How standardized behavior creates predictable targets — and what to do about it
The attacker did not break anything.
He read the training manual.
Not yours specifically. The industry's. The same curriculum running inside tens of thousands of organizations worldwide — the same modules, the same simulated phishing, the same rules of thumb delivered to employees who will behave, predictably, exactly as they were trained.
He read it. Then he built his attack around it.
The Paradox at the Center of Security Awareness
Security awareness training exists to make employees predictable in a good way: predictably skeptical, predictably cautious, predictably compliant.
The problem is that predictability in defense is a targeting system for offense.
When every employee in every organization trained on the same framework behaves the same way under the same conditions, the attacker does not need to study your organization. He needs to study the framework. The training does not just teach employees how to be safe. It teaches attackers what to expect — and more precisely, where trust is assumed rather than verified.
Every place a standard says employees should trust X, an attacker reads: here is your entry point.
What the Training Actually Teaches
Walk through any standard security awareness curriculum and read it the way an attacker would.
"Download software only from official sources."
Employees learn: GitHub is official. The vendor's documentation page is official. Microsoft's download portal is official.
The attacker learns: create presence on GitHub. Occupy the category of source the training has already marked as trusted. The employee's own training will do the authentication for him.
This is exactly what happened in the EtherRAT campaign. The attackers did not compromise GitHub. They created repositories that looked like what employees had been trained to expect at a trusted source. The platform's legitimacy transferred to the payload. The training pointed employees toward a category — the attacker moved into that category and waited.
"Verify that files are signed before running them."
Employees learn: a signed file is a safe file.
The attacker learns: get a signature. Code signing certificates are obtainable. A signature verifies identity, not intent. The training has taught the employee to stop at the signature — which means everything beyond the signature is, by design, invisible. The check is the blind spot.
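The gap between "is signed" and "is signed by someone we chose to trust" is concrete enough to show in code. The following Go program is an added example, not part of the original article; it uses the standard library's ed25519 package, constructs two signers (a pinned vendor and an unknown party holding an equally valid key), and runs the same artifact through a signature-only rule and a pinned-publisher rule. The key names, the allowlist and the artifact bytes are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Verdict records whether an artifact was accepted and why.
type Verdict struct {
	Accepted bool
	Reason   string
}

// AllowedPublishers maps a hex-encoded ed25519 public key to a label.
// Constructed for this example; a real deployment would pin vendor keys here.
type AllowedPublishers map[string]string

// SignatureOnlyCheck is the "stop at the signature" rule the text describes:
// any cryptographically valid signature from any key passes.
func SignatureOnlyCheck(artifact, sig []byte, signer ed25519.PublicKey) Verdict {
	if !ed25519.Verify(signer, artifact, sig) {
		return Verdict{false, "signature invalid"}
	}
	return Verdict{true, "signed"}
}

// PinnedPublisherCheck additionally requires the signing key to be one the
// organisation has explicitly pinned. It still says nothing about intent;
// it only narrows "signed" to "signed by a publisher we already decided to trust".
func PinnedPublisherCheck(artifact, sig []byte, signer ed25519.PublicKey, allowed AllowedPublishers) Verdict {
	if !ed25519.Verify(signer, artifact, sig) {
		return Verdict{false, "signature invalid"}
	}
	name, ok := allowed[hex.EncodeToString(signer)]
	if !ok {
		return Verdict{false, "valid signature, but signer is not a pinned publisher"}
	}
	return Verdict{true, "signed by pinned publisher " + name}
}

// Scenario generates a pinned vendor key and an unrelated key, signs the
// same constructed artifact with both, and returns the four verdicts:
// vendor/stranger under the signature-only rule, then under the pinned rule.
func Scenario() (vendorSigOnly, strangerSigOnly, vendorPinned, strangerPinned Verdict) {
	artifact := []byte("installer.bin contents (constructed sample)")

	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	strangerPub, strangerPriv, _ := ed25519.GenerateKey(rand.Reader)

	// Only the vendor's key is pinned; the stranger's key is valid but unknown.
	allowed := AllowedPublishers{hex.EncodeToString(vendorPub): "Example Vendor (pinned)"}

	vendorSig := ed25519.Sign(vendorPriv, artifact)
	strangerSig := ed25519.Sign(strangerPriv, artifact)

	vendorSigOnly = SignatureOnlyCheck(artifact, vendorSig, vendorPub)
	strangerSigOnly = SignatureOnlyCheck(artifact, strangerSig, strangerPub)
	vendorPinned = PinnedPublisherCheck(artifact, vendorSig, vendorPub, allowed)
	strangerPinned = PinnedPublisherCheck(artifact, strangerSig, strangerPub, allowed)
	return
}

func main() {
	a, b, c, d := Scenario()
	fmt.Printf("signature-only  vendor: %v (%s)\n", a.Accepted, a.Reason)
	fmt.Printf("signature-only  stranger: %v (%s)\n", b.Accepted, b.Reason)
	fmt.Printf("pinned-publisher vendor: %v (%s)\n", c.Accepted, c.Reason)
	fmt.Printf("pinned-publisher stranger: %v (%s)\n", d.Accepted, d.Reason)
}
```

The signature-only rule accepts both artifacts, because both signatures are genuine; the pinned rule rejects the stranger's. Pinning moves the decision from "does a signature exist" to "did we choose this signer in advance", which is the part of the check an employee cannot perform by eye and which therefore belongs in tooling rather than in a training slide.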
"Be suspicious of unexpected emails from unknown senders."
Employees learn: known senders are safer than unknown ones.
The attacker learns: become a known sender first. Compromise a vendor. Compromise a partner. Send the payload from an address the target's inbox already trusts. The training has drawn a bright line. The attacker steps over it — using the line itself as guidance on where to position.
In each case, the training does not fail because it is wrong. It fails because it is right in a way that is fully legible to the attacker.