Agari Incident Response


Hi, I’m Mike Jones. I’m the Senior Director of Product Management at Agari and the Product Manager for our Incident Response product.

Responding to employee-reported phishing messages is the most inefficient and unproductive use of your SOC’s time. SOC analysts have to spend a lot of time in an Outlook mailbox looking at these reports. They have to decide whether this is a truly malicious message or whether the employee mistakenly reported a benign bulk email or spam message. To do this they go through many manual and repetitive tasks multiple times a day. And while they’re spending all their time in this mailbox triaging these messages, dozens of other people in your company could have been compromised by the same campaign.

With Agari Phishing Response™ you’ll never have to sit in that Outlook mailbox again. We’ll give you a triaged view of all of the reports that come into your organization at a glance with all of the elements of the message already automated.

First, you’ll get a quick view of what the message looked like over here on the right side of the screen. Next, we’ll give you a view of all of the elements of the message pre-triaged, like the links, attachments, domains, IPs, and the trust assessment from Agari Phishing Defense™. We’ll also show you how many other employees in your organization received a message as a part of that campaign. You can quickly identify false reports of benign bulk email by seeing that there are no malicious elements in the message, that it has a high trust score, and by looking at the text of the message. You can quickly close these from the triage screen without spending any more time on them.

Let’s go back up to the top and look at one of our malicious messages. In this message, you can see that it looks like they’re asking you to do something with an invoice. When we look at the elements of the message, we can see that we have identified a bad attachment in this message through VirusTotal, Lastline, and Hybrid Analysis evaluations. You can also see that two of the three domains in the message were triaged as high risk. One of the IPs in the receive chain had a low reputation, and the Agari Phishing Defense trust score is very low. In addition, eight other people within your organization also received this message.

So, let’s analyze this bad attachment a little more. We can click into the attachment to see the details. Here you can see all of the engines in VirusTotal that determined this to be malicious, along with the output from the Lastline scan and the Hybrid Analysis scan.

Now that we’ve seen the negative elements of the message, we want to spend some time looking at the impact of the campaign on the other eight people who received it. So, we’ll click on the Impact tab, and first we get a visualization of those messages. These octagons on the outside represent groupings of messages based on the “subject” and the “from” domain, and then the common elements between those sets of messages. Scrolling down, we can see in the table all of the messages that are part of the campaign.

Now that we know what was in the campaign, we can quickly remediate these by going over and enforcing the messages. We’ll select all the messages and choose to delete all of these messages and now they are removed from our users’ inboxes.

Now that this campaign is remediated, let’s close it out and then we can go over and take a look at a summary of all the work that our SOC has done in the Executive Overview. The Executive Overview is a summary of closed investigations over time that your SOC has dealt with. At the top we start by looking at the investigations that have been closed as malicious investigations. You get a quick view of the total number of reported messages, the total number of messages that Agari has discovered for you beyond the reported messages, and the ratio of discovered to reported messages as part of the discovery factor.

Moving down we give you a view of the impact and the risk reduction in your organization by using Agari Phishing Response. We’ll show you how much time you spent on malicious investigations and how much total time you saved through the efficiencies gained with Incident Response. And then finally we’ll give you a summary of all investigations comparing malicious to benign to spam messages.

So, as you can see, Agari Phishing Response will drastically increase the efficiency and the effectiveness of your SOC analysts in dealing with employee phish reports.
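The demo describes a triage pipeline: pull the links, domains, relay IPs and attachments out of a reported message, group messages into a campaign by subject and from-domain, count the copies the reporter never saw (the "discovered" messages), and report the discovered-to-reported ratio as the discovery factor. The script below is an added illustration of that workflow and is not Agari's code. It runs on a constructed mailbox of 11 messages (9 copies of an invoice lure, of which one is reported, and 2 copies of a newsletter, of which one is reported); the KNOWN_BAD_DOMAINS, LOW_REPUTATION_IPS and RISKY_EXTENSIONS sets are stand-ins for the VirusTotal, Lastline, Hybrid Analysis and IP-reputation lookups shown in the demo, the subject normalization is assumed, and "discovery factor = discovered / reported" is an assumed reading of the demo's description.

```python
"""Added example (not Agari's code): triage of employee-reported phishing messages.

Parses RFC 5322 messages, extracts the elements an analyst looks at, clusters
reports into campaigns by (normalized subject, from-domain), finds unreported
copies in the mailbox, and computes a discovery factor (assumed definition).
"""
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")
IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")

# Constructed intel (stand-ins for VirusTotal / Lastline / Hybrid Analysis / IP reputation).
KNOWN_BAD_DOMAINS = {"invoice-portal.example", "secure-docs.example"}
LOW_REPUTATION_IPS = {"203.0.113.7"}
RISKY_EXTENSIONS = {".zip", ".iso", ".js", ".htm"}


def build_message(to, subject, sender, relay_ip, body, attachment=None):
    """Build a constructed sample message as raw RFC 5322 text."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = to
    msg["Subject"] = subject
    msg["Received"] = (f"from relay.example ([{relay_ip}]) by mx.corp.example; "
                       "Mon, 1 Jan 2024 09:00:00 +0000")
    msg.set_content(body)
    if attachment:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_string()


def parse_message(raw):
    """Extract recipient, from-domain, links, link domains, relay IPs and attachment names."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = str(msg.get("From", "")).split("@")[-1].rstrip(">").lower()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    urls = URL_RE.findall(text)
    domains = sorted({urlparse(u).hostname for u in urls if urlparse(u).hostname})
    ips = [ip for hdr in msg.get_all("Received", []) for ip in IP_RE.findall(str(hdr))]
    attachments = [part.get_filename() or "" for part in msg.iter_attachments()]
    return {"to": str(msg.get("To", "")), "subject": str(msg.get("Subject", "")),
            "from_domain": from_domain, "urls": urls, "domains": domains,
            "received_ips": ips, "attachments": attachments}


def campaign_key(parsed):
    """Campaign = normalized subject + from-domain (the grouping the demo's Impact view uses)."""
    subject = re.sub(r"^\s*(re|fw|fwd):\s*", "", parsed["subject"], flags=re.I).strip().lower()
    return (subject, parsed["from_domain"])


def risk_indicators(parsed):
    """Return the reasons a message would be flagged; an empty list means nothing bad was found."""
    reasons = [f"high-risk domain {d}" for d in parsed["domains"] if d in KNOWN_BAD_DOMAINS]
    reasons += [f"low-reputation relay {ip}" for ip in parsed["received_ips"] if ip in LOW_REPUTATION_IPS]
    reasons += [f"risky attachment {n}" for n in parsed["attachments"]
                if any(n.lower().endswith(ext) for ext in RISKY_EXTENSIONS)]
    return reasons


def triage(reports_raw, mailbox_raw):
    """Group reports into campaigns, score each, and count unreported copies in the mailbox.

    discovery_factor = discovered / reported is an assumed definition of the demo's metric.
    """
    mailbox = [parse_message(r) for r in mailbox_raw]
    campaigns = {}
    for raw in reports_raw:
        report = parse_message(raw)
        c = campaigns.setdefault(campaign_key(report), {"reported": 0, "reporters": set()})
        c["reported"] += 1
        c["reporters"].add(report["to"])
        c["indicators"] = risk_indicators(report)
    for key, c in campaigns.items():
        recipients = {m["to"] for m in mailbox if campaign_key(m) == key}
        c["recipients"] = sorted(recipients)
        c["discovered"] = len(recipients - c["reporters"])
        c["discovery_factor"] = c["discovered"] / c["reported"]
        c["verdict"] = "malicious" if c["indicators"] else "benign"
    return campaigns


# Constructed mailbox: 9 invoice lures (3 domains, 2 bad; bad relay; .zip) and 2 newsletters.
INVOICE_BODY = ("Please review the attached invoice and confirm at "
                "http://invoice-portal.example/pay or http://secure-docs.example/view\n"
                "Questions: https://www.corp.example/helpdesk\n")
NEWS_BODY = "This month's update. Unsubscribe: https://www.newsletter.example/unsubscribe\n"
MAILBOX = [build_message(f"user{i}@corp.example", "Invoice 4471 overdue",
                         "Accounts <billing@invoice-portal.example>", "203.0.113.7",
                         INVOICE_BODY, ("invoice.zip", b"PK\x03\x04 constructed"))
           for i in range(1, 10)]
MAILBOX += [build_message(u, "March newsletter", "News <news@newsletter.example>",
                          "198.51.100.5", NEWS_BODY) for u in ("user1@corp.example", "user2@corp.example")]
REPORTS = [MAILBOX[0], MAILBOX[9]]  # user1 reported both the lure and the newsletter

if __name__ == "__main__":
    for key, c in triage(REPORTS, MAILBOX).items():
        print(key, c["verdict"], "reported", c["reported"], "discovered", c["discovered"],
              "factor", c["discovery_factor"], c["indicators"])
```

The benign newsletter report closes on its own: no flagged domains, relays or attachments, so the verdict is benign even though a second copy exists. The invoice report yields a malicious verdict, eight discovered recipients beyond the reporter, and a discovery factor of 8.0, the numbers the demo walks through; a remediation step would act on the returned recipient list.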