Cofense Email Security

Phishing Detection and Response: Speed and Automation with Cofense Triage and ServiceNow SIR

By Mike Saurbaugh

How quickly can your security team produce information about the success of phishing incident response capabilities?

What if company leadership asks the CISO for data about the number of malicious phish that bypassed the secure email gateway and that employees caught and reported? Is this information available? More importantly, how rapidly does the team remedy employee-reported phishing threats?

With an integration between Cofense Triage™ and ServiceNow Security Incident Response (SIR), security teams reap great benefits. These include:

  • Bi-directional APIs to integrate and enrich platforms
  • Accelerated phishing email identification and mitigation
  • Improved analyst efficiency to investigate and respond without switching screens
  • Centralized visibility into enterprise incident management and response

Cofense and ServiceNow have long been technology partners and created an integration with Cofense Intelligence for phishing threat lookups and an earlier interoperability with Cofense Triage, both of which are in the suite of products that make up the Cofense phishing detection and response platform. As products evolved, Cofense and ServiceNow boosted security teams’ ability to manage phishing threats.

Think of Cofense Triage as a source of truth that tells analysts who in the company reported emails as malicious, while removing the noise from benign reported emails. Now, take these highly credible reported phish and populate ServiceNow SIR with phishing incidents for analysts to remediate through next-step automation actions across the enterprise. The result is a streamlined process to investigate, prioritize and resolve phishing attacks.

The APIs That More Than GET It

With the advent of a new set of Cofense Triage APIs (version 2), customers benefit from capabilities they had been asking for. Among them:

  • Bidirectional support between platforms – GET, POST, PUT, DELETE
  • Cofense Triage data ingestion and updating outside of the user interface
  • Filtering and sorting improvements, and sparse fieldsets for better performance
  • To-One (many reports to one category) and To-Many (one category to many reports) relationships
  • Expanded pagination parameters

Optimizing Your Phishing Incident Response

  • Ingest employee-reported phishing emails from Cofense Triage based on severity, category, threat indicators and reporter reputation.
  • Create security incidents in ServiceNow Security Incident Response (SIR) from events in Cofense Triage’s inbox, reconnaissance and processed queues.
  • Ingest phishing threat indicators from Cofense Triage into ServiceNow SIR to enrich and operationalize incident response.
  • Update and process/categorize phishing emails in Cofense Triage from ServiceNow SIR.
  • Bidirectionally manage phishing threat indicators and observables between Cofense Triage and ServiceNow SIR.

Go Configure…

1. First, configure ServiceNow SIR to create an incident based on the desired criteria.

Ingest email artifacts from Cofense Triage from the Inbox, Recon or Processed locations. The example below creates a security incident in SIR when a search of Cofense Triage meets all of the following conditions:

  • Location = Processed
  • Report Category = Crimeware
  • VIP Reporter = True

Figure 1. ServiceNow SIR Security Incident Creation Criteria Querying Cofense Triage

2. Review the security incident in ServiceNow SIR after the polling interval collects data matching the criteria.

Figure 2. ServiceNow SIR Incident Locations Obtained from Cofense Triage

Figure 3. Security Incident Matching Creation Criteria (Processed location, Report Category, VIP)

3. The incident details shown below in figures 4-6 are from reported phish received by Cofense Triage and ingested into SIR. The populated fields were retrieved through the polling APIs.

Figure 4. Cofense Triage Data Populating Fields in SIR

Figure 5. Direct Link from Within SIR to Cofense Triage to Preview Reported Email

Figure 6. URL and Domain Populating Observables Table

4. Additional attributes from Cofense Triage populate ServiceNow SIR: Cofense reporters, and threat indicator types and their findings.


Figure 7. Cofense Reporters

Figure 8. Threat Indicators and Finding Ingested into SIR as Noted by Cofense Triage

5. What if an analyst in ServiceNow SIR wants to update a threat indicator finding in SIR and change its state in Cofense Triage? You can do it all within the SIR interface and sync the observable reputation with Cofense Triage. The update writes to Cofense Triage and updates the threat level, as shown in figure 10.

Figure 9. Changing Threat Indicator Finding (Suspicious to Malicious) in SIR to Sync Update to Cofense Triage

Figure 10. Updated Threat Indicator Finding in Cofense Triage (Side-by-Side with Previous Finding)

6. What if a reported email is in the Inbox location and hasn't been processed? Don't let reported emails remain unattended. On a polling interval of your choice, ingest uncategorized reports from Cofense Triage and process them from ServiceNow SIR. This keeps your Cofense Triage Inbox location cleared out, which is ideal. The sequence below shows the SIR ingestion criteria, incident creation and processing back into Cofense Triage.


Figure 11. Incident Criteria to Ingest from Cofense Triage Inbox – Matching Rule Priority Less Than 2


Figure 12. Uncategorized Report from Cofense Triage Populating ServiceNow SIR


Figure 13. Processed report in Cofense Triage Initiated from ServiceNow SIR
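As an added illustration of the polling rules in steps 1, 2 and 6 (example code, not Cofense's or ServiceNow's own), the block below applies creation criteria of the Figure 1 shape to a constructed, JSON:API-style page of Triage reports and opens one SIR incident per new matching report, remembering which reports it has already seen so a repeated poll never opens a duplicate. The field names, the `included`/`relationships` layout and the sample reports are assumptions for illustration, not the documented Triage v2 API.

```python
from typing import Dict, List, Set

# Constructed sample shaped like a JSON:API page: each report carries to-one
# 'category' and 'reporter' relationships resolved from the 'included' array.
def _report(rid, location, subject, urls, cat, rep):
    return {"id": rid, "attributes": {"location": location, "subject": subject, "urls": urls},
            "relationships": {"category": {"data": {"id": cat}}, "reporter": {"data": {"id": rep}}}}

SAMPLE_PAGE = {
    "data": [
        _report("101", "Processed", "Invoice overdue", ["http://bad.example/pay"], "3", "r1"),
        _report("102", "Processed", "Lunch menu", [], "9", "r2"),                                # benign
        _report("103", "Inbox", "Reset your password", ["http://x.example/r"], "3", "r1"),      # unprocessed
        _report("104", "Processed", "Payroll update", ["http://pay.example/w2"], "3", "r2"),    # non-VIP
    ],
    "included": [
        {"id": "3", "type": "categories", "attributes": {"name": "Crimeware"}},
        {"id": "9", "type": "categories", "attributes": {"name": "Benign"}},
        {"id": "r1", "type": "reporters", "attributes": {"email": "cfo@corp.example", "vip": True}},
        {"id": "r2", "type": "reporters", "attributes": {"email": "intern@corp.example", "vip": False}},
    ],
}

CRITERIA = {"location": "Processed", "category": "Crimeware", "vip": True}  # Figure 1 rule

def _included(page: Dict, type_: str, id_: str) -> Dict:
    """Resolve a relationship id against the side-loaded 'included' resources."""
    return next(r["attributes"] for r in page["included"] if r["type"] == type_ and r["id"] == id_)

def matches(page: Dict, report: Dict, criteria: Dict = CRITERIA) -> bool:
    """Location, report category and VIP reporter must all match the rule."""
    rel = report["relationships"]
    category = _included(page, "categories", rel["category"]["data"]["id"])
    reporter = _included(page, "reporters", rel["reporter"]["data"]["id"])
    return (report["attributes"]["location"] == criteria["location"]
            and category["name"] == criteria["category"]
            and reporter["vip"] == criteria["vip"])

def poll(page: Dict, seen: Set[str], criteria: Dict = CRITERIA) -> List[Dict]:
    """One polling interval: open incidents only for new matching reports ('seen' persists)."""
    incidents = []
    for report in page["data"]:
        if report["id"] in seen or not matches(page, report, criteria):
            continue
        seen.add(report["id"])
        attrs, rel = report["attributes"], report["relationships"]
        incidents.append({"triage_report_id": report["id"], "short_description": attrs["subject"],
                          "reporter": _included(page, "reporters", rel["reporter"]["data"]["id"])["email"],
                          # each URL becomes a row in the SIR observables table (Figure 6)
                          "observables": [("url", u) for u in attrs["urls"]]})
    return incidents
```

Passing an Inbox-location criteria dict to `poll` reproduces the step 6 flow of pulling unprocessed reports, with the same duplicate guard.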

With the Cofense Triage bidirectional APIs, ServiceNow Security Incident Response (SIR) can create incidents for analysts to work through to closure. The information populated in the incident from Cofense Triage gives the team timely and relevant suspicious emails, indicators and observables, without the need to switch screens. ServiceNow's automation workflow engine can then take action across enterprise infrastructure based on the information ingested from Cofense Triage.

Download the Cofense app by visiting the ServiceNow Store. If you find this integration useful, or have use cases it does not yet cover, let us know!

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.