Interviews | May 4, 2020

Time is of Essence in Dealing with Phishing Threats


Aaron Higbee
Chief Technology Officer and Co-Founder

Cofense

Q1. Why do phishing attacks continue to be so successful despite the heightened awareness of the problem and all the effort that organizations have been putting into dealing with the threat?

Phishing continues to be a pervasive and highly effective attack method, primarily, because there is zero accountability demanded of secure email gateway (SEG) vendors. Endpoint security solutions, web gateways, firewalls and more are evaluated on a regular basis by reputable third-party testing organizations, challenging vendors to continually improve the efficacy of their solution. This, in turn, allows security teams to understand which solutions are doing a pretty job and which ones need big improvement.

But that's not the case for secure email gateways. The big ones covered by analysts do not submit to independent testing to show if they're really doing a good job of keeping the bad out. Analyst firms do not evaluate how the different SEGs stack up when compared to each other using rigorous testing.

Many organizations are sold this myth that because they have a SEG, they are “protected” and have little to worry about. Yet every day, end users at large organizations across the globe report to Cofense thousands of suspicious and malicious emails that slipped past their “secure” email gateways. These phishing emails land in employee inboxes, waiting to be opened and clicked on so an attacker can successfully compromise the organization. We see so many new breach headlines every month that we've almost become anaesthetized to it – the sad truth is that a large majority of these breaches started with a successful phishing attack that bypassed the SEG.

The stark reality is that SEGs are porous - there is a lot of bad stuff that gets through. And SEG vendors have little impetus to improve the level of protection they provide because they aren't subject to submitting their product to independent, third party testing houses to evaluate the efficacy of the protection they truly provide.

Q2. What kind of tools and services are going to be needed in the next few years to combat the rise in phishing? Where do the biggest capability gaps exist currently?

There's a lot of talk and excitement about AI, ML and automated analysis. While automation is nice, let's not fool ourselves into believing the “next generation” of automated phishing email analysis, which many vendors are touting, is going to be better than the previous generation and magically solve the phishing problem.

We've already seen signs that attackers are deceiving automated phishing analysis, leveraging trusted tools and software to bypass perimeter technologies. And with all new advancements that come with automation, the attackers are going to figure out ways to get past it.

So what's needed? We need to understand attackers have been crafting phishing emails for years to evade automated analysis. Humans are non-deterministic. Attackers game automated analysis techniques, but they cannot predict each human's reaction. We need to marry human-driven insight and instinct with technology to help organizations detect the bad stuff that gets in. Humans have this innate ability, that technology can't always detect, to look at something and say, "that doesn't feel right."

Security Operations teams feel the gap – they don't have the tools to rapidly search and quarantine live phishing attacks in progress. We hear it every day when we talk to organizations around the world. The SOC teams are overworked, stressed, and lacking the tools and resources they need to quickly and efficiently protect their organization against the phishing attacks that make their way in.

Q3. What does Cofense plan on highlighting at Black Hat USA 2020?

Left undiscovered, phishing attacks can cause serious damage to an organization, and time is of the essence once a phishing threat is delivered. Yet overburdened SOC teams have told us repeatedly that they have neither the time nor the right tools to quickly and efficiently identify the truly malicious threats that have slipped past their email security -- the sheer volume of reported emails they receive every day is overwhelming. The irony is SOCs often spend time cleaning up phishing incidents after they are successful. They could be spending time responding to live phishing campaigns in progress.

We're arming security operations teams with the tools they need to rapidly identify, analyze and automatically quarantine the real phishing attacks that made it past their SEGs so they can neutralize a threat in minutes before it has time to do lasting damage.

Cofense Triage enables security teams to quickly and easily turn user reported email into actionable intelligence by using a large library of powerful rules that leverage our network of over 22M human sensors to cut through the often-overwhelming noise of suspicious email reports, allowing analysts focus their attention on emerging threats.

Cofense Vision allows Incident Response and SOC teams to quickly, efficiently, and reliably find Indicators of Phishing and automatically quarantine the entire phishing campaign before malware can take hold or harvest credentials. These analysts can rapidly hunt for and quarantine even the most complex morphing phishing attacks across the entire messaging environment of an organization.

We believe humans are the cornerstone of an effective end-to-end phishing defense program. Our solutions combine timely attack intelligence on phishing threats that have evaded perimeter controls and were reported by employees, with best-in-class security operations technologies to stop attacks faster and stay ahead of breaches.

Sustaining Partners