Combat Phishing with Enterprise Security Response

Oh look, another email with an urgent message to change your bank password by clicking an embedded link… From a bank you don’t even use. Phishing emails are a daily annoyance, but they’re also a popular ingress point for targeted attacks.

Overall, phishing and spam messages are on the decline, but that’s simply because attacks are becoming more targeted. Spear-phishing campaigns targeting employees increased 55% last year, according to Symantec’s Internet Security Threat Report, and these campaigns are more selective than ever.

It’s become easy and inexpensive to launch a spear phishing campaign thanks to readily available kits. But what makes these attacks successful is targeting and personalization through social engineering.


We are the Weakest Link

Humans continue to be the weakest link in the infosec chain, and with tons of information available about companies and their employees on the Internet, it doesn’t take much effort for these emails to look convincing. In fact, it can be as simple as sending what looks like an attached invoice to accounts payable.

The now-infamous hack of the Democratic National Committee exploited this human vulnerability. Staffers received what looked like a Gmail password reset message, and the link took them to what appeared to be a Google login page, where their passwords were collected. Twenty out of 108 recipients clicked this link, giving hackers access to email, schedules, and shared documents.

Many organizations roll out security training to try to prevent this kind of breach. Users are becoming smarter, but they need to be acknowledged when they report attempts. So… how do you deal with phishing emails?

Black Hole Mailbox

Do you have a reporting email address like Is it simply a mailbox or does it go to a distribution list? Is there some type of auto-reply enabled? Have I now propagated the threat? The bigger question is: does anyone pay attention to it?

There are often so many other higher-priority issues to deal with that the phishing mailbox gets largely ignored. When these reports go to a distribution list, they’re even more likely to be ignored, as everyone assumes someone else will handle it. Email is not a system of record and therefore shouldn’t be used to track phishing attacks. Not to mention that a mailbox offers no way to make the process repeatable, to correlate reports and generate threat intelligence, or to build and share knowledge across the team.

On the submitters’ side, they have no idea if anyone even received the email, let alone did anything about it. They don’t get any feedback as to whether what they submitted was actually a phishing email or if they did the right thing by submitting it. Recognition is an important part of promoting security-conscious behavior.

Phishing Response the Automated Way

Automation can save you some 20 minutes of investigation for every phishing email, as well as acknowledge the submitter. You might say, “Well that’s great, but how do I start?”

Start passively: The passive method involves setting up an easy way for the submitter to get that suspicious email into the system of record for triage. It’s essentially a customer-facing front end for your security team. This can be done with a web form which will collect the submitter’s info and a copy of the email or by simply asking your users to continue forwarding emails to but this time there is a system that can parse out the info and send an acknowledgment back to the submitter.

Once the email is received, the system automatically scans the message for malware and compares data from the header, body, and attachments against known IoCs (Indicators of Compromise).

It’s important to note that this isn’t about replacing your email security. But with the exception of solutions that do an additional check at the time a URL within an email is clicked, most email scanning is done prior to delivery to the recipient’s mailbox, so once a phishing email makes it inside the network, it’s free to spread.

Grow to active: A more active response would involve the security analyst searching the mail store for additional copies of the phishing email to delete before they can be opened or clicked. But deleting someone else’s email sounds like it could go very badly. Can you trust the overeager newbie not to delete something important by mistake?

You can with the right system and controls in place. A smart system won’t let the emails get deleted until they’ve been programmatically confirmed as malicious. A smart system won’t require your security analyst to log in to a mail store and begin a search.
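The passive intake and the guarded active step described above, as an added example that is not from the original post or from any vendor product: Python that parses a constructed forwarded message, pulls out the sender, the URLs in the body and the SHA-256 of each attachment, matches them against a constructed IoC list, drafts the acknowledgment back to the submitter, and refuses to purge other copies from a stand-in mail store unless the verdict is confirmed. Every address, domain, Message-ID and the `KNOWN_IOCS` feed is made up; the in-memory `mail_store` dict stands in for a real mail system.

```python
import email
import hashlib
import re
from dataclasses import dataclass, field
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed IoC list standing in for a threat-intel feed (all values made up).
KNOWN_IOCS = {
    "senders": {"security@account-verify-example.test"},
    "domains": {"account-verify-example.test"},
    "attachment_sha256": set(),
}


def build_sample_report() -> bytes:
    """Constructed phishing message as a user might forward it, as raw RFC 5322 bytes."""
    msg = EmailMessage()
    msg["Subject"] = "Urgent: confirm your mailbox password"
    msg["From"] = "IT Helpdesk <security@account-verify-example.test>"
    msg["To"] = "alice@corp.example"
    msg["Message-ID"] = "<constructed-0001@account-verify-example.test>"
    msg.set_content(
        "Your password expires today. Verify it here:\n"
        "https://account-verify-example.test/reset?u=alice\n"
    )
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


@dataclass
class Observables:
    message_id: str
    sender: str
    reply_to: str
    urls: list = field(default_factory=list)
    attachment_hashes: dict = field(default_factory=dict)  # filename -> sha256 hex


def extract_observables(raw: bytes) -> Observables:
    """Parse the submitted message and pull out the data an analyst would check by hand."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    obs = Observables(
        message_id=str(msg.get("Message-ID", "")),
        sender=parseaddr(str(msg.get("From", "")))[1].lower(),
        reply_to=parseaddr(str(msg.get("Reply-To", "")))[1].lower(),
    )
    for part in msg.walk():
        if part.is_attachment():
            digest = hashlib.sha256(part.get_payload(decode=True)).hexdigest()
            obs.attachment_hashes[part.get_filename()] = digest
        elif part.get_content_type() in ("text/plain", "text/html"):
            obs.urls.extend(URL_RE.findall(part.get_content()))
    return obs


def match_iocs(obs: Observables, iocs: dict = KNOWN_IOCS) -> list:
    """Return the indicators from the feed that the message's observables hit."""
    hits = []
    if obs.sender in iocs["senders"]:
        hits.append(f"sender:{obs.sender}")
    for url in obs.urls:
        host = (urlsplit(url).hostname or "").lower()
        if host in iocs["domains"]:
            hits.append(f"domain:{host}")
    for name, digest in obs.attachment_hashes.items():
        if digest in iocs["attachment_sha256"]:
            hits.append(f"attachment:{name}")
    return hits


@dataclass
class TriageResult:
    message_id: str
    verdict: str  # "confirmed_malicious" or "needs_review"
    hits: list


def triage(raw: bytes, iocs: dict = KNOWN_IOCS) -> TriageResult:
    obs = extract_observables(raw)
    hits = match_iocs(obs, iocs)
    return TriageResult(obs.message_id, "confirmed_malicious" if hits else "needs_review", hits)


def acknowledgement(reporter: str, result: TriageResult) -> str:
    """Feedback to the submitter, so the report never disappears into a black-hole mailbox."""
    if result.verdict == "confirmed_malicious":
        detail = "It matched known indicators (" + ", ".join(result.hits) + ") and has been blocked."
    else:
        detail = "It did not match known indicators and is queued for analyst review."
    return f"Hi {reporter}, thanks for reporting {result.message_id}. {detail}"


def purge_copies(mail_store: dict, result: TriageResult) -> int:
    """Delete other copies only after a confirmed verdict; refuse otherwise.

    mail_store is a constructed stand-in: {mailbox: [message_id, ...]}.
    """
    if result.verdict != "confirmed_malicious":
        raise PermissionError("purge refused: message has not been confirmed malicious")
    removed = 0
    for ids in mail_store.values():
        before = len(ids)
        ids[:] = [mid for mid in ids if mid != result.message_id]
        removed += before - len(ids)
    return removed


if __name__ == "__main__":
    raw = build_sample_report()
    result = triage(raw)
    print(acknowledgement("alice", result))
    store = {"bob@corp.example": [result.message_id], "carol@corp.example": ["<other@corp.example>"]}
    print("copies removed:", purge_copies(store, result))
```

The verdict gate in `purge_copies` is the control the paragraph asks for: the same code path that deletes mail will not run on an analyst's hunch, only on an indicator match, and an unmatched report stays in the review queue with the submitter told exactly that.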

The Proactive Way: Enterprise Security Response!

Now you can take the learnings from this investigation to make your security products smarter by updating sensors with newly discovered IoCs. Today, that is time-consuming, as each product, from firewall, to EDR, to SIEM, needs to be updated manually and individually. But with an Enterprise Security Response system, that data can be pushed out to point products quickly and automatically.

The final proactive step brings us back to that security awareness training to address the human vulnerability. But instead of the canned training video, you can use the most tailored and real-world training. For example, you could notify users who received but didn’t report a phishing email. If you deleted a possible attack email from a user’s mailbox, inform them via a message. (This step can even be automated for simplicity.)

You can also send real-life examples (with harmful links removed) to users to give them a better idea of what to look for. This way training is customized to your organization instead of generic lessons that don’t really prepare users to identify phishing attacks.

Even with better security education, phishing emails are still a serious threat. Employing Enterprise Security Response can make triage easier and faster, while providing you the tools to limit damage and better identify future threats.

Read more: Learn how streamlining your vulnerability and security incident response processes can help you rapidly:

  • Prioritize and investigate a new security alert
  • Address suspicious emails, and
  • Respond to a high-profile vulnerability.
Myke Lyons
Myke is the Director and Head of Strategy for ServiceNow’s Security Business Unit helping larger companies better respond to imminent security incidents, quickly find indicators and observables of compromise, and effectively remediate known vulnerabilities. Myke has over 15 years experience in information technology and security. Prior to moving to the Security Business Unit, Myke led ServiceNow’s information security group and was brought on board to help secure the cloud startup while creating a mantra of transparency. He has also held Senior Security positions at Grey Global Group, Y&R, WPP Group, and GE Capital.
