October 26, 2022 · 9m read
Phishing Incident Response: Automate your abuse mailbox and cut triage and response time
Even with huge investments in user training and phishing report triage, attackers still prevail at using email as an easy entry point into an organization. It’s a never-ending battle to secure the inbox.
Veteran security teams know that user reports of phishing are absolutely essential for detecting attacks that bypass security filters. One recent study showed that employee reports proved effective in helping defend an organization quickly, with new phishing campaigns reported in less than 5 mins and 60% of reporting employees having an accuracy of >80%.
But there are two problems in how user reports are included in the phishing response process:
- The large time gap between the first user report and the security team remediating the entire attack leaves a window open when others can fall victim to the attack.
- The many variants of an attack make it difficult for the security team to quickly and confidently remediate the full scope of the attack.
In this blog, we’ll explore key issues and share best practices for how your team can set up a more efficient phishing response and cut phishing triage and response time.
Phishing Response: A Quick Overview
Phishing response involves many different tools and processes working together:
- Gateways / inbound phishing detection: Frequently synonymous with email security, gateways attempt to block harmful or suspicious messages from ever reaching mailboxes.
- Phishing training and simulations: Because no detector is perfect, security teams train users to learn what phishing attacks look like so they can spot and report them.
- Phishing reporting: Users are also trained to report incidents to their security team when they see something suspicious in their inbox. For example, they might forward to a specific mailing list or click a button in the mailbox to report the incident.
- Phishing triage: Once users have reported phishing incidents, the security team needs to review the reports, find all other incidents, determine the remediation required, and communicate back to users to close the loop.
Unsurprisingly, these steps bring unique challenges that complicate the phishing response.
The barriers to a better phishing response process
1. Inbound detection will never be bulletproof
Gateways and API-based filters are extremely important in helping catch a large number of attacks. And while their capabilities constantly improve, they are still not invincible, nor will they ever be.
Attackers continuously find new means to evade SEGs and filters, and security vendors must keep playing the game of cat and mouse to protect against new tactics and techniques. And if a gateway or filter can’t catch the attack initially, the security team needs to detect the attacks another way. This is why the rest of the phishing response process is so important: inbound detection will never be perfect.
2. Phishing training and simulation is difficult to get right
Phishing training is imperative so that users are able to help protect themselves and their organization. But phishing training and simulation solutions make it difficult to do this well. They have inherent limitations and security teams spend energy trying to work around them.
Limitation: Today’s tools send simulation messages that must get through inbound detection.
Workaround: Security teams must spend their time figuring out how to create a clever message that will get past a filter, or, more likely, use an allow list with an unrealistic template that would never make it to a mailbox in a real attack. Not only does this train users on overly simplistic attacks, but it leaves an allow list opening for real attacks.
Limitation: Even if the simulation message makes it to the mailbox, the inbound detection tools frequently probe the links anyway and cause false positives.
Workaround: Investigate each test failure and manipulate results to account for false positives.
Limitation: Force customers into a specific phishing reporting mechanism that may not be preferred and might not work on all devices.
Workaround: Ask end users to report from specific email clients.
3. Phishing reporting has a detection-remediation gap
Even when your well-trained users spot and report a phishing attempt, another employee may accidentally fall for it before the security team has a chance to remediate the entire attack. The time between the first report and the security team’s full remediation is what we call “The Detection-Remediation Gap.”
It only takes another second for a different user to fall victim. In fact, one study shows that one minute and 20 seconds is the median time it takes for an employee to open a phishing email that lands on a company's network and in their inbox. Not much time for the security team to jump in and rescue.
4. Phishing triage is manual (and very painful)
Once the security team is aware of a phishing attack, they must find and address all variants of the same attack across all mailboxes to quickly contain the attack. Phishing triage can be extremely tedious and error-prone, especially on an ongoing basis. Manual efforts here result in slow response time, especially when incidents happen outside of work hours or the security team is busy fighting other fires. This allows an attacker to have even more time to win against targets and infiltrate systems.
While there are some abuse mailbox remediation solutions coming to market to help with phishing triage, their remediation options are lackluster, not allowing flexibility for the security team to manipulate the mailbox quickly in post-delivery.
How to make phishing response more effective and efficient
In order to better protect against phishing messages that make it into employees’ mailboxes, we need a better phishing response process.
Material’s approach: collective phishing defense. Find a way to enable one employee’s report of a phishing incident to instantly protect the rest of the organization. We call this phishing herd immunity.
By automatically clustering similar messages during an attack, Material can treat the messages as a single unit instead of individually trying to remediate each one. Once one user reports a phishing incident, Material can automatically apply a default remediation across the entire campaign to prevent future victims.
When the security team triages the incident, they can update the remediation for all messages with a click.
Remediations can “speed bump” or entirely block links and attachments, display a custom warning banner, or remove the email from the inbox entirely. And security teams choose which remediations apply automatically to reported messages, and then adjust the remediation during triage. Some teams even leave the defanged version in the mailbox as a training opportunity.
You’ve put a ton of investment (time, money, and resources!) into phishing training. By using a collective defense approach, you can get more out of those investments by enabling users to protect one another while also reducing operational pain for the security team.
How security teams are using Material Security to automate phishing response
Many teams are improving their phishing incident response processes with this new approach. Information security analyst at Cloudera, Trevor O’Donovan, shared, “We had enough of phishing. It was taking time away from other work. We wanted it automated to get a better handle on it and be more proactive." The security team at Cloudera proceeded to cut phishing triage time by 80% with Material Security’s Phishing Herd Immunity solution.
If you’d like to learn more about how security teams are using Material to better protect their organizations, check out these other resources:
- Ridesharing Giant Lyft’s Journey to a More Efficient Phishing Response
- Gusto Tackles Three Priorities With a Novel Approach to Email Security
- Collective Health scales user phishing reporting while drastically reducing the Security team’s time spent triaging
And if you’d like to see how Material can help improve your team’s phishing response, try Material for yourself here.