Phishing remains a primary concern for businesses and organisations but there are solutions available to ensure CISOs are always one step ahead of attackers. Kamel Tamimi, Principal Security Consultant at Cofense, tells us more.
Let’s talk problems.
Everybody knows that phishing is a huge problem. Targeting unsuspecting humans, it’s the vector behind data breaches and theft on a massive scale. A couple of stats bear this out: email now delivers 92% of malware according to the Verizon Data Breach Investigations Report 2018, while the average user receives 16 malicious emails per month according to Symantec’s Internet Security Threat Report 2018.
Organisations still treating phishing as an awareness problem are chasing ghosts (or simply not paying attention to the data). Proactive companies left awareness behind years ago and now focus on harnessing human intuition. In phishing simulations based on real, active threats, trained users perform well – in fact more of them report the threats than fall for them, often by margins of 2-to-1 or even 3-to-1. That’s according to the Cofense State of Phishing Defense 2018 report.
The chart accompanying this article is based on data from the META region. You’ll see the energy industry has over 16 reporters for every susceptible user; that ratio is the resiliency rate. That’s not just very good, it is the best. It proves what is possible. It’s ironic that financial services, the industry that spends the most on cybersecurity technology, is so far behind.
So where does the problem lie? Ask any SOC or incident response team – it’s the sheer volume of items needing analysis and response, alerts reported by both users and machines.
Automation saves time. People save the day.
Humans and machines – now let’s talk solutions. When your phishing response uses each in the smartest ways, you can stop active threats faster and more efficiently, rather than drowning in emails and leaving your network exposed.
I have a customer who used to spend an entire day, or the better part of one, manually sorting through emails reported to his abuse box. I’m talking about a highly skilled incident response professional who would rather hunt threats than look at mountains of spam.
Now he handles this task in an hour or sometimes less. The difference: automated email analysis combined with a great spam filter.
His platform weeds out spam and other harmless emails, plus groups verified phishing emails by attribute and campaign. These groups, or clusters, let him respond to entire phishing campaigns – way more efficient than responding to this email, and this one, and that one, etc.
The automation even extends to security playbooks. Instead of spending his highly paid time on basic response tasks, this IR pro is happy to rely on automation.
But when it’s time to make critical decisions, he’s at the wheel. Know why? His expertise and intuition are irreplaceable. This is the point in the response chain where he earns his salary by saving the day against malware, wire-transfer scams, you name it.
And don’t forget, many of those analysed emails came from human reporters – users trained to recognise and report phishing. When those reports undergo machine analysis and SOC teams act on the findings, man and machine are in harmony. Everyone, and everything, is in the right role.
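The triage flow described above (weed out spam, then group the remaining reported emails by shared attributes so one response covers a whole campaign) can be sketched in a few lines. The following is an added illustration written for this article, not Cofense’s platform code; the reported messages, the benign-sender allow-list and the internal domain are all constructed, and the clustering key (sender domain plus the set of link domains) is one simple choice among many.

```python
"""Triage of user-reported emails: drop allow-listed bulk mail and internal mail,
then cluster what remains into campaigns so each campaign is handled once.
Hypothetical example with constructed data."""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample of messages reported to an abuse mailbox.
REPORTED = [
    {"id": 1, "from": "ceo@hea1thco-notice.example", "subject": "Confirm policy acknowledgement",
     "urls": ["http://hea1thco-notice.example/policy/login"]},
    {"id": 2, "from": "ceo@hea1thco-notice.example", "subject": "RE: Confirm policy acknowledgement",
     "urls": ["http://hea1thco-notice.example/policy/login?u=42"]},
    {"id": 3, "from": "deals@newsletter.example", "subject": "50% off this weekend only",
     "urls": ["https://newsletter.example/unsub"]},
    {"id": 4, "from": "alerts@cardsecure-verify.example", "subject": "Unusual recent activities",
     "urls": ["https://cardsecure-verify.example/MyAccount"]},
    {"id": 5, "from": "alerts@cardsecure-verify.example", "subject": "Unusual recent activities on your card",
     "urls": ["https://cardsecure-verify.example/MyAccount?id=7"]},
    {"id": 6, "from": "hr@corp.example", "subject": "Payslip attached", "urls": []},
]

# Assumed allow-list of sender domains the organisation has vetted as harmless bulk mail.
BENIGN_SENDERS = {"newsletter.example"}
# Assumed internal domain; its mail is triaged on a separate path, not as external phish.
INTERNAL_DOMAIN = "corp.example"


def sender_domain(addr):
    """Domain part of an address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower()


def url_domain(url):
    """Hostname of a link, lower-cased (query strings and paths are ignored on purpose)."""
    return (urlparse(url).hostname or "").lower()


def is_spam(msg):
    return sender_domain(msg["from"]) in BENIGN_SENDERS


def is_internal(msg):
    return sender_domain(msg["from"]) == INTERNAL_DOMAIN


def campaign_key(msg):
    """Campaign identity: sender domain plus the set of link domains.
    Subjects vary within a campaign, so they are deliberately left out of the key."""
    links = tuple(sorted({url_domain(u) for u in msg["urls"]}))
    return (sender_domain(msg["from"]), links)


def cluster_reports(reports):
    """Map campaign key -> list of reported message ids, after filtering spam and internal mail."""
    campaigns = defaultdict(list)
    for msg in reports:
        if is_spam(msg) or is_internal(msg):
            continue
        campaigns[campaign_key(msg)].append(msg["id"])
    return dict(campaigns)


def block_list(campaigns):
    """Indicators to push to the mail gateway or proxy: one set per campaign, not per email."""
    domains = set()
    for sender, links in campaigns:
        domains.add(sender)
        domains.update(links)
    return sorted(domains)


if __name__ == "__main__":
    found = cluster_reports(REPORTED)
    for key, ids in found.items():
        print(key, "->", ids)
    print("block:", block_list(found))
```

Six reported messages collapse to two campaigns and two domains to block; the analyst then vets those two clusters rather than six individual emails, which is the efficiency gain the text describes. A production system would add more attributes (attachment hashes, sending infrastructure, URL path patterns) and a real verdict step before anything is blocked.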
A couple of success stories
Another Cofense customer stopped a phishing attack in only 19 minutes. Again, a balance of automation and human intelligence made the difference.
The email appeared to come from the CEO. It asked employees of a healthcare company to click on a link, go to another page and read and confirm their agreement with a corporate policy. First, though, employees had to log in with their network credentials. The attacker aimed to harvest passwords, gain file system access and reroute electronic payroll deposits.
And he almost succeeded. In fact, many employees took the bait. The email was very convincing, using the company’s logo and language from its website.
Fortunately, other employees remembered their training and reported the email – within a minute of the campaign’s launch. Eighteen minutes later, thanks to automated analysis followed by human vetting, the company blocked the phishing site and pulled the email from inboxes.
One more example – a major financial services company saw a series of reported emails sent, allegedly, by a major credit card provider. The email landed in hundreds of inboxes and, as in the previous example, used counterfeit branding to get users to drop their guard.
The email told recipients that the credit card company had noticed unusual ‘recent activities’ in their accounts. It then instructed employees to click a link to a ‘My Account’ page, where they could verify and protect their personal information. The landing page asked for a wealth of personal data: name, social security number, email address and more.
In other words, a classic credential phish, this one aiming for personal data rather than company information (though armed with employees’ personal details, the attacker could have connected the dots and targeted the corporate network).
Fast-forward to the happy ending – the security team used automation to identify the campaign quickly, then moved swiftly to block the phishing domain – before any users entered data. All of this happened in minutes. Before, it would have taken days, according to the SOC analyst who managed the response.
But just imagine…
Imagine if the healthcare company was still manually analysing emails. Nineteen minutes could have turned into 19 hours or longer. As it was, even in 19 minutes plenty of users clicked. A well-crafted phish is an investment that pays big dividends. But so is an automated platform, fed by trained users and managed by experienced incident responders.
And consider if the security team at the financial services company still slogged through hundreds or thousands of emails by hand. Or relied on Outlook, whose many strengths do not include incident response.
This company too would likely have wasted hours or days examining the wrong messages. All the while employees, at least some of them, would have handed criminals the keys to their personal kingdoms.
No one has time to waste while phishing emails are on the loose. So automate to save time and let humans save the day. It’s the best way to stop active threats before they make trouble, including the kind of headlines no company wants to see.