Last week, Brian Krebs released a blog post about the recent news of a Virginia Bank being breached—not once, but twice. And he didn’t bury the headline. It was right up front: “Hackers used phishing emails to break into a Virginia Bank….”
As a former incident response and security awareness person, I always want to gather the latest information on any announcement of a data breach. I want to know the who, what, and how, so that when management comes asking, “Could this happen in our organization?” we can provide an answer that either gives reassurance or determines what else we should be doing.
For this incident, we know the user “clicked on a link” and that this allowed the malware to be installed on their machine. What we don’t know: did they report this email to their security operations or IT helpdesk teams? We also don’t know what the email looked like or whether it was highly targeted to the individual who clicked. How many users received the initial email? Was the secondary attack the same type of message?
In today’s environment, where email is essential to every user, it is critical to ensure that users at all levels are trained on identifying and reporting suspicious emails. This story is a good reminder that encouraging users to report a message—even if they clicked or opened the attachment—is extremely helpful to the security teams. Early detection is what allows security teams to quickly mitigate the risk to the organization or even stop an attack in action.
Find Answers Faster
When an organization uses Cofense Triage™ to manage its phishing defense and is faced with this scenario, it is able to quickly mitigate and stop an attack in progress. Cofense Triage analyzes reported emails and groups the emails from a single phishing campaign into a cluster. Within Cofense Triage, the security operations center (SOC) team can leverage the recently announced Cofense Vision™ to quickly see who else received a phishing email. Using Cofense Vision, operators can easily quarantine malicious messages across every user’s inbox in Microsoft Exchange and Office 365 with a simple click, eliminating the threat instantly.
Within Cofense Triage they are also able to pull the indicators from the phishing email to take further protective actions and orchestrate the response. The first action would be to pass the list of IPs/URLs to the network team, so they can block and prevent any connection to the malicious site. Next, the operator would pass the indicators to the SIEM and begin searching the logs to find out whether any users interacted with the links.
These are the steps an operator would take each time a reported message is identified as malicious—first by a human reporting and second by a human analyzing the malicious intent of the message. Once a person has completed the task of identifying a threat in Cofense Triage, the operator can use automation to trigger downstream actions and hand-offs to other teams.
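The indicator hand-off and log search described above, as an added example that is not Cofense’s code or part of the original post: the script pulls URLs and IP addresses out of a reported message, produces the block list the network team would receive, and then searches proxy log lines for users who contacted those hosts, separating plain visits from form submissions (POST requests) so the SOC knows who may have entered credentials. The email body and the proxy log are constructed samples, and the six-field log format is an assumption for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample: body of a reported phishing email (not a real message).
REPORTED_EMAIL = """\
From: payroll-notice@example-invalid.test
Subject: Action required: updated payroll portal

Please confirm your details at http://payroll-update.example-invalid.test/login
or use the backup link http://203.0.113.45/secure/index.php before Friday.
"""

# Constructed sample proxy log. Assumed format (one request per line):
# timestamp user client_ip method url status
PROXY_LOG = """\
2018-09-10T08:12:01Z alice 10.0.0.21 GET http://payroll-update.example-invalid.test/login 200
2018-09-10T08:13:44Z bob 10.0.0.22 GET https://intranet.corp.example/home 200
2018-09-10T08:15:09Z carol 10.0.0.23 GET http://203.0.113.45/secure/index.php 200
2018-09-10T08:16:30Z dave 10.0.0.24 GET http://payroll-update.example-invalid.test/ 404
2018-09-10T08:20:02Z alice 10.0.0.21 POST http://payroll-update.example-invalid.test/login 302
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _valid_ipv4(candidate):
    """Reject dotted strings whose octets are out of range (e.g. version numbers)."""
    return all(0 <= int(octet) <= 255 for octet in candidate.split("."))


def extract_indicators(text):
    """Return (hosts, urls) found in the email text.

    hosts: lowercased hostnames and IPs, the list handed to the network team.
    urls:  full links, the strings used for SIEM searches.
    """
    urls = set(URL_RE.findall(text))
    hosts = set()
    for url in urls:
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    # Bare IPs written in the body outside of a URL are indicators too.
    for ip in IPV4_RE.findall(text):
        if _valid_ipv4(ip):
            hosts.add(ip)
    return hosts, urls


def parse_proxy_line(line):
    """Parse one line of the assumed proxy log format; return None if malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, user, client_ip, method, url, status = parts
    return {"ts": ts, "user": user, "client_ip": client_ip,
            "method": method, "url": url, "status": int(status)}


def find_exposed_users(log_text, hosts):
    """Return (user, ts, method, url, status) for each request to an indicator host.

    A 404 still counts: the user followed the link, so the endpoint needs a look.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        host = urlparse(rec["url"]).hostname
        if host and host.lower() in hosts:
            hits.append((rec["user"], rec["ts"], rec["method"], rec["url"], rec["status"]))
    return hits


def triage(email_text, log_text):
    """Run the full hand-off: block list for the network team, hits from the log search,
    and the users to contact, with POST requests flagged as possible credential entry."""
    hosts, urls = extract_indicators(email_text)
    hits = find_exposed_users(log_text, hosts)
    return {
        "block_list": sorted(hosts),
        "search_urls": sorted(urls),
        "hits": hits,
        "users_to_contact": sorted({h[0] for h in hits}),
        "possible_credential_entry": sorted({h[0] for h in hits if h[2] == "POST"}),
    }


if __name__ == "__main__":
    result = triage(REPORTED_EMAIL, PROXY_LOG)
    print("Block list for network team:", result["block_list"])
    for hit in result["hits"]:
        print("HIT", *hit)
    print("Users to contact:", result["users_to_contact"])
    print("Possible credential entry:", result["possible_credential_entry"])
```

In the sample, bob never touched an indicator host and is left alone, dave followed the link but got a 404, and alice both loaded the page and submitted a form to it, so she is the one the SOC would prioritise for a password reset and endpoint review. In a real SIEM the same host list becomes the search term; the parsing here only stands in for that query.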
Finding the right balance of human interactions with automation allows you to quickly mitigate a phishing attack—and block the attacker’s goal of gaining access to data or other assets, or simply establishing a foothold.
But this is a small bank, you say. Well, Cofense™ has solutions that fit every organizational size, as well as a managed Cofense Triage professional service that provides the same level of support to SMBs and enterprises alike.
Humans + Technology = Eliminated Threats
The phishing threat isn’t going away; rather, it is evolving daily to evade perimeter controls that are designed to block and tackle. At Cofense, we believe the key to stopping these highly evolved phishing attacks more efficiently is the powerful combination of human phishing reporters and leading-edge technology. Human intuition plus highly responsive technology lets you disrupt attacks in progress and eliminate threats.
Learn more about the impacts of phishing response trends in your region—download the Cofense Phishing Response Trends report.
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.