When it comes to keeping employees safe, there is nothing like a clear set of policies and procedures to help them make the right decisions. This month SC Media talked with Cofense Senior Director of Product Marketing David Mount. In the first of two parts, David addresses some of the finer points of getting employees on the same page when it comes to priorities.
SC Media: Phishing, malware and ransomware are topics that get tons of attention in the media, yet they are still at epidemic proportions. Going beyond simple user education, let’s look at some finer details. Let’s say 50 users actually report a suspicious email to the security team. What does that mean in real terms? How can you tell how many employees actually received that email, and what can a company do to defend against such a threat?
Cofense’s David Mount: Industry reports tend to unanimously agree that phishing is the #1 attack vector for successful data breaches. It works, and as such significant media attention abounds. Organisations have to accept the uncomfortable truth that no matter how good their perimeter controls, malicious emails are still reaching employee inboxes. The Cofense Phishing Defense Center observes that one in seven of the emails they receive — emails reported by users — contain malicious content. Each of these emails is a threat that has been identified by users, after technology failed.
To better defend against phishing attacks, organisations must address the fundamental problem of getting visibility of attacks. Much in the same way that it takes only one click on a malicious email to compromise an organization, it takes only one person to report a threat to enable security teams to get visibility. Once the threat is analyzed and understood, security teams need to find out who else received the email — fast. Time is of the essence, and sometimes security teams are reliant on messaging teams to do this searching, which can take many hours.
As a result, security teams need to explore how they can perform high-performance email threat hunting, such as by using Cofense Vision. Once the malicious emails have been found, they can be quarantined, removing the risk of further compromise. By understanding the indicators of compromise of a threat, security teams can undertake other threat mitigation actions such as blocking access to payload and command-and-control infrastructure, performing forensics to understand who might have been compromised, and taking appropriate actions to mitigate the threat. Without user reporting, none of these steps can happen.
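The hunt described in this answer, as an added example that is not Cofense code and not Cofense Vision: indicators (sender address, URLs in the body, SHA-256 of attachments) are derived from the one email a user reported, and a mailbox corpus is searched for every other message sharing an indicator, which yields both the recipient list and the messages to quarantine. The corpus, addresses and domains are constructed for the example.

```python
"""Email threat hunt driven by a single user report.

Added example (not Cofense code and not Cofense Vision): given one reported
phish, derive indicators from it (sender address, URLs in the body, SHA-256
of attachments) and search a mailbox corpus for every other message that
shares an indicator, so the security team knows who else received it and
which messages to quarantine.  The corpus and addresses are constructed."""
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def build_message(sender, recipient, subject, body, attachment=None):
    """Construct a raw RFC 5322 message for the sample corpus."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment is not None:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="pdf", filename=name)
    return msg.as_bytes()


def extract_iocs(raw):
    """Return the set of (kind, value) indicators found in one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    iocs = set()
    sender = parseaddr(str(msg["From"]))[1].lower()
    if sender:
        iocs.add(("sender", sender))
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_filename():
            # Hash attachment bytes so renamed copies of the same payload still match.
            digest = hashlib.sha256(part.get_payload(decode=True)).hexdigest()
            iocs.add(("sha256", digest))
        elif part.get_content_type() == "text/plain":
            for url in URL_RE.findall(part.get_content()):
                iocs.add(("url", url.rstrip(".,;)")))
    return iocs


def hunt(reported_raw, corpus):
    """corpus maps mailbox -> list of raw messages.  Returns mailbox -> list of
    subjects for every message sharing at least one indicator with the report."""
    iocs = extract_iocs(reported_raw)
    hits = {}
    for mailbox, messages in corpus.items():
        for raw in messages:
            if extract_iocs(raw) & iocs:
                subject = str(email.message_from_bytes(raw, policy=policy.default)["Subject"])
                hits.setdefault(mailbox, []).append(subject)
    return hits


# Constructed sample corpus: the same lure reached alice and bob, a reworded
# variant with the same link reached dave, and carol only got a newsletter.
PHISH_SENDER = "accounts@payments-update.test"
PHISH_URL = "https://share.example-files.test/d/inv0921.pdf"
PHISH_PDF = ("invoice.pdf", b"%PDF-1.4 constructed sample payload")
CORPUS = {
    "alice@example.com": [
        build_message(PHISH_SENDER, "alice@example.com", "Invoice 0921 overdue",
                      "Please review: " + PHISH_URL, PHISH_PDF),
    ],
    "bob@example.com": [
        build_message(PHISH_SENDER, "bob@example.com", "Invoice 0921 overdue",
                      "Please review: " + PHISH_URL, PHISH_PDF),
        build_message("news@vendor.example", "bob@example.com", "Monthly newsletter",
                      "Read the latest at https://www.vendor.example/news"),
    ],
    "carol@example.com": [
        build_message("news@vendor.example", "carol@example.com", "Monthly newsletter",
                      "Read the latest at https://www.vendor.example/news"),
    ],
    "dave@example.com": [
        build_message("billing@other-domain.test", "dave@example.com", "Payment reminder",
                      "Open " + PHISH_URL + " today."),
    ],
}
REPORTED = CORPUS["alice@example.com"][0]   # the one email alice reported


def hunt_reported_phish():
    return hunt(REPORTED, CORPUS)


if __name__ == "__main__":
    for mailbox, subjects in hunt_reported_phish().items():
        print(mailbox, "->", subjects)
```

Matching on any single indicator is deliberate: dave's copy has a different sender and subject but the same link, which a subject-only search would miss. In a real environment the corpus lookup would be a query against the mail store or journal rather than an in-memory dictionary.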
SC: What actions should an employee take when they get emails that might trigger their Spidey senses that something looks off? Employees might be thinking that if they keep sending emails to the security team they are going to be considered incompetent to make a decision or they might think they’re overloading the IT team. What should employees know about the emails they send to security that might make them more confident in their decision to investigate these messages?
DM: When any of us receive a phishing email, there are three broad behaviors we could exhibit:
- We click the link, enter our credentials or open the attachment — either way we’re compromised, and that’s obviously undesirable.
- Our Spidey senses tell us that something looks off, we don’t trust the email, so we delete it. This is neutral behavior as, whilst it protects us as individuals, it doesn’t provide the much needed visibility to SOC teams to be able to understand and mitigate threats. After all, it’s likely that we are not the only recipient of the threat.
- We report the email to our security teams. This is the most desirable behavior as we’re now acting as a valuable human sensor within our environment, providing visibility to security teams about threats that they were otherwise blind to.
Over-reporting is always better than under-reporting, as this maximizes the visibility that SOC (security operations center) teams achieve over the threats that they were otherwise blind to. Mature security teams recognize that user reported emails can be the most actionable source of threat intelligence they can consume. After all, it relates to threats that are actually inside the organization. However, for security teams to turn these reported emails into actionable intelligence, they must be able to cut through the noise of false positives, to find bad quickly.
Solutions such as Cofense Triage enable security teams to consume large volumes of user-reported emails, and prioritize and analyze them. By employing capabilities such as understanding who the organisation’s ‘trusted reporters’ are – i.e. those who have demonstrated an ability to identify and report malicious emails – security teams can prioritize effectively, eliminating the challenge of false positives.
Mature organisations go to great lengths to foster a strong reporting culture, such as offering a ‘phish bounty’ – i.e. if users report emails, and they are found to be malicious, they receive some form of financial reward. This type of program can be far more cost effective than cleaning up a breach caused by a phishing threat that security teams didn’t know was there.
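The ‘trusted reporter’ prioritisation from this answer, as an added example that is not Cofense Triage: reports are clustered by sender and normalised subject so that many reports of one campaign become one work item, clusters are ranked by the best reputation among their reporters and then by volume, and each analyst verdict feeds back into the reporters’ histories. Reporter names, histories and reports are constructed, and the smoothed-precision score and the 0.75 trust threshold are this example’s own choices.

```python
"""Triage of user-reported emails using reporter reputation.

Added example, not Cofense Triage: reports are clustered by sender and
normalised subject so fifty reports of one campaign become one work item,
clusters are ranked by the best reputation among their reporters and then by
volume, and analyst verdicts feed back into each reporter's history.  All
names, histories and reports below are constructed."""
import re


def reporter_score(history, reporter):
    """Smoothed precision of a reporter's past reports: (malicious + 1) / (total + 2).
    history maps reporter -> (malicious, total); a reporter with no history scores 0.5."""
    malicious, total = history.get(reporter, (0, 0))
    return (malicious + 1) / (total + 2)


def normalize_subject(subject):
    """Strip reply/forward prefixes and collapse whitespace so variants cluster together."""
    s = re.sub(r"^(?:\s*(?:re|fwd?)\s*:\s*)+", "", subject, flags=re.IGNORECASE)
    return " ".join(s.lower().split())


def triage(reports, history, trusted_threshold=0.75):
    """Group reports into campaign clusters and return them in work order:
    clusters with a trusted reporter first, then by best score, then by volume."""
    clusters = {}
    for r in reports:
        key = (r["sender"].lower(), normalize_subject(r["subject"]))
        c = clusters.setdefault(key, {"sender": key[0], "subject": key[1],
                                      "reporters": [], "best_score": 0.0})
        c["reporters"].append(r["reporter"])
        c["best_score"] = max(c["best_score"], reporter_score(history, r["reporter"]))
    for c in clusters.values():
        c["trusted"] = c["best_score"] >= trusted_threshold
    return sorted(clusters.values(),
                  key=lambda c: (c["trusted"], c["best_score"], len(c["reporters"])),
                  reverse=True)


def record_verdict(history, reporters, malicious):
    """Update each reporter's (malicious, total) counts after an analyst verdict."""
    for rep in reporters:
        m, t = history.get(rep, (0, 0))
        history[rep] = (m + (1 if malicious else 0), t + 1)


# Constructed history: alice has 9 of 10 reports confirmed, bob 1 of 8, carol is new.
HISTORY = {"alice": (9, 10), "bob": (1, 8)}
REPORTS = [
    {"reporter": "alice", "sender": "accounts@payments-update.test", "subject": "Invoice 0921 overdue"},
    {"reporter": "bob", "sender": "Accounts@payments-update.test", "subject": "RE: Invoice 0921 overdue"},
    {"reporter": "carol", "sender": "news@vendor.example", "subject": "Monthly newsletter"},
    {"reporter": "bob", "sender": "hr@example.com", "subject": "Benefits enrolment reminder"},
]


def ranked_subjects():
    """Cluster subjects in the order an analyst should work them."""
    return [c["subject"] for c in triage(REPORTS, HISTORY)]


if __name__ == "__main__":
    for c in triage(REPORTS, HISTORY):
        print(f"{c['best_score']:.2f} trusted={c['trusted']} x{len(c['reporters'])} {c['subject']}")
```

Bob's low score does not bury the invoice cluster because alice also reported it; the cluster inherits the best reputation among its reporters, so a single trusted report lifts every duplicate with it. The smoothing keeps a brand-new reporter at a neutral score rather than at zero, so a first report is neither ignored nor treated as a confirmed threat.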
SC: Attackers are constantly changing how they send phishing emails. Poor grammar and misspellings are being replaced by highly sophisticated and targeted messages. How are phishing attacks changing over time from a technical standpoint (such as emails that are aware of sandboxes)? What are we seeing now that perhaps we didn’t see a year or so ago?
DM: The phishing threat landscape is fast evolving, with threat actors deploying a developing array of tactics and techniques to ensure successful delivery of phishing emails and payload execution. Recognizing that organizations continue to make investments in tools and technology to identify threats, these threat actors must make investments in their tactics and techniques to deceive and defeat these tools.
Abuse of cloud file-sharing services is a growing tactic that is being observed more frequently within the Cofense Phishing Defense Center. This involves threat actors hosting payloads, such as a PDF file containing a malicious link, in cloud file-sharing services such as Dropbox, OneDrive, Google Drive or sharepoint.com. When the phish is sent, it contains a link to the payload. However, as these file-sharing services are commonly used for legitimate business purposes, they are not routinely blocked, and it can be extremely difficult to separate the good from the bad. In addition, URL scanning services at the gateway would not typically consider URLs to these services to be high risk, therefore the emails are delivered to the end user.
Other notable tactics and techniques include geolocation-aware threats. These threats verify the location of the target before executing. One example observed in the Cofense Phishing Defense Center was a malware-based threat targeting users in Brazil. When the malicious file was opened on a machine with a non-Brazilian IP address and language settings, the payload appeared benign – no malicious behavior was observed. However, when the IP address, system language settings and keyboard layout were changed to Brazilian, the payload executed. These tactics are used both to ensure appropriate targeting of threats, and also to defeat and deceive analysis technologies.
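A routing rule for the file-sharing tactic described in this answer, as an added example that is not Cofense code (it does not address the geolocation-aware payloads, which are a detonation-environment problem rather than a link-routing one). Because a gateway URL scanner rates links to Dropbox, OneDrive, Google Drive or sharepoint.com as low risk on their own, the rule scores the combination instead: a sharing-service link from an external sender is held for analysis, the same link from an internal sender is delivered with a banner, and any other link keeps the gateway's default verdict. The internal domain, the sharing-host list, the sender addresses and the message bodies are constructed, and the host list is illustrative rather than exhaustive.

```python
"""Routing rule for cloud file-sharing links in inbound mail.

Added example, not Cofense code.  A sharing-service link is not risky by
itself, so the verdict depends on who sent it: external sender -> hold for
analysis; internal sender -> deliver with a banner; any other link -> leave
the gateway's own verdict in place.  All domains, addresses and bodies below
are constructed, and SHARING_HOSTS is illustrative, not exhaustive."""
import re
from urllib.parse import urlparse

INTERNAL_DOMAINS = {"example.com"}   # constructed: the organisation's own mail domains
SHARING_HOSTS = {"dropbox.com", "onedrive.live.com", "1drv.ms",
                 "drive.google.com", "sharepoint.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
SEVERITY = {"gateway_default": 0, "deliver_with_banner": 1, "hold_for_analysis": 2}


def host_matches(host, suffixes):
    """True if host equals one of the suffixes or is a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify_link(sender, url):
    """Verdict for one link, given the envelope sender of the message carrying it."""
    host = urlparse(url).hostname
    sender_domain = sender.rsplit("@", 1)[-1]
    external = not host_matches(sender_domain, INTERNAL_DOMAINS)
    if not host_matches(host, SHARING_HOSTS):
        return "gateway_default"
    return "hold_for_analysis" if external else "deliver_with_banner"


def review_message(sender, body):
    """Return (verdict, [(url, link verdict), ...]) for one message; the strictest link wins."""
    links = []
    for raw_url in URL_RE.findall(body):
        url = raw_url.rstrip(".,;)")
        links.append((url, classify_link(sender, url)))
    verdict = max((v for _, v in links), key=SEVERITY.get, default="gateway_default")
    return verdict, links


# Constructed sample messages covering each branch of the rule.
SAMPLES = {
    "external_sharing": ("accounts@payments-update.test",
                         "Your invoice is ready: https://tenant-name.sharepoint.com/sites/docs/invoice.pdf"),
    "internal_sharing": ("finance@example.com",
                         "Q3 figures are in https://www.dropbox.com/s/abc123/q3.xlsx"),
    "external_plain": ("news@vendor.example",
                       "See https://www.vendor.example/news for updates."),
    "no_links": ("hr@example.com", "Reminder: the office is closed on Friday."),
}


def sample_verdicts():
    """Message-level verdict for each constructed sample."""
    return {name: review_message(sender, body)[0] for name, (sender, body) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in sample_verdicts().items():
        print(f"{name:18s} {verdict}")
```

Matching on host suffixes rather than exact hosts is what catches tenant-specific names such as a sharepoint.com subdomain; a lookalike domain that merely contains the word "dropbox" does not match, because the suffix check anchors on the real registrable domain. The "hold" verdict is a queue for the analysis that the answer describes, not a block, so legitimate external sharing still reaches the user once reviewed.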
Part two of this Q&A session with David Mount will be posted later this month.