Tools, Training, and Threat Intelligence Empower Phishing Defense

March 11, 2019 • Zane Pokorny

Our guest today is Mollie MacDougall, threat intelligence manager at Cofense, a company that specializes in phishing defense, threat intelligence, and cyber incident response.

She shares the story of her unconventional professional journey and the role she plays in coordinating communications between technical and non-technical people in her own organization, as well as her insights on the broad spectrum of phishing threats organizations face, how they are quickly evolving, and the most effective strategies to protect your organization.

We’ll talk threat intelligence as well, hearing her thoughts on how to make sure your analysts aren’t getting too much noise in the threat intelligence signal.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 98 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.

Our guest today is Mollie MacDougall, threat intelligence manager at Cofense, a company that specializes in phishing defense, threat intelligence, and cyber incident response.

She shares the story of her unconventional professional journey, the role she plays in coordinating communications between technical and non-technical people in her own organization, as well as her insights on the broad spectrum of phishing threats organizations face, how they’re quickly evolving, and the most effective strategies to protect your organization.

We’ll talk threat intelligence as well, hearing her thoughts on how to make sure your analysts aren’t getting too much noise in the threat intelligence signal. Stay with us.

Mollie MacDougall:

I think that I have a somewhat unusual trajectory for someone in this space, and not such a technical one, actually. My background is in international security. I got my masters in international security studies at the Fletcher School of Law and Diplomacy. It’s a small school that’s affiliated with Tufts University, and from there, I worked on Capitol Hill in the United States, actually, with the House Foreign Affairs Committee. I was a bit of a generalist there, focusing a lot on Middle East and Africa issues, but worked a lot with other people’s portfolios, too. Increasingly, I realized that, as an international security wonk, without really understanding cyber and cyber conflict, I really couldn’t claim to be an expert in international security, and moving forward, it would be really critical to get that understanding.

I was offered an opportunity to work with the Department of Homeland Security looking at threats to the homeland. I eagerly took up that offer, and you make a plan and God laughs, so I did not end up going back into international security. My husband got an opportunity to move to London, and I have always wanted to live abroad, so I ended up working with Cofense — at the time it was PhishMe — and came in as a senior intelligence specialist with PhishMe, and took over the management of the entire team last summer.

While I manage very, very technical analysts who are tearing apart malware and phishing campaigns day in and day out, I have more of the international security and analytical mindset that I use to help guide them to understand the bigger picture at work, get out of the weeds a bit, to understand higher-level trends in phishing.

Dave Bittner:

That’s really interesting, because I think that’s a story that we’re hearing more and more, that, I guess, there’s almost a realization that folks who didn’t necessarily come up through the technical track really have a lot to contribute in cybersecurity zones.

Mollie MacDougall:

Yes, I think that’s something that we’ve all identified. Anyone that’s worked in this space has come to realize that communication in this space, communication between the technical and non-technical, is critical and difficult. People who are very much in the ones and zeros, as I like to say, don’t always spend enough time looking at the bigger picture to understand the best way to communicate important information to executives or policy makers, and policy makers and executives don’t always understand the best way to frame a question to get the answer that they’re looking for with those people who really are extremely technical.

Bringing people into the fold that understand, almost as a translator role, between those two spaces to fill that chasm … I think that more and more attention is being paid to the criticality of that space and of improving that communication, if you will.

Dave Bittner:

Let’s dig into some of what you’re up to at Cofense. Can you just give us a little overview? What does Cofense do, and what are you out there protecting people from?

Mollie MacDougall:

Certainly. Well, Cofense as a whole is a phishing defense-focused company. We help our customers defend against phishing, protect against getting compromised by phishing, and then help to quickly remediate any successful compromise, or attempted compromise. We really started out being a pioneer in the phishing simulation space, where a company wants to train and educate their workforce, so they send them phishing simulations to help them identify what a phishing email looks like, and maybe if they do click, lead them to educational material about what phishing is, and the threat out there.

I guess the company really became a victim of its own success when the name of the company became synonymous with this phishing simulation platform, when we do offer a suite of other services and products to defend against phishing. That’s why PhishMe rebranded last year and became Cofense to better represent.

The phrase “Cofense” comes from collective defense. It’s about that collective defense from the end users to the tools that your SOC analysts are using, to the training that you’re employing to best educate those end users. Collective defense embodies that entire, more holistic defense posture that our company is really about.

It doesn’t matter whose research we read, it’s pretty much consistent across the board from different studies that the majority of breaches begin with phishing. That is why we are very, very focused and a bit niche when it comes to phishing defense.

Now, the threat intelligence team, we are providing real-time, actionable intelligence about phishing and the phishing campaigns out there to our customers so that they can best defend themselves. We pride ourselves very much on being very timely and very high fidelity. All the indicators that we send to our customers are human-vetted by our analysts who ensure a very low false positive rate. Then, we also support our other offerings within Cofense. We send real, intelligence-driven examples to our simulator group within the company so that they can help companies train their users and educate their users with examples of the real phishes that are out there today, potentially targeting these companies’ users.

Dave Bittner:

Can you give us a sense for what the spectrum of phishing threats is out there? Who are they targeting, and what’s the range of sophistication?

Mollie MacDougall:

That’s a great question. Both are answered with a very, very wide range, right? You have your script kiddies — you have people who are purchasing very simple script, very publicly available, inexpensive phishing tool sets to try to get anyone and everyone with very, very generic lures. And then, you have more sophisticated actors who are putting a lot of resources into crafting very, very believable looking phishing narrative messages, but are also … Have enough resources to constantly tweak the campaigns as they go along so that if you have a phishing campaign that goes out today, or let’s say, three weeks ago, and threat actors have enough resources to tweak that campaign ever so slightly so that they can pretty much use a lot of the same tools and tactics, or same phishing lures … So, it’s very low maintenance, but they have enough resources to tweak the campaigns that they are sending out. It makes last week’s indicators a lot less useful, a lot less impactful to users, because through these slight modifications, they’re able to overcome the sharing of those indicators that an organization may think are still protecting them today.

That’s why I mentioned … With my team, we turn around indicators from campaigns that we analyze within hours of receiving those campaigns because those indicators will — or often will, at least — become stale very, very quickly. The more sophisticated and well resourced a threat actor is, the more targeted they’re able to be in the phishing narratives and campaigns that they craft. So, the more time they have to research a high-value target, the more tools they have and more time they have to really find the best way to …. Where is that soft underbelly for that target and to achieve compromise thereafter. We really see a range, but more and more, we’re seeing what I like to call this … We’re seeing threat actors find the social engineering sweet spot where they will … And this isn’t anything new, but we’re seeing it more and more with more basic malware campaigns, which is a concern. Where threat actors are putting together phishing lures that are likely to be relevant to a large swath of users. So, for example, any U.K. user, they might imitate prominent U.K. financial institutions, or other brands that many, many … A large portion of the U.K. population would be known to do business with, or shop with.

The same thing will go for targeting U.S. users. They will imitate U.S. financial institutions, or U.S. power companies, or telecom companies to be perceived as relevant and credible by a very large group of people.

Dave Bittner:

Help me understand, how much of the defense against phishing can be technical solutions? How much can be training? What’s the spectrum there?

Mollie MacDougall:

Well, no one thing is going to be sufficient. Organizations think that they can simply turn to next-generation technologies and stop phishing attacks, and the reality is that every time there is a supposedly “silver bullet” technology, we then observe attacks still reach the inbox. They are still rendering technologies ineffective. Threat actors are consistently evolving and finding new ways to do that, to evade these technologies. It’s very much a cat-and-mouse game.

It’s the same with the phishing landscape attack surface, if you will. As technologies come in, whether they are gateway technologies and defense technologies, or simply other technologies like the cloud, threat actors will go to it and find ways to either leverage that, or to bypass these technologies. Actors are increasingly even using business-required platforms as they’re meant to be used — they’re living off the land and using these features for nefarious purposes, or finding ways to abuse them in ways that they weren’t meant to be used and effectively deliver malware.

Those are things that businesses can’t block either, so absolutely, you want to have a strong gateway, you want to have strong technological defenses, but you can’t rely on them alone. That’s why we do have such an emphasis on end-user training and reporting. We don’t want end users to only be trained — it’s best if they are also empowered to report suspicious messages that do reach their inbox.

Dave Bittner:

I suppose part of that is reducing any amount of friction to enable or empower employees to do those things like reporting.

Mollie MacDougall:

Exactly. Having a way for them to immediately report something that has reached their inbox to the SOC … And then it’s even better if you can have your SOC and/or threat intelligence teams aligned with your awareness group so that you can then feed … Let’s say you’re a company, and you see an attack is hitting your organization because these emails are getting through to your end users, and they’re saying “Hello, we see this email, it looks suspicious,” and they send that notification to their SOC. The SOC can then send an example of that template to their awareness folks to, A) get out the word that we may be under attack, and, B) use them in simulations as well so that you are training your users to identify the real phishes that are targeting your information. That’s your organization’s intelligence, that’s your proprietary threat intelligence that you can be using to enhance awareness, and therefore better improve your overall defensive posture as an organization.

Dave Bittner:

Let’s talk a little bit about threat intelligence. That’s one of the key focuses we have here on this show. What part do you think threat intelligence plays in an organization’s defensive posture?

Mollie MacDougall:

Certainly. You have your tactical threat intelligence, and that helps your organization know what to block, or what to look for within your environment. The attack surface out there is massive. It is too vast to cover without signed posts telling you what to look for, what is known bad. It’s also helpful if it can provide enriched context to campaigns. If a victim finds something on their environment, they can know what else to prioritize looking for to enhance effective and rapid mitigation. Then, strategic intelligence provides an in-depth understanding of the phishing threat landscape and of emerging TTPs, or tactics, techniques, and procedures. This can inform decisions about how to evolve defenses for continued protection. It allows companies not only to see that something’s bad, but they then know what the bad is and why — why is this bad?

Robust threat intelligence will inform both your automated defenses and your people, your analysts, to eliminate guesswork and dive in right at the heart of an active threat, which really will cut down an organization’s response or remediation time.

Dave Bittner:

It strikes me that if you look back at some of the threats that we face, and I’m thinking of spam, garden-variety spam, it seems to me like that’s largely a solved problem. Very little of that spam makes it through to me in my email box, but we’re not there yet with phishing. I’m wondering, what’s your sense of how that arms race is going? Do we feel like we’re catching up? Are we treading water? Are we falling behind? What’s your sense with that?

Mollie MacDougall:

I think it’s “cat and mouse.” I think that whenever we do start to catch up, threat actors become innovative and find ways to get more lead time against the information security community. Every few weeks, we see something where threat actors are just finding new ways to be creative, whether it’s ways to distract a user while malicious activity is going on, whether it is finding ways to add modules to already crafted or previously created malware so that it’s much more easy to quickly change and broaden the capabilities of a simple malware. And then, different tactics, techniques, and procedures that we see included in phishing campaigns themselves to avoid detection and reach inboxes, such as including password-protected documents as attachments, and increasing the requirement for human interaction with attachments in order to trigger a malware’s deployment, making it more difficult for an automated gateway … Or to really, fully inspect that document on its way in. And then again, living off the land. We’ve seen a lot of this where a feature within, maybe Microsoft Office, that is used every day for critical business operations is used to deliver malware.

Again, it’s not like an organization is going to fully disable or disallow anything to come into the environment that has any of these features enabled when these features are used for business operations.

Dave Bittner:

Yeah, it’s interesting. I’ve heard people say it’s not reasonable to tell your HR folks that they can’t open emails that have PDF files, because that’s how people send in their resumes. That’s a critical part of how they do business.

Mollie MacDougall:

Exactly. At the end of, I think it was 2017, researchers, for example, they released a proof of concept showing how a protocol within Microsoft Office, a dynamic data exchange protocol, could be abused to deliver malware. This protocol essentially allows two different documents within the Microsoft Office Suite to communicate with each other. Let’s say a change is made in an Excel spreadsheet — it might automatically allow for a change to result in a connected document. You can see how this would have a lot of benefits from a business angle, and might be really relied upon for bookkeeping purposes, accounting. Within a week, within days, we saw this abuse tactic weaponized. Now, changes have been made so that it is, in many parts of Office Suite, disabled by default. But that’s not the case for every single part of the suite, and often will need to be enabled, because like I said, it does have practical business applications.

Dave Bittner:

Right. What’s your advice for organizations that are looking to get started? They know that this is an area that they need to focus on, but perhaps they’re feeling like they’ve been dragging their feet getting on top of phishing. How do you begin? How do you evaluate where you stand and how to get started?

Mollie MacDougall:

I think that you need to have a program when it comes to educating your users. First we’ll talk about educating your users, and then I’ll talk about threat intelligence specifically.

When it comes to educating your users, I think that computer-based training alone is not sufficient. You really need to engage and empower your users, so having an interactive platform … I highly suggest simulation because that gives you a lot of feedback about your users, and what matters is not necessarily your click rate. If you’re enabling your users to report malicious emails, what you really want to think about is your resiliency.

Let’s say you have 500 users, and you have maybe 30 users that you just really don’t think, over time, you’re going to get them to not click on that email. It’s not necessarily about getting that click rate to zero, it’s about increasing the number of reporters who are going to send a flare to your organization that there could be a potential attack scenario in time to mitigate before those potential clickers might have clicked, or so that you could then go and remediate as quickly as possible if they in fact clicked.

Enhance communication about why you’re doing this. We don’t suggest making it punitive. If people do click, you never want people to feel that they should not report or raise their hand if they have clicked on a suspicious email. You want that information. You want that real intelligence for your organization right away. Taking those things into consideration, as you are planning your awareness training program, thinking about what kind of behavior you really, really are encouraging, or you’re breeding within your workforce as you move forward, and be careful about going punitive.

Remembering real phishes are the real problem, so don’t just go for the shiny “Oh, this looks like a really cool phishing narrative,” but really thinking about “What is actually likely to be targeting my organization?” And threat intelligence can help you better understand that. If you are new to threat intelligence as an organization, you want to make sure that you have very high fidelity, and not intensely noisy feeds to begin with, because a noisy feed that’s riddled with false positives could easily present more of a distraction than a benefit to a novice SOC team. It also very much helps to have a good SIEM or TIP to really help you automate how you’re intaking threat intelligence, and then have eyes on it to better understand and enrich that information.

It’s, again, that balance of technology with highly capable analysts that’s really, really important.

Dave Bittner:

Our thanks to Mollie MacDougall from Cofense for joining us.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Zane Pokorny, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.