Fidelis Blog

Gerald Mancini
Chief Strategy Officer

Gerald (“Jerry”) Mancini is Fidelis’ Chief Strategy Officer. He brings valuable experience building and leading product development teams in his tenure with Fidelis. Prior to joining the...


Phind and Phight! Detect Phishing in Minutes vs. Months

Watch out! They’re coming for your sensitive data. And your cyber adversary’s job is easier than ever with increasingly remote workforces and the proliferation of BYOD devices on the corporate networks. Remember, it takes just one weak link …

As of 2020, phishing is by far the most common attack performed by cyber-criminals, with the FBI’s Internet Crime Complaint Center recording more than twice as many incidents of phishing as of any other type of computer crime.

On the flip side, while you may be armed to the hilt with more security tools than you can shake a stick at, it can still take anywhere from 280 to 315 days for an organization to detect and contain a breach caused by a malicious attack. The preponderance of security solutions can create more work for people, not less. Security teams are inundated by alerts indicating potential incidents. These products don’t come with job requisitions. They do come with alert overload. To make matters worse, phishing detection is typically spread over multiple solutions, relying on email gateways for SMTP and POP, while web analysis products are required for web-based email. The threat is the same, yet multiple products with multiple decision processes require more staff and expertise.

Defenders can’t quickly validate whether an alert is real or not because they have little context – or useful insight – from the alert. Without that context, it’s a challenge to determine the potential impact of that alert. Plus, it can often take days or weeks to retrieve and analyze threat data. 

Metadata is Your Secret Weapon

Rich metadata can answer many questions about what is happening and has happened on your network. It is yet another way that Fidelis Cybersecurity helps to shift the advantage from your cyber adversary to you. In fact, metadata is the answer to some of the most challenging questions defenders face:

  • How can I find everyone who received a phishing email?
  • How do I verify that we haven’t already been compromised by a particular tactic?
  • How do I protect against phishing in both web-based and corporate email without additional overhead?
  • How do I detect credentials in the clear?

Phishing is a prolific threat. Where there is one phishing email, there have been many more. Metadata can help you figure out who else would have received an email with a similar subject line and “from” address. 

Context Helps You Detect Phishing in Minutes

Fidelis Network® captures rich metadata about every event it sees on the network over all ports and protocols in a single solution. Using this metadata, you can easily conduct an incident response exercise to scope the event and gain the context necessary to act on the alert. Fidelis Network’s dashboard enables you to see a number of malware alerts and easily pivot from alert to root cause in only a few clicks. You also get details about related alerts, giving you even deeper insight into the active threats against your organization. 

The extensive forensic information provided in the alert detail facilitates and expedites the investigation process. This allows users to put context around an alert to answer questions such as:

  • Where did the phishing email originate? 
  • When did our users receive it? 
  • Which users received it? 

The decoding path and channel attributes reveal further aspects of the event, such as the sender masquerading as “Company Y”, and can be used to search for related events in the environment. A couple of pivots and a few quick searches, and you detect phishing in minutes. In fact, with Fidelis Network metadata, in less than two minutes you’re able to find all the phishing emails related to an event.
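As an added illustration (not Fidelis code; the field names and sample records are constructed), the scoping described above, expressed as a search over email session metadata: messages are grouped by normalized subject and display name, and senders whose address domain does not match the name they claim are flagged as masquerading.

```python
import re

# Constructed sample of email session metadata; field names are assumptions.
RECORDS = [
    {"ts": "2021-03-01T08:02:11", "channel": "smtp", "from_name": "Company Y Billing",
     "from_addr": "billing@company-y-invoices.example", "to": "alice@corp.example",
     "subject": "Invoice 4471 overdue"},
    {"ts": "2021-03-01T08:02:40", "channel": "smtp", "from_name": "Company Y Billing",
     "from_addr": "billing@company-y-invoices.example", "to": "bob@corp.example",
     "subject": "Invoice 4471 overdue"},
    {"ts": "2021-03-01T08:05:03", "channel": "webmail", "from_name": "Company Y Billing",
     "from_addr": "accounts@cy-pay.example", "to": "carol@corp.example",
     "subject": "RE: Invoice 4471 overdue"},
    {"ts": "2021-03-01T09:10:00", "channel": "smtp", "from_name": "Company Y Billing",
     "from_addr": "billing@company-y.example", "to": "dave@corp.example",
     "subject": "Invoice 4471 overdue"},  # the real partner, not part of the campaign
    {"ts": "2021-03-01T09:30:00", "channel": "smtp", "from_name": "HR",
     "from_addr": "hr@corp.example", "to": "alice@corp.example",
     "subject": "Holiday schedule"},
]

# Assumed known-good domain for each display name the organization trusts.
LEGIT_DOMAINS = {"Company Y Billing": "company-y.example"}

def normalize_subject(subject):
    """Strip reply/forward prefixes and case so variants of one lure match."""
    s = re.sub(r"^(?:(?:re|fw|fwd)\s*:\s*)+", "", subject.strip(), flags=re.IGNORECASE)
    return " ".join(s.lower().split())

def is_masquerading(rec):
    """True when the display name claims a trusted sender but the domain differs."""
    expected = LEGIT_DOMAINS.get(rec["from_name"])
    domain = rec["from_addr"].rsplit("@", 1)[-1].lower()
    return expected is not None and domain != expected

def scope_campaign(records, seed):
    """Find every message sharing the seed's lure that came from a masquerading sender."""
    key = normalize_subject(seed["subject"])
    hits = [r for r in records
            if normalize_subject(r["subject"]) == key
            and r["from_name"] == seed["from_name"]
            and is_masquerading(r)]
    hits.sort(key=lambda r: r["ts"])
    return {
        "recipients": sorted({r["to"] for r in hits}),
        "senders": sorted({r["from_addr"] for r in hits}),
        "channels": sorted({r["channel"] for r in hits}),
        "first_seen": hits[0]["ts"] if hits else None,
    }
```

Starting from the one reported message, the result answers where the lure originated, when it arrived and who received it, across both SMTP and webmail sessions.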

Metadata can Also Reveal Past Attacks 

It really is a magical thing … and it’s vital for stopping attacks on the network. 

Rich metadata allows you to apply new threat intelligence and indicators of compromise to all traffic – including historical traffic – to determine if the organization is affected by the threat. 

Fidelis Network creates and stores a hash of every object crossing the wire, including attachments, compressed files and executables, regardless of file type. Referencing a report containing intel about newly identified malware, we can obtain a list of hashes for malicious files observed in the campaign. Taking a hash from the threat intelligence report, we plug it in, select a timeframe and run a search against all metadata stored by Fidelis Collector. Within seconds, you will know with absolute confidence whether a known threat has impacted your environment. Searches of 90 to 120 days of metadata deliver results in minutes.

Fidelis Network Makes It Simple to Detect Phishing in Minutes

Not only can threat intelligence look backwards, Fidelis Network applies past learnings to future traffic. Simply create a rule for the hash fingerprint to operationalize threat intel data feeds. When an event matching the intel occurs in the future, you’ll automatically get an alert.
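An added example (not Fidelis code) of the two uses of stored object hashes described above: a look-back search over a retained time window, and a rule that turns the same indicator list into alerts on future objects. Field names are assumed, and the hashes are computed from made-up byte strings rather than taken from any real report.

```python
import hashlib
from datetime import datetime

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

# Constructed object metadata as a network sensor might record it (field names assumed).
OBJECTS = [
    {"ts": "2021-01-15T10:00:00", "src": "mail-gw", "dst": "alice@corp.example",
     "name": "invoice.zip", "sha256": sha256_hex(b"constructed lure archive")},
    {"ts": "2021-02-03T14:12:00", "src": "203.0.113.5", "dst": "10.0.0.7",
     "name": "update.exe", "sha256": sha256_hex(b"constructed dropper")},
    {"ts": "2021-02-20T09:00:00", "src": "10.0.0.9", "dst": "files.corp.example",
     "name": "report.pdf", "sha256": sha256_hex(b"benign document")},
]

# Stand-in for the hash list taken from a threat intelligence report (constructed).
REPORT_IOCS = {sha256_hex(b"constructed dropper"), sha256_hex(b"constructed lure archive")}

def retro_search(objects, iocs, start, end):
    """Look back: stored objects whose hash is in the IoC set and whose timestamp
    falls inside the selected window [start, end] (ISO 8601 strings)."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return [o for o in objects
            if o["sha256"] in iocs and lo <= datetime.fromisoformat(o["ts"]) <= hi]

def make_hash_rule(iocs, name="TI-report-hashes"):
    """Look forward: return a rule that yields an alert whenever a newly observed
    object carries one of the listed hashes, and None otherwise."""
    def rule(obj):
        if obj["sha256"] in iocs:
            return {"rule": name, "ts": obj["ts"], "object": obj["name"],
                    "src": obj["src"], "dst": obj["dst"], "sha256": obj["sha256"]}
        return None
    return rule
```

Exact hash matching only confirms byte-identical files; a repacked or recompiled variant of the same malware needs other indicators from the report, so the hash rule is one layer rather than the whole detection.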

Fidelis automates the collection, analysis and storage of your network data so it’s ready for you to investigate immediately. The rich metadata that Fidelis Network captures about every session on your network makes it possible to detect phishing in minutes and investigate suspected incidents in seconds – and gives you answers to questions that were previously impossible to know.

Automated Response is a Critical Component

Phishing detection is only part of the story. An automated response is equally important since it can remove the threat before a user is tempted to read or click the email that opens the door to the attack. 

Using the Fidelis Mail sensor, phishing email can be quarantined or dropped to eliminate the threat early in the attack cycle. With the Fidelis Network sensors, web-based email traffic can be dropped as well, applying a common detection and tuning process across all delivery methods.

Fidelis also operates bi-directionally, to allow analysis of outgoing network traffic to detect later stages of the attack, such as command and control, lateral propagation, and data exfiltration. As a result, Fidelis provides a complete solution over the full attack life cycle, beginning with early detection and response.

Fidelis Network Metadata Gives You Proactive Cyber Defenses

Fidelis Network is a core part of the Fidelis Elevate® platform. It helps users find and neutralize threats before they impact business. This open and extensible active XDR platform was purpose-built for proactive cyber defense. It unifies deception technologies with detection and response on endpoint (EDR), network (NDR), and cloud. Fidelis Elevate uses telemetry, metadata and integrated deception technologies to provide contextual visibility and asset discovery across your IT environment. This helps SOC analysts quickly detect and block attacks, perform deep inspection/analysis of the environment to assess whether any systems have been compromised, and return impacted systems to normal business operations as quickly as possible. 

Not only will you be able to confidently answer the question, “Are we safe?” the next time the CEO asks, you’ll be able to detect phishing in minutes, along with malware, ransomware, and insider threats that other solutions can’t even see.

Learn what is hiding within your metadata and how Fidelis Network and Fidelis Elevate can help. 
