Phishing attacks are nothing new and a stalwart of the hacker repertoire. The proliferation of phishing attacks both simple and sophisticated continues to frustrate security professionals across the globe. Earlier this year, one of these phishing attacks came en masse in the form of fake Google Docs invites. As word of the phishing scheme spread, the need for a fast, orchestrated response was made clear.
What is Phishing?
In short, a phishing attack is an attempt to steal a person’s private information (such as their social security number, credit card information or bank accounts) through a duplicitous email or other online communication. Although Google claims the attack impacted less than 0.1% of Gmail users, the events set off a barrage of alerts and dropped them on the doorstep of cybersecurity analysts and experts worldwide.
As analysts deal with the growing volume of phishing emails, orchestration stands out as the most innovative and practical solution to this use-case.
From Manual to Automated and Back
A typical mid to large enterprise triages dozens, and often hundreds, of phishing emails a day. Triage typically begins with the email itself, with an alert from a security awareness tool (PhishMe, etc.), or with a report sent to a public phishing mailbox.
Once an attack strikes, an organization typically goes through a tedious, manual process involving the following steps:
- Log/tool queries
- Assessing file reputation
- Checking web intelligence of source IP
- Checking file attachment validity
- Blacklisting/Blocking confirmed phishing attacks
- Manually opening & updating ticketing systems throughout the process
- Scrubbing email servers
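The steps above map naturally onto a small triage pipeline: parse the message, pull out indicators (sender, source IP from the Received header, URLs, attachment hashes), enrich them against reputation data, and produce a contextualized case with a verdict and the containment actions an analyst or playbook would take. The following is an added example written for this article, not code from the original post or from any orchestration product. The message, domains, IP address, attachment and hash are all constructed, and the in-memory reputation sets stand in for the log/tool queries and threat-intelligence lookups a real playbook would make.

```python
"""Phishing triage pipeline (added example; all indicators are constructed)."""
import email
import hashlib
import ipaddress
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed bait attachment; its hash seeds the known-bad set so the
# file-reputation step has something to match.
BAIT_ATTACHMENT = b"%PDF-1.4 constructed bait attachment"

# Constructed reputation data standing in for threat-intel and log queries.
KNOWN_BAD_HASHES = {hashlib.sha256(BAIT_ATTACHMENT).hexdigest()}
KNOWN_BAD_DOMAINS = {"docs-google-share.example"}
KNOWN_BAD_IPS = {"203.0.113.45"}
# Brands a display name may claim, and the domains that legitimately send for them.
TRUSTED_BRAND_DOMAINS = {"google": ("google.com",)}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
BRACKET_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def build_sample_message() -> bytes:
    """Construct a fake 'shared document' lure (hypothetical sender and URLs)."""
    msg = EmailMessage()
    msg["From"] = "Google Docs <share@docs-google-share.example>"
    msg["To"] = "analyst@corp.example"
    msg["Subject"] = "Document shared with you"
    msg["Received"] = ("from mail.example.net (mail.example.net [203.0.113.45]) "
                       "by mx.corp.example; Wed, 3 May 2017 10:15:00 +0000")
    msg.set_content("Alice has shared a document with you.\n"
                    "Open it here: http://docs-google-share.example/open?id=1\n"
                    "Signed in as you at https://accounts.google.com/\n")
    msg.add_attachment(BAIT_ATTACHMENT, maintype="application",
                       subtype="pdf", filename="shared-doc.pdf")
    return msg.as_bytes()


def extract_indicators(raw: bytes) -> dict:
    """Parse the message and collect the indicators each manual step would look at."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display_name, sender = parseaddr(str(msg.get("From", "")))
    sender_domain = sender.rsplit("@", 1)[-1].lower()

    # The topmost Received header is the one our own MX wrote, so its
    # bracketed address is the IP that actually connected to us.
    source_ip = None
    for received in msg.get_all("Received", []):
        match = BRACKET_IP_RE.search(str(received))
        if match:
            try:
                source_ip = str(ipaddress.ip_address(match.group(1)))
                break
            except ValueError:
                continue

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    urls = URL_RE.findall(body)
    url_domains = sorted({urlparse(u).hostname.lower() for u in urls if urlparse(u).hostname})

    attachments = [{"filename": part.get_filename(),
                    "sha256": hashlib.sha256(part.get_payload(decode=True) or b"").hexdigest()}
                   for part in msg.iter_attachments()]
    return {"display_name": display_name, "sender": sender, "sender_domain": sender_domain,
            "source_ip": source_ip, "urls": urls, "url_domains": url_domains,
            "attachments": attachments}


def triage(raw: bytes) -> dict:
    """Enrich indicators, score them and return a contextualized case."""
    ind = extract_indicators(raw)
    findings, score = [], 0
    for att in ind["attachments"]:          # file reputation
        if att["sha256"] in KNOWN_BAD_HASHES:
            findings.append(f"attachment {att['filename']} matches a known-bad hash"); score += 3
    if ind["source_ip"] in KNOWN_BAD_IPS:   # web intelligence on the source IP
        findings.append(f"source IP {ind['source_ip']} is on the blocklist"); score += 2
    for dom in sorted(set(ind["url_domains"]) | {ind["sender_domain"]}):  # domain reputation
        if dom in KNOWN_BAD_DOMAINS:
            findings.append(f"domain {dom} is a known phishing domain"); score += 2
    for brand, domains in TRUSTED_BRAND_DOMAINS.items():  # brand impersonation check
        claims = brand in ind["display_name"].lower()
        legit = any(ind["sender_domain"] == d or ind["sender_domain"].endswith("." + d) for d in domains)
        if claims and not legit:
            findings.append(f"display name claims {brand} but sender is {ind['sender_domain']}"); score += 1

    if score >= 4:
        verdict, actions = "confirmed_phishing", [
            f"block sender domain {ind['sender_domain']}",
            f"block source IP {ind['source_ip']}",
            *[f"quarantine attachment hash {a['sha256']}" for a in ind["attachments"]],
            "purge message from all mailboxes", "open and auto-close ticket with this case"]
    elif score > 0:
        verdict, actions = "suspicious_needs_analyst", ["open ticket for analyst review",
                                                         "hold similar messages pending decision"]
    else:
        verdict, actions = "benign", []
    return {"verdict": verdict, "score": score, "findings": findings,
            "actions": actions, "indicators": ind}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_message()), indent=2))
```

The score thresholds are the point where an organization chooses between fully automated response and analyst supervision: a confirmed case carries enough corroborating indicators to act on immediately, while a single weak signal only opens a ticket and holds the evidence for a human.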
These steps are naturally suited to automation. But it doesn’t end there. To confidently address the full scope of phishing attacks, a broader orchestrated response is essential. Consider an actual use-case where one of our customers experienced a rising volume of phishing email attempts.
Sample Phishing Attack Use-Case
This approach combines the best of both worlds: it accelerates response through automation, yet brings in the analyst where needed, with fully contextualized cases, to confidently address all types of attacks. Organizations with an established protocol in place might be comfortable relying on fully automated workflows for the majority of alerts and cases, while those with more trepidation, or who want analyst supervision, can selectively semi-automate response based on rules or other integrations such as ticketing involvement.
For high-profile organizations and companies that collect and store sensitive information, this surge of phishing attacks is wildly disconcerting. In this case, your best response is full-fledged security orchestration. You simply cannot rely on one method of cyber defense to protect you from the intricacy of today’s phishing attacks. Deploying automation and investigation around these attacks in real time, on one pane of glass within your SOC, has become a necessary step in taking your infrastructure and response to the next level.
Phishing attacks are evasive because they arrive through email accounts and carry content that appears genuine. The pictures and images in a phishing scam may be hardly discernible from those in an ordinary, harmless email. Likewise, when delivered through a popup ad, a phishing attack can strike from within the user experience of the website you're visiting, so its request for information may appear pertinent and relevant. Regardless of the angle from which a specific phishing scheme works, it takes top-of-the-line analysts to properly cluster the common traits and characteristics of attacks. Coupled with orchestration, automation and contextualization, response is maximized. That way, when a rare, high-value phishing attack does happen, a full-fledged, lightning-speed investigation can be underway before the damage is done.
Closing the Loop
The fake Google Docs phishing attack has only validated the FBI’s April warning of email scams while putting the collective cybersecurity world on edge. For high-profile organizations and companies that collect and store particularly sensitive information, this surge of phishing attacks is understandably more disconcerting than it is to the average internet user. This semi-automated approach, which combines automation with full-lifecycle case management within a broader orchestration solution, arms security teams with the best of both worlds to address the growing volume of phishing attacks.