Finding the Whole Phishing Attack: Problems and Solution
Mitigating a phishing attack is a little like zapping termites. If you don’t eliminate the whole problem, trouble continues to breed.
To help, CofenseTM has announced the general availability of Cofense VisionTM. We knew that existing email search and quarantine tools weren’t fast enough, making it hard for the SOC to find and remove every phish.
Integrated with the latest release of Cofense TriageTM, Cofense Vision lets incident responders see the entire phishing attack, including emails not reported by users. With a single click, the SOC can quarantine every bad email and stop the attack in its tracks.
Cofense Vision copies and stores all emails in the customer’s cloud, so the SOC can look for a phishing campaign without creating more work for the email team. The solution also provides a compliant, auditable workflow.
Let’s take a closer look at some of the problems it solves.
“Searching takes too long.”
Every day, phishing emails bypass perimeter defenses to land in users’ inboxes. As the Cofense Phishing Defense Center has reported, 1 in 7 reported emails is malicious. In 2018 alone, for example, our team found over 55,000 credential phishing attacks. A single well-crafted phish can cost a business big. It’s critical to perform searches quickly and efficiently, especially since threat actors are more creative in evading network security with polymorphism, encryption, and obfuscated malware.
But traditional native tools, Powershell, for instance, make email searching complex and extremely time-consuming. To search and purge with Powershell you’re limited to 50,000 mailboxes. If the mail environment is larger, you have to create multiple searches.
You also have to build searches for multiple senders or multiple subject lines, which complicates the hunt and slows it even more. It’s also tough to know that you’re hitting every mailbox and not missing any threats.
In old-school searching, emails are grouped together, or “clustered,” based on an exact match to criteria like sender and subject. This allows you to find emails that match criteria you know about. However, such an approach to clustering doesn’t account for the way malware morphs and avoids exact matching, in some cases changing the sender, subject, or content for each recipient.
“We create more work for the email team.”
Traditionally, every step described above is handled by the IT team that owns the email platform—not by the SOC, the team responsible for stopping attacks. There’s a built-in conflict, one of competing priorities. The messaging team needs to make sure legitimate emails go through, while the SOC is trying to defend the business by mitigating attacks.
In this set-up, the messaging team is doing its day job AND handling SOC requests to find and quarantine phishing emails. The issues detailed in the previous section—the limits of native search tools and the inadequacies of old-school clustering—make life even more difficult for the messaging team. They’re asked to perform searches that (a) take a lot of time because they’re so complex and (b) get in the way of their regular duties.
Without a solution that empowers the SOC to search and quarantine on its own—with no heavy lift from the messaging team besides determining the fate of quarantined emails—the hunt for phishing threats is going to be inefficient. It’s a lot easier to send a command than to make a request.
With Cofense Vision, operators search an offline copy of the email environment hosted in their own cloud. There is thorough and strict auditing of who is searching for what. The SOC team gets what it needs while the mail team doesn’t have to hand over the keys to the kingdom.
If complicated email searching is slowing your phishing response, get more details on Cofense Vision. Learn more here.
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.