| 19 November 2014
Most of us have been in an airport and heard the announcement over the loud speaker; “If you see something, say something.” The airport has security personnel; however, their agents cannot be everywhere at once. They collectively rely on travelers passing through the airport to be their eyes and ears in places agents cannot be. In this way, as an airport traveler, you are a “sensor” watching for, detecting, and alerting on suspicious behavior such as unoccupied luggage.
What does this have to do with information security? Just as passengers can help prevent an incident in the airport by reporting suspicious activity, employees can help prevent a data breach by reporting suspicious email. The key to unlocking this valuable source of threat intelligence is to simplify the reporting process for employees, and to measure the results of your program to prioritize reports from savvy users.
Last year we released our PhishMe Reporter™ solution, which streamlines the reporting process and provides invaluable data about user reporting habits, enabling customers to measure the point when employees move from passive recognition of phishing attacks to becoming active participants in detecting and reporting them.
Improve Incident Response by Simplifying the Reporting Process
Most organizations already have a process in place for users to follow to report a suspicious email – but how often is it being followed? Does your process include many steps that may be foreign to a non-technical user such as viewing full headers or sending a message as “an item?” How Reporter=Buttonconfident are you that your users can correctly follow this process each time?
Reporter simplifies all of this by installing a button on each user’s email toolbar that enables users to rapidly report suspicious emails to your security team or Computer Incident Response Team (CIRT) with just the click of a button. The packaging of the email is always consistent, which ensures that the metadata, body, and any attachments included in the original phish, are all provided for forensic analysis. With a consistent reporting format and identical fields every time, Reporter provides a painless use-case mapping into an existing SIEM and/or logging solution you may be operating.
The results of analysis will be used to help determine which technical controls and mitigations a CIRT may undertake as they dissect the content for potentially malicious links/attachments. Quick response by the CIRT and supporting teams can reduce the cost, duration, and potential data loss that may result from an active phishing incident.
Measure Reporting and User Response to Simulated Phishing Events
In addition to improved IR capabilities, using Reporter gives our customers the ability to track user reporting habits and answer questions such as::
How many users reported a specific email?
How much time elapsed between launch of a PhishMe scenario phish and first user to report?
What are a specific individual’s reporting habits?
What happened first, undesirable actions or user reports?
During PhishMe scenarios, Reporter answers these questions and neatly integrates the data for each scenario, cleanly overlaying Reporter metrics with phishing scenario metrics. For emails from unknown sources, it provides a mechanism for the rapid detection and reporting of potentially malicious emails that can target your users at any time.
By focusing on providing users with positive reinforcement during teachable moments, we enable improved recognition of potentially malicious messages.
Enable Employees to Become Phishing Intrusion Detection Systems
Over time, an organization that uses Reporter will create a culture that emphasizes safe email use. Since Reporter tracks user response history, the CIRT can prioritize reports from users with solid reporting histories. Additionally, as reports of emails come in and are positively identified as malicious, the CIRT can begin to recognize patterns and take preventive action. Just as passengers have become cognizant of the risks associated with air travel and have learned to recognize and report suspicious activity in an airport, your employees can learn about the risks associated with email and learn to report suspicious email.