Most security teams today are in the same boat: limited budget, limited manpower, and limited time to defend their network against escalating threats and attacks. Perhaps that’s why so many information security vendors claim to have the “silver bullet” that will protect the customer’s environment and solve their problems.
Imagine a cunning phisher: he knows his craft and sends your users an email appearing to come from your CEO that bypasses all your other technology. What would you do?
One of our customers faced that very scenario and relied on Cofense Triage™ and the Cofense Phishing Defense Center (PDC) to analyze and respond to the attack less than 20 minutes after it launched.
New additions to the TrickBot malware’s capabilities, observed by the Phishing Defence Centre, indicate that this malware is under active development. Its designers are still introducing new functionality, including a network worm component and a screen-lock module. The worm component uses the leaked “EternalBlue” exploit for CVE-2017-0144 to propagate across networks that have yet to patch, or to discontinue the use of, SMBv1. The screen-lock module (which appears to be still in the early phases of development) gives the threat actors the ability to shift the malware from a robust banking trojan to a rudimentary ransomware.
Rohyt Belani, CEO & Co-founder, Cofense
So far, it’s been a very exciting 2018 here at Cofense, with our recent acquisition and announcement of our new name and brand. We continued performing well as a company and launching numerous new features across our products.
After introducing Cofense PhishMe™ and Cofense Reporter™, a financial services company had reduced susceptibility to 10% or lower across its 10,000+ employees. At the same time, reporting had climbed to almost 50% for data-entry simulated phishes and just under 25% for click-only.
In other words, employees had learned to identify basic phishing attacks.
Sometimes you need to “turn up the heat.”
The company’s CISO realized it was time to use more complex scenarios to further harden resiliency. The CISO pointed out that attackers don’t ask permission to launch sophisticated attacks, so the company had to be ready for anything.
To make scenarios tougher, the company added its branding to simulated phishes, plus mirrored complex phishing attacks it had seen in the wild. By upping the difficulty, the company figured susceptibility would increase, at least temporarily.
That’s exactly what happened. A phishing email pretending to be about manager evaluations, a scenario common to most organizations, fooled nearly 37% of recipients. But a month later, another office-communication phish, relating to time-off requests, elicited a click rate of just 12%—evidence the company did a good job of educating employees, especially those who had clicked the month before.
Not only that, reporting levels held steady during the same period, remaining higher than rates of user susceptibility. In fact, in a recent simulation the first email was reported before anyone mistakenly clicked. In a real phishing attack, the reported email would have been actionable information incident responders could use.
Smart next steps.
The company anticipates that employees will keep getting better at spotting advanced phishes. As susceptibility rates level out, employees should expect to see even tougher scenarios.
Again, these will likely include emails based on active threats, in particular emails purporting to come from internal sources. According to Cofense’s 2017 Phishing Defense and Resiliency Report, these kinds of “business process” scenarios are among the most effective.
One great source of complex scenarios: Cofense Intelligence™, our phishing-specific threat intelligence service, which helps organizations stay in front of attacks. You can use this service’s insights to keep your scenarios relevant.
Important note: it’s wise to mix in complex scenarios rather than abandoning basic phishing scenarios altogether. Users need to prepare for both, since attacks come in all degrees of complexity. Also, you don’t want users to be afraid to open legitimate emails from HR or other teams. If you’re not sure about the right mix, Cofense’s Professional Services Team can help.
When it comes to battling phishing, you can never say “mission accomplished.” But refining your defenses like this client did is an accomplishment in itself.
Learn more about phishing defense in Cofense’s 2017 Phishing Resiliency and Defense Report.
Over the past couple of days, the Cofense™ Phishing Defence Centre has observed multiple campaigns that prompt the user to download what appears to be a life insurance invoice. The “invoice” is delivered as a zip file containing an LNK (Windows shortcut) file whose contents have been crafted to turn it into an effective malware downloader. The malware it delivers: Ursnif.
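A zip-wrapped LNK “invoice” is a pattern a mail gateway or triage script can flag without detonating anything. The following is an added example, not Cofense code and not taken from the campaign above: it opens an archive in memory and reports any member that is a shortcut, judged both by the `.lnk` extension and by the fixed Shell Link header (header size 0x4C followed by the LinkCLSID `00021401-0000-0000-C000-000000000046`), since Explorer never displays the `.lnk` extension and a name like `Invoice.pdf.lnk` shows up as `Invoice.pdf`. The sample archive it scans is constructed inline; the file names and the padding after the header are assumptions for illustration only.

```python
from __future__ import annotations

import hashlib
import io
import zipfile

# Every Shell Link (.LNK) file starts with HeaderSize = 0x0000004C (little-endian)
# followed by the LinkCLSID 00021401-0000-0000-C000-000000000046 in GUID byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")


def inspect_zip(data: bytes) -> list[dict]:
    """Return one finding per archive member that looks like a Windows shortcut.

    Each finding carries the member name, its uncompressed size, a SHA-256 of the
    member for triage, and the list of reasons it was flagged.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            with zf.open(info) as fh:
                body = fh.read()
            reasons = []
            if name.lower().endswith(".lnk"):
                reasons.append("extension .lnk")
            # Content check catches the header regardless of what the file is called.
            if body[: len(LNK_MAGIC)] == LNK_MAGIC:
                reasons.append("LNK header magic")
            # "Invoice.pdf.lnk" renders as "Invoice.pdf" in Explorer, which hides the
            # shortcut extension; flag the double extension when it is a shortcut.
            basename = name.rsplit("/", 1)[-1]
            if reasons and basename.count(".") >= 2:
                reasons.append("double extension")
            if reasons:
                findings.append(
                    {
                        "name": name,
                        "size": info.file_size,
                        "sha256": hashlib.sha256(body).hexdigest(),
                        "reasons": reasons,
                    }
                )
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample for the demo, not a real campaign artefact.

    Contains a benign text file and a fake 'invoice' shortcut whose body is just
    the LNK header followed by zero padding (assumed content, not a working LNK).
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("README.txt", "Your life insurance invoice is attached.\n")
        zf.writestr("Invoice_2018.pdf.lnk", LNK_MAGIC + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample_archive()):
        print(f"{finding['name']}: {', '.join(finding['reasons'])} "
              f"({finding['size']} bytes, sha256 {finding['sha256'][:16]}...)")
```

The magic check matters more than the extension check: a `.lnk` member carrying the wrong header is usually a false positive worth a look, while a real shortcut header is the thing you want to quarantine before a user double-clicks it. To act on a real archive, pass the attachment bytes to `inspect_zip` and feed the SHA-256 into whatever triage workflow you already run.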
On February 27th 2007, while on the phone with my friend and co-founder Rohyt Belani, I typed the name phishme.com into GoDaddy™. We couldn’t believe our good luck and immediately registered it. As the co-founder who named this company PhishMe®, the emotional attachment is real. Somewhere in the pile of entrepreneurial startup books, I have a branding book that suggested your name is a vessel that should be big enough to carry your future products and services. We outgrew that boat quite some time ago.