INTELLIGENT PHISHING DEFENSE
Sławomir Karpiński – CONNECT DISTRIBUTION
Rupert Collier – Cofense
“Phishing and pretexting represent 98% of social incidents and 93% of breaches. Email continues to be the most common vector (96%).”
Source: 2018 Verizon DBIR
Executives & CISO
Security Operations
Security Awareness
End Users
PHISHING DEFENSE A COMMON OBJECTIVE
No matter how good your perimeter security, malicious emails still reach the inbox
UNCOMFORTABLE TRUTH
Large Scale Attacks
Highly Targeted Attacks
Morphing Attacks
Malware: Ransomware, Trojans, Hybrids
Credential Phishing
Business Email Compromise
PHISHING THREAT LANDSCAPE
DEFEATING NEXT-GEN DEFENCES
SPF
DKIM
DMARC
Organisation A Supplier B
Next-Gen SEG, AI, ML, Threat Intel, Sandbox, UEBA etc
www.organisation-a.com
You cannot defend against attacks you cannot see
UNCOMFORTABLE TRUTH
✓ Threats observed in the wild
✓ Threats observed by other organizations
✓ Threats that have reached the inbox
Threats OUTSIDE the network
Threats INSIDE the network
VISIBILITY THROUGH TWO LENSES
1 in 7 emails reported by ~2m end users to the Cofense Phishing Defense Center contain malicious content
VISIBILITY IN ACTION
Remember – the PDC only sees threats because users identified them after technology didn’t
55,404
27,501
4,152
Credential Harvesting Attacks
Campaigns delivering malicious attachments – including abuse of filesharing services
Business Email Compromise Attacks
2018 – Cofense Phishing Defense Center
WHAT GOT THROUGH?
The best security awareness program in the world will never deliver a zero click rate
UNCOMFORTABLE TRUTH
CLICK RATE FLATTENING
Aggregated data of >70m simulation emails sent per year by >2,000 Enterprise customers
Most organizations are unable to effectively respond to phishing attacks
UNCOMFORTABLE TRUTH
✓ Empowered & trusted as part of phishing defense
✓ Demonstrable evidence of contribution to improvement of security posture
✓ Increased user engagement in security awareness activities
✓ Visibility of attacks that have reached the inbox
✓ Shared phishing threat intelligence
✓ Disrupt active phishing attacks with greater speed and efficiency
✓ Security awareness activities relevant to real organizational threats
✓ Understanding of organizational risk posture
✓ Resources focused on biggest risks
Executives & CISO
Security Operations
Security Awareness
End Users
Intelligent Phishing Defense
PHISHING DEFENSE BENEFITS
COLLECTIVE PHISHING DEFENSE
Benefit from shared phishing threat intelligence to identify and shut down phishing attacks faster.
Leverage intelligence from:
Global Enterprise & Industry peers
Cofense Phishing Defense Center
Cofense Intelligence
PHISHING RESPONSE CAPABILITIES
VISIBILITY ACHIEVED
CASE STUDIES
PHISHING DEFENSE IN ACTION
11:48 Spear phishing attack launched
11:49 Users begin reporting the attack to the PDC
PDC begins analysis
12:00 Analysis escalated following initial analysis and further reports
Large scale attack identified
12:07 Analysis completed.
Customer alerted and mitigation actions implemented
Attack disrupted
Customer Industry: Healthcare
Location: US Headquartered
Number of Employees: >70,000
Employees of a healthcare company were going about their day. The usual mundane emails piled up in their inboxes. So when they received a message from their CEO, employees paid attention. It wasn’t the typical meeting invite or question from a colleague.
The email asked them to read and agree to a company policy. Simple. Just click on a link, which took them to a login page—from there, they’d enter their credentials and go to the policy page.
But the sender wasn’t the CEO. He was a talented fraudster. The attacker aimed to harvest passwords, gain file system access, and reroute electronic payroll deposits. And he almost succeeded. Perimeter defenses did not stop this attack. Despite layered security controls, and mature and ongoing awareness activities, users still took the bait, clicked the link and gave up their credentials. The attack was mitigated because users were conditioned to recognise and report the attack, which provided visibility to security teams who were able to respond.
THE NET RESULT
Despite layers of perimeter controls, a large-scale targeted attack spoofing the organization’s CEO made it to thousands of user inboxes, and many users gave up their credentials.
Well conditioned users identified the attack, and reported it to the Cofense Phishing Defense Center who were able to rapidly provide actionable intelligence to enable security teams to disrupt the attack in 19 minutes.
STOPPING A LARGE SCALE TARGETED ATTACK IN 19 MINUTES WITH COFENSE PHISHING DEFENSE CENTER
PRODUCTS
Cofense PhishMe
✓ Ongoing conditioning of users to recognize suspicious emails through ongoing intelligence-driven phishing simulation
✓ Drive reporting culture to get visibility of threats that have made it to the inbox
✓ Keep the risks of phishing front and center in users’ minds
ENABLING BEST PRACTICE
Cofense Reporter
✓ Provide simple quick-click method for users to report suspicious emails across desktop, web and mobile clients
✓ Promote high reporting engagement and augment phishing awareness activities by delivering feedback to users during simulations
✓ Enable enhanced metrics for phishing awareness program effectiveness
✓ Consistent format of reported emails preserving all information required for effective analysis, and reported simulations suppressed, avoiding distractions to the SOC
ENABLING BEST PRACTICE
Cofense Triage
✓ Speed and efficiency in phishing incident response
✓ Understand and process threat campaigns through clustering
✓ Create Playbooks to automate incident response actions
✓ Quickly identify and quantify risk – leverage reporter reputation and status to identify zero-day threats
✓ Maintain high reporting engagement through automated user feedback on what they reported, every time they report
ENABLING BEST PRACTICE
Cofense Vision
✓ Quickly identify all recipients of complex phishing attacks
✓ Single click quarantine to remove threat from all mailboxes
✓ Proactively hunt for unreported threats
✓ Transparent audit and governance of mitigation actions
ENABLING BEST PRACTICE
Cofense Intelligence
✓ Provide human-vetted phishing threat intelligence to drive and underpin phishing awareness and defence activities
✓ Machine readable IOCs inform decisions on what to block
✓ Rapid and accurate identification of malicious content
✓ Insight into emerging TTPs to help shape investment decisions for ongoing defense
ENABLING BEST PRACTICE
Cofense Managed Outcomes
✓ Fully Managed Services: phishing simulations and analysis
✓ Highly trained anti-phishing Specialists
✓ Experienced malware analysts utilizing best-of-breed Threat Analysis Tooling
✓ Static & Dynamic Threat Analysis with a Global Perspective
✓ Customized scenario strategy: condition users to recognize current threats
• Increased Phishing Resiliency
• Actionable Threat Intelligence
• Real-Time Threat Sharing
ENABLING BEST PRACTICE
CONNECT DISTRIBUTION Sp. z [email protected]
www.connectdistribution.pl
+48 22 400 1234