PREDICTIVE INTELLIGENCE
But when it’s time to make critical decisions, he’s at the wheel. Know why? His expertise and intuition are irreplaceable. This is the point in the response chain where he earns his salary by saving the day against malware, wire-transfer scams, you name it.
Kamel Tamimi, Principal Security Consultant at Cofense Inc
services, the industry that spends the most on cybersecurity technology, is so far behind. So where does the problem lie? Ask any SOC or incident response team – it’s the sheer volume of items needing analysis and response, alerts reported by both users and machines.

Automation saves time. People save the day

Humans and machines – now let’s talk solutions. When your phishing response uses each in the smartest ways, you can stop active threats faster and more efficiently, rather than drowning in emails and leaving your network exposed.

I have a customer who used to spend an entire day, or the better part of one, manually sorting through emails reported to his abuse box. I’m talking about a highly skilled incident response professional who would rather hunt threats than look at mountains of spam. Now he handles this task in an hour or sometimes less. The difference: automated email analysis combined with a great spam filter. His platform weeds out spam and other harmless emails, plus groups verified phishing emails by attribute and campaign. These groups, or clusters, let him respond to entire phishing campaigns – way more efficient than responding to this email, and this one, and that one, etc.
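The filter-then-cluster workflow described above, as an added illustration that is not Cofense’s platform or code: a small Python script takes constructed reported-email records, drops the ones a spam-filter stage treats as harmless, and links the rest into campaigns wherever two reports share a landing-page host, an attachment hash, or the same sender domain plus subject fingerprint. Every domain, hash and allowlist entry is made up; the linking rules are an assumption about how such a platform might group reports, not a description of any product.

```python
"""Group user-reported emails into campaigns (added example, constructed data)."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed bulk-mail senders the spam-filter stage drops outright. A real
# platform would use a reputation feed rather than a hard-coded set.
BULK_SENDER_DOMAINS = {"newsletter.example-shop.com", "promo.example-deals.net"}

# Constructed reports, one per reporting user. The hex string is a made-up
# attachment hash, not a real indicator.
REPORTED_EMAILS = [
    {"id": 1, "sender": "ceo@healthco-mail.example", "subject": "Policy update #4471 - confirm today",
     "urls": ["http://policy-confirm.example/login"], "attachment_sha256": None},
    {"id": 2, "sender": "ceo@healthco-mail.example", "subject": "Policy update #4482 - confirm today",
     "urls": ["http://policy-confirm.example/login?u=2"], "attachment_sha256": None},
    {"id": 3, "sender": "exec-office@other.example", "subject": "Please review corporate policy",
     "urls": ["http://policy-confirm.example/go"], "attachment_sha256": None},
    {"id": 4, "sender": "alerts@cardprovider-notice.example", "subject": "Unusual recent activities",
     "urls": ["https://my-account-verify.example/"], "attachment_sha256": None},
    {"id": 5, "sender": "alerts@cardprovider-notice.example", "subject": "Unusual recent activities",
     "urls": ["https://my-account-verify.example/?ref=9"], "attachment_sha256": None},
    {"id": 6, "sender": "deals@promo.example-deals.net", "subject": "50% off this weekend",
     "urls": ["https://promo.example-deals.net/sale"], "attachment_sha256": None},
    {"id": 7, "sender": "billing@vendor.example", "subject": "Invoice 2203 attached",
     "urls": [], "attachment_sha256": "ab12" * 16},
    {"id": 8, "sender": "accounts@vendor-pay.example", "subject": "Invoice 2204 attached",
     "urls": [], "attachment_sha256": "ab12" * 16},
]


def sender_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def subject_fingerprint(subject):
    """Normalise a subject so per-recipient variants (ticket numbers etc.) match."""
    return re.sub(r"\d+", "#", subject.lower()).strip()


def url_hosts(urls):
    return {urlparse(u).hostname.lower() for u in urls if urlparse(u).hostname}


def is_harmless(email):
    """Spam-filter stage: known bulk senders, or mail with no link and no attachment."""
    return sender_domain(email["sender"]) in BULK_SENDER_DOMAINS or (
        not email["urls"] and not email["attachment_sha256"])


def cluster_campaigns(emails):
    """Return clusters (largest first) of reports linked by a shared URL host,
    attachment hash, or sender domain + subject fingerprint, with the indicators
    each cluster shares so the analyst can block a whole campaign at once."""
    kept = [e for e in emails if not is_harmless(e)]
    parent = {e["id"]: e["id"] for e in kept}

    def find(x):  # union-find with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    # Index every linking attribute; any two reports sharing one are merged.
    index = defaultdict(list)
    for e in kept:
        keys = [("host", h) for h in url_hosts(e["urls"])]
        if e["attachment_sha256"]:
            keys.append(("hash", e["attachment_sha256"]))
        keys.append(("sender+subject", (sender_domain(e["sender"]),
                                        subject_fingerprint(e["subject"]))))
        for k in keys:
            index[k].append(e["id"])
    for ids in index.values():
        for other in ids[1:]:
            parent[find(ids[0])] = find(other)

    groups = defaultdict(list)
    for e in kept:
        groups[find(e["id"])].append(e)
    clusters = [{
        "ids": sorted(m["id"] for m in members),
        "hosts": sorted(set().union(*(url_hosts(m["urls"]) for m in members))),
        "hashes": sorted({m["attachment_sha256"] for m in members if m["attachment_sha256"]}),
    } for members in groups.values()]
    return sorted(clusters, key=lambda c: (-len(c["ids"]), c["ids"]))


if __name__ == "__main__":
    for c in cluster_campaigns(REPORTED_EMAILS):
        print(f"campaign of {len(c['ids'])} reports {c['ids']}: hosts={c['hosts']} hashes={c['hashes']}")
```

Running it turns eight reports into three campaigns plus one discarded bulk mail: the two “CEO policy” reports and the differently worded third one are joined through the common landing host, the two card-provider reports through theirs, and the two invoice reports through the identical attachment hash. The point of the union-find step is that a report only needs to share one indicator with any existing member to join the campaign, which is what lets an analyst respond once per cluster instead of once per email.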
The automation even extends to security playbooks. Instead of spending his highly paid time on basic response tasks, this IR pro is happy to rely on automation.
And don’t forget, many of those analysed emails came from human reporters – users trained to recognise and report phishing. When those reports undergo machine analysis and SOC teams act on the findings, man and machine are in harmony. Everyone, and everything, is in the right role.
A couple of success stories
Another Cofense customer stopped a phishing attack in only 19 minutes. Again, a balance of automation and human intelligence made the difference. The email appeared to come from the CEO. It asked employees of a healthcare company to click on a link, go to another page and read and confirm their agreement with a corporate policy.

First, though, employees had to log in with their network credentials. The attacker aimed to harvest passwords, gain file system access and reroute electronic payroll deposits. And he almost succeeded. In fact, many employees took the bait. The email was very convincing, using the company’s logo and language from its website. Fortunately, other employees remembered their training and reported the email – within a minute of the campaign’s launch. Eighteen minutes later, thanks to automated analysis followed by human vetting, the company blocked the phishing site and pulled the email from inboxes.
One more example – a major financial services company saw a series of reported emails sent, allegedly, by a major credit card provider. The email landed in hundreds of inboxes and, as in the previous example, used counterfeit branding to get users to drop their guard. The email told recipients that the credit card company had noticed unusual ‘recent activities’ in their accounts. It then instructed employees to click a link to a ‘My Account’ page, where they could verify and protect their personal information. The landing page asked for a wealth of personal data: name, social security number, email address and more. In other words, a classic credential phish, this one aiming for personal data, not company information (though armed with employees’ personal details, the attacker could have connected the dots and targeted the corporate network).
Fast-forward to the happy ending; the
Issue 08 | www.intelligentciso.com