Review: Keeping the bad phish out of your network pond with Cofense Triage

One of the most popular — and quickest — ways for attackers to enter a network these days is to trick a user into taking an action, whether installing malware or providing their login credentials. And if they pretended to be a company official, a business partner, or a family friend, their chance of success skyrockets.

Phishing e-mails run the gamut from clumsily worded sweepstakes type scams all the way up to highly researched and targeted campaigns designed to attack a handful of key people at an organization. Yet, despite the danger they pose, most organizations have little or no defense against them.

From PhishMe to Cofense

Back in 2008, when the original PhishMe product was deployed, which was also the name of the company at the time, there was also a very low awareness of the danger that these types of e-mails represented. The PhishMe simulation was created to allow network administrators and security personnel to craft their own phishing e-mails to train users about the dangers sometimes hidden in mail messages.

John Breeden/IDG

PhishMe is still available today. It was kind of fun to test the interface and see all the different types of phishing e-mails that could be created, and the rate of success each campaign has historically achieved. Given the fact that anyone can fall victim to a particularly good or targeted phishing scam, including technically savvy people, it might be a good idea to include PhishMe as part of an overall cybersecurity maturity program.

As an organization, PhishMe has moved its focus away from pure education into threat remediation. Even the company name is changing, from PhishMe to Cofense, which is a combination of collaborative and defense. One of the first Cofense-branded products, Triage, takes e-mails reported by users as suspected phishing, and helps to manage responses. In one sense, the PhishMe product helps to make users more adept at spotting phishing scams, while Triage creates a way for organizations to tap into the newfound skillset that employees should have learned.

John Breeden/IDG

Deployed as an on-premises virtual appliance, Triage connects with almost any corporate e-mail program. It works with an add-on app called Reporter, which adds a button with a little fish to the standard control ribbon of most e-mail clients. Whenever a user gets an e-mail that they suspect is a phishing scam, they simply push the button to report it. It also works with mobile clients, so users who check mail on their smartphones can still connect to Triage. And incidentally, if a reported phishing e-mail was generated by the PhishMe program as a test, pressing the button gives instant feedback, and thanks, from the IT team for doing the right thing.

Testing Triage

On the backend of Triage is a management console where administrators can see every suspect e-mail that users have reported. The program groups similar e-mails together into clusters, so admins don’t have to redouble their efforts hundreds of times for the same, or similar, phishing e-mails. Remediating one of them also fixes the problem for the entire cluster.

John Breeden/IDG

Within Triage, users can be categorized to help direct responses. Certain users can be designated as VIPs, or very important persons, which might mean that they get their suspected phishing e-mails looked at first. Most organizations probably put their executives into the VIP group, but it could also be people like human resources personnel, who are more often attacked with things like fake resumes than most other groups.

More important than VIPs is reputation. Every user starts out equal, but those who report phishing e-mails can be awarded points in addition to sending out a thank you message, which increases their score and makes them a more reliable source. The opposite is also true. Users that send in items that are not phishing-related, like messages from LinkedIn for example, can be given negative points for wasting time. Users don’t get to see their scores, though it might make for a nice gamification type situation if they did. However, IT staff can take reputation scores into account when deciding which e-mails to investigate first. For example, zooming into one submitted by a cadre of trusted users over one from another group that is always crying wolf.

John Breeden/IDG

Once an investigation is launched, admins have a variety of tools available within Triage to categorize e-mails as legitimate, a grey mail such as an ad or newsletter, or a bonafide phishing attempt. Triage integrates with most malware or threat-scanning programs, and even sandboxing tools, so the reported mail can be examined for overt threats, or links to compromised web servers. The headers, which are often spoofed in phishing e-mails, can be examined. And even the full text of the letter, rendered but not actually assembled to protect the IT teams working within Triage, can be read and displayed.

John Breeden/IDG

In testing, it was fairly easy to confirm phishing e-mails. Most of them are not particularly innovative, and even the best ones need to follow certain patterns, such as spoofing their return address information or asking a user to click on an outside link disguised as something internal. Slightly harder to catch were the so-called “recon” e-mails that didn’t contain any links or malware, just a note from someone pretending to be a boss asking for financial data, passwords or outright money transfers. Even then, there are telltale signs that Triage can highlight.

Once an e-mail has been categorized, there are several options that admins within Triage can take. These include sending off an e-mail to mail administrators asking to blacklist certain addresses, creating trouble tickets to prevent future threats of a similar nature, thanking users for their help – and possibility raising their reputation scores by a few points, or creating rules that can be used to more quickly identify specific phishing threats in the future.

Right now, Triage only supports e-mail-based options. For example, you can’t actually force your firewall to block IP addresses from within the program, only create a trouble ticket or ask the team that handles that to do so. Cofense representatives say they are working on some new options to further empower Triage, but they were not available as of this round of review testing.

John Breeden/IDG

It’s also interesting to note that the effectiveness of Triage is based on the strength of the local user community within an organization. If you install Triage and no users bother to report any phishing e-mails, the console will remain blank. A similar situation arises if users only report non-phishing e-mails to the system. As such, while the PhishMe simulation product is not required for Triage to work, more highly trained and motivated users will act as both a first line of defense and a force multiplier. Triage will technically work without PhishMe, but probably not nearly as effectively with an untrained user pool.

Phishing e-mails are not going anywhere. Even with extremely low possibilities of success, it normally only takes one distracted or untrained user to click on a bad link to open a bridgehead into a protected network. Cofense’s Triage is still evolving, but even now represents one of the most advanced defenses against the growing threat of phishing. And when combined with PhishMe to further train users about the dangers, it gets even more worthwhile.