Updated: Dec 27, 2022
In this blog we will discuss the effectiveness of the Human Firewall Effect: training your end-users to work as a coalition that stops the phishing emails which have passed through your email security solution. An excellent whitepaper by InQuest, "The Trystero Project", shows that some of the top email security solutions have a significant miss rate. As InQuest puts it: "You should be augmenting your email security, we'll typically see at least a 5-10% miss rate, some days it's lower than 1% other days it's higher than 40%. Regardless, there's a gap that needs to be addressed."
Your users receive many different types of email that could later cause an incident. We typically look at two categories of phishing, attachments and links, but users also receive scam and fraud emails. Everyone has heard of the case where a forged document was used to authorise a fraudulent financial transaction.
An effective way to make your users more aware of phishing threats on a daily basis is to create a human firewall through "User Reported Phishing." In this blog we discuss the solution from an operations perspective.
In this section we will cover the following topics:
User Reported Phishing integration into the Incident Life Cycle
User Reported Phishing Handling
Continuous Learning through end-user interaction
User Reported Phishing integration into the Incident Life Cycle
Integrating user reported phishing into the Incident Life Cycle can be a bit complex because it has a lot of moving pieces. Without getting into too much detail about the integration itself, you'll need the following in your SOC or SOAR platform:
A forwarding rule, linked to the user-reported phishing button, that delivers reported emails to a folder (or mailbox) dedicated to user reported phishing
A way to visualise important artefacts such as the email itself and any indicators. At NVISO we have used XSOAR for this.
User Reported Phishing emails can be very high volume, so integration into your security tooling is important. You can see in the below diagram that there are many actions to take when dealing with a phishing campaign. An API connection to Threat Explorer in O365 and to the Microsoft Graph Security API gives you the ability to delete emails, reset passwords, revoke sessions and more. Ideally you'll want to keep all of these capabilities in a single platform. User Reported Phishing can also be handled directly in O365 if you have Defender for Office.
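As an added example (not code from NVISO or from XSOAR's own integrations), here is what those Graph-backed containment actions look like in Python once the SOC has confirmed a campaign. It uses only documented Graph v1.0 endpoints (`GET /users/{upn}/messages` filtered on `internetMessageId`, `DELETE /users/{upn}/messages/{id}`, `POST /users/{upn}/revokeSignInSessions`). The `send` callable, the `FakeGraph` stand-in and the mailbox contents are constructed so the logic runs offline; password reset is deliberately left out.

```python
"""Containment of a confirmed phishing campaign through Microsoft Graph.

Added example, not NVISO's XSOAR playbook. Only documented Graph v1.0 endpoints
are used. `send` is an injected HTTP callable (method, url, params, json) ->
parsed JSON, so the logic runs offline against the constructed FakeGraph below;
in production wire it to an authenticated requests session.
"""
GRAPH = "https://graph.microsoft.com/v1.0"


def purge_message(send, mailbox: str, internet_message_id: str) -> int:
    """Delete every copy of the mail in `mailbox`, located by its RFC 5322
    Message-ID (Graph's internetMessageId), which is the same in every
    recipient's mailbox, unlike Graph's per-mailbox message id."""
    safe_mid = internet_message_id.replace("'", "''")  # OData string literal escaping
    found = send("GET", f"{GRAPH}/users/{mailbox}/messages",
                 params={"$filter": f"internetMessageId eq '{safe_mid}'", "$select": "id"})
    hits = found.get("value", [])
    for m in hits:
        send("DELETE", f"{GRAPH}/users/{mailbox}/messages/{m['id']}")
    return len(hits)


def revoke_sessions(send, user: str) -> bool:
    """Invalidate the user's refresh tokens so a stolen session cannot be replayed."""
    return bool(send("POST", f"{GRAPH}/users/{user}/revokeSignInSessions").get("value"))


def contain_campaign(send, recipients, internet_message_id, clicked_users) -> dict:
    """Purge the mail from every recipient; revoke sessions only for users who
    interacted with it, so containment does not lock out the whole company."""
    deleted = {r: purge_message(send, r, internet_message_id) for r in recipients}
    revoked = [u for u in clicked_users if revoke_sessions(send, u)]
    return {"deleted": deleted, "sessions_revoked": revoked}


class FakeGraph:
    """Constructed stand-in for Graph. mailboxes: upn -> {graph message id: Message-ID}."""

    def __init__(self, mailboxes):
        self.mailboxes = mailboxes
        self.calls = []

    def __call__(self, method, url, params=None, json=None):
        self.calls.append((method, url))
        _, user, resource, *rest = url[len(GRAPH) + 1:].split("/")
        box = self.mailboxes.setdefault(user, {})
        if method == "GET" and resource == "messages":
            wanted = params["$filter"].split("'")[1]
            return {"value": [{"id": gid} for gid, mid in box.items() if mid == wanted]}
        if method == "DELETE" and resource == "messages":
            box.pop(rest[0])
            return {}
        if method == "POST" and resource == "revokeSignInSessions":
            return {"value": True}
        raise ValueError(f"unexpected call {method} {url}")


def run_sample() -> tuple:
    """Constructed campaign: one Message-ID delivered to alice and bob (bob also
    has a forwarded copy), carol untouched, and only bob clicked the link."""
    mid = "<c1@examp1e-corp.com>"
    graph = FakeGraph({
        "alice@example.com": {"AAMk1": mid, "AAMk2": "<unrelated@example.com>"},
        "bob@example.com": {"AAMk3": mid, "AAMk4": mid},
        "carol@example.com": {"AAMk5": "<unrelated@example.com>"},
    })
    recipients = ["alice@example.com", "bob@example.com", "carol@example.com"]
    return contain_campaign(graph, recipients, mid, ["bob@example.com"]), graph


if __name__ == "__main__":
    summary, graph = run_sample()
    print(summary)
    print(len(graph.calls), "Graph calls")
```

Two design points worth keeping when you wire this to a real tenant: search by `internetMessageId` (the RFC 5322 Message-ID) rather than Graph's message `id`, because the former is identical in every recipient's mailbox while the latter is per mailbox; and revoke sessions only for users who interacted, not for every recipient. A Graph DELETE on a message behaves like the user deleting it (it is moved to Deleted Items rather than hard-purged), so for campaign-wide hard removal you still lean on the Defender for Office purge actions mentioned above.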
You will want your analysts to set specific fields for tracking and metrics later on. One interesting metric is which department receives the most phishing attempts. These fields can be set by an automation or filled in by the analyst in your case tracking tooling.
User Reported Phishing Handling
User Reported Phishing can produce a vast amount of junk for your SOC to look at, so setting up the correct handling procedures is vital. I took a sample of 6 months of events at NVISO from the NITRO platform, which contained 12,250 user-reported phishing emails. Of those, 56% were false positives, whereas 36% were true positives that exhibited some type of malicious behaviour.
In order to scale our operations more efficiently, we built an automated analysis playbook that closes false positives. A 30-day analysis of all user reported phishing events shows that it automatically closed 19% of them. Although this is a recent addition to the NITRO framework, extrapolated to the six-month sample it would have removed approximately 2,327 of the 12,250 events. On average it takes our analysts approximately 10 minutes to handle a phishing event, so that is roughly 387 hours of analyst work saved over the course of 6 months.
Before we jump into the recommended features for your phishing workflows, here is a recommendation for an incident management procedure:
Escalation: this will vary depending on whether any user clicked the malicious domains or URLs. Otherwise escalation may not be necessary.
Aggregation based on sender domain (so that a phishing campaign or widespread spam is contained as one case rather than one ticket per report)
Setting the severity level to medium (not urgent, but something that should be addressed the same day)
Creating an automation to weed out false positives. I always found it more beneficial to focus first on automatically closing false positives rather than on automating the analysis of true positives. (More about this in a future blog.)
Communication to the end user of the result of their reported phishing email. This keeps them interested and engaged with the process; I recommend sending an automated email back to the user. It also discourages users from abusing the button to clean out their inboxes.
Ensure that reports are not plainly FORWARDED to your inbox and that you use the mailbox forwarding rule mentioned above, which keeps the original message as an attachment. A plain forward replaces the original headers (Received, Authentication-Results, Message-ID) with the forwarding user's, so you would be missing vital information otherwise.
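Putting the points above together (the mailbox rule that keeps the original as an attachment, aggregation by sender domain, automatic closing of false positives, a medium default severity and an automated reply to the reporter), here is an added example in Python; it is not NVISO's NITRO playbook. It parses a reported mail with the standard library, reads the SPF/DKIM/DMARC verdicts our own gateway stamped, auto-closes only allowlisted senders that also pass DMARC and carry no risky attachment, and groups what remains into campaigns. The allowlist, the `mx.example.com` authserv-id, the `examp1e-corp.com` sample phish, the sample newsletter and the reply wording are all constructed; adapt them to your environment.

```python
"""Triage of user-reported phishing mails (added example, not NVISO's NITRO playbook).
Assumes the phish button / mailbox rule attaches the original as message/rfc822;
allowlist, authserv-id, sample mails and feedback wording are constructed."""
import email
import re
from collections import defaultdict
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

KNOWN_BENIGN_DOMAINS = {"newsletter.example.com"}  # constructed allowlist of bulk senders
AUTHSERV_ID = "mx.example.com"  # constructed: only trust results stamped by our own MX
RISKY_EXTENSIONS = (".html", ".htm", ".exe", ".iso", ".zip", ".js", ".lnk", ".vbs", ".docm", ".xlsm")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def original_message(report: EmailMessage) -> EmailMessage:
    """Attached original; a plain forward has none, so we get the wrapper and lose headers."""
    for part in report.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return report

def auth_results(msg: EmailMessage) -> dict:
    """spf/dkim/dmarc verdicts from our own MX's Authentication-Results header(s)."""
    ours = [str(h) for h in msg.get_all("Authentication-Results", []) if str(h).strip().startswith(AUTHSERV_ID)]
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", " ".join(ours)))

def extract_urls(msg: EmailMessage) -> list:
    body = msg.get_body(preferencelist=("plain", "html"))
    return sorted({u.rstrip(".,;)") for u in URL_RE.findall(body.get_content() if body else "")})

def classify(sender_domain: str, auth: dict, attachments: list) -> str:
    """Auto-close only if allowlisted AND DMARC passed (a spoof of an allowlisted
    domain fails DMARC) AND nothing risky is attached; everything else goes to an analyst."""
    risky = any(a.lower().endswith(RISKY_EXTENSIONS) for a in attachments)
    if sender_domain in KNOWN_BENIGN_DOMAINS and auth.get("dmarc") == "pass" and not risky:
        return "false_positive"
    return "needs_analyst"

def triage(report_raw: str) -> dict:
    """One report mail -> a case record with the fields analysts track."""
    report = email.message_from_string(report_raw, policy=policy.default)
    orig = original_message(report)
    domain = parseaddr(str(orig.get("From", "")))[1].rpartition("@")[2].lower()
    auth = auth_results(orig)
    attachments = [p.get_filename() or "" for p in orig.iter_attachments()]
    verdict = classify(domain, auth, attachments)
    return {"reporter": parseaddr(str(report.get("From", "")))[1],
            "subject": str(orig.get("Subject", "")), "sender_domain": domain,
            "message_id": str(orig.get("Message-ID", "")), "auth": auth,
            "urls": extract_urls(orig), "attachments": attachments, "verdict": verdict,
            "severity": "medium",  # same-day handling, as in the procedure above
            "status": "closed" if verdict == "false_positive" else "open"}

def aggregate_by_sender_domain(cases: list) -> dict:
    """Open cases grouped by sender domain: one campaign, many reporters."""
    campaigns = defaultdict(list)
    for c in cases:
        if c["status"] == "open":
            campaigns[c["sender_domain"]].append(c["reporter"])
    return dict(campaigns)

def feedback_message(case: dict) -> str:
    """Automated reply to the reporter (hypothetical wording)."""
    result = ("Automated checks show it came from a known legitimate sender; no action is needed."
              if case["verdict"] == "false_positive" else
              "An analyst is investigating it. Please do not open its links or attachments.")
    return f"Thank you for reporting '{case['subject']}'. {result}"

# Constructed samples: a lookalike-domain credential phish (DMARC passes for *its* own
# domain, which is why the allowlist matters) and a legitimate newsletter users keep reporting.
PHISH = """\
From: "IT Service Desk" <helpdesk@examp1e-corp.com>
Subject: Action required: your password expires today
Message-ID: <c1@examp1e-corp.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e-corp.com; dmarc=pass header.from=examp1e-corp.com

Reset it now: https://examp1e-corp.com/reset?u=alice.
"""
NEWSLETTER = """\
From: "HR News" <news@newsletter.example.com>
Subject: December HR newsletter
Message-ID: <n1@newsletter.example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=newsletter.example.com; dmarc=pass header.from=newsletter.example.com

This month's news: https://newsletter.example.com/2022/12
"""

def make_report(reporter: str, original_raw: str) -> str:
    """What the phish button delivers: a wrapper mail with the original attached as rfc822."""
    rpt = EmailMessage()
    rpt["From"], rpt["To"], rpt["Subject"] = reporter, "phish-reports@example.com", "Reported phishing"
    rpt.set_content("Reported via the phish button.")
    rpt.add_attachment(email.message_from_string(original_raw, policy=policy.default))
    return rpt.as_string()

def run_samples() -> list:
    reports = [("alice@example.com", PHISH), ("bob@example.com", PHISH), ("carol@example.com", NEWSLETTER)]
    return [triage(make_report(r, m)) for r, m in reports]
```

The fallback in `original_message` is exactly the failure mode the last point warns about: when a user plainly forwards instead of using the button, the only headers present are the forwarding user's, `auth_results` comes back empty and nothing can be auto-closed. `aggregate_by_sender_domain` is the campaign unit that the report-rate target in the next section is measured per.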
Continuous Learning through end-user interaction
The next and possibly most important part is the continuous end-user interaction. This is what creates the human firewall effect: using automations to share the result of the SOC investigation with the end-users keeps them motivated. Ideally you want to bring your report rate to 40% of recipients per campaign (aggregated by sender domain). That is sufficient for almost every campaign. In fact, I have seen an attack which crafted one payload and targeted two specific users; one of them reported it, and that was enough for us to cut the actor off early in the kill chain. To achieve those results you should run continuous phishing awareness campaigns alongside the user-reported phishing operation.
Part of the process is crafting an automated message back to your users, thanking them for their submission and updating them on the result of the investigation. Here is an example of what we send from NVISO:
This will accomplish two things:
It lets the users feel that they are part of the security process
It lets the users know that there are humans behind the scenes working on these investigations, which makes them take it a lot more seriously and not just use the button as a mechanism to clean their mailboxes.
In this next section