Phishing emails are one of the most frequent, easily executable, and harmful security attacks that organizations – regardless of size – face today. With over 90% of all data breaches starting with a phishing email, the potential for financial damage is real and immediate.
Security analysts face numerous challenges while responding to phishing attacks. Handling attack numbers without burning out, switching between multiple screens to coordinate response, avoiding errors while completing mundane tasks, and standardizing response and reporting procedures are all sources of worry.
To help meet these challenges, users can now combine phishing intelligence, trends, and context data from Cofense IntelligenceTM with the security orchestration and incident management capabilities of Demisto, thus improving their response posture to the phishing malaise.
Cofense Intelligence and Demisto integration features
- Timely, accurate, relevant and consumable human-vetted threat intelligence delivered as machine-readable threat intelligence by Cofense Intelligence and ingested into Demisto Enterprise.
- Triggering of specific playbooks for the incident response team on how to mitigate and eliminate the attack.
- Visibility into linked phishing campaigns for specific attacks from Cofense Intelligence into Demisto Enterprise.
Fig 1: Cofense Intelligence command list for Demisto Enterprise
USE CASE #1
Automated phishing incident response
There is often a mismatch between the high-volume nature of phishing attacks and analyst agility in responding to them. Phishing attack identification, triage, reputation checks, and response involves switching between multiple screens, mundane and repeatable tasks, and tunnel vision that precludes knowledge of larger phishing campaigns that encompass a particular attack.
Using rule-sets, analysts can map phishing attack categories from Cofense Intelligence to specific Demisto playbooks that automate repeatable tasks such as indicator collection, reputation checks, and mail communication with affected parties. The phishing response playbook will trigger and execute automatically on receipt of a phishing attack.
Fig 2: Cofense task in IOC Enrichment playbook for Demisto Enterprise
Playbooks can provide standardized response procedures and post-response documentation, helping analysts respond to phishing attacks quicker and generate scalable, comprehensive reports based on a rich pool of indicators and investigation actions that are common across incidents.
To learn more about Demisto’s integration with Cofense Intelligence, download our joint solution brief.
USE CASE #2
Threat hunting with phishing campaign data
While phishing attacks are often a part of larger, more coordinated phishing campaigns that exploit multiple entry vectors in an organization, analyst response treats them as isolated incidents due to paucity of time, knowledge, and personnel resources.
While responding to a particular phishing attack, analysts can query Cofense Intelligence from Demisto and get details about the malware family, indicators of compromise, severity and payload method for this attack. This information can be used for subsequent threat hunting exercises on Demisto for similar phishing attacks that have occurred on other organizational entry points.
Fig 3: Cofense results for interactive investigations in the Demisto War Room
By leveraging common indicators and context across phishing attacks in a campaign, analysts can link incoming incidents accordingly for a more efficient, speedy, and scalable response. These linkages exist in posterity, building a knowledge repository for analysts to learn from and respond better to future attacks.
With Demisto’s integration network of 100s of security and non-security products, these use cases just scratch the surface of potential actions analysts can orchestrate using Cofense Intelligence as one of the components.
If you're new to Demisto and interested in exploring this integration among others, we invite you to sign up for the Demisto Community Edition below.