Speaking in front of the House Committee on Special Intelligence earlier this year, Kevin Mandia (CEO of Mandiant) remarked that, “One of the most valuable resources in detecting and responding to cyber attacks is accurate and timely threat intelligence.” Despite its value, many organizations don’t have a way to get timely threat intelligence.
How can organizations improve in this area? If you know anything about us, it probably won’t shock you that we’re encouraging enterprises to focus on their users as a source of real-time threat intelligence. Given that the vast majority of targeted attacks focus on the end user as the primary point of entry, many compromises go through employees first, making them a potential (and largely untapped) source of intelligence about threats. Up until now, however, we’ve focused solely on the end user’s ability to recognize cyber attacks. We’ve proven users can be trained to improve their behavior toward phishing attacks, and we believe they are capable of more.
Our newest addition to PhishMe, Reporter™, lets our customers capitalize on their workforce as a source of timely threat intelligence by organizing and streamlining the process for gathering user reports. Through our experience training over 4 million employees, PhishMe has found that most will react to a phishing email within two hours of it being sent. If we can train employees not only to recognize phishing emails but to report them as well, your users can become proactive human sensors that provide your incident response team with timely intelligence about attacks threatening your network.
This kind of threat intelligence aids your IR process in a number of ways. After identifying a genuine phishing email, your administrators can remove similar emails from users’ inboxes, redirect command and control traffic, and block outbound traffic at your gateway. If a user has already interacted with a phish and compromised your network, a report of the incident can help the IR team mitigate the threat and keep adversaries from living on your systems undetected for months.
In addition to providing information about attacks threatening your enterprise, over time Phish Reporter provides information about your users as well. By tracking reporting activity for each user, Phish Reporter helps administrators score a user’s ability to correctly identify and report phishing emails, and thus prioritize reports from that user accordingly, monitor certain machines more closely, and recognize employees for a job well done.
Ultimately, your goal should be to make reporting part of your organization’s culture and make your employees active participants in securing the enterprise. An organization with this type of culture will respond faster to incidents and be more prepared for emerging attack techniques and threats.