Thank you to all attendees of Forcepoint X-Labs’ theater presentation at Black Hat USA 2019. Dr. Margaret Cunningham explored the science of curiosity, how it is exploited by attackers and offered strategies for using curiosity to increase engagement and positive security behaviors.
Here follows a summary of the talk and the download location for the slides.
What is curiosity?
Dr. Cunningham began her talk by citing an example of a social engineering lure that triggers the recipient’s curiosity. If asked by your CEO’s Executive Assistant to send a file to your CEO’s personal email address while they are on vacation wouldn’t you be interested to know why you were asked to help, what file is needed and what reward may be bestowed upon the request is fulfilled? You may even be curious to find out if the request is legitimate or the EA’s email address has been spoofed.
Dr. Cunningham went on to explain that curiosity motivates, engages and often delights – it embodies the intrinsic motivation to learn more. To quote George Loewenstein “Curiosity is the gap between what we know and what we want to know”. Curiosity is also sparked when people are presented with something that doesn’t fit with their understanding of the world.
Why are we curious?
State curiosity is closely aligned with information seeking and associated rewards – and is tied to Attention and Memory. Curiosity is triggered by environmental changes – changes which catch the individual’s attention. One’s memory comes into play when making a determination on whether the stimuli is novel or unfamiliar. Consider how attackers leverage email templates to mimic a legitimate parcel delivery notification or an invoice from a supplier – the goal of the attacker is to not raise the recipient’s curiosity by presenting something familiar.
How does curiosity impact security?
Dr. Cunningham then set a challenge for the audience. Can you think of 5 ways that attackers leverage curiosity? The answers were grouped into 3 classes:
- We get phished looking for a reward
- We are tricked into paying attention to the wrong thing
- We see something out of place and want to explore it
Further examples are provided in the slides.
Harnessing curiosity for good
There is much that the cybersecurity industry can do to incorporate the science of curiosity into attack mitigation techniques, cybersecurity user interface design and understanding of human behavior. How can you benefit from this?
- Honeypots are a prime example of leveraging the curiosity of an attacker against them. Attacker behavior and IoC can be observed and extracted.
- User interface design can make good choices obvious, or better, the default. Attention grabbing alerts can be reduced to help maintain the focus of users and admins alike.
- Understanding motivated behavior, such as behavior driven by curiosity, helps provide context for what we can know and what we can explain about human behavior. Forcepoint leverages this understanding to assign a risk score based on user behavior over time and so better protect organisations from risky behavior. Curiosity-driven behavior is used to inform the Forcepoint Adaptive Trust Profile (ATP). ATP translates into real-world protection through our Risk-Adaptive Protection solution.
Dr. Cunningham presented the key takeaways of the talk as:
- Curiosity drives us to seek new and exciting information
- Memory and attention play a key role in motivating behavior
- Adversaries are skilled at manipulating emotions and curiosity
- Understanding curiosity can contextualize user behavior, and help us identify risky users
- By piquing curiosity, we can improve security behaviors that benefit users and organizations
The slides from the presentation are now available to download.