If you’re shopping for a vendor to help with phishing awareness training, you might be thinking, “They all seem pretty similar. What’s the difference?”
As we have continued to improve anti-phishing capabilities for clients over the past few years, we have seen a myriad of changes in phishing email composition, style, and approach. Throughout all those changes however, one thing has remained the same.
By Jerome Doaty, Zakari Grater, and Brenda Gooshaw Samson
Technology is an important part of any phishing defense, especially perimeter tech designed to filter emails. But these systems, even those billed as “next-gen email security platforms,” don’t catch everything. Some phishes always get through.
Most security teams today are pretty much in the same boat: limited budget, limited man power, and limited time to defend their network against escalating threats and attacks. Perhaps that’s why so many information security vendors claim to have the “silver bullet” to protect the customer’s environment and solve their problems.
Imagine a cunning phisher: he knows his craft and sends your users an email appearing to come from your CEO that bypasses all your other technology. What would you do?
One of our customers faced that very scenario and relied on Cofense TriageTM and the Cofense Phishing Defense Center (PDC) to analyze and respond to the attack in less than 20 minutes after it launched.
New additions to the TrickBot malware’s capabilities, observed by the Phishing Defence Centre, indicate that this malware tool is undergoing active development. The designers of this malware are still working hard to introduce new functionality including a network worm functionality and a screen-lock module. The worm component utilises the leaked “EternalBlue” exploit for CVE-2017-0144 to propagate itself across networks that have yet to patch or discontinue the use of SMBv1. The deployment of the screen-lock module (which appears to be still in the early phases of development) gives the threat actors the ability to change the functionality of the malware from robust banking trojan to a rudimentary ransomware.
Rohyt Belani, CEO & Co-founder, Cofense
So far, it’s been a very exciting 2018 here at Cofense, with our recent acquisition and announcement of our new name and brand. We continued performing well as a company and launching numerous new features across our products.
After introducing Cofense PhishMeTM and Cofense ReporterTM, a financial services company had reduced susceptibility to 10% or lower across its 10,000+ employees. At the same time, reporting had climbed to almost 50% for data-entry simulated phishes and just under 25% for click-only.
In other words, employees had learned to identify basic phishing attacks.
Sometimes you need to “turn up the heat.”
The company’s CISO realized it was time to use more complex scenarios to further harden resiliency. The CISO pointed out that attackers don’t ask permission to launch sophisticated attacks, so the company had to be ready for anything.
To make scenarios tougher, the company added its branding to simulated phishes, plus mirrored complex phishing attacks it had seen in the wild. By upping the difficulty, the company figured susceptibility would increase, at least temporarily.
That’s exactly what happened. A phishing email pretending to be about manager evaluations, a scenario common to most organizations, fooled nearly 37% of recipients. But a month later, another office-communication phish, relating to time-off requests, elicited a click rate of just 12%—evidence the company did a good job of educating employees, especially those who had clicked the month before.
Not only that, reporting levels held steady during the same period, remaining higher than rates of user susceptibility. In fact, in a recent simulation the first email was reported before anyone mistakenly clicked. In a real phishing attack, the reported email would have been actionable information incident responders could use.
Smart next steps.
The company anticipates that employees will keep getting better at spotting advanced phishes. As susceptibility rates level out, employees should expect to see even tougher scenarios.
Again, these will likely include emails based on active threats, in particular emails purporting to come from internal sources. According to Cofense’s 2017 Phishing Defense and Resiliency Report, these kinds of “business process” scenarios are among the most effective.
One great source of complex scenarios: Cofense IntelligenceTM, our phishing-specific threat intelligence which helps organizations stay in front of attacks. You can use this service’s insights to keep your scenarios relevant.
Important note: it’s wise to mix in complex scenarios vs. abandoning basic phishing scenarios altogether. Users need to prepare for both, since attacks come in all degrees of complexity. Also, you don’t want users to be afraid to open legitimate emails from HR or other teams. If you’re not sure about the right mix, Cofense’s Professional Service Team can help.
When it comes to battling phishing, you can never say “mission accomplished.” But refining your defenses like this client did is an accomplishment in itself.
Learn more about phishing defense in Cofense’s 2017 Phishing Resiliency and Defense Report.