Did you know there were over 1 million phishing attacks just in Q1 of this year? 1,025,968, to be exact! Phishing attacks are getting more sophisticated and involve more clever ways to entice end users to click on those links.
Security operations teams are overwhelmed by the volume of suspected phishing emails and lack the resources to investigate each one thoroughly. Email attacks are at an all-time high as they adapt and change (think business email compromise or vendor email compromise). Security awareness training has raised the number of reported emails, but many of those reports turn out to be false positives.
Over the last two decades, the security industry has made significant progress in recognizing the importance of threat intelligence to an organization, yet security operations teams still struggle to derive value from that data.
We define “Intelligence-Powered Security Operations” as what results when cyber risk and threat intelligence are given a central role in security operations. Infusing threat intelligence into activities across the entirety of security operations makes it possible for security teams to apply their efforts where they will have the biggest impact against the most dangerous threats and the most prevalent attack tactics.
So whether the use case is triaging phishing emails or threat hunting, analysts have timely and relevant intelligence to make smart decisions. Where do you start? How do you bring threat intelligence into your phishing analysis and response?
How Do You Start?
First, we have four phishing principles:
- Automate, Automate, Automate
  - Automation must be at the heart of your strategy. It frees analysts from mundane tasks and lets them focus on proactive work. Automation is built into the ThreatConnect platform so that repeatable, mundane tasks can be automated and orchestrated seamlessly.
- Business Email Compromise
  - Cloud-based BEC solutions are gaining popularity because they offer cost-effectiveness, rapid deployment, and on-demand access to expertise for mitigating advanced threats on email platforms. These services also provide security features such as advanced phishing protection and multi-factor authentication (MFA). ThreatConnect’s automated enrichment adds a further layer of context to any triggered BEC phishing event.
- Diversify your enrichment sources
  - Enrichment is a fundamental step in any phishing cycle. Diversifying your sources lets you see the value each source adds and helps identify gaps in your enrichment coverage.
- Close the threat intelligence loop
  - Emails can populate your threat library with new indicators that can be attributed to adversary groups and used to classify future attacks. New IOCs can easily be stored post-analysis within the ThreatConnect platform.
Secondly, our experts have laid out a five-step plan for combating phishing within the ThreatConnect Platform:
- Ingest the Phishing Email
  - Automatically ingest reported phishing emails directly from abuse mailboxes in O365, Gmail, or on-premises Exchange.
- Parse Logical Artifacts
  - Identify and parse the logical artifacts from the reported message, including headers, body, attachments, and IOCs.
- Enrich from your Threat Intelligence Library, External Sources, and an Optional Sandbox
  - Contextualize artifacts using the aggregated intel feeds within the TC platform and initiate third-party analysis with leading enrichment and sandbox vendors.
- Incident Declaration and Response
  - Coordinate response cycles when signs of maliciousness are identified, including blocking IOCs across defensive controls and notifying key SecOps members via native messaging platforms.
- Reporting and Feedback
  - Generate incident reports capturing case highlights and feed newly discovered intel back into the main intelligence library.
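The five steps above as one added Python example (not ThreatConnect code): it parses a constructed reported message into headers, body, attachment hashes and IOCs, rates each IOC against a constructed stand-in for the intelligence library, declares a verdict, and returns the still-unknown indicators from a confirmed incident so they can be fed back into the library, closing the loop. The sample message, the indicator values and the rating scheme are all constructed for the example.

```python
import email.policy
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample of a reported message as it might arrive from an abuse mailbox.
RAW_EML = b"""From: "IT Helpdesk" <helpdesk@example-corp.com>
Reply-To: reset@login-verify.example.net
Subject: Action required: password expires today
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your password expires today. Reset at http://login-verify.example.net/reset?u=1 or call 203.0.113.45.
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""
# Constructed stand-in for the threat intelligence library: indicator -> analyst rating.
INTEL_LIBRARY = {"login-verify.example.net": "malicious", "203.0.113.45": "suspicious"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def parse_artifacts(raw: bytes) -> dict:
    """Step 2: split the reported message into headers, body, attachments and IOCs."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    headers = {k: str(msg[k]) for k in ("From", "Reply-To", "Subject") if msg[k]}
    body = msg.get_body(preferencelist=("plain",)).get_content()
    attachments = {a.get_filename(): hashlib.sha256(a.get_payload(decode=True)).hexdigest()
                   for a in msg.iter_attachments()}
    iocs = set(IPV4_RE.findall(body)) | set(attachments.values())
    for url in URL_RE.findall(body):
        iocs |= {url, urlparse(url).hostname}
    if "Reply-To" in headers:  # a Reply-To domain that differs from From is a classic BEC tell
        iocs.add(headers["Reply-To"].rsplit("@", 1)[-1])
    return {"headers": headers, "body": body, "attachments": attachments, "iocs": iocs}

def triage(raw: bytes, library: dict) -> dict:
    """Steps 3-5: enrich each IOC, declare a verdict, and return unknowns to feed back."""
    art = parse_artifacts(raw)
    ratings = {i: library.get(i, "unknown") for i in art["iocs"]}
    levels = set(ratings.values())
    verdict = "incident" if "malicious" in levels else "review" if "suspicious" in levels else "benign"
    # Close the loop: only indicators from a confirmed incident are promoted into the library.
    new_iocs = sorted(i for i, r in ratings.items() if r == "unknown") if verdict == "incident" else []
    return {"verdict": verdict, "ratings": ratings, "new_iocs": new_iocs, "artifacts": art}
```

Run `triage(RAW_EML, INTEL_LIBRARY)` to see the verdict, the per-indicator ratings, and the phishing URL and attachment hash that would be written back to the library.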
Without relevant context derived from threat intelligence and automated response actions to remediate identified phishing emails, analysts inevitably face prolonged triage cycles while trying to prioritize, and harmful attacks can spread through the organization before anyone acts.
You can view the on-demand version of this webinar here and hear more from our experts, Lara Meadows, VP of Customer Engineering, and Matt Brash, Customer Engineer, about how Intelligence-Powered Security Operations can help your security team inform, address and defend against current phishing attacks!