesøy, Security analyst, KraftCERT.
Co-chair of FIRST SIG Human factors in security
Last year I opened a presentation with this: «Human error are the words cyber security guys use when they don’t know shit». The response was laughter. But I think it is true. Here’s why, and why it’s relevant to incident responders.
A plethora of reports cIaim that human error, or human element, or some human factor, is the major cause for cyber incidents. For example, Verizon DBIR 2024 states that «68 % of breaches involved a non-malicious human element, like a person falling victim to a social engineering attack or making an error». EN1SA’s annual threat report says phishing continues to be the leading cause of cyber security incidents. Humans are for sure targets. Unfortunately humans are often referred to as the “weakest link” in cyber security. Many also conflate the somewhat error-prone human into the insider concept. For example, Google Cloud/Mandiant use the terms unintentional insiders and negligent insiders as examples of insider threat vectors. CISA categorizes unintentional insider threats into negligent and accidental in their Insider Threat Mitigation Guide. The Common Sense Guide to Mitigating Insider Threats also includes unintentional in their definition of insider threats.
Don’t get me wrong: Human error and unintentional actions happen. They happen every day, everywhere, and sometimes with severe consequences for security. But it isn't a very useful concept. It is fundamentally low definition. Things are way more complicated, and more interesting.
Let’s go for an example: URLs can be malicious. And they are not easy to separate from legitimate URLs, probably increasingly difficult today. Microsoft’s Digital Defense reports have for several years pointed out that homoglyphs are prevalent for impersonation of domains. Homoglyphs are what you probably missed when you started reading this text (look at the words “claim” and “ENISA” in the intro). If you did not notice: Was it an error? Social engineering? Were you unintentional? You obviously missed something. I think the underlying assumption about what we as humans should be able to detect with our eyes is wrong, or at least over-simplistic. You cannot expect people to identify homoglyphs, not even the most aware and vigilant. Most of us want to allocate our mental resources to other areas, like doing our job. For many that includes some reading and clicking.
If “human error” is used to explain cyber incidents, situation and context, such as design issues, are often neglected. Also, the measures are oriented towards the individual. It might seem paradoxical for a social science type like me, but I often advocate for well-tuned technical measures and solutions, more than security awareness training initiatives aimed at individuals. From 2022 there was a sharp decrease in malicious actors’ targeting of humans through Office VBA macros. What caused this change? I don’t think a sudden change in culture or awareness led to this. I think it’s a result of Microsoft disabling macros from running on Office files by default.
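The homoglyph point above is exactly the kind of problem that is better handled by a technical measure than by asking people to look harder. The following Python script is an added example, not part of the newsletter and not tooling from KraftCERT or FIRST: it reduces a domain name (or a piece of display text such as a subject line) to a "skeleton" of what the eye sees and compares that skeleton against a watchlist of protected names, so that a lookalike is flagged by the system rather than by the reader. The confusables table is a small hand-built subset constructed for this example, not the full Unicode TR39 confusables data a production tool should load, and the watchlist domains are constructed placeholders.

```python
"""Flag homoglyph lookalikes of protected names (constructed example)."""
import unicodedata

# Hand-built subset of visually confusable characters, each mapped to the
# ASCII glyph it is usually mistaken for. Constructed for illustration; the
# full Unicode TR39 confusables table is far larger.
CONFUSABLES = {
    "1": "l", "I": "l", "|": "l",          # digit one, capital i, vertical bar
    "\u0131": "i",                          # Latin dotless i
    "0": "o",                               # digit zero
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a e o r
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u04cf": "l",  # Cyrillic s u h palochka
    "\u03b1": "a", "\u03bf": "o", "\u03bd": "v",                  # Greek alpha omicron nu
}
# Two-glyph sequences that read as one letter at typical font sizes.
PAIR_CONFUSABLES = {"rn": "m", "vv": "w"}


def _map_glyphs(text: str) -> str:
    """Strip accents, fold compatibility forms, then apply the confusable maps."""
    # NFKD separates base letters from combining marks and unfolds ligatures
    # and fullwidth forms; dropping category Mn turns "paypaĺ" into "paypal".
    decomposed = unicodedata.normalize("NFKD", text)
    base = "".join(ch for ch in decomposed if unicodedata.category(ch) != "Mn")
    mapped = "".join(CONFUSABLES.get(ch, ch) for ch in base)
    for pair, single in PAIR_CONFUSABLES.items():
        mapped = mapped.replace(pair, single)
    return mapped


def text_skeleton(text: str) -> str:
    """Skeleton for display text (sender names, subject lines).

    Glyph shape is what matters here, so confusables are mapped before case
    folding: "cIaim" (capital I) and "claim" end up identical.
    """
    return _map_glyphs(text).casefold()


def domain_skeleton(domain: str) -> str:
    """Skeleton for a DNS name.

    DNS is case-insensitive, so the name is folded first (an uppercase I in a
    hostname is just an i). Punycode labels are decoded so that Unicode
    lookalikes hidden behind "xn--" are compared by appearance, not encoding.
    """
    labels = []
    for label in domain.casefold().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed punycode: fall back to comparing the raw label
        labels.append(_map_glyphs(label))
    return ".".join(labels)


def find_lookalikes(domain: str, protected: list[str]) -> list[str]:
    """Return every protected name that `domain` visually impersonates.

    An exact (case-insensitive) match is not a lookalike, so it is excluded.
    """
    skel = domain_skeleton(domain)
    own = domain.casefold().rstrip(".")
    return [p for p in protected
            if domain_skeleton(p) == skel and own != p.casefold().rstrip(".")]


# Constructed watchlist of names an organisation might want to protect.
PROTECTED = ["paypal.com", "microsoft.com", "apple.com"]

if __name__ == "__main__":
    # Constructed sample of observed domains, as a mail filter or proxy log
    # enrichment step might see them.
    for seen in ["paypa1.com", "rnicrosoft.com", "apple.com", "example.org"]:
        print(f"{seen:20} -> {find_lookalikes(seen, PROTECTED)}")
```

The split between `text_skeleton` and `domain_skeleton` is deliberate: a capital I in a sender display name is a real lookalike for a lowercase l, while in a hostname it is merely uppercase, so the two contexts need different case handling. Decoding punycode before comparison is what catches the Cyrillic-letter registrations the Microsoft reports describe; a check that only looks at the ASCII `xn--` form would miss them.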
In order to understand the human, and to get insight into what causes or contributes to a cyber incident, we need to change our concepts. We need new models, more high definition. Rather than categorizing people into insider threats, we need to deeply understand actions made (or non-actions), that led to or contributed to a cyber incident, and why that happened.
As cyber security professionals, CERTs and CSIRTs, we should start to push back when someone uses terms such as “weakest link”. You can ask what they really mean, and imply that it might not be the best way to learn from incidents.
We need to zoom out. Design issues and systems thinking are often neglected when we use human error as a category. We can learn from the area of safety science. Safety has been grappling with human error for about 100 years. Users of digital systems and services are (still) humans. Hence we should know the basics about ourselves. For example, we are not all that into details. We are not all the same. We vary across many dimensions, we are extremely adaptive, means-to-an-end oriented, and unpredictable at the individual level. Our obvious bandwidth limitations, biases, feelings, etc. are not bugs, but features. Features that need to be understood and approached in a functional manner within the cyber security domain. We are much more interesting than any “human error”, “social engineering” or “unintentional insider” concepts could encompass.
If cyber security is to be more human centered, we need FIRST members to get on board. The FIRST “Human factors in security” Special Interest Group was established a couple of years ago, and is growing. Other significant players such as NIST have also reoriented towards human centered cybersecurity. Even security companies are starting to move on the matter. I think better understanding and new concepts and models will make us better at understanding cyber incidents, and at handling them. You are all invited to join that approach.
Published on FIRST POST: Jan-Mar 2025
Fri, 14 Mar 2025 00:00:00 +0000