THE PHISH HIT 200 INBOXES.
THE CLOCK WAS TICKING FAST.
A “very convincing” phishing email hit a financial services company. After evading the company’s secure email gateway (SEG), the phish, which spoofed a major credit card provider, urged employees to click to a My Account page—a subtle counterfeit designed to steal information like home address, social security number, email, and more.
Fortunately, the company’s SOC was ready and stopped the attack in 10 minutes. Five keys underpinned their super-fast response. Here’s how your SOC team can shift into high gear, too.
1. AUTOMATE NOISE REDUCTION
Do your employees report suspicious emails? If yes, that’s terrific. But when email reports pile up, with the vast majority harmless, SOC teams can’t keep pace using manual processes. The first key to faster phishing response is automated noise reduction—a speedier way to filter out spam and other benign messages.
This company uses Cofense Triage to reduce noise, analyze, and prioritize email reports—all automatically. Fun fact: another company used Triage to reduce its backlog of 40,000 reported emails to less than 1,000.
2. FAST-TRACK EMAIL ANALYSIS
Once you’ve filtered noise, you need to analyze and prioritize bona fide threats. The financial services company was able to stop the attack so fast because it could quickly answer the question, “Where should we focus first?”
Again, the key was Triage automation. It clusters phishing emails by attributes—subject, message, attachments, URLs, and more—and also groups them by payload to identify today’s complex attacks. In the case of this credential phishing attack, the SOC team knew in minutes they had a serious threat on their hands.
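The clustering step described above, as an added illustration that is not Cofense Triage code and uses only constructed reports: each report is keyed by its delivery mechanism (attachment hash, then link hosts, then a normalized subject) so that three differently worded reports of the same "My Account" lure land in one cluster, and clusters are ranked by how many distinct employees reported them.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import urlparse

@dataclass
class Report:  # constructed report shape, not a vendor schema
    reporter: str
    subject: str
    urls: list = field(default_factory=list)
    attachment_sha256: str = ""

def normalize_subject(subject: str) -> str:
    """Drop Re:/Fwd: prefixes and digits so 'RE: Alert #123' matches 'Alert #456'."""
    s = re.sub(r"^\s*((re|fw|fwd)\s*:\s*)+", "", subject, flags=re.I)
    return re.sub(r"\d+", "#", s).strip().lower()

def payload_key(r: Report) -> tuple:
    """Group by payload: attachment hash, else link hosts, else normalized subject."""
    if r.attachment_sha256:
        return ("attachment", r.attachment_sha256)
    hosts = sorted({urlparse(u).hostname for u in r.urls if urlparse(u).hostname})
    if hosts:
        return ("url",) + tuple(hosts)
    return ("subject", normalize_subject(r.subject))

def cluster_reports(reports: list) -> dict:
    clusters = defaultdict(list)
    for r in reports:
        clusters[payload_key(r)].append(r)
    return dict(clusters)

def prioritize(clusters: dict) -> list:
    """Widest reach first: distinct reporters, then total reports."""
    return sorted(clusters.items(),
                  key=lambda kv: (-len({r.reporter for r in kv[1]}), -len(kv[1])))

# Constructed sample: three reports of the spoofed "My Account" lure under
# different subjects, plus two unrelated reports that must not cluster with it.
SAMPLE = [
    Report("alice", "Action required: verify your account #4412", ["https://my-account.lure.test/login"]),
    Report("bob", "RE: Action required: verify your account #9905", ["https://my-account.lure.test/login?u=2"]),
    Report("carol", "Your card statement is ready", ["https://my-account.lure.test/verify"]),
    Report("dave", "Weekly newsletter", ["https://news.internal.test/issue/12"]),
    Report("erin", "Invoice attached", attachment_sha256="a" * 64),
]

def top_cluster(reports: list = SAMPLE) -> tuple:
    key, members = prioritize(cluster_reports(reports))[0]
    return key, sorted(r.reporter for r in members)
```

Running `top_cluster()` on the sample returns the lure's host cluster with all three reporters, which is the "focus here first" answer the SOC needs.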
3. USE THREAT INTELLIGENCE TO ZERO IN QUICKLY
Once your team confirms an attack and knows where to focus, another question must be answered: “What are we looking at?” Threat actors are relentless innovators, constantly devising new tactics and techniques. Here’s where high-fidelity phishing intelligence comes into play.
Using Triage, the financial services company had access to a library of rules continually updated to reflect the changing threat landscape. The library is curated by the Cofense Intelligence, Research, and Phishing Defense Center teams, who examine millions of phish and user reports to identify emerging threats and develop rules to stop them. It’s crowd-sourced phishing intelligence, a kind of network effect spanning every global industry, enabling you to rapidly isolate and mitigate high-risk messages.
4. EXPEDITE USER REPORTING
Let’s back up a moment. The SOC team couldn’t have known that 200+ users received the phish if some of them hadn’t reported it. Think about it. The phish got past the SEG, the first line of defense, so employees had to step up and form the second line.
They did just that, reporting the phish with a single click, using the Cofense Reporter button on their email toolbar. Easy reporting = faster reporting = speedier phishing response. Of course, before employees can report a phish they have to identify it. The company conditions users through Cofense PhishMe, running phishing simulations based on the latest threats identified by our threat intelligence and research teams.
5. GET TO REMEDIATION FASTER
To recap: an attack is reported, verified as real, then analyzed and prioritized. You’ve quickly gathered indicators of compromise. Now it’s time to shut down the threat.
The financial services company’s SOC acted fast. They blocked the phishing page’s domain—before any users entered data—and were in a position to recommend extra measures like blacklisting sites and pulling emails from user inboxes.
Speaking of quarantining emails, while the company didn’t use Cofense Vision, this solution does enable SOCs to find an entire phishing campaign across all inboxes and quarantine every phish with one click.