Fight the Phish! Don’t Hesitate to report phishing!

With phishing still the largest threat leading to a data breach, it’s not surprising that the Department of Homeland Security (DHS) / Cybersecurity and Infrastructure Security Agency (CISA) dedicated a week to cover this topic. If you’re looking to learn more about phishing threats, you’ve come to the right place. There isn’t a week that goes by that we’re not publishing something related to the latest phishing threat landscape. It may be the latest tactic we’ve observed in our Managed Phishing Detection and Response (MPDR) service or reported on in our weekly highlights of Secure Email Gateway (SEG) misses.

By Tonia Dudley

It didn’t take long before Aaron realized that there’s more to it than just teaching users how to identify a phishing email. This was a time when organizations were starting to feel the pressure of advanced persistent threats (APT), and early detection was critical. Providing employees with a quick way to send that suspicious (real) email off to the security operations team shifted the focus from “don’t click” to “just report.” When assessing the maturity of your program, it’s important to look at the resiliency rate – anything greater than 1 indicates more users reporting a suspicious email. It’s no longer about “it only takes one to click.” The conversation has changed to “it only takes one to report,” setting in motion your organization’s detection process using those indicators of compromise (IOC) to search your environment from the endpoint (EDR) to your web proxy. This is why Cofense has moved beyond being known as a “security awareness” company, shifting to a phishing defense company.

In 2011, our co-founders Rohyt Belani and Aaron Higbee launched PhishMe based on the idea Aaron had of creating a SaaS offering that would allow enterprises to conduct immersive phishing training for their employees. Today, this immersive training is the foundation for any organization invested in a phishing defense program.

Over the years we’ve refined our approach to focus phishing simulation templates toward active threats. As the SEG technology adapts to known threats, we’ve added templates that resemble a phishing threat that is more likely to end up in your users’ inbox. By aligning to the current threats and tactics, your organization is better prepared to defend against a real phishing campaign.

Not only is choosing the right template for your organization essential, focusing on the right metrics is critical as well. If your program is truly concerned with defending against phishing threats, the key metric that reflects the success of your program is the number or percentage of users reporting. Need evidence of this success? Let’s take a look at the annual Mandiant M-Trends on median dwell time and the year-over-year improvements. Dwell time is the amount of time a threat actor is in your environment before they are detected. As ransomware has topped the headlines this year, early reporting has become even more critical. We see threat actors delivering their toolkit (reconnaissance tools, remote access trojans, keyloggers) far in advance of deploying the actual ransomware.

Figure 1 – Typical Credential Phish

If you haven’t implemented a phishing defense program, it’s never too late to get started. We encourage organizations to deploy a full end-to-end program but if you’re limited on budget, starting with PhishMe and Reporter (included in your license) is a great option. We know having thousands of users suddenly report emails to your security team can be daunting. You can leverage our Managed Phishing Defense and Response (MPDR) service to gain speed and expertise.

Figure 2 – M-Trends Annual Report: Median Dwell Time


This post was first published on Cofense’s website by Cofense.