Go back

Phishing Incident Response: Automate your abuse mailbox and cut triage and response time

Even with huge investments in user training and phishing report triage, attackers still prevail at using email as an easy entry point into an organization. It’s a never-ending battle to secure the inbox.

Product
October 26, 2022
9m read
9m read
9m listen
9m watch
9m watch
circles and arrows in a red background
speakers
speakers
speakers
authors
John Hrvatin
participants
No items found.
share

Even with huge investments in user training and phishing report triage, attackers still prevail at using email as an easy entry point into an organization. It’s a never-ending battle to secure the inbox.

Veteran security teams know that user reports of phishing are absolutely essential for detecting attacks that bypass security filters. One recent study showed that employee reports proved effective in helping defend an organization quickly, with new phishing campaigns reported in less than 5 mins and 60% of reporting employees having an accuracy of >80%.

But there are two problems in how user reports are included in the phishing response process:

  1. The large time gap between the first user report and the security team remediating the entire attack leaves a window open when others can fall victim to the attack.
  2. The many variants of an attack make it difficult for the security team to quickly and confidently remediate the full scope of the attack.

In this blog, we’ll explore key issues and share best practices for how your team can set up a more efficient phishing response and cut phishing triage and response time.

Phishing Response: A Quick Overview

Phishing response involves many different tools and processes working together:

  • Gateways / inbound phishing detection: Frequently synonymous with email security, gateways attempt to block harmful or suspicious messages from ever reaching mailboxes.
  • Phishing training and simulations: Because no detector is perfect, security teams train users to learn what phishing attacks look like so they can spot and report them.
  • Phishing reporting: Users are also trained to report incidents to their security team when they see something suspicious in their inbox. For example, they might forward to a specific mailing list or click a button in the mailbox to report the incident.
  • Phishing triage: Once users have reported phishing incidents, the security team needs to review the reports, find all other incidents, determine the remediation required, and communicate back to users to close the loop.

Unsurprisingly, these steps bring unique challenges that complicate the phishing response.

The barriers to a better phishing response process

1. Inbound detection will never be bulletproof

Gateways and API-based filters are extremely important in helping catch a large number of attacks. And while their capabilities constantly improve, they are still not invincible, nor will they ever be.

Attackers continuously find new means to evade SEGs and filters, and security vendors must keep playing the game of cat and mouse to protect against new tactics and techniques. And if a gateway or filter can’t catch the attack initially, the security team needs to detect the attacks another way. This is why the rest of the phishing response process is so important: inbound detection will never be perfect.

2. Phishing training and simulation is difficult to get right

Phishing training is imperative so that users are able to help protect themselves and their organization. But phishing training and simulation solutions make it difficult to do this well. They have inherent limitations and security teams spend energy trying to work around them.

Limitation: Today’s tools send simulation messages that must get through inbound detection.
Workaround: Security teams must spend their time figuring out how to create a clever message that will get past a filter, or, more likely, use an allow list with an unrealistic template that would never make it to a mailbox in a real attack. Not only does this train users on overly simplistic attacks, but it leaves an allow list opening for real attacks.

Limitation: Even if the simulation message makes it to the mailbox, the inbound detection tools  frequently probe the links anyway and cause false positives.
Workaround: Investigate each test failure and manipulate results to account for false positives.

Limitation: Force customers into a specific phishing reporting mechanism that may not be preferred and might not work on all devices.
Workaround: Ask end users to report from specific email clients.

3. Phishing reporting has a detection-remediation gap

Even when your well-trained users spot and report a phishing attempt, another employee may accidentally fall for it before the security team has a chance to remediate the entire attack. The time between the first report and the security team’s full remediation is what we call “The Detection-Remediation Gap.”

graph content image

It only takes another second for a different user to fall victim. In fact, one study shows that one minute and 20 seconds is the median time it takes for an employee to open a phishing email that lands on a company's network and in their inbox. Not much time for the security team to jump in and rescue.

4. Phishing triage is manual (and very painful)

Once the security team is aware of a phishing attack, they must find and address all variants of the same attack across all mailboxes to quickly contain the attack. Phishing triage can be extremely tedious and error-prone, especially on an ongoing basis. Manual efforts here result in slow response time, especially when incidents happen outside of work hours or the security team is busy fighting other fires. This allows an attacker to have even more time to win against targets and infiltrate systems.

While there are some abuse mailbox remediation solutions coming to market to help with phishing triage, their remediation options are lackluster, not allowing flexibility for the security team to manipulate the mailbox quickly in post-delivery.

How to make phishing response more effective and efficient

In order to better protect against phishing messages that make it into employees’ mailboxes, we need a better phishing response process.

Material’s approach: collective phishing defense. Find a way to enable one employee’s report of a phishing incident to instantly protect the rest of the organization. We call this phishing herd immunity.

By automatically clustering similar messages during an attack, Material can treat the messages as a single unit instead of individually trying to remediate each one. Once one user reports a phishing incident, Material can automatically apply a default remediation across the entire campaign to prevent future victims.

When the security team triages the incident, they can update the remediation for all messages with a click.

Remediations can “speed bump” or entirely block links and attachments, display a custom warning banner, or remove the email from the inbox entirely. And security teams choose which remediations apply automatically to reported messages, and then adjust the remediation during triage. Some teams even leave the defanged version in the mailbox as a training opportunity.

You’ve put a ton of investment (time, money, and resources!) into phishing training. By using a collective defense approach, you can get more out of those investments by enabling users to protect one another while also reducing operational pain for the security team.

How security teams are using Material Security to automate phishing response

Many teams are improving their phishing incident response processes with this new approach. Information security analyst at Cloudera, Trevor O’Donovan, shared, “We had enough of phishing. It was taking time away from other work. We wanted it automated to get a better handle on it and be more proactive." The security team at Cloudera proceeded to cut phishing triage time by 80% with Material Security’s Phishing Herd Immunity solution.

If you’d like to learn more about how security teams are using Material to better protect their organizations, check out these other resources:

  • Ridesharing Giant Lyft’s Journey to a More Efficient Phishing Response
  • Gusto Tackles Three Priorities With a Novel Approach to Email Security
  • Collective Health scales user phishing reporting while drastically reducing the Security team’s time spent triaging

And if you’d like to see how Material can help improve your team’s phishing response, try Material for yourself here.

Related posts

Our blog is your destination for expert insights, practical tips, and the latest news in technology. Stay informed with our regular updates and in-depth articles. Join the conversation and enhance your understanding of the tech landscape.

blog post

New in Material: Detections, Remediations, Reports & More

As the days grow shorter and the weather gets colder, Material’s ready with a steady stream of hot platform updates to keep you warm.

Patrick Duffy
4
m read
Read post
Podcast

New in Material: Detections, Remediations, Reports & More

As the days grow shorter and the weather gets colder, Material’s ready with a steady stream of hot platform updates to keep you warm.

4
m listen
Listen to episode
Video

New in Material: Detections, Remediations, Reports & More

As the days grow shorter and the weather gets colder, Material’s ready with a steady stream of hot platform updates to keep you warm.

4
m watch
Watch video
Downloads

New in Material: Detections, Remediations, Reports & More

As the days grow shorter and the weather gets colder, Material’s ready with a steady stream of hot platform updates to keep you warm.

4
m listen
Watch video
Webinar

New in Material: Detections, Remediations, Reports & More

As the days grow shorter and the weather gets colder, Material’s ready with a steady stream of hot platform updates to keep you warm.

4
m listen
Listen episode
blog post

Identifying Risk in Google Workspace with Material & SADA, An Insight Company

Partnering with SADA, An Insight company, companies big and small can get deep insights into the types of risk that live inside of Google Workspace, powered by a data-driven analysis of user behaviors, sensitive data in email and files, and posture settings by the Material Security platform.

Josh Donelson
5
m read
Read post
Podcast

Identifying Risk in Google Workspace with Material & SADA, An Insight Company

Partnering with SADA, An Insight company, companies big and small can get deep insights into the types of risk that live inside of Google Workspace, powered by a data-driven analysis of user behaviors, sensitive data in email and files, and posture settings by the Material Security platform.

5
m listen
Listen to episode
Video

Identifying Risk in Google Workspace with Material & SADA, An Insight Company

Partnering with SADA, An Insight company, companies big and small can get deep insights into the types of risk that live inside of Google Workspace, powered by a data-driven analysis of user behaviors, sensitive data in email and files, and posture settings by the Material Security platform.

5
m watch
Watch video
Downloads

Identifying Risk in Google Workspace with Material & SADA, An Insight Company

Partnering with SADA, An Insight company, companies big and small can get deep insights into the types of risk that live inside of Google Workspace, powered by a data-driven analysis of user behaviors, sensitive data in email and files, and posture settings by the Material Security platform.

5
m listen
Watch video
Webinar

Identifying Risk in Google Workspace with Material & SADA, An Insight Company

Partnering with SADA, An Insight company, companies big and small can get deep insights into the types of risk that live inside of Google Workspace, powered by a data-driven analysis of user behaviors, sensitive data in email and files, and posture settings by the Material Security platform.

5
m listen
Listen episode
blog post

Risky Biz Podcast Interview with Rajan & Dan

Dan Ayala, Chief Security & Trust Officer from Dotmatics joins Rajan Kapoor, Field CISO from Material on Risky Business to discuss how to wrangle securing data that ends up in corporate cloud email and file stores.

Material Team
10
m read
Read post
Podcast

Risky Biz Podcast Interview with Rajan & Dan

Dan Ayala, Chief Security & Trust Officer from Dotmatics joins Rajan Kapoor, Field CISO from Material on Risky Business to discuss how to wrangle securing data that ends up in corporate cloud email and file stores.

Rajan Kapoor
10
m listen
Listen to episode
Video

Risky Biz Podcast Interview with Rajan & Dan

Dan Ayala, Chief Security & Trust Officer from Dotmatics joins Rajan Kapoor, Field CISO from Material on Risky Business to discuss how to wrangle securing data that ends up in corporate cloud email and file stores.

Rajan Kapoor
10
m watch
Watch video
Downloads

Risky Biz Podcast Interview with Rajan & Dan

Dan Ayala, Chief Security & Trust Officer from Dotmatics joins Rajan Kapoor, Field CISO from Material on Risky Business to discuss how to wrangle securing data that ends up in corporate cloud email and file stores.

Rajan Kapoor
10
m listen
Watch video
Webinar

Risky Biz Podcast Interview with Rajan & Dan

Dan Ayala, Chief Security & Trust Officer from Dotmatics joins Rajan Kapoor, Field CISO from Material on Risky Business to discuss how to wrangle securing data that ends up in corporate cloud email and file stores.

Rajan Kapoor
10
m listen
Listen episode
blog post

Material Product Demo: Securing Google Workspace & M365

Abhishek Agrawal gives an in-depth product demo walkthrough on Risky Business

Material Team
35
m read
Read post
Podcast

Material Product Demo: Securing Google Workspace & M365

Abhishek Agrawal gives an in-depth product demo walkthrough on Risky Business

Abhishek Agrawal
35
m listen
Listen to episode
Video

Material Product Demo: Securing Google Workspace & M365

Abhishek Agrawal gives an in-depth product demo walkthrough on Risky Business

Abhishek Agrawal
35
m watch
Watch video
Downloads

Material Product Demo: Securing Google Workspace & M365

Abhishek Agrawal gives an in-depth product demo walkthrough on Risky Business

Abhishek Agrawal
35
m listen
Watch video
Webinar

Material Product Demo: Securing Google Workspace & M365

Abhishek Agrawal gives an in-depth product demo walkthrough on Risky Business

Abhishek Agrawal
35
m listen
Listen episode
Privacy Preference Center

By clicking “Accept”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.