Thursday, May 9

5 Reasons Why Automated Phishing Incident Response Is Critical to the Zero Trust Model

Racha Abdallah, Senior Cyber Security Consultant at CyberKnight

Information is the lifeline of any business. If it falls into the wrong hands, the result could be catastrophic. Hackers keep coming up with new methods to steal confidential data. Despite the best technology controls in place, every day we hear of incidents involving online fraud, espionage, card skimming and identity theft that result in financial loss or damage to brand reputation.

While organizations continue to focus on deploying the latest technologies to thwart cyber-attacks, hackers continue to target the weakest link in the organization, i.e. the humans. Every day we hear of phishing and social engineering incidents in which end users are tricked into revealing confidential information or clicking a link that downloads malware.

However much trust is placed in the secure email gateway, no organization can claim to have a “Phish Free” environment. For this reason, a phishing incident response framework is a must. The framework should integrate people, process and technology from a cyber security perspective and must involve end users.

Below are the 5 reasons why automated phishing incident response is one of the core security controls in the context of the modern-day threat landscape.

  1. Limited effectiveness of the Secure Email Gateways
    • Regardless of the secure email gateway vendor you choose, there is always a risk of a phishing email landing in the mailbox. Most phishing sites are live and active for only a few hours. After that, hackers typically move to an entirely new hosting server. This allows them to maintain an ongoing campaign without being detected and blocked. Once a phishing email lands in the mailbox, everything depends on the end user’s ability to recognize the attack and avoid it.
  2. Phishing Incident Response begins with End User Involvement
    • End user engagement is critical to the development of any phishing incident response plan. End users must be empowered to report any suspicious email. They should not only be trained; regular phishing simulation exercises should also be conducted to determine how end users behave when faced with phishing attacks. While most anti-phishing solution providers supply a reporter plug-in for reporting suspicious emails, you should always choose a vendor that offers an intelligent reporter plug-in.
  3. Dumb Vs Intelligent Reporter Plug-In
    • For a phishing incident response framework to be effective, the reporter plug-in should be intelligent enough to give end users fact-based threat alerts that help them decide whether to report a suspicious email. A dumb reporter plug-in works only as a post office that dispatches email content to the analysts, while an intelligent reporter plug-in scans incoming emails and, based on facts, alerts end users to report suspicious ones. This reduces the burden on the SOC team while reducing false positives.
  4. Built-in Threat Intelligence Feeds for Incident Response
    • If every reported email is assigned to SOC analysts, the burden on the SOC team increases. There has to be intermediate analysis before the SOC team is engaged. Automated phishing incident response allows the reported emails to be analyzed, and it should have built-in threat intelligence feeds to scan URLs, attachments, IP addresses and other components of the reported emails. If the primary analyst finds any suspicious activity, they should be able to quarantine the email and engage a SOC analyst for further investigation before marking the email as suspicious, and then delete it from all the end user mailboxes that received it.
  5. Intelligence Sharing through Continuous Feedback Loop
    • A robust phishing incident response solution allows the incident response team to build an internal threat database. This database is built by collecting all the relevant information from the suspicious emails that bypassed the secure email gateway. The information gathered can be passed to the network or email gateway administrators so that they can block the suspicious IP, domain or email address and fine-tune the secure email gateway rules.
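
The intermediate analysis in reason 4 and the feedback loop in reason 5 can be sketched as follows. This is an added example, not PhishRod's code or anything from the original article; the sample message, the `FEED` contents, the verdict names and all function names are constructed for illustration.

```python
import email, hashlib, re
from email import policy
from urllib.parse import urlsplit
# Constructed sample of a user-reported message; all names and addresses are made up.
REPORTED = b"""Received: from mail.example.net (mail.example.net [203.0.113.7])
From: "IT Helpdesk" <helpdesk@login-example.test>
Subject: Password expires today
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Reset here: http://portal.login-example.test/reset?id=1
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.bin"
Content-Transfer-Encoding: base64

SGVsbG8=
--b1--
"""
# Constructed stand-in for the merged threat intelligence feeds.
FEED = {"domain": {"login-example.test"}, "ip": set(), "sha256": set()}

def extract_indicators(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    ind = {"domain": {msg["From"].addresses[0].domain.lower()}, "ip": set(), "sha256": set()}
    for rcvd in msg.get_all("Received", []):  # relay IPs appear in [brackets]
        ind["ip"].update(re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(rcvd)))
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            ind["sha256"].add(hashlib.sha256(part.get_payload(decode=True)).hexdigest())
        elif part.get_content_maintype() == "text":
            for url in re.findall(r"https?://[^\s\"'<>]+", part.get_content()):
                ind["domain"].add((urlsplit(url).hostname or "").lower())
    return ind

def is_listed(kind, value, feed):
    if kind == "domain":  # a listed domain also covers its subdomains
        return any(value == d or value.endswith("." + d) for d in feed["domain"])
    return value in feed[kind]

def triage(raw, feed=FEED):
    found = [(k, v) for k, vals in extract_indicators(raw).items() for v in sorted(vals)]
    hits = [i for i in found if is_listed(*i, feed)]
    # Unlisted indicators are only block-rule candidates until an analyst confirms them.
    candidates = [i for i in found if i not in hits] if hits else []
    return {"verdict": "quarantine_and_escalate" if hits else "needs_review",
            "hits": hits, "candidates": candidates}
```

The `candidates` list is what would flow back to the gateway administrators; a relay IP in particular may belong to a shared mail provider, which is why it is kept separate from confirmed hits.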

At CyberKnight, we are in the business of securing the digital boundaries of an organization using the Zero Trust approach, and automated phishing incident response is a core component of that approach. We are an exclusive distributor of PhishRod in the region, which is the fastest growing security awareness & automated phishing incident response solution in the region.

About PhishRod

PhishRod is one of the leading anti-phishing solution providers. The PhishRod suite contains Security Awareness Manager, Phishing Simulator, Automated Phishing Incident Response & Policy Compliance Manager. Our ability to customize the content, along with the analytics-driven approach for phishing readiness, security awareness & policy compliance, helps organizations fortify their first line of defense. PhishRod comes with 90+ built-in threat intelligence feeds that help an organization report, analyze, quarantine and delete suspicious emails. For further information, please visit phishrod.co
