CarahCast: Podcasts on Technology in the Public Sector

The State of the Phishing Landscape: Why Being Intelligence Led, Human Reporting + AI are a Must to Protect Your Agency

Episode Summary

Listen in and hear how agencies can be equipped with solutions to quickly find, respond to, and remediate phishing attacks in real-time by combining the power of human reporting and high-fidelity AI & machine learning.

Episode Transcription

Speaker 1: On behalf of Cofense and Carahsoft, we would like to welcome you to today’s podcast focused around The State of the Phishing Landscape: Why Being Intelligence-Led, Human Reporting + AI are a MUST to Protect your Agency. Cofense's Keith Ibarguen, Chief Product Officer, and Mollie MacDougall, Director of Product Management, alongside Carahsoft's Nikhil Gupta, will discuss why threat intelligence is so valuable, and how agencies can overcome a rapidly evolving threat landscape to effectively defend themselves.

Nikhil Gupta: Thank you so much, everyone, for joining us today. I'm joined by two wonderful experts today, and I'll get things started in just a second. But, you know, I'm very excited to get this conversation underway, and obviously to talk about today's topic, phishing, of course, and the state of the phishing landscape, right? Why human reporting and AI are both going to be required to protect your agency, right? And we're going to kind of dive into a lot of those details. We're going to talk about the state of phishing today, we're going to talk about, hey, you know, what some of the solutions are, what some of the challenges are, what some of the ways forward are, and, again, that human versus AI element, or the human with AI element, you know, to ensure proper security. So, I have the pleasure again of introducing myself and both of our panelists. They know a lot more than I do, so you guys are in for a great treat with a good discussion. Briefly, for myself, I am the Demo Specialist Team Lead at Carahsoft. I specialize in our core cyber division with a lot of cybersecurity solutions. I've been at Carahsoft for about four years now. Some of you may recognize me from a different webinar you may have watched. So obviously this one is co-sponsored with Carahsoft and Cofense. And with that, I'm going to introduce both of our panelists today, both from our partnership with Cofense. You know, a lot of you may know them as the elite phishing defense platform. So first off, we'll start with you, Keith, Keith Ibarguen. He has over 25 years of diverse technical and managerial experience. As you can see, right now he is the Chief Product Officer of Cofense. He most recently served as the chief engineer for the law enforcement and domestic security division at the MITRE Corporation. So obviously a long history of working in the space. 
He's worked to develop and enable novel solutions across a number of MITRE sponsor and internal programs since the start of his career, leveraging his expertise in cyber operations, enterprise security, software development, and of course, enterprise IT design and deployment. Throughout his years of working in service, he's led activities in the DoD, the intelligence, and the law enforcement communities, as well as partnered with numerous not-for-profit and commercial firms. He is a leader in building and running agile teams. He's also worked closely with MITRE's corporate leaders to evolve and advance MITRE's brand, strategic direction and future roles as a leading manager of federally funded research and development centers. As Chief Product Officer, Keith obviously will bring extensive working research and understanding of the subject. He's worked with customers, executed advanced solutions at Cofense, and of course, built and led leading dynamic teams in the Cofense family. So Keith, thank you for joining us. Welcome. It's a pleasure to have you.

Keith Ibarguen: Thank you, Nik. Very good to be here. 

Nikhil Gupta: Perfect. And then as well, thank you, Keith. The last panelist we'll have for today is Mollie MacDougall. She is the Director of Product Management for Cofense Intelligence, so she's leading that development within the Cofense team, and she oversees the production and strategic development of all of the Cofense Intelligence products. Her mission is to ensure customers have the phishing intelligence they need to inform and implement an effective, proactive phishing defense strategy. Mollie has a background in intelligence policy and strategic analytics, of course, with prior experience at the United States House of Representatives and the United States Department of Homeland Security. So obviously, tons of experience in this space. Mollie also holds a Master of Arts in Law and Diplomacy from the Fletcher School at Tufts University. So shout out there. Mollie, thank you so much for joining us. It's a pleasure to have you as well.

Mollie MacDougall: It's wonderful to be here. Thank you.

Nikhil Gupta: Perfect. So those are our speakers, and that's myself, of course. We have a great discussion for you guys. And, you know, let's get into it, right? Without further ado, right. I know we have the full hour almost, but we have a lot to talk about. So, you know, I'm sure Mollie and Keith are definitely going to give you guys tons of insights in the space. And, again, happy to have them here with us. So let's go ahead and get started, Mollie and Keith, with the first question, if you guys don't mind, if you guys are all ready to go.

Keith Ibarguen: Nik, thank you very much for that introduction. It's excellent. And I think one of the things that you touched on is, you know, the public space that we've been in for a long time, the public sector that we've been supporting so much. And one of the beauties of working at Cofense is that it took that sort of focus on the mission that you see often in the public sector and brought it to a career outside, working for Cofense. And I guess I have the honor of having Mollie be the first person that I ever met in Cofense when I first joined the company at the end of 2018. It's been a good ride ever since. Before we set the stage here, first off, I did want to thank you, Nik. So thank you guys, and Carahsoft as well, for your partnership with us, and of course the audience. Thank you guys very much for being here. Getting into setting the stage for the conversation and for the questions, Nik, that you're going to be diving into: one of the things that Mollie and I were talking about before the conversation, and, you know, obviously very much on our forebrain, and around the world on everyone's forebrain, is the Ukrainian conflict that's going on. And we will touch on that from a phishing perspective as we go through this conversation. That's not going to be the exclusive focus of this conversation, though the fact that it isn't the focus doesn't really diminish our thoughts and prayers for that region. You know, we're feeling for the Ukrainian people. And as this conflict evolves, there are going to be numerous implications around the cybersecurity space, the impact of sanctions, fiscal impacts, the regional impacts, of course, across Europe and the world. And as that evolves, we're going to be continuing to put out blog posts and notifications through the various channels from Cofense's marketing team and Mollie's intelligence team to stay on top of that. 
So even though we may not be touching on that throughout, check in with us on a regular basis, and we'll be updating it through that forum. Swinging back to the topic at hand here, the challenges that we all face in the public sector: you know, the DoD at large is a massive ecosystem, it's got a huge footprint. And so the amount of vulnerability that exists across that ecosystem, obviously, is invariably large as well. There are tremendous numbers of partnerships, supply chain challenges, and the like, obviously, technology and so forth. As we've been going through for the past couple of years, with COVID emerging and so forth, there's been an enormous pivot to the cloud, certainly in the private sector, but also in the public sector. Agencies across the board are moving very quickly to the cloud. And that's changing the landscape a little bit as we're seeing it evolve. And we'll talk a little bit about the COVID threat and the things that have been emerging over the past couple of years. But certainly the public sector is highly impacted by that sort of demographic shift from an office-based populace to a more distributed one. The other thing that I think is really interesting from a public sector perspective is there has been a tremendous amount of energy and money and so forth spent on deploying technology to help defend ecosystems. And, you know, in some cases, the deployment of that technology has made a dent. You know, obviously, you deploy technology, and it can improve things, for sure. It also can create friction, in particular in areas where there are limited resources in your security operations center, where there's a lot of complexity in the ecosystem. When you introduce additional technology, not only are you, for every line of code, potentially introducing an attack vector, but you also introduce complexity into that ecosystem. 
And that can affect how quickly you can respond. It's difficult to orient in very complex environments, it's very difficult to decide where you're going to go next. And it's always difficult to act if you don't know how to take the next step. And so that makes a really difficult ecosystem. The other aspect of it, I think, that's really important is that most phishing attacks are delivered through email, and most ground zero activities that result in a breach start with email, start with a phish. And so when you think about that, people are receiving the phish, people are clicking the links, they're following the links, they're executing the malware, whatever it is that happened as a result of that phishing attack. So you can look at this as a human problem. A lot of companies, we hear, say, you know, the humans are the issue, you can take humans out of the loop, and it wouldn't be a problem. Well, you know, humans are why we have the technology. It's a human-machine pairing that we exist within. And so, you know, we certainly recognize the part that human beings play in this whole ecosystem, but they're also a big part of the solution. And we're going to touch on that at length as we go through this conversation. So with that, sort of setting the stage, if you will, I think we can dig into, you know, why this is such a difficult challenge and the like, particularly in the public space. 

Nikhil Gupta: Perfect. Thank you so much, Keith, for that, and, of course, for setting the stage for everyone else. Today is going to be an open panel-type discussion, right? We are going to have questions, and of course, Keith and Mollie are going to share their insights with everything. So thank you, Keith, for all of that. And I know with COVID and just the remote world these days, and of course with all the increase in cyber activity, right, cyber offense activity, things are a challenge. And there's a statistic that I saw: phishing was behind 70% of government breaches, right, in the public sector. That's crazy, right? To me, that shows you how pervasive the problem is, right? And as threat actors continue to innovate their approach, right, to lure these end users with clever emails, my question to you, and for both of you, is, you know, why does phishing remain such a persistent problem in the public sector, right? Well, that 70% statistic is crazy, right? So, you know, share your insights, let me know. I'm curious.


Mollie MacDougall: Absolutely, it's threat actor innovation, and how ripe a target the public sector is. I head our phishing threat intelligence team here at Cofense, and we spend our days looking at campaigns that are reaching end users. That's our specific focus. And so we are hyper-aware of the tactics, techniques and procedures that are effective in getting that phishing email to the end user. And it is a shocking blend of old, tried-and-true tactics and newer, innovative tactics. It's a bit surprising how much runway a tactic will have, though, how long it will work for threat actors. So it's a real mix of finding things that work and will work over the long term, especially when they're using features that are built into our software to enable and improve effective and efficient business operations. When they're able to weaponize those features, that yields a lot of success that can become such a challenge to block without creating a major inefficiency in business operations. And just how ripe the public sector is as a target: you guys are getting targeted from the broadest array of threat actors, from your APTs that want to understand what the US public sector and US government is doing and who's involved with decision making, where some soft underbelly may exist, so from that espionage angle, to hacktivists and activists that would like to create embarrassment, and everything in between. You just have such a noisy threatscape to deal with. And you have so much information, from very sensitive, confidential, Top Secret intelligence, to just massive amounts of PII and even intellectual property. So because of that, the public sector remains a ripe target and always will be.

Keith Ibarguen: Mollie, that's a great introduction and description of why this is so challenging. I mean, that innovation is designed to not only trip up the technology, but also to trip up the human beings that are receiving it, right? There's a really beautiful poem, actually, called "Lost," by a Pacific Northwest writer named David Wagoner, and you can look it up. The idea of the poem is, what do you do when you're lost in a forest? And the reason that people get lost in a forest is because they don't have any context around where they are. And the poem basically says, well, you know, you can't get here from there by running around in the forest and, you know, banging into trees and so forth. You have to sort of stand still and orient, and understand where you are in the environment that you're in, before you can take that next right step. And, you know, in the environment of the public sector, for instance, where there's a lot of rotational staff, what you'll oftentimes see, and we see this across all sectors, is whenever there's a new employee that's dropped into an ecosystem, that, you know, is very much like being dropped in the forest. Right? It is a lot of noise that you don't know how to filter out. And so that's the time when people are often very susceptible. And so with all of that rotation that you see in the government, and particularly that you see in the DoD and so forth, keeping training up, keeping orientation, keeping that focus on what to pay attention to when it comes to the threats that are coming into the ecosystem is super, super important. And we're seeing some of that play out and being recognized by the latest federal cybersecurity guidelines. There's discussion in there on training and ensuring that we elevate the workforce, so if they do find themselves lost in the forest, they know how to get out. They've got a compass in their hands, if you will.

Nikhil Gupta: Definitely. You know, I think providing that compass, especially in the world where, as you mentioned, Keith, you know, the turnover, right, the turnover, I hear it on my end and in my conversations. And Mollie, as you mentioned, right, combining the turnover with the fact that everyone wants to attack us, right, the US, and get their hands on information, you know, that soft underbelly, as you mentioned, right. So yeah, I definitely hear it. But I guess, you know, that being said, right, so, you know, if phishing is pervasive for those reasons, right, who is it coming from? Like, how do we, I guess the next question I want to ask is, how do we truly know our enemy? Right? Is it entirely possible? Or, you know, we're hearing out there why we're being attacked. How does that help us? How do we protect ourselves? How do we know where it's coming from, know the enemy, what type of phishing it is, right? All that kind of stuff.

Mollie MacDougall: I would say we can't entirely know our enemy, just like we can't entirely know each other. I mean, we all have complex brains, we all have our own ability to make decisions, our own motivations, and we can't be inside our enemy's head. We also can't always be really clear on what the objective of our enemy is. And it is that fog of war: the enemy, your opposition, they get a vote. They get a vote in, if they get a certain level of access, what do they do next? They get a vote in how extensive they want an attack to be if they do have access, who they want to target and why. But what we can do is make assessments around what our enemies' objectives are, who our enemies are, based on all of the data points that we collect, that threat intelligence. We try to formulate as much of a puzzle as we can, and the more puzzle pieces that are filled in, the more we can get a sense of the image that we're looking at, or that enemy that we're dealing with. And that can really vary in how much access to that information we have. It's further complicated when your more sophisticated actors can, you know, use techniques that are very low in sophistication, and hide in the noise of generalized cyber-criminal activity up until a point where they need to use their more sophisticated weapons or tactics or tools. So as they're hiding in that noise, it can really cloud our assessment of who is behind certain activity. So one thing that's really important to focus on is not just understanding as much as we can about our enemy, but about the tactics that are effective. That's our strength here at Cofense, because we're looking at what's effective in getting that email to the user inbox. So we're really focusing on what the TTPs are that are working for threat actors ranging in sophistication, that we're seeing really replicate across all of our customers who are getting targeted. 
That's a really important element to this, too. We, of course, want to understand attribution as best we can. We want to understand where we're in the crosshairs, to make assessments around the risk environment, especially as the geopolitical winds shift. However, we also really need to not take our eyes off the prize of the effective TTPs. By that, I mean tactics, techniques and procedures.

Keith Ibarguen: Those TTPs are, I think, something that has been elusive to people for a long period of time. And we're starting to see recognition of needing to not just look at your ecosystem from a set of patches I need to apply on something, or CVEs that I have to deal with, or what have you, but more around: what is the type of tradecraft that is effective, like Mollie was saying, against that ecosystem that I'm defending? I think we've had a history, for probably two decades anyway, where the orientation is more towards, you know, looking at the endpoint, looking at the routing infrastructure, looking at the firewall configurations, and the like. And all of that is very important. However, you're effectively defending your goal net by facing it, if you're doing that, right? I mean, you're not looking at what's coming at you, you're looking at what's already hit you. And so what I think is beautiful about the things that Mollie and her team are doing is they really are teasing out that tradecraft by looking at the activity that's coming at our customers. We are witnessing, you know, the evolution of tradecraft right before our eyes. The other thing that I think is, or should be, of interest to the audience here is that, you know, we do see, as Mollie indicated, a lot of reuse of these TTPs. People doing these activities are people, right? They aren't machines necessarily. There is pain in retooling, and so there's a cost to that. So there is an entire sort of economic calculus that an adversary is doing, a tradeoff analysis, if you will, of "if I put in all this energy, I'm going to get this out." You know, like everyone else, they're going to lean on convenience over something like difficult refactoring and retooling. 
So I think that's something that, you know, we're seeing, and I'm sure, Mollie, you're seeing what's effective, and you can dig into that.

Mollie MacDougall: We'd be here for the rest of the presentation. I'm going to speak to some of the top trends that we saw a little bit, but we're seeing a lot of use of legitimate platforms like Google Drive, OneNote, SharePoint, to deliver phishing campaigns. We're seeing a lot of use of that, like I mentioned before, features within our office suite and other software that we rely on a lot for efficient business operations. And we're seeing some of these features that were built for really great business purposes being weaponized maliciously. Those types of tactics are, like I mentioned, really tough to defend against when it's a huge risk for the organization, in efficiency, to disable those features. So we see a lot of those trends ongoing. And it's interesting to note how we've seen this adapting as well. For example, for ransomware operations a few years ago, we were looking at the predominance of ransomware-as-a-service operations going on. But as law enforcement got better at tracking Bitcoin wallets and Bitcoin payments, as people got better at analyzing and getting information out on these ransomware-as-a-service operating infrastructures, the exposure became really costly to maintain for ransomware operators. So then we saw this shift from "okay, we're going to target everybody for a lower payment" to "okay, we're going to be really selective in who we target and charge a boatload for them to get their files back," so that they could reduce their exposure. And as we've seen that shift in how ransomware operations are conducted, it has had huge implications for our security as well, and made it, I would argue, a bit tougher to defend against than when we were dealing more with the ransomware-as-a-service operations.

Nikhil Gupta: Definitely. You know, as you said, Mollie and Keith, more targeted attacks, but then also using things that we trust, right, as you said, Google Drive. And, you know, I see phishing emails and phishing attacks come all the time, even in my personal life, let alone in business operations. I need to keep Office 365 or Outlook going, and, you know, sending what we think are trusted emails, or receiving them from a trusted person, right, just the recipient getting targeted and having ransomware payloads attached that no one's ever seen before, as you mentioned, because, yeah, as you said, they're reducing that surface. So, you know, I definitely think looking at the tradecraft, looking at the ways they're coming in, and looking at, you know, the human element or the approach of how people are getting hacked, right, rather than going out and understanding, you know, the bad guys necessarily, it's: how can you harden your defense? Or how can you protect against all the TTPs? Right? And so I guess I want to kind of expand upon that, going into a little bit of what you guys obviously provide with Cofense. So how does Cofense identify emerging tactics and techniques, right, that the threat actors use? And, you know, obviously, you guys are on the front foot, but how do you remain on that, right, to defeat them? And what are you guys looking for?

Mollie MacDougall: Yeah. Keith will talk more in depth about how we're approaching the phishing threat, to give some understanding as to what our expertise rests upon. But the intelligence team is essentially taking every campaign that we can get our hands on that has reached an end user and been reported by an end user as suspicious, to stay on top of the most frequent trends that we're seeing in phishing, and to report out IOCs on individual campaigns to help everyone stay as far ahead of these threats as possible. We want our customers to know of an emergent tactic that's being used, or a tactic that may be proliferating and increasing, taking up more market share, I guess, of tactics, techniques and procedures to reach inboxes. That's really important, because as organizations are, I once heard someone describe it as, you know, it feels like we're trying to fight a forest fire with water balloons. And what we're trying to do is provide the spotlighting into where they need to focus those water balloons: here are the hot spots that you want to put out before it grows into a forest fire. And having an organization able to align their resources to the right priorities, to the right major threats that are actually likely to face them. If they're busy focusing on things that their technology is likely to block on its own, that's not where their eyes need to be. They need to be at the tip of the spear of what's working with phishing. And so that's the insight that we're working to provide. But I'm going to turn it over to Keith to talk about how we get that insight, how we have that visibility.

Keith Ibarguen: Sure. Thanks, Mollie. This isn't a marketing pitch by any means, but I do want to at least dive into the way we go about doing some of this stuff. We're very much a proponent of the idea of gathering energy and power and understanding from the collective community we have. You can think of this as crowdsourced threat intelligence. Mollie mentioned that we try to understand what's coming at us from all of our users. And so what we try to do as a company is empower those users. And we think this is an important thing writ large: if you're thinking about how you want to build a cybersecurity, particularly email security, solution, there are elements of this, or principles, that you have to make sure that you nail. One is you've got to ensure that you've empowered your end users to be able to see something and say something. You know, you hear that in law enforcement, "see something, say something." It's the same thing with phishing. And we also want to not only enable that portion of it, but once you've had your user base say something, you want to be able to act on it, you know, basically in real time, very, very quickly, and evolve your understanding of the threat coming at you and respond to it appropriately, in very, very short order. We use the term dwell time often in our conversations, and dwell time indicates the amount of time it takes from when a threat hits an inbox to when we've actually pulled it out of that inbox and mitigated that threat. We want to make that dwell time as tight as it possibly can be. And the only way to do that is to ensure that we not only can recognize something, but we can act on it very quickly. Crowdsourced threat intelligence, the way our CEO, Rohit Ghai, describes it, and I really like the approach that he takes, he likens it to the proliferation of Waze. 
If any of you guys use Waze, the mobile app, when Waze first came out, Waze was a really nice mapping application. You'd load it up, it put you on a map, you know, you could change your car and the color of the car, and all that was cute, and so forth. That's great. But it really didn't become extraordinary until people, until this ecosystem, were able to say, hey, there's a pothole here. I mean, right here, not somewhere on, you know, I-95, but right here, and this is what it is, this is where it's located. Or, you know, there's a speed trap here, or a construction zone here. Once you got the entire community contributing to that big picture, everybody was getting value from that. And that's exactly the same model that we use. We have 30 million plus people who are effectively Waze users driving around in the car. They're sitting in their Outlook client, clicking the report button, which is effectively dropping pins on the Waze map. It's equivalent to that. We train those users through simulations to ensure that they can recognize as many of those opportunities to report as possible. And we also then take that information, and this is where Mollie's team comes into play: they get visibility into all of those pins that were dropped. Inside the Waze application, those go up to a central enrichment service that then allows them to distribute that information out to the rest of the ecosystem. And I'm not going to talk about the individual products, per se. I'll talk about effectively what they do and why they're important to a cohesive phishing defense program. I'll start with PhishMe. PhishMe is our training ecosystem. It allows you to send simulations to your users so they can recognize a pothole, if you will. Reporter is the pin-dropping tool, if we're going to stick with the Waze analogy, that allows that user to say, hey, I don't like this, this doesn't feel right, let me report it. Triage is the tool that catches that report. 
It's effectively the cloud service that we would use to say, yeah, that's a valid and legitimate, you know, pin drop. No, obviously there are no pins that should be dropped in the middle of the ocean that say there is a, you know, a pothole. So they clean all that stuff out, and they focus on the stuff that's truly bad. Triage is built to get to bad really, really quickly. And Vision is designed for, once you've found something bad, how do I get it out of my ecosystem? The obvious next question for anybody that runs a SOC is, oh, I've got a phish in my ecosystem, I know this is bad, who the heck else has got this thing? Historically, that takes hours at a minimum, usually days, oftentimes even weeks, and some people don't even bother. They just, you know, they'll say, oh, well, there's a URL in this email, let me just throw a firewall rule up and I'll block it on the outbound. You know, that's still leaving that threat inside your ecosystem. People can forward those emails, they can be reused, they can bring them home, whatever. That, we think, is a bad idea. Vision lets you search and quarantine and mitigate that threat. So when you think about the OODA loop, if you're talking DoD, that's the Act side of the OODA loop. Triage is the Orient and Decide side of it. Validator is a tool that uses our threat intelligence information to test your SEG stack, your secure email gateway stack. So what it does is it takes the real threats and sends them into your ecosystem, to a predefined inbox inside your enterprise. That inbox is designed to be safe to receive valid threats. It actually responds back to Validator to say, yeah, I got it, and it deletes immediately, so it doesn't dwell in your enterprise. 
But what that does is it creates a closed-loop process to see what makes it through your secure email gateway. It's a very powerful tool to determine how to tune. It's a very powerful tool to say, if you're making a decision as to whether or not you want to stack SEGs, a lot of organizations will say, I want Microsoft E5, I want IronPort, and I want a Proofpoint box in a row. We find that that's really just throwing money away. You don't get a lot more value out of that. And Mollie's actually going to touch on that a little bit later.

Mollie MacDougall: I think that, like, the two biggest takeaways here are that phishing defense absolutely requires a human reporting element in conjunction with technology that can eliminate as much of the threat from the get-go as possible. But what we see is that threat actors will innovate. And you will always need to have your users educated to identify and report those suspicious campaigns. Because without them being reported, you can't know who else may be targeted in the organization. You need that feedback loop 100%. You need to be able to launch a quick investigation and get a quick-turn analysis so that you understand threats that have reached your users and are in your environment. That is absolutely critical. And the second thing is that, like, we can't be waiting for a silver-bullet technology that will completely obliterate the phishing threat. It's too iterative, too innovative. That's why, Nikhil, you cited that stat earlier that 70% of public sector breaches are assessed to have originated from phishing campaigns. That's exactly why. And so this is what we really, really want to drive home. And then the third point is we wanted to show you why we feel so confident speaking to those points to you all today. It's because of the abundance of phishing threats that we are seeing, analyzing and getting reporting out to our customers on every single day. The volume is incredibly high. And as we've seen more technology arrive on the scene, we're not seeing it decrease. So we need to empower ourselves to stay on top of it, to keep the threat in check and to be available for that tip of the spear. Technology helps us be available at that tip of the spear, but the tip of the spear will always require human eyes.

Keith Ibarguen: Thanks, Mollie. I think you nailed it; you closed the circle really nicely. So I think it really is that total view of both technology augmenting humans and humans augmenting technology. It's that interplay back and forth that allows that rapid evolution. For technology to keep up with that emerging tradecraft, you have to have the people in there recognizing that, to be able to drive that loop. Tech is important. I mean, I'm a bithead with the best of them. But I also recognize that it's not the be-all and end-all.

Nikhil Gupta: Yep, yeah, exactly, Keith and Mollie. I was about to say, you know what, zero-days, right? And something that we've never seen before, right? That's where you need the human element to do that reporting. And if you just look at any major framework when it comes to Zero Trust, or NIST, right? Everyone says, hey, you can't just get away with detection, right? You need protection, proactive reporting, right, and you need to be able to train. I think training is one of the biggest things that people lose sight of, just because it hardens your agency, right, it hardens everything you're trying to do. And it's gonna be your best defense against anything like that.

Keith Ibarguen: And it's training, it's training with your users, but it's also training with any of the AI algorithms that you might have deployed as well. I mean, we just purchased a company that does computer vision, AI detection, machine learning detection. And one of the big reasons that we were really interested in this company is the amount of data that we have that can be used to train those models. It's not just human training. It's both.

Nikhil Gupta: Yeah.

Mollie MacDougall: Yeah.

Nikhil Gupta: Perfect. Yeah. So, you know, I want to take a step back. Obviously, good points, everyone. I want to mention a couple of things. So one thing top of mind that I wanted to bring up to you guys is, I know Cofense obviously does its annual phishing report. I know it's a big thing that I actually look for personally, and I know a lot of the team does. And so I just wanted to ask, briefly, what are two or three key findings that definitely stand out from that? And, you know, maybe shed some light on that for us?

Mollie MacDougall: Certainly. And the report will be released in the coming two weeks, so you'll be able to dig much more in depth on any of the things I'm about to speak to. A few things really stood out. First is the predominance of credential phishing threats across what's reaching end users. Credential phishing campaigns reach end users at a much higher rate. And we know this both from the view of our Phishing Defense Center and from our Validator product just mentioned. Our Validator product is basically sending campaigns that the intelligence team has put out reports on into our customers' environments to see what gets through. And here you can see that those campaigns, credential phishing type campaigns, definitely reach end users at a much higher rate. Our Phishing Defense Center operates Triage and Vision for its customers, so essentially their customers' users report a suspicious phish, our Phishing Defense Center does all of the analysis on reported phishing campaigns, lets them know what was a threat and what wasn't a threat, and removes and quarantines those threats in their customers' environments. Last year, of campaigns that were reported into our PDC, 67% were confirmed to be credential phishing campaigns. Interestingly, of those, 52% were Microsoft-branded, which makes sense. And the number is actually likely higher than that: we only catalog a campaign when we can absolutely confirm what type of campaign a suspicious phish was. Sometimes we'll get something reported, it looks like a phish and it smells like a phish, but the page has been taken down, and so we can't do a full analysis. We won't then catalog that as a credential phish. But of those, it's very likely we have an even higher representation of credential phishing campaigns. 
And so they are extremely prevalent. They are easy for threat actors to send out, and it's much cheaper for threat actors to change the infrastructure that's hosting a credential phishing landing page than, say, malware infrastructure and C2 infrastructure, and much more nimble. So it's kind of cat and mouse between phishing threat actors and security researchers and organizations. It's just so easy to set up a new credential phishing page and stay a step ahead. And then also, the value of getting the keys to the castle is immense. So that's why we see credential phishing at such a high rate. A second key takeaway, I would say, from this report is that phishing defense can't be event-based. We have two really good examples of this. One is ransomware, how ransomware has shifted. There's now a lot more space between the phishing event and gaining access to an intended target, whether that's by ransomware operators themselves or by other cyber criminals who will then sell that access to a ransomware operator. There's much more space between the phishing event and a ransomware deployment onto an intended target's network. That means that when you're asking about ransomware IOCs, you're already behind the ball. You need to be always at the helm of your phishing defense and always on alert, because that is so far upstream of the ransomware event. The second great example is the Ukraine-Russia conflict. As the Russians were launching their invasion of Ukraine, we got a lot of questions from the public, from journalists, some from customers, around, you know, what is the phishing threat now, as this Russian invasion is occurring? And any access that the Russian government or military wanted to have lined up to use as part of the conflict, they would have already had. 
So to be asking, okay, what do we need to do in reaction to the news unfolding that an invasion is taking place and our understanding of the geopolitical landscape and the threat landscape is changing? We can't be in reactive mode all the time, or we're too late. Like I said, if there was going to be a large cyber warfare angle to this conflict, which we have not seen to date, but if there were to have been, that access would have already been achieved. And for all we know, they may have had, or may still have, options on the table with a cyber nexus. I have a theory as to why we haven't seen that so far. And then third, SEG limitations and single-technology limitations are another key takeaway from our report. This is sourced from our Phishing Defense Center. And here you can see the breakdown of different threat types that we've seen reach different secure email gateways, and we don't pick on one. The reason that we don't show which SEG let through the most is that, you know, some SEGs have more market share than others, and so it would look worse for them than for smaller SEGs, and we're not in the business of favoring one or the other. But you can see some evenness across the board around the types of threats that are reaching end users across different secure email gateways. And so again, to reiterate a point that we've really stomped on, probably ad nauseam at this point: you have to have those human reporters at the ready.

Nikhil Gupta: Perfect. Mollie, thank you so much, obviously, for going through that report and going over some of the details. Okay, so I think with that, you know, I can't believe we're at the end of our time, of course, but, you know, Mollie, Keith, thank you so much for a wonderful discussion.

Speaker 1: Thanks for listening. If you would like more information on how Carahsoft or Cofense can assist your organization, please visit www.carahsoft.com or email us at cofense@carahsoft.com. Thanks again for listening and have a great day!