PhishMe for Analyst
Overall Satisfaction with Cofense PhishMe
We use Cofense PhishMe for capturing user-reported phishing emails. The console is used in a Security Operations Center environment 24x7x365. Basically, the information security team handles the administration and the reported-email triaging part. The Cofense PhishMe plugin is installed on the email client of all users so that they can report a suspicious email directly from their email client.
We triage the suspicious/malicious reported emails using the different fields it provides, like the headers, body, URLs, and attachments sections. We write custom YARA rules for easy automation.
It addresses the main concern that emails have become a major vector for malicious attacks; for raising user awareness and then catching the bad guys, we need assistance from a tool like Cofense PhishMe.
Pros
- It gives clear-cut segregation of different parts of an email, header, text and HTML body, URL, attachments, HTML preview and some analytical insight like "similar reports." This distinctive approach actually helps reduce data overload during an analysis.
- The URLs captured here pass through an automatic reputation check [in our case VirusTotal] and get a reputation tag. If it is a well-known bad URL, the tag helps us make the decision quickly.
- For creating automation rules on the reported emails, the "Recipes" section is really helpful. We can create simple recipes [or rules] to handle a huge flow of reports, and we can also create more sophisticated rules based on the cyber intelligence feed to catch the really bad, currently less-known attack attempts by malicious emails.
- The "Threat Indicators" section is also useful to use as a threat intelligence source to check the URLs for their maliciousness.
Cons
- Need to add more OSINT APIs to check the reputation of embedded URLs and the hash of attached files.
- "Screen Capture" of the embedded URL links [after clicking on the embedded URL where the URL takes the user] will be really helpful for triaging basic credential harvesting attack scenarios.
- Integration of the ProofPoint email gateway with PhishMe triage will help us determine the volume of email from a suspicious sender. This will remove the need to open another console just to check the number of emails from a particular sender.
- From a normal user's perspective, it's an easy, fast, very, very user-friendly phishing email reporting structure. No need to remember any email address, no need for sophisticated handling of malicious emails while sending/reporting. Just a click and it is done.
- From the admin and analyst point of view: an easy and clutter-free triaging pane, an IOC reputation check facility, a Rules and Recipes section for automation and focused triaging, and notification to the reporter based on the triaging done, which is a really helpful feedback loop.
- Overall: Simple to handle, less learning curve, well managed, less administration time, fewer issues, less maintenance time.
I have not used similar kinds of products previously, so it is hard for me to compare anything here. But for as long as I have used PhishMe, I have loved it. The ease of use, the neat design, and the distinct tabs help reduce the clutter. The learning curve to get comfortable with the tool is very short, so we could start using PhishMe early.
Do you think Cofense PhishMe delivers good value for the price?
Yes
Are you happy with Cofense PhishMe's feature set?
Yes
Did Cofense PhishMe live up to sales and marketing promises?
I wasn't involved with the selection/purchase process
Did implementation of Cofense PhishMe go as expected?
Yes
Would you buy Cofense PhishMe again?
Yes