Tim Condello, senior customer success manager at Siemplify, contributed to this post.
A recent study found that 83 percent of global organizations experienced phishing attacks in 2018.
And yet, as high as that number is, it feels low.
End-users continually struggle to identify deceptive emails, and malicious senders are constantly refining their bait so that it looks more legitimate and evades defense mechanisms. This all adds up to phishing being as effective a cybercrime tool as ever.
So, where does that leave the security operations professional? Incessantly besieged, for starters, a feeling that can lead to, among other things, mental fatigue and even burnout. Being in a constant state of alert does no favors for one’s spirit, nor does the time suck involved in a phishing probe.
As our Steve Salinas recently wrote: “Phishing cases are notorious for consuming significant time due to the prep work they require, and their prolific nature is only continuing. The actual investigation of a suspected phishing attack is not all that difficult; however, all the upfront work makes them one of the least desirable cases for an analyst to find in their queue.”
Streamlining the whole process with security orchestration, automation and response (SOAR) software will allow you to automate tedious tasks involved in detecting and responding, such as scouring third-party intelligence feeds and digging through active directory records.
But forgetting about technology for a moment, let’s assess phishing from a table stakes perspective: What are the basic processes you should already have in place to help keep digital impostors at bay?
1) Set up a Spam Mailbox
In the same way that your employees are your weakest link, they are also your first line of defense. End-users are the ones who will be first exposed to phishing attacks that make it past your security tools, so it makes sense that if they see something, they should be encouraged to say something.
A spam mailbox makes the submission process effortless. Instead of a user guessing who to forward a suspicious message to – their boss? The IT guy they know from the lunchroom? Nobody at all? – both parties can be assured the email is going to the right place, allowing you to take immediate action.
2) Maintain a List of Executives
Even though spear phishing – which targets specific people at an organization and, when aimed at high-ranking personnel, is known as whaling – is one of the least common types of phishing attacks, it costs victims the most money. That is because executives typically carry the highest network privileges, and by successfully duping them with custom emails designed to fool the recipient, attackers can score big paydays by persuading them to divulge credentials or click on something they shouldn’t.
Keeping a running list of staff with executive permissions will give more visibility over possible targets, and you can use this registry to quickly classify and prioritize dubious emails coming into your SOC queue.
You may want to extend the list to include members of your accounting and finance teams as well, as they are typically the ones on the receiving end of hugely costly business email compromise (BEC) scams. And keep in mind, this list will help support internal reports that your threat intelligence team can also use.
3) Tag Events
While it’s smart to concentrate on higher-value targets like executives, approaching your phishing strategy in broader terms will also pay dividends. To accomplish this, label phishing events by factors such as how they were received (tool detection, spam mailbox, ad hoc, hunting), what the sender’s end goal was (credential harvesting, malware, whaling – remembering to include the option of false positive) and which lines of business were targeted and may have fallen victim (marketing, human relations, etc.). This will paint a clearer picture of the work the SOC is doing and help your team be more efficient. It will also help inform other teams that are integral to the phishing fight, including threat intel, penetration testing and security awareness education.
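To show how steps 2 and 3 fit together in practice, here is an added example (not code from the original post or from Siemplify) that turns a spam-mailbox submission into a tagged, prioritized SOC case: recipients are checked against a constructed executive/finance registry, and the case is labeled with the received-via, goal and line-of-business tags described above. The registry, department map and sample message are all made up for illustration.

```python
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed registry standing in for the "list of executives" (extended
# to finance staff) that the post recommends keeping. Names are made up.
VIP_REGISTRY = {
    "ceo@example.com": {"name": "Alice Example", "department": "executive"},
    "cfo@example.com": {"name": "Bob Ledger", "department": "finance"},
}
# Department lookup for everyone else, feeding the line-of-business tag.
DEPARTMENT_BY_ADDRESS = {"dave@example.com": "marketing"}

RECEIVED_VIA = {"tool_detection", "spam_mailbox", "ad_hoc", "hunting"}
GOALS = {"credential_harvesting", "malware", "whaling", "false_positive", "unclassified"}


@dataclass
class PhishingCase:
    sender: str
    recipients: list
    tags: dict = field(default_factory=dict)
    priority: str = "low"


def triage(raw_message, received_via, goal="unclassified"):
    """Turn one submitted email into a tagged, prioritized SOC case."""
    if received_via not in RECEIVED_VIA or goal not in GOALS:
        raise ValueError("unknown tag value")
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = [addr.lower() for _, addr in getaddresses(headers)]
    vip_hits = [r for r in recipients if r in VIP_REGISTRY]
    lines = sorted({VIP_REGISTRY[r]["department"] if r in VIP_REGISTRY
                    else DEPARTMENT_BY_ADDRESS.get(r, "unknown") for r in recipients})
    case = PhishingCase(sender, recipients,
                        {"received_via": received_via, "goal": goal,
                         "lines_of_business": lines})
    # A registry match drives priority: anything aimed at an executive or
    # finance mailbox jumps the queue, as the post suggests.
    if vip_hits:
        case.priority = "high"
        case.tags["vip_recipients"] = vip_hits
    elif goal in {"credential_harvesting", "malware"}:
        case.priority = "medium"
    return case


# Constructed sample submission forwarded to the spam mailbox.
SAMPLE = """From: "IT Support" <helpdesk@mail.test>
To: Bob Ledger <cfo@example.com>, dave@example.com
Subject: Urgent: wire approval needed

Please review the attached invoice."""

if __name__ == "__main__":
    print(triage(SAMPLE, "spam_mailbox", goal="whaling"))
```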
4) Document Process and Standardize Case Handling
Last but not least, process documentation is how you ensure all of the steps necessary to address a phishing case are completed by the entire team, spanning all shifts and geographies. Not only will successful note taking help to pinpoint gaps in your people, processes and technology, but it can also be used to onboard and ramp up your analysts so they are ready when the next fishy email makes it past your filters.
Dan Kaplan is director of content and Tim Condello is senior customer success manager at Siemplify.