Black Hat insights: Deploying ‘human sensors’ to reinforce phishing email detection and response

Human beings remain the prime target in the vast majority of malicious attempts to breach company networks.


Cybersecurity awareness training is valuable and has its place. Yet as Black Hat USA 2021 returns today as a live event in Las Vegas, it remains true that any of us can be fooled — and that the prime vehicle for hornswoggling us is still the phishing message sent via business email.

Cofense, a Leesburg, VA, supplier of phishing detection and response solutions, has set out to take another human trait, our innate willingness to help out if we can, and systematically leverage that better instinct, combined with advanced automation technology, to stop phishing attacks fast.

I had a lively discussion about this with Rohyt Belani, co-founder and CEO of Cofense, which started out as PhishMe in 2011.

Inspired by Homeland Security’s see-something-say-something anti-terrorism initiative, as well as by crowd-sourcing services like Waze, Cofense has set out to squash those phishing messages that circumvent Secure Email Gateways (SEGs) and fool even well-intentioned employees. It is doing this essentially by training and encouraging employees not just to be on high alert for phishing ruses, but also to deliver useful reconnaissance from the combat zone.

Cofense has begun to operationalize this front-line intelligence via a highly specialized automated phishing detection and response cloud service. For a full drill-down on how they’re doing this, please give the accompanying podcast a listen. Here are the main takeaways from my conversation with Belani:

Segment targeting

One night very recently, a couple of night-shift employees at a Norwegian oil and gas company received an official-looking email notifying them that their single sign-on passwords were about to expire. Suspecting it was a fake, the employees did not follow the instructions called out in the email; instead, they forwarded it to one of Cofense’s Security Operations Centers.

Within minutes, the Cofense SOC manager confirmed that the message was, indeed, malicious and also identified several indicators of compromise suggesting similar phishing messages had been sent to other targeted victims.

“We propagated those indicators throughout our customer base and within a few minutes we actually found and removed the same threat from two of our other oil and gas customers based out of Houston,” Belani says. “The attackers were going after that particular industry segment, but no one had reported it in Houston because it was dawn in Houston and most of their employees were still asleep.”

This was yet another illustration of how Secure Email Gateways, which scan inbound email for malicious content, simply cannot stop 100 percent of phishing email; only one message has to get through and fool an employee to trigger the next SolarWinds supply-chain debacle or Colonial Pipeline shutdown, Belani noted.

And it is usually the simplest, and potentially most harmful, phishing messages, those targeting specific employees, that are seeping through, he says.

“The story line in this one was actually pretty simplistic, but they had all the right logos and a very authentic look and feel,” Belani told me. “It was a notice that the employee’s single sign-on credentials were set to expire and that he needed to click on a link to update his password.”
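The report-confirm-propagate loop described in this section, written out as an added example (this is not Cofense’s code): indicators are extracted from the reported SSO-expiry lure and then swept across the mailbox stores of other customer tenants, returning the message ids an analyst would quarantine. The lure, the tenant names and the mailboxes are all constructed sample data.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample of the reported lure (not a real message): an SSO expiry notice.
REPORTED_EMAIL = """From: IT Service Desk <helpdesk@sso-login-renewal.example>
Subject: Action required: your single sign-on password expires in 24 hours

Your SSO credentials are set to expire. Update your password here:
https://sso-login-renewal.example/reset?user=nightshift
"""
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def extract_indicators(raw_email: str) -> dict:
    """Indicators an analyst would propagate: sender domain, full URLs, URL hosts."""
    msg = message_from_string(raw_email)
    sender = msg.get("From", "").strip().lower()
    addr = m.group(1) if (m := re.search(r"<([^>]+)>", sender)) else sender
    urls = set(URL_RE.findall(msg.get_payload()))
    return {
        "sender_domains": {addr.rsplit("@", 1)[-1]},
        "urls": urls,
        "url_hosts": {urlparse(u).hostname for u in urls},
    }

def message_matches(raw_email: str, ioc: dict) -> bool:
    """True when any propagated indicator also appears in this message."""
    found = extract_indicators(raw_email)
    return any(found[key] & ioc[key] for key in ioc)

def sweep_tenants(ioc: dict, tenants: dict) -> dict:
    """Apply one customer's indicators to every tenant (the Norway-to-Houston step)."""
    hits = {}
    for tenant, mailbox in tenants.items():
        ids = [mid for mid, raw in mailbox.items() if message_matches(raw, ioc)]
        if ids:
            hits[tenant] = ids  # message ids to quarantine in this tenant
    return hits

# Constructed mailboxes for three other customers; only the Houston tenants hold
# the lure, one of them from a different sender but the same URL host.
TENANTS = {
    "houston-oilgas-a": {
        "m1": "From: IT Desk <helpdesk@sso-login-renewal.example>\n\nReset: https://sso-login-renewal.example/reset?user=ops\n",
        "m2": "From: hr@houston-oilgas-a.example\n\nSee https://intranet.houston-oilgas-a.example/payroll\n",
    },
    "houston-oilgas-b": {"m7": "From: alerts@mail-relay.example\n\nNotice: https://sso-login-renewal.example/reset?user=shift2\n"},
    "regional-bank": {"m3": "From: hr@regional-bank.example\n\nhttps://intranet.regional-bank.example/payroll\n"},
}
```

Calling `sweep_tenants(extract_indicators(REPORTED_EMAIL), TENANTS)` flags only the two Houston messages, including the one that reused the lure’s host under a different sender.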

Enlisting employees

There’s no question that cybersecurity awareness training, executed well, has value and should continue to be a component of cyber hygiene best practices. In its first few years operating as PhishMe, Cofense delivered training content that dramatically reduced the percentage of employees susceptible to being victimized by phishing: from 50 percent down to 5 percent. Yet, in a large enterprise, 5 percent can translate into a few thousand employees.

For large organizations, the diverse ways people learn tend to work against even the most well-crafted curriculum. “Some of us are visual creatures, some of us learn by reading, it’s different for everyone, and when you have to run training programs at scale it gets quite challenging,” Belani says. “Zero susceptibility is impossible to achieve.”

Contemplating this phenomenon, Belani and company co-founder Aaron Higbee struck on the idea of borrowing from law enforcement’s long-standing see-something-say-something campaigns. They figured, why not enlist employees’ assistance, since they’re the target? Cofense began including a suspicious email reporting tool as a free service to its enterprise customers.

And then Belani and Higbee set out to pioneer a phishing-specific orchestration, automation and response platform to back it up. In late 2020, Cofense formally launched a very distinctive security solution, called the Phishing Detection and Response platform. The Cofense PDR platform extends its legacy PhishMe training modules, based on real-life incidents, to deliver automated quarantine capabilities to stop phishing attacks instantly. The PDR platform is also offered as a managed service to give organizations a choice that best serves their needs.

Human sensors

Cofense’s phishing reporting tool has been delivered, at this point, to around 30 million trained employees around the world, who are generating hundreds of thousands of alerts each week; roughly 15 percent of those reports turn out to be malicious phishing attempts, à la the recent attempts to breach the networks of oil and gas companies in Norway and Houston.

“We just give them an easy button in the email client, whether it’s the mobile client or Outlook or Gmail, where they can just click this button and say, ‘I think it’s suspicious,’” Belani told me. “So, we turn them into human sensors.”

Cofense supports this very specialized email security service, which includes leading-edge automated detection and response capabilities, with five dedicated SOCs operating 24/7 in the US, Australia and Europe. And it designed this service to integrate with existing SOAR, SIEM and XDR technologies — which many large organizations already have up and running and don’t wish to unduly disrupt.

“Our customers understand that we’re willing to plug in,” Belani says. “It’s not that they have to redo any of their processes or do something different. The findings from our offering . . . will go right into their single pane of glass, be it the XDR, or the SIEM or the SOAR.”

Cofense is also working with independent managed service providers (MSPs) who cater to small and mid-sized businesses. Heading into Black Hat, it had just launched Cofense Protect MSP – a service designed to make it easy for MSPs and MSSPs to distribute the horsepower of the Cofense PDR platform to SMBs.

Says Belani: “Our company mission is to Stop Phish. Thus far, we’ve been very focused on the enterprise and upper market. And now we’re moving downstream via our managed services partners — not to compete with them — but to give them all the technology we’ve used in that higher segment and let them leverage it to protect their tens of thousands of SMB customers.”

Phishing won’t tail off anytime soon; having employees, who after all are the targets, serve as lookouts is making a difference, and that’s a very good thing. I’ll keep watch and keep reporting.

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)

*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido.