Improve the Phishing Incident Response Workflow with PhishMe Triage™ and ServiceNow® Security Operations
Security leaders are bolstering their resiliency to phishing attacks. It starts with conditioning employees to recognize and report suspicious email. Take for example “Alice,” the CISO for a Fortune 100 company. Alice’s team regularly simulates real-world phishing on employees at all levels. The program involves behavioral conditioning that requires employees to report simulated and real attacks.
Joe, who works in Accounts Payable, is a classic example of how a properly conditioned employee is a fantastic line of human defense, filling gaps in technology that attackers often evade. His job is to ensure payments are made on time and accurately. Why is he a target? He has access to company financial systems with the ability to transfer money. How do the attackers know this? They scraped social networking sites to profile their next target.
So, what happens when a team of trained employees reports a large volume of suspicious emails? PhishMe® and ServiceNow are giving security teams fast incident response to employee-reported emails. Through this integration, PhishMe and ServiceNow offer a powerful approach to identifying and responding to potentially damaging phishing attacks.
A Credential Phishing Attack Targets Accounts Payable
Back to Joe. Arriving early Monday morning, Joe begins going through his inbox as he does any other day. Before his first sip of coffee, Joe notices an email purporting to be from a local bank. It claims that, because of a “system upgrade” at the bank, he needs to log in and change his payment processing password. If he doesn’t change his password, future payments may be delayed.
Figure 1. Credential Phishing Email
A Conditioned Employee is Human Phishing Defense
Due to the anti-phishing program Alice has in place, Joe is well aware of phishing tactics designed to cause harm to the company. Joe realizes that this is a fraudulent email and immediately clicks on a feature in his email client to report the phish to the Security Operations Center (SOC).
The SOC uses PhishMe Triage to automate their phishing incident response. Once an email is reported, Triage ingests it and automatically analyzes it and clusters similar messages together. This eliminates manual analysis and reduces the workload of a busy team. When Joe’s reported email is ingested, PhishMe Triage provides the SOC with a quick view of the email and indicates that the phish is part of an account scam.
Figure 2. PhishMe Triage – Analysis of Credential Phish
Also, PhishMe Triage analysts have the system configured to automatically send an email to the reporting employee, thanking them for the report. This completes the employee feedback loop and encourages employees to report emails in the future.
Fulfilling the Phishing Incident Response Workflow
Security and technology teams need to work together, and the integration between PhishMe Triage and ServiceNow Security Operations enables this. Analysts can configure notification templates that are sent to Security Operations, which ingests and parses them and creates incidents as part of the workflow. PhishMe Triage has several notification templates capable of being parsed by Security Operations. It also features automatic incident creation.
As a result, PhishMe Triage sends a notification with incident details to Security Operations, and the network team receives instructions on how to help defend against a credential phish targeting the business. Using prioritization and automation in ServiceNow, the network team quickly blocks the link and mitigates the threat, and the analysts are automatically notified that the work is complete.
Figure 3. PhishMe Triage – Notification Template
Figure 4. ServiceNow Security Operations Security Incident Creation
Human Sensors and Automated Incident Response – Attacker Denied!
PhishMe® and ServiceNow have made the process of managing phishing threats more streamlined with a custom XML file to be used in Security Operations. Before the day is fully underway, Joe in accounts payable, the security team, and network team have all worked in concert to defend against a targeted credential phishing threat.
Thanks to Alice’s security initiative, employees across the company are operating a formidable phishing defense program. Had it not been for Joe’s keen attention to detail and the conditioning he has received, the attacker may have been successful, causing financial harm. Likewise, security and IT worked together as part of an integrated workflow aimed at curbing phishing threats.
The phishing threat is alive and well! However, with PhishMe and ServiceNow, security teams can operationalize and maximize their phishing defense strategy with low administrative overhead.
To learn more about ServiceNow Security Operations, visit: https://www.servicenow.com/sec-ops
To learn more about the PhishMe Triage, visit: https://cofense.com/product-services/triage/