Partner Perspectives: Endpoint Phishing Incident Response with Cofense Intelligence and Cb Response

Share and earn Cybytes
Facebook Twitter LinkedIn Email

Mike Saurbaugh is the Director of Technical Alliances for Cofense.

Hunting Phished Endpoints with Cofense Intelligence™ and Carbon Black

Ransomware, business email compromise (BEC), malware infections and credential-based theft all primarily stem from a single vector of compromise – phishing. Operationalizing threat intelligence, especially when it comes to phishing, continues to weigh on the minds of businesses regardless of size. Mobility increases this challenge and hunting down these elusive endpoints is vital to cutting off the attacker’s foothold.

Security teams must be able to hunt for and remediate endpoints compromised by phishing.

As we’ll see, Cofense™ and Carbon Black have teamed up to make this happen.

While investments in technology to thwart malicious email delivery have gotten better, the reality is that attackers are still able to bypass gateway and network defenses. In fact, they do!

We know this because Cofense’s Phishing Defense Center (PDC) found that 1 of out every 10 emails reported to the PDC by customers has malicious intent. Many of these are targeting credentials to gain access to accounts.

But here’s the real value: conditioned employees who reported the suspicious email to the security team.

When you stop and think about it, these are truly malicious emails that bypassed technology and made it to the inbox. The security team now has valuable information to learn from about the tactics the attacker used. Now they can improve defenses and also determine if there are others in the business who have been phished. If that’s the case, the security team will be able to determine who else received it, fell for the bait and gave away their credentials. Then the team can take action to protect against potential damage.

Respond Quickly with Endpoint Data Analysis

A CISO and the security team may learn of a global mass-phishing campaign that took place overnight. The natural question to ask is if any endpoints have come in contact with known phishing indicators.

Can the SOC and IR team answer this question quickly and confidently?

Cofense™ and Carbon Black are providing security teams with the ability to ingest human-verified phishing intelligence that can be used to investigate and respond to endpoints linked to phishing indicators of compromise (IOCs). Through this integration, Cofense and Carbon Black provide a powerful approach to identifying and preventing potentially damaging phishing attacks.

Operationalize Threat Intelligence and Hunt Phished Endpoints

Cofense Intelligence extends beyond a traditional data feed that some may be familiar with. Customers receive phishing intelligence. What’s the difference? Intelligence versus traditional data?

Information without context is just data. Intelligence is information with context that enables security teams to have confidence in their decisions.

Cofense Intelligence customers receive indicators specific to phishing and their criminal command and control (C2) and botnet infrastructure associated with malware families like Locky, Dyre and Cerber. This is backed up by threat intelligence reports with context that provide security teams with insight into attacker TTPs.

Cofense identifies what is nefarious, but more importantly, why and what it means.

Hunting Phished Endpoints with Cofense Intelligence and Cb Response

Determining whether an endpoint has been in contact with a phishing IOC is effectively done with the ingestion of Cofense Intelligence via a RESTful API. Cb Response can then match indicators as part of the investigation process or simply through hunting to determine involvement. Cb Response will ingest intelligence from Cofense (as a JSON file) and can automatically monitor for activity matching indicator severity – or to hunt phishing indicators across managed Cb Response endpoints.

As Cb Response ingests indicators, proactive alerts can be generated based on Cofense’s impact rating. A Major impact rating IOC (the most severe) can be configured to send incident data to the SOC or IR team.

Enabling is Easy

To setup Cb Response to ingest Cofense Intelligence indicators for hunting and response, work through these steps:

  1. Enable Cofense Intelligence API credentials.
  2. Poll Cofense Intelligence API every 15, 30 or 60 minutes for new indicators.
  3. Based on your preferred polling interval setting, Cb Response will ingest any new phishing indicators identified by Cofense researchers (located in a JSON file).
  4. Create watchlists in Cb Response simply based on Cofense Intelligence indicators.
    One way to start off is by phishing for IOCs with a score of 100. Cofense researchers vet all indicators, especially those rated major. This means analysts can be very confident in their decisions, and also in any alerts they receive for additional hunting and IR actions, without the concern of being inundated with false positives. Results matching this watchlist indicate an interaction with hostile IOCs – IPs, domains and hashes.
  5. Finally, when an endpoint matches one of the major IOCs from Cofense Intelligence, based on hit preferences, email, syslog and alerts can be triggered.
  6. Based on the indicators, security teams can use capabilities in Cb Response to ban hashes, isolate endpoints from the network and trigger additional hunting and investigation processes.


Phish, Hunt, Remediate, Repeat

When you need to hunt for phishing IOCs on an endpoint, Cofense and Carbon Black can offer you a more effective and repeatable process. Cofense produces timely and accurate phishing IOCs multiple times each day, which keeps endpoints and network-based solutions up-to-date with the latest, greatest threats.

Leveraging this integration enables a repeatable process for when a phish makes it past the email gateway and enables teams to automate the ingestion of and alerting on phishing IOCs. How great is that?

The notion that prevention is ideal, but detection is a must, applies here!

The threat of phishing is alive and well, as is the need to maximize investments. With low administrative overhead, Cofense and Carbon Black are here to help security teams operationalize their phishing defense.

To learn more about Cofense’s integration with Cb Response, visit Cofense’s page on the Carbon Black Partner Locator.

The post Partner Perspectives: Endpoint Phishing Incident Response with Cofense Intelligence and Cb Response appeared first on Carbon Black.

Share this post and earn Cybytes
Facebook Twitter LinkedIn Email
About Carbon Black, Inc.
Carbon Black is the leading provider of next-generation endpoint security. Carbon Black’s Next-Generation Antivirus (NGAV) solution, Cb Defense, leverages breakthrough prevention technology, “Streaming Prevention,” to instantly see and stop cyberattacks before they execute. Cb Defense uniquely combines breakthrough prevention with market-leading detection and response into a single, lightweight agent delivered through the cloud. With more than 7 million endpoints under management, Carbon Black has more than 2,500 customers, including 30 of the Fortune 100. These customers use Carbon Black to replace legacy antivirus, lock down critical systems, hunt threats, and protect their endpoints from the most advanced cyberattacks, including non-malware attacks.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play

Support Cybrary

Donate Here to Get This Month's Donor Badge

Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?