Cofense Launches Responsive Delivery Capabilities to Strengthen Effectiveness of Global Anti-Phishing Programs

New feature for Cofense PhishMe enables operators to deliver phishing scenarios only when a user is actively performing tasks in their mailbox

Leesburg, Va. – Feb. 28, 2019 – Today Cofense™, the global leader in intelligent phishing defense solutions world-wide, announced the addition of Responsive Delivery to its flagship product for phishing simulations. This first-to-market feature enables Cofense PhishMe™ Enterprise edition operators to deliver phishing scenario emails only when intended recipients are actively performing tasks in their mail client. Responsive Delivery gives operators confidence that simulations will not be missed by a user who is away from the desk and ensures that the scenario email is delivered directly to the inbox without interruption.

This Company Turned a Phishing Attack into a Teachable Moment

You’ve read it on this blog before. It’s not enough to simulate phishing emails and raise employees’ awareness. At the end of the day, you need to be able to stop real attacks. One key: basing simulations on phishing threats you actually see in your organization.

Following is a real example of one Cofense™ customer that took these words to heart. This company is global. It operates in an extremely data-rich industry that stores Social Security numbers, email addresses, credit card information, and more. In other words, they have a lot to protect.

First, the company leveraged information from a real credential phishing attack.

This company trains its employees to recognize and report phishing. The team responsible for the anti-phishing program took advantage of a monthly report from the Cofense Phishing Defense Center (PDC), which analyzes and escalates user-reported emails to alert customers immediately to verified phishing threats.

The monthly report described a phishing email, one seen in a different industry, that asked users to perform an urgent network upgrade. “Action required”—just click a link. Upon clicking, users would be taken to a site where they would enter their network credentials.

The Cofense PDC sees hundreds of thousands of similar emails targeting customers each year. Here’s a sample:

Next, they simulated the attack to educate employees.

Credential phishing is an epidemic. To help their employees spot a credential phishing attack, the company decided to use this real attack to craft a simulation. Here’s what the simulated email looked like:

As you can see, the simulated phishing email used a header very similar to the email seen in the wild.

Armed with other details from the real phish, including the full body of the message, the company sent this simulation to high-value targets—employees with elevated credentials, the “keys to the kingdom.” It’s smart to focus on these employees, just like attackers do.

The results were encouraging. The ratio of employees reporting the simulated phish versus those that fell susceptible was greater than 1:1. It was a good start. With continued simulations, the rate should increase and show better resiliency to credential phishing.

To repeat, it’s good to condition employees to report phishing emails. It’s even better to have them practice against the real deal, so they can help stop it before real damage is done.

To learn more about the growth of credential phishing, view the Cofense State of Phishing Defense 2018 report.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Cofense Vision Offers SOC and IR Teams Greater Visibility into Phishing Threats Delivered to Inboxes

Newest addition to Cofense phishing defense solution suite reduces the risk of phishing attacks, enables security teams to quarantine unreported threats

LEESBURG, VA. – Feb. 26, 2019 – Today Cofense™, the leading provider of intelligent phishing defense solutions world-wide, announced the general availability of Cofense Vision™, the company’s newest solution for protecting organizational assets from phishing attacks. Effective defenses against phishing must include visibility into the threats that bypass technical controls and are delivered to a user’s mailbox. Users of Cofense Triage™ can already prioritize and understand these threats, and now with the addition of Vision, security operations center (SOC) and incident response (IR) teams are able to identify and quarantine all messages that made it into a mailbox and pose a threat with more speed and efficiency.

Every day, phishing emails bypass perimeter defenses to become ticking bombs in employee mailboxes. In fact, the Cofense Phishing Defense Center determined that as many as one in seven suspicious emails reported by end-users are malicious, based on analysis of more than 2 million emails in 2018. During that time, Cofense found over 55,000 credential harvesting attacks designed to exploit SSO architecture and 25,000 campaigns hiding malicious files inside cloud services to avoid gateway detection. Left undiscovered, these attacks can cause serious damage to an organization. Integrated with the latest release of Triage, Vision identifies all messages that are part of a campaign across an organization and enables security teams to quickly find emails that were not reported by users and quarantine them directly from within Triage, ultimately mitigating their potential risk to the business.

“It’s not just one mail gateway technology that is chronically failing, our customers have multiple technologies in their filtering stack, yet phishing emails still make it in. The email search and quarantine tools on the market today are not fast enough, and don’t have the oversight in place needed to operationalize an auditable workflow inside of SOCs. Vision quickly identifies all recipients of complex phishing attacks and, with a single click, quarantines to remove the threat from all mailboxes,” said Aaron Higbee, Chief Technology Officer, Cofense. “You shouldn’t have to pay extra to your email vendor to remove the phishing email they failed to detect. Vision, either in combination with Triage or connected with existing SOC tooling, will deliver immense productivity gains for SOC and IR teams, so they can execute their jobs efficiently and better protect the company.”

Cofense uses technology for automation where it makes sense, with an emphasis on increasing human and organizational capabilities to reduce risks and quickly mitigate negative consequences when phishing attacks succeed. Triage improves automation by driving non-essential tasks out of the workstream to the point where the keen eye of an operator can make a good decision. Vision extends the capabilities of Triage, allowing SOC and IR teams to proactively hunt for unreported threats and create transparent audit and governance of mitigation actions.

Organizations that have taken a more proactive approach with threat hunting teams will find the Vision platform extremely beneficial, giving them the capability to search for indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs) of cyber threats in their mail environment even if a user didn’t report the message. Users are able to quickly find the other mailboxes where a suspicious email may reside (Vision Discover) and, when that email is detected, quickly quarantine it to remove the threat (Vision Quarantine).

Cofense Vision is now generally available for Cofense Triage customers. For more information, please visit the website.

About Cofense

Cofense™, formerly PhishMe®, is the leading provider of intelligent phishing defense solutions world-wide. Cofense delivers a collaborative approach to cybersecurity by enabling organization-wide engagement to active email threats. Our collective defense suite combines timely attack intelligence sourced from employees with best-in-class incident response technologies to stop attacks faster and stay ahead of breaches. Cofense customers include Global 1000 organizations in defense, energy, financial services, healthcare and manufacturing sectors that understand how changing user behavior will improve security, aid incident response and reduce the risk of compromise.

 

A Closer Look at Why the QakBot Malware Is So Dangerous

CISO Summary

Cofense Intelligence™ recently reported a phishing campaign distributing the QakBot malware. QakBot infestation is a significant threat, so be sure to share today’s follow-up post with your SOC analysts.

We’ll drill down into the novel techniques QakBot uses to stymie detection and manual analysis. This sophisticated banking trojan, which Cofense™ has seen distributed via the Geodo/Emotet botnet, uses multiple tools to cover its tracks and steal credentials. The threat actors who have developed it are creative and aggressive.

Cofense Security Solutions Advisor Tonia Dudley to Speak at 2019 RSA Conference

Phishing Defense Expert and Board Member for the National Cybersecurity Society Will Present Two Sessions 

LEESBURG, VA. – February 22, 2019 – Today Cofense™, the leading provider of intelligent phishing defense solutions world-wide, announced that the company’s first Security Solutions Advisor, Tonia Dudley, will speak at the 2019 RSA Conference. Set to present two sessions, Dudley will lead a Learning Lab on March 6 in a traditional classroom setting, discussing the need to develop long-term strategies for phishing simulation campaigns and the value of a human touch in security. A second session on March 7 will focus on automation vs. human intuition. With more than a decade of cybersecurity experience, Tonia has managed cybersecurity incident response, security awareness programs, and IT compliance programs for large-scale global organizations.

When Sharing Isn’t Caring: Phishing Attacks Are Abusing File-Sharing Sites

Cofense™ has predicted continued growth in phishing attacks that abuse file-sharing services, for example, Google Docs or Sharepoint. In this post, I’ll examine why and how threat actors are doubling down on this tactic.

First, here’s the full prediction from Cofense threat analysts Nick Guarino and Lucas Ashbaugh:

“The majority of phish seen in the wild in 2019 will live in historically ‘trusted’ sharing services like Google Docs, Sharepoint, WeTransfer, Dropbox, Citrix ShareFile, and Egnyte. It’s difficult for these services to keep up with the constant barrage of varied phishing tactics (Whack-A-Phish, anyone?). In fact, the service providers can be really slow about staying on top of this stuff. Traditional security tools (firewalls, anti-virus) have no insight into the files housed on these services. As a result, it is incredibly difficult to protect users against these phish hiding in plain sight.”

Why is file-sharing a target? Because users trust these services.

In a recent post on credential phishing threats, we referenced the cloud as an attack surface. One of the emotional triggers that a threat actor will pull is trust. When users get an email pointing them to, say, Dropbox, there’s a greater likelihood they will engage with the message. These services have become trusted brands, so it’s only natural for a threat actor to leverage them.

It’s difficult for email gateway controls to block messages that link to these cloud-based services. Because the file is hosted outside the organization’s perimeter, traditional security solutions such as firewalls or anti-virus don’t have visibility. Threat actors are well aware of this fact, which is why they’ve been so successful with these types of campaigns.

User interaction is related to the business process.

We often see threat actors use generic messages as shown in the example below. In it, you won’t find any brands that would make the user more likely to interact with the message. The likelihood of user interaction is related to the business process presented—easily shared files.

This particular organization has URL defense protections enabled. It has also added tags to the message to alert the user that it is potentially harmful, since it originated outside the organization. These additional defenses can be helpful, but they make it difficult for the user to assess if the URL is legitimate.

One thing you can do: focus your phishing defense program on current threats, like attacks that abuse file-sharing. Teach users to identify phishing emails that link to file-sharing sites and condition them to ask questions before replying, for example:

  • “Am I expecting to receive an invoice from the sender?”
  • “Does my job normally require me to process invoices from unknown sources?”
  • If yes, “Does our business process require the finance teams to validate that an invoice or purchase order is expected or legitimate?” This might be possible in a smaller organization where teams interact with each other more frequently; however, it’s most likely not the case in larger, more diverse organizations.

To repeat, as long as these types of attacks are successful, we will continue to see them near the top of the phishing charts.

View all 6 Cofense phishing predictions for 2019.

 


Cofense Recognized for Raising the Standards of Quality Customer Service

Technical Operations Center (Support) Stands Out for Excellence in Customer Service, Winning an ISPG Award and Being Named a Finalist for the HDI Conference Awards

LEESBURG, VA. – February 13, 2019 – Today Cofense™, the leading provider of intelligent phishing defense solutions world-wide, announced the latest industry recognition for their distinguished Technical Operations Center (Support). On Feb. 4, Info Security Products Guide (ISPG) named Cofense the Bronze winner of the Customer Service Department of the Year category for the 2019 Global Excellence Awards. In addition, the department was recently named a finalist for HDI’s Team Excellence Award. Both awards represent Cofense’s high standards for quality and customer service, a key element for ensuring that organizations remain protected from the many threats being launched against them.


Here’s Proof that Corporate Board Members Want Stronger Phishing Defense

By Susan Mo

More and more, boards of directors are security decision-makers. One example: Cofense just published a case study on a company whose board lit a fire for a stronger phishing defense—and it’s paying dividends. 

This board took the lead in launching phishing simulations. 

A leading aviation company in my part of the world, Australia, has a highly public presence. Translation: any security issues would likely make headlines. So the board mandated an anti-phishing program. Using Cofense PhishMe™, the company now runs phishing simulations to condition its employees to recognize and report phishing emails.

The program is still in the early stages, but already the results are encouraging. User susceptibility to phishing emails has dropped by 10%. Moreover, the rate of users clicking on embedded links in emails has dropped by 9%. Further proof the program is not just effective but necessary: even members of the company’s security teams have fallen for simulations. 

And the best proof of all: “Our security teams are stopping attacks reported by employees,” said the General Manager of Technology and Innovation. Real users are helping to stop real phishing threats. 

For further details, view the full case study.

Cofense board reports show results and ROI. 

To make sure that boards and other leadership teams see results, Cofense provides free board reports to our customers. Cofense PhishMe customers can request a report from their dashboards or in Cofense Community. They’ll get an easy-to-read two-page summary of their program’s progress.

At a glance, each report shows susceptibility rates, rates of users reporting phishing, and the resiliency rate—that is, the ratio of users reporting emails to those that take the bait. A ratio of 1 reporter to 1 susceptible user is a good start. A rate of 5:1, for instance, would be very good. 

The reports also benchmark progress within a customer’s industry. If you’re in financial services, you can see how your anti-phishing program compares to those of other Cofense financial customers. You can even zoom out to see a comparison covering over 20 major industries.

One customer said their report gave them “the high-level ROI analysis our leadership needed.” It’s the kind of information security-minded boards require—and that security and awareness teams can use to justify budget. 

For a broader view of the role boards play in cyber-security, view this article in Forbes. 

 


 

With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat

CISO Summary

The Revenge RAT malware is getting stealthier, thanks to unusually advanced delivery techniques and support infrastructure. Cofense Intelligence™ has recently seen this basic and widely available Remote Access Trojan benefit from these upgrades, which help it to access webcams, microphones, and other utilities as Revenge RAT does recon and tries to gain a foothold in targeted computers. When they succeed, RATs enable threat actors to wreak havoc, including monitoring user behavior through keyloggers or other spyware, filching personal information, and distributing other malware.