Phishing Incident Response – Back to the Past, Present, and Recorded Future
Attackers like to boast about their accomplishments as well as announce their plans. They leave trails of evidence across the open web just waiting to be discovered, if you’re looking in the right places. Similarly, as events occur, researchers and those attacked begin to share information. Employees within our organizations are a primary target of attackers with well-crafted spear phishing emails and some of which may stem from over sharing or whatever is personally newsworthy. Indicators of compromise (IOCs) help security teams in their incident response process. Has this been seen before? When did it start? Are there any indicators that this attack will be used again? This is valuable information to help determine the validity of the attack and what may be next.
Employees, when properly conditioned, are able to detect and report indicators of phishing (IOPs). Employees can be a formidable line of defense when technology does not detect the attack. They’re able to contribute and enhance the incident response process when they discover suspicious email aimed at compromising accounts and endpoints.
PhishMe customers strengthen their defenses when they condition employees and change their behavior against the top threat leading to many of today’s high profile breaches – phishing. PhishMe customers know that by empowering their employees to report suspicious email, they create a rich source of actionable intelligence for incident responders. On top of this, Triage provides security operations center (SOC) analysts and incident responders with a way to automate the identification, prioritization, and remediation of these phishing threats. This threat intelligence can then be shared with other teams/customers to better protect their enterprises.
Now factor in the ability for security teams to search a global open source repository and pivot from an enormous collection of events from over 720,000 sources, down to finite details. This is what Recorded Future provides and where security teams can match employee-reported incidents with that of open source activity. Analysts can start with the macro view of IOPs and IOCs and get as granular as they want through searching and navigating through Recorded Future’s OSINT platform.
Employees Discover, Analysts Uncover
Talk to security leaders and they’ll tell you they want complimentary solutions to maximize their security investments. PhishMe and Recorded Future have partnered to do just that – maximize our mutual customer’s security investments by integrating Triage with Recorded Future’s OSINT platform. Security teams using Triage can ingest reported suspicious email from employees and pivot into Recorded Future to search on IP addresses, file hashes, domain names and URLs, or email content reported by an employee. This insight helps an analyst quickly see patterns and tactics used by the attacker and where they may be focused next.
Our mutual customers now have the ability to leverage the power of human intelligence with the global network open source intelligence of Recorded Future. And it starts with conditioning employees to “see something, say/report something”. Here’s how this combination works:
- Employees report suspicious email with PhishMe Reporter™.
- Security analysts start investigating as PhishMe Triage automatically analyzes and prioritizes reported email threats.
- Recorded Future’s enriched OSINT repository, in 7 languages, is quickly accessible from within Triage to lookup suspicious attributes within the email. Simply choose Recorded Future from the integration dropdown menu, and the analyst can now search, validate, and report from within the web-based platform.
- Analysts can quickly view which files, domains, URLs, and IPs, and their historical, present-day, and future attributes consist of and indicating additional research.
HUMINT and OSINT – a Winning Combination!
Conditioned employees provide security value by detecting threats evading upfront security controls and centralized open source intelligence brings security events front and center when paired together. The end result is that an analyst can now make an intelligent, actionable decision to help reduce the likelihood of a breach due to host or credential compromise. Integrating technology solutions allows security leaders to maximize their investments and not just have a point solution, but rather a security infrastructure that involves harnessing the power of people with open source activity.