Automated phishing triage with Material and Tines

Thomas Kinsella, Co-founder & CCO, Tines
Chris Long, Director of Security, Material Security

Published on October 17, 2022


At Tines, we understand there’s no such thing as a universal workflow. While there are often some standard best practices, whether carrying out a workflow manually or automating it, every team has a unique approach and set of tools to solve challenges.

This is especially true for security teams, who constantly have to evolve their processes and infrastructure to stay ahead of attackers in a rapidly changing threat landscape. Many organizations still have immature security programs, and phishing remains one of the most common initial-access techniques. Investigating phishing and user-reported emails is still one of the most repetitive tasks security professionals handle.

The goal of phishing detection and response is to identify and block malicious messages that attackers send to gain access to your organization. However, relying solely on blocking inbound messages is no longer sufficient when attackers have multiple ways to compromise an inbox. Material Security takes a different approach: protecting accounts even when suspicious messages inevitably get through. With Material's Phishing Herd Immunity, one employee's report can immediately protect the entire organization with link and attachment speed bumps or blocks, without waiting for a manual security review. Some security teams complement this with deeper monitoring: manually reviewing reported emails to identify ongoing campaigns, or using the API to automate threat intelligence lookups and other context gathering.

Automating time-consuming repetitive tasks including phishing triage is a game-changer if you’re working in a field where repetition and efficiency are crucial to success.

Introducing Material Stories & Action templates

We're excited to share that we've worked with Material to develop prebuilt Stories that you can use and customize via our Story Library. One Story queries the Material API for messages that match a set of conditions and applies red flags to them in the form of speed bumps or suspicious labels. Another retrieves the attachments from messages that trigger phishing events in Material, gathers details about the senders, and analyzes the attachments in VirusTotal.

Within our no-code platform, Tines also offers approximately 20 pre-configured templates for common Material actions. Like the Stories above, these templates let users interact with Material's API without writing a single line of code. To get started, log into your Material admin console, create an API token, and configure an event subscription that points to a Tines webhook. Treat both values as secrets: store the API token as a Tines credential rather than pasting it into an action, and do not publish the webhook URL, since anyone who knows it can post events into the Story.

Triage email attachments with Material Security

Let’s explore a triage workflow for analyzing email attachments. This flow will gather information about email attachments and automatically present a summary of the findings to your security team.

When someone flags an email as suspicious in Material, a case is created in the Phishing Herd Immunity console. A case is a container for messages that share similar qualities (sender, subject, etc.) and can be remediated together. When a case is created, the event subscription sends a notification to the Tines webhook with information about the case. Tines then makes additional calls to the Material API to gather information about the messages in the case, including their attachments. The workflow reports SPF/DKIM/DMARC pass/fail results for each message, VirusTotal lookup results for each attachment hash, and Joe Sandbox dynamic analysis reports.
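The per-message analysis step of that workflow, written as an added example that runs offline in Python (this is not Tines' or Material's code). It takes the raw RFC 5322 bytes of each message in a case, reads the SPF/DKIM/DMARC results from the Authentication-Results header stamped by your own mail gateway (headers stamped by any other host are ignored, since a sender can forge them), hashes each attachment with SHA-256 for the reputation lookup, flags attachment types that deserve a closer look, and rolls everything into the summary handed to the analyst. The Material API fields that would carry the raw message, the gateway name `mx.example.com`, the sample message, and the `RISKY_EXTENSIONS` list are assumptions; the VirusTotal and Joe Sandbox calls are separate network steps and are not made here.

```python
"""Offline triage of the messages in a reported-phishing case.

Added example, not Material's or Tines' code. It assumes the workflow hands
this step the raw RFC 5322 bytes of each message; the Material API fields
that would supply them are not shown here.
"""
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

AUTH_METHODS = ("spf", "dkim", "dmarc")
FAILING_RESULTS = {"fail", "softfail", "permerror", "temperror"}
# Assumed list of extensions that warrant review before anyone opens them.
RISKY_EXTENSIONS = {"html", "htm", "exe", "js", "vbs", "lnk", "iso", "img",
                    "scr", "zip", "rar", "7z", "docm", "xlsm", "pptm"}


def parse_authentication_results(header_value: str) -> dict:
    """Map spf/dkim/dmarc to their result keyword from one RFC 8601
    Authentication-Results value. Methods absent from the header are 'none'."""
    results = {m: "none" for m in AUTH_METHODS}
    # Everything before the first ';' is the authserv-id, not a result clause.
    _, _, clauses = header_value.partition(";")
    for clause in clauses.split(";"):
        m = re.match(r"\s*(spf|dkim|dmarc)\s*=\s*([A-Za-z]+)", clause, re.I)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return results


def trusted_auth_results(msg: EmailMessage, trusted_authserv_id: str) -> dict:
    """Use only the Authentication-Results header our own MX stamped.
    A sender can include headers with other authserv-ids, so skip those."""
    for value in msg.get_all("Authentication-Results", []):
        parts = str(value).split(";", 1)[0].split()
        if parts and parts[0].lower() == trusted_authserv_id.lower():
            return parse_authentication_results(str(value))
    return {m: "none" for m in AUTH_METHODS}


def triage_message(raw: bytes, trusted_authserv_id: str) -> dict:
    """Analyze one message: authentication results, attachments, flags."""
    msg = message_from_bytes(raw, policy=policy.default)
    auth = trusted_auth_results(msg, trusted_authserv_id)
    flags = [f"{method}_{result}" for method, result in auth.items()
             if result in FAILING_RESULTS]
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or "(unnamed)"
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        risky = ext in RISKY_EXTENSIONS
        attachments.append({
            "filename": name,
            "content_type": part.get_content_type(),
            "size": len(data),
            # SHA-256 is the key for a hash-reputation lookup such as
            # VirusTotal; the lookup itself is a network step done elsewhere.
            "sha256": hashlib.sha256(data).hexdigest(),
            "risky_extension": risky,
        })
        if risky:
            flags.append(f"risky_attachment:{name}")
    return {"from": str(msg.get("From", "")),
            "subject": str(msg.get("Subject", "")),
            "auth": auth, "attachments": attachments, "flags": flags}


def summarize_case(raw_messages, trusted_authserv_id: str) -> dict:
    """Roll a case's messages up into the summary posted to the analyst."""
    rows = [triage_message(raw, trusted_authserv_id) for raw in raw_messages]
    # Escalate when a message that did not pass DMARC carries a risky file.
    escalate = any(r["auth"]["dmarc"] != "pass"
                   and any(a["risky_extension"] for a in r["attachments"])
                   for r in rows)
    return {"message_count": len(rows),
            "unique_sha256": sorted({a["sha256"] for r in rows
                                     for a in r["attachments"]}),
            "verdict": "escalate" if escalate else "review",
            "messages": rows}


def build_sample_message(authserv_id: str = "mx.example.com") -> bytes:
    """Constructed sample (not a real phishing message): fails SPF and DMARC
    and carries an HTML attachment. authserv_id lets a test stamp the header
    with a host other than our own gateway."""
    msg = EmailMessage()
    msg["From"] = '"IT Helpdesk" <helpdesk@example.net>'
    msg["To"] = "alice@example.com"
    msg["Subject"] = "Password expiry notice"
    msg["Authentication-Results"] = (
        f"{authserv_id}; spf=fail smtp.mailfrom=example.net; "
        "dkim=none; dmarc=fail header.from=example.net")
    msg.set_content("Your password expires today. Open the attached form.")
    msg.add_attachment(b"hello", maintype="application",
                       subtype="octet-stream", filename="form.html")
    return msg.as_bytes()


if __name__ == "__main__":
    import json
    print(json.dumps(summarize_case([build_sample_message()],
                                    "mx.example.com"), indent=2))
```

The summary dictionary is what you would post to the analyst channel or attach to the case; the `unique_sha256` list is the set of hashes to send to the reputation lookup so that duplicate attachments across a case are only queried once.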


Getting started with Tines + Material

Automating elements of a phishing triage workflow is just one example of what can be accomplished using Tines + Material. Material’s API allows you to search for and retrieve email metadata and take different actions against messages. Applying no-code automation to your security operations and these processes can reduce manual work, save valuable time, and decrease burnout across your SOC. Visit Material's blog for more information.

To get started with Tines, sign up for our free Community Edition or book a demo here. To try out Material’s Phishing Herd Immunity, submit the form here.
