Phishing detection and response for the future

CIO Tech Asia spoke with Ryan Jones, director of sales APAC at Cofense.

Tell us why phishing is the number one method in which a threat actor can gain access to a company’s network?

RJ: It’s pretty simple, really. Phishing remains the number one way a threat actor can gain access because it does not rely on a technical failure, especially at the gateway level. Phishing relies on people, their emotions, the way they think and how they act. More than anything, the key factor that has allowed phishing to be successful is that it’s using methods as old as time and it’s not using any new methods. Frank Abagnale from Catch Me If You Can fame said, “The whole social engineering aspect of scamming hasn’t changed in 40 years. Scammers, conmen and criminals all stay the same, but the methods have changed significantly”.

Why is it important to condition employees to recognise phishing?

RJ: It’s so important for a number of different reasons. People are not naturally exposed to these types of things, especially phishing emails, so the times that they are, you need them to be effective. When we condition our employees through phishing simulation awareness training, we are harmlessly exposing them to real phishing campaigns Cofense has seen in the wild, and allowing them to learn in a safe environment. This reduces the likelihood that they will fall prey to a real phishing attack when they naturally receive it.

I equate it to learning how to drive a car. When you drive a car, you get training lessons on how to drive safely, recognise the rules to follow, what things to know and look out for, so that the behaviour becomes second nature. It’s no different than conditioning employees to recognise a potential phishing attack.

From your experience, what have you seen that is the most effective in protecting an organisation against phishing?

RJ: To defend against phishing, the primary thing an organisation needs to have in place is a solid plan. Phishing has been around so long, and it becomes a major problem in their network when they don’t do anything to effectively plan for when the situation arises after a threat evades a SEG. Some organisations place too much emphasis at the gateway level – but beyond that, many lack having a robust detection, response and mitigation plan.

Where organisations could be most effective is utilising what they are doing on the security awareness side. That is, conditioning people to recognise what an attack looks like, taking those findings and operationalising in an effective way to actually deal with phishing emails reported by users. The purpose is to analyse the internal intelligence that is coming through from your employees and providing the visibility to their SOC team. After a suspicious email is identified, it’s being able to use that intelligence for better defence by finding the same threat inside the business and to shut down the attack quickly.

This can be achieved with the right set of tools. If you’re an organisation receiving hundreds or thousands of user reports a month it is very difficult to manually deal with it. Things can get missed. You need the right toolset and the right expertise to defend against unknown and persistent threats.

This is where using the Cofense Phishing Defense Centre™ (PDC) makes sense. At Cofense, we manage phishing incident response for organisations, so when they use our reporting, it is analysed by someone who specialises in phishing and uses the tools that allow them to scale, and to do it quickly. You’re not left defending on your own. This is a common thing that people get caught up in: they try to take on the problem alone. It is much more effective when what’s happening in other organisations is being shared with you so you’re being proactive in your remediation strategy. At Cofense, we call that the “Network Effect”.

You mentioned the “Network Effect”, why is the human element so important and what makes this approach so unique?

RJ: The Network Effect is an interesting one. Actually, we see it being used in other technologies today, but not in the area of phishing or phishing defence. It’s not uncommon with Endpoint Detection and Response (EDR) to have a network effect where files are tagged as malicious and are shared across the network.

But you don’t usually see it in phishing. When an organisation gets hit by an attack and then another organisation gets hit with the exact same attack either on the same day or later, it’s a missed opportunity to be able to defend against that threat.

With the Network Effect, if you have a bunch of people in an organisation reporting an attack, they may be the first to report it globally. That intelligence is then shared across multiple organisations, and it gives all of the SOC teams the opportunity to defend against that attack even before they see it or know about it. You have the benefit of a shared community where we are all working together to defend against known attacks. The Network Effect also brings the human element into it.

We know that once a threat lands in the inbox, technology won’t be able to detect it. A solid defence needs the intuition of a person who understands the context of what the email is, and so by adding all those things together – recognising, reporting, and sharing – you get the Network Effect.

Cofense opened a new Phishing Detection Centre (PDC) in Melbourne, one of five PDCs situated globally. Why is this important to customers in APAC?

RJ: It’s important for a number of different reasons, the main one being that it places a hub specialised on the types of specific attacks occurring in this region. There is still the benefit of global threats that Cofense is seeing around the world but it allows us to have specialists in our region to service clients in real-time. It also gives the ability for organisations that may have data residency issues to use the Cofense Managed PDR service which is conducted by the Cofense PDC team. For some organisations there are jurisdictions which limit them to operate outside of their region, and having a dedicated centre in APAC is another way in which we can meet the needs of our local customers.

You recently announced that you acquired an Israeli company called Cyberfish. Tell us how incorporating their technology into the existing Cofense suite of products will enhance an organisation’s phishing defence?

RJ: We are very excited about the Cyberfish acquisition for a number of reasons. The first is the way their Computer Vision technology is similar to how a person works. One thing we know is technology won’t stop everything. But, by layering technology and layering people, you have the best possible chance to defend against a phishing attack.

The way Cyberfish works is by doing visual analysis to see if it’s phishing like a human does and reduces the risk element further by preventing some of those emails from coming into the environment in the first place. This is done at the user inbox level, which allows the initial risk to be less, then pairing it with awareness training, detection and response, and remediation to be able to have the full plan.

Post-pandemic, tell us about what you think we will see in the 2021 phishing landscape and what organisations should look for?

RJ: We’ll see a lot of the same things as we’ve seen in the past, with some slight evolution. Credential phishing will still be prevalent – it’s a good foothold for an attacker as they can exfiltrate data and gain access to systems.

Crypto variants are becoming notorious by what we’ve seen in the news. These have done some damage to many organisations, in particular and of recent is Channel Nine in Australia.

Also, ransomware has slightly evolved to not only encrypt files, but now it exfiltrates data so companies have to deal with a double ransom.

Organisations need a plan when phishing attacks arrive in the user inbox; a way to identify and respond, but to also go beyond responding to an attack that’s been reported to be able to shut down the attack as it’s received.

Companies need to find the full scope of attack and remove it from their environment quickly through automation, or have the threat shared across other organisations using the Network Effect.

Here’s the last thing I will say. In the 2020 (ISC)² workforce study, it was noted that around the world there is a desperate shortage of cybersecurity professionals of about 3M. Of that, 2.03M is in the APAC region. This is a huge deficit. In Australia, it was about 30-40k and in Singapore, 17-18k.

These numbers give organisations pause for considering how they manage threats and how best to utilize the resources they have. In talking to CISOs, one way in which they are looking to do this is to have internal teams focus on other high value critical tasks and outsource a problem like phishing. While this is still a high value task, it’s time-consuming and is very labor intensive if you’re managing it. It is just one tactic that organisations are taking to alleviate the lack of resources.




One Thought to “Phishing detection and response for the future”

  1. Anonymous

    I like the term Network Effect. That’s a great way to put it. Another company actually calls it “Decentralized Threat Protection” because when one of their customers is targeted, their platform notifies all other organisations of this new attack and protects the entire customer network in real time. It seems like Cofense along with everyone else has missed the opportunity to be able to defend against that threat…… Might want to check out Ironscales.
