Most security teams today are pretty much in the same boat: limited budget, limited manpower, and limited time to defend their network against escalating threats and attacks. Perhaps that’s why so many information security vendors claim to have the “silver bullet” to protect the customer’s environment and solve their problems.
Regardless of what a solution promises, it’s undeniable that things continue to bypass those “silver bullet” solutions. And we have a couple of good examples to show just that.
The good news is that, in these cases, the companies being targeted had a back-up plan that used an existing resource — their employees. Conditioned employees can scrutinize and recognize things that have never been seen before, whereas a piece of technology cannot: technology requires a signature that has already been written, and deployed in the right place, to catch a threat.
An intuitive human sensor who is properly conditioned can see when things are not right, report those suspicious emails, and give a trained analyst the opportunity to identify and mitigate an active threat. A proper write-up from the analyst can then be correlated with logs, proxy data and full packet captures to find other users who potentially did not identify the threat.
Let’s take a look at examples of threats that were identified by humans and not the email gateway technology:
Email Wasn’t Stopped by Proofpoint
Looking at this email we see that the attackers are acting as if they are from Microsoft, perhaps posing as support for the Office365 account. Using a common tactic of playing on the user’s sense of urgency, the phish is crafted to convince the user they must act quickly to save his or her account. And, conveniently, the attackers have included a link for the user to do just that.
Digging deeper into the HTML of the attacking email, we see that the “Verify Now” link does not go to Microsoft or an affiliated site, but to a malicious site that mimics Office365.
Looking at the headers, we see that the email did pass through the Proofpoint device and, while it was scored, it was not stopped from being delivered to the employee’s inbox.
Luckily, this company had trained its employees to recognize phishing attempts, provided them with an easy way to report and alert IT Security and an easier way to assess, analyze, and respond to active threats.
Email Wasn’t Stopped by IronPort
The email below is the standard DocuSign phish that has been around for the past few years – so it’s a pretty well-known threat.
As indicated in the headers, this email was scanned by the IronPort engine and permitted to be delivered to the employee. Luckily, the employee was smart enough to recognize something the expensive technology did not.
We can clearly see the URL referenced in the HTML of the email. The link points to a website that is clearly not DocuSign, and it uses a .php extension.
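Both cases above come down to the same two analyst checks: confirm from the headers that the gateway actually scanned the message, and pull the real link targets out of the HTML to compare them with the brand the email claims to be from. The script below is an added example written for this post, not Cofense’s own tooling and not the original email; the message, the gateway header values and all domains in it are constructed placeholders, and the brand-to-domain table is an assumption an analyst would maintain themselves.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the DocuSign-style phish discussed above.
# Every header value, address and domain here is an invented placeholder.
SAMPLE_EMAIL = b"""From: DocuSign <noreply@docusign-notify.example>
To: employee@corp.example
Subject: You have a document to review
X-IronPort-Anti-Spam-Result: [placeholder-scan-verdict]
X-IronPort-AV: [placeholder-av-engine-result]
Content-Type: text/html; charset="utf-8"

<html><body>
<p>A document has been sent for your review.</p>
<a href="http://files.example.net/review/docusign.php?id=123">Review Document</a>
<p>Questions? Visit <a href="https://support.docusign.com/">docusign.com</a></p>
</body></html>
"""

# Header prefixes stamped by the two gateways named in the post.
GATEWAY_HEADER_PREFIXES = ("X-IronPort-", "X-Proofpoint-")

# Assumed mapping from an impersonated brand to the domain it legitimately uses.
BRAND_DOMAINS = {
    "docusign": "docusign.com",
    "microsoft": "microsoft.com",
    "office365": "microsoft.com",
}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def parse_email(raw_bytes):
    return email.message_from_bytes(raw_bytes, policy=policy.default)


def gateway_headers(msg):
    """Return the scan headers a mail gateway stamped on the message: proof that
    the email was inspected before it reached the inbox."""
    return {k: v for k, v in msg.items() if k.startswith(GATEWAY_HEADER_PREFIXES)}


def host_belongs_to(host, domain):
    return host == domain or host.endswith("." + domain)


def claimed_brands(msg, link_text):
    """Brands the message pretends to come from, judged by From, Subject and link text."""
    haystack = " ".join([str(msg.get("From", "")), str(msg.get("Subject", "")), link_text]).lower()
    return [brand for brand in BRAND_DOMAINS if brand in haystack]


def suspicious_links(msg):
    """Flag links whose real destination does not match the brand being impersonated,
    or whose landing page is a server-side script (the .php pattern noted above)."""
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    extractor = LinkExtractor()
    extractor.feed(body.get_content())
    findings = []
    for href, text in extractor.links:
        parsed = urlparse(href)
        host = (parsed.hostname or "").lower()
        reasons = []
        for brand in claimed_brands(msg, text):
            if not host_belongs_to(host, BRAND_DOMAINS[brand]):
                reasons.append(f"email claims to be {brand} but link host is {host}")
                break
        if parsed.path.lower().endswith(".php"):
            reasons.append("landing page is a .php script rather than a document")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


def triage(raw_bytes):
    """One-shot triage: did a gateway scan it, and which links look wrong?"""
    msg = parse_email(raw_bytes)
    return {"gateway_headers": gateway_headers(msg), "suspicious_links": suspicious_links(msg)}


if __name__ == "__main__":
    report = triage(SAMPLE_EMAIL)
    print("Gateway scan headers:", list(report["gateway_headers"]))
    for finding in report["suspicious_links"]:
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Run against the constructed message, the script confirms that IronPort headers are present (the mail was scanned and still delivered) and flags only the “Review Document” link, because its host is not under docusign.com and it lands on a .php script; the genuine support link passes. The same href-versus-brand comparison is what an analyst does by eye when reading the HTML of the Office365 phish above.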
The employee then reported the threat to the IT Security team using Cofense Triage™.
The URL is clearly referenced in our platform:
Multiple VirusTotal scanners list the site as clean. That’s because the threat was identified immediately and the site was taken down within a day of discovery. This gives security vendors little incentive to update their signatures to detect threats that are only online for 24 hours or less.
Your network is your castle and a few walls won’t keep it safe. You need a moat, a watch tower, and a battalion to respond to attacks.
Technology fails. Regardless of the silver bullet technology installed, attackers seem to find ways around it. Attackers are clever humans. And so are your employees. Activating your entire organization as a collective defense will ensure you have that last line of defense in place.
To learn more about the benefits of phishing awareness training, view the 2017 Cofense Phishing Resiliency and Defense Report.