5 Must-Have Elements to Include in Your Security Awareness Program

Nearly every security incident can be traced back to human error.

Data breaches, for example, often begin with a person being tricked into providing their access credentials to an attacker, from ‘fat-finger’ emails to the wrong recipient or from misconfigurations by system administrators.

Analyst group Gartner posits the potential of security awareness programs to yield more ROI than any other InfoSec investment. User behavior impacts security outcomes more than any technology, policy or process, it notes.

Nearly every security incident can be traced back to human error.

But as losses from incidents caused by human error grow unabated, are current approaches to awareness successfully making humans a harder target? In 2019, cyber attacks are mainstream news, awareness is heightened, but there is little evidence that behaviors are changing. The typical learning experience, delivered over a point-and-click video presentation, isn’t doing the job.

Over the past 12 months, Symantec has developed or commissioned several learning experiences that aim to progress from the cognitive aspects of learning (the acquisition of knowledge) to the behavioral (how and when that knowledge should be used) and procedural (putting the application of knowledge into habitual practice). We’re confident these activities are driving a measurable reduction in risk.

Each learning experience was developed according to the principles outlined below:


Most awareness programs – ours included – are developed with a threat-based view of the world, trying to cover off all the human behaviors that attackers prey upon. We must take care however to ensure our education programs both raise and relieve anxiety about threats. Academics have demonstrated learners are more willing to embrace security policies and safer behaviours when made confident in their use of technology.

So, our program follows two key principles:

  • For any given threat, the learning experience must instill confidence in how attainment of knowledge, skills or adherence to policy will help mitigate it.
  • Every security event is a learning opportunity. There is insufficient evidence that deterrence, sanctions or coercion in isolation will drive policy compliance or safer habits. A user that makes an error or fails an assessment needs our help, not our scorn.


Learners retain security-related information when advice is accompanied by a clear, practical action they can take to mitigate a given threat.

The most effective learning experiences embrace a ‘Tell, Show, Do, Apply’ approach. Take, for example, our approach to teaching password security to non-technical staff.

TellThe threat and its potential impact is described.Credential stuffing and password reuse attacks described for the learner.
ShowLearner is shown ways to mitigate the threat.The rationale behind hashing is described. Freely available tools are used to demonstrate the relative difficulty of cracking various hashed passwords.
DoLearner is asked to do something to reinforce what they’ve learned.Learners invited to use interactive tools to test various credentials against the same criteria.
ApplyLearner provided opportunities to immediately put this knowledge into practice.Learners asked to devise and switch to a secure master passphrase, and/or shown how to subscribe to a password manager.


Multiple empirical studies suggest an individual’s attitude and normative beliefs have a significant positive effect on intention to comply with security policies. People come to work with existing attitudes that play a ‘mediating’ role in whether they get value from an education program. They will only embrace learning they expect will be beneficial to them.

We’ve invested in promoting a ‘culture of security’ at Symantec. We enrolled our respected senior leaders in a highly visible campaign that set a new minimum standard for behaviours we expect from staff and suppliers. We stressed what’s at stake for us and our company.

Beyond this security advocacy, we ensure the mediums we use for training are enjoyable to interact with and relevant to the skills of the enrolled learners. Learning experiences must be engaging, easy to consume and concise.

We’ve invested in promoting a ‘culture of security’ at Symantec.

At Symantec we use gamification to drive engagement. Learners often ‘compete’ – either individually or in teams – to outrank peers or attain a higher status. A learning experience in which skill, creativity or application of knowledge is outwardly celebrated tends to trigger the pleasant sensation of peer validation. We love being seen to have won almost as much as we love winning.

My team publishes leaderboards for just about everything. We celebrate the teams that report the most phishing emails and the teams that outperform their peers at secure code tournaments. We celebrate the in-house researchers that compete to find and disclose the most security bugs in our products.  We open up opportunities and forums for champions to spread their knowledge further inside and out of the organization.


Learners are provably more likely to retain and apply advice if it is provided in the context of their daily work, and where opportunities are provided for strong, positive habits to form.

We ideally want to apply just-in-time training whenever a user’s interaction with a system introduces heightened risk. Consider the following examples, which relate to use of email.

ThreatThreat ContextLearning Experience
Credential phishingWhen a user opens an email from a new sendero   Phishing Readiness (simulations)
o   Tools that provide indicators of trustworthiness (Symantec’s ‘Phishing Tacklebox’)
An email containing sensitive data is mistakenly sent to the wrong recipientAs a user is about to send an emailo   Warning flags when an email recipient is outside the organization’s directory
o   Tools that force users to classify documents and emails before they are sent (Symantec’s Information-Centric Tagging)

There are many opportunities for providing short, teachable moments as a user engages with a given security technology. When a Symantec user is compromised by one of our monthly phishing assessments, for example, they are offered a short lesson on what ‘tells’ our team included in the lure that should have been identified, and a ‘just-in-time’ quiz to reinforce the learning outcome.

Role and Skill Relevant

Learning experiences must cater for levels of security expertise, which today sit across a large continuum.

Humans have a ‘psychological need’ to feel a sense of autonomy. Staff who perceive their behaviour as self-determined, to such a degree that they internalize policies, are more likely to comply with them.

At Symantec, software engineers and system administrators are provided additional training opportunities. Even when we train all staff in order to achieve a baseline of compliance, we offer multiple learning paths based on role and skill.

[embedded content]

Dynamic and Responsive

Off-the-shelf security awareness learning experiences can struggle to keep pace with new threats and compliance requirements. Any learning experience that requires significant investment to update is not ideal.

At Symantec we chose to acquire learning platforms that enable us to build and edit bespoke learning experiences at speed. Where appropriate, we build web-based learning experiences from the ground up. We recently built and deployed a learning experience to several hundred engineers in response to a minor security incident in under a day.


Our awareness program is focused on measurable outcomes.

While completion rates on training are an important metric, completion doesn’t guarantee a change in behaviours. So, we work with a variety of internal teams to measure our real-world impact on incidents, how and when they are reported, even the configuration choices and working habits of staff. We measure rates of recidivism among at-risk staff identified and trained under our phishing assessment program. We measure whether software engineers are getting sharper at identifying problematic classes of vulnerabilities.

We’re seeing strong signs of improvement.

Consecutive HR surveys of Symantec staff agree. In May 2019, 97% of surveyed staff expressed confidence in knowledge of their security responsibilities, 95% said they were provided the right advice to help protect their online interactions and 92% felt their team and immediate managers prioritize security appropriately.

In future blog posts, my team and I will detail the learning experiences we’ve rolled out and describe how each meet the above criteria.

If you’d like to hear more about Symantec’s Security Awareness Program, Brett Winterford will be speaking at the Gartner Security and Risk Management Conference in Sydney on Monday 19 August at 12:45pm.

About the Author

Brett Winterford

Senior Director, Trust and Safety, Symantec

Brett leads global programs that aim to empower Symantec staff with the tools and knowledge they need to protect the organization from cyber security threats.

Cobalt Group Returns To Kazakhstan

July 31, 2019


Cobalt Group is a financially motivated cyber-crime gang that has been active since at least 2016. The group is mainly interested in carrying out attacks against banks, in an attempt to access the banks’ internal networks and potentially take over sensitive components, such as ATM-controlling servers or card-processing systems. Although the Europol arrested Cobalt Group’s leader in 2018, the group remains active until this day.

Check Point Research recently uncovered a Cobalt Group campaign that went after a bank in Kazakhstan, and crafted a particularly convincing malicious document carrying the bank’s logo. What is more worrying is that the document itself could have been downloaded from the bank’s official website, adding to its legitimacy and making potential victims less suspicious. This article will describe the full infection chain of the attack, as well as the attribution process of this attack.

Decoy Document

The investigation into this attack started when we came across a malicious document hosted on the promotional website of the Kassa Nova Bank, which according to its description provides financial products and services to the public and to small enterprises in Kazakhstan.

The malicious file was hosted amongst the documents repository of the bank, making it even easier to confuse with a legitimate document:


After being downloaded and launched, the document displays a decoy message in Russian asking victims to enable its content. Coupled with the use of Kassa Nova’s logo in the document’s body, this socially-engineered content can easily trick victims to run the embedded malicious macros:

Enabling the macros starts a multi-stage infection chain that eventually downloads and executes a Cobalt Strike beacon, providing the attackers with a foothold inside the target organization.

Such use of common penetration testing tools for offensive operations is a known practice among many threat groups, especially Cobalt Group. Not only does this practice saves threat actors a lot of development effort, it also makes the attribution a lot harder.

The Macros

The Document_Open macro function is automatically triggered by Word once the user presses the “Enable Macros” button.

The code used is heavily obfuscated, the variable names appear to be randomly generated, and the code contains comments that are a combination of random words:

The purpose of the macros is to write an XSL file to the local disk, “C:WindowsTempaA3jY9HP.xsl”, and run it using an execution technique known as “SquiblyTwo”.

This technique makes use of the legitimate WMIC utility, where attackers can invoke either JScript or VBScript code form an XSL file, simply by running the following command:

wmic os get /format:[XSL_FILE_PATH]

In our case, the XSL file contains JScript code that downloads the next stage executable from a remote server address, runs it, and eventually deletes the XSL file to remove any traces:

The domain which hosted the next stage payload, myovs[.]de, belongs to Otto Schmidt, a German media company in the tax, business, and corporate law market. Apparently, this company’s website was also compromised prior to the attack.

The Payload

The downloaded “file.exe” payload is a signed executable, and it has a valid certificate by Sectigo:

Figure 6: Signed downloaded payload

MD5: a26722fc7e5882b5a273239cddfe755f

The executable communicates with 185.61.149[.]186/rpc to download and decrypt a Cobalt Strike beacon. The beacon then communicates with the following URL on the same IP address:


Surprisingly, this communication resembles legitimate requests made when viewing the Office 365 Outlook calendar. Looking up the unique request header led us to a GitHub project called “Malleable C2 Profiles”, which offers a variety of “profiles” that mimic the communication patterns of legitimate services, known malware families or even APT groups.

This can be an effective way of evading detection and exfiltrating data from an infected system, without raising any suspicions, as someone monitoring the network might mistake this for legitimate Office 365 traffic.

Cobalt Trails

Even though the existence of Cobalt Strike beacons in association with a Central Asian bank reduces the amount of possible responsible APT groups to a very short list, additional evidence was required in order to conclude that Cobalt Group was behind this operation.

When investigating executable files, one can gain insight into what tools the developers (or threat actors) used to compile the executable file, by looking at the “Rich Headers”.

At times this information about the development environment can lead to more samples from the same threat actor, which reused the same building environment over multiple compilations of the same variants of malware.

Figure 7: Decoded Rich Headers from the payload (as shown by PE-bear)

Utilizing this technique to find similar files, we were able to uncover a large number of similar Cobalt Strike loaders.

Comparing the loaders’ logic verifies our assumption that the samples are indeed related:

Both samples rely on a similar algorithm in order to correctly extract the next stage shellcode, using the current month or the year as an offset for the decoding.

If the month or the year do not match the intended window of operation, the next stage of the attack would not be executed correctly.

Figure 8: “file.exe” payload                                                 Figure 9: Matched sample

Furthermore, one of the found samples exhibited a unique project name in its debugging information: BATLE_SOURCE

MD5: 02c11b8697aeec84249316733c2a0c2d

This is the exact project name (and similar folder path) as can be found in older, previously attributed Cobalt Group loaders, which can be traced back to 2016:

MD5: af82af8f5d540943aaba20920d015530

After taking into the account the overlap in TTPs, targets and the technical similarities to previous attacks, we were able to associate this campaign to Cobalt Group operations with high confidence.

Macro Builder Kit

In addition to the executable payload, during our investigation, we tried to hunt for similar documents by using unique features of the involved artifacts. Interestingly enough, we were able to find several malicious samples that emerged around the same time we discovered the document in question.

The comparison below between the VBA call graph of the Kassa Nova document macros and another document we found shows that they are quite similar, with the only difference being the random function names, which still maintain the same string length:

Moreover, the XSL files that were dropped by these documents are almost identical to the one dropped by the attack we described and even included the same comments and code formatting. However, this appeared to be the only connection between these delivery documents and ours, since they would eventually drop banking Trojans such as Dridex, IcedID and Ursnif.

The fact that the payloads belong to different campaigns suggests that once again Cobalt Group utilized a macro builder kit sold in underground criminal forums. In the past, Cobalt Group was observed utilizing other “commercial” exploit building frameworks such as “ThreadKit” and “Microsoft Word Intruder”.

Previous Attacks

Cobalt group is known to be especially active in Eastern Europe and Central Asia, and as it turns out, this is not even the first time that Kassa Nova bank was involved in a Cobalt Group related attack: During December 2018, a malicious attachment was sent from the e-mail address belonging to one of the bank’s employees, to other potential targets in the financial sector.

This is known TTP of Cobalt Group – compromising one company in order to compromise another, by sending malicious emails from a credible trusted partner.

The e-mail attachment in question utilized the newly disclosed CVE-2018-15982 to install CobInt – a signature reconnaissance tool used by Cobalt Group, only a day after 360CoreSecurity disclosed information about the use of this 0-day in the wild.


Whether it is compromising the bank’s website, building a tailored document to masquerade as a legitimate one, using a valid certificate for the payload and more, this looks like another well-calculated attack that was carefully planned ahead of time. Cobalt Group does not seem to be bothered by the arrest of one of its leader and is rather expanding its toolset and going after new targets.

Check Point contacted the representatives of the Kassa Nova bank as soon as the attack was discovered, who then confirmed that the attack was detected by internal systems and successfully remediated.

Appendix A: IOCs

https://kassanova[.]kz/files/docs/T47188445.doc - Malicious document drop-zone

7f0f3689b728d12a00ca258c688bf034 - MD5: Malicious document

a26722fc7e5882b5a273239cddfe755f - MD5: Downloaded Payload

185.61.149[.]186 - Cobalt Strike beacon C2

Appendix B: Cobalt beacon configuration


'PROTOCOL': '0',


'SLEEPTIME': '30000',


'DNS_SLEEP': '0',

'MAXGET': '1398102',

'USERAGENT': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)', 'PORT': '80',

'DNS_IDLE': '134744072',

'C2_POSTREQ': "[('_HEADER', 0, 'Accept: */*'), ('BUILD', ('BASE64URL',)), ('PREPEND', 0, 'wla42='), ('PREPEND', 0, 'xid=730bf7;'), ('PREPEND', 0, 'MSPAuth=3EkAjDKjI;'), ('PREPEND', 0, 'ClientId=1C0F6C5D910F9;'), ('PREPEND', 0, 'MicrosoftApplicationsTelemetryDeviceId=95c18d8-4dce9854;'), ('HEADER', 0, 'Cookie')]",


'PUBKEY': '30819f300d06092a864886f70d010101050003818d00308189028181008f8c237f7f407fcf5f47e2d76c589982b2595ead0d45d4e4ea875b2d07f2b8283f64786c7a142d3ce78baa01d1bb14479162d14520cc8ba15b1dc0b5e57850ab7bccb95838156dec5b58097a007d0180e358e144653d80381ac240efe9b789adf5f319515651bdfc3eb160b411f5cba2b8e7e21cb2cbc743b5ffb6fba5d2b8ff0203010001',

'SPAWNTO_X86': '%windir%\syswow64\gpupdate.exe',

'C2_REQUEST': "[('_HEADER', 0, 'Accept: */*'), ('_HEADER', 0, 'Cookie: MicrosoftApplicationsTelemetryDeviceId=95c18d8-4dce9854;ClientId=1C0F6C5D910F9;MSPAuth=3EkAjDKjI;xid=730bf7;wla42=ZG0yMzA2KjEs'), ('BUILD', ('BASE64URL',))]",


'JITTER': '20',





'DOMAINS': ',/owa/',

'MAXDNS': '235'


Another Attack Against Driverless Cars

In this piece of research, attackers successfully attack a driverless car system — Renault Captur’s “Level 0” autopilot (Level 0 systems advise human drivers but do not directly operate cars) — by following them with drones that project images of fake road signs in 100ms bursts. The time is too short for human perception, but long enough to fool the autopilot’s sensors.

Boing Boing post.