Hunting Phished Endpoints with PhishMe Intelligence™ and Carbon Black® Response
While sipping coffee and reading the morning headlines, the CISO notices a global mass-phishing campaign that took place overnight. Picking up the phone and calling the SOC, the CISO asks; “Are there any computers that may have been infected with ‘X’ that I read about this morning? I need answers before my meeting in an hour”.
Can your SOC and IR team answer this question timely and confidently?
PhishMe® and Carbon Black are providing security teams with the ability to ingest human-verified phishing intelligence that can be used to investigate and respond to endpoints linked to phishing indicators of compromise (IOCs). Through this integration, PhishMe and Carbon Black are providing a powerful approach to identifying and preventing potentially damaging phishing attacks.
How to Operationalize Threat Intelligence and Hunt Phished Endpoints
Ransomware, business email compromise (BEC), malware infections, and credential-based theft all primarily stem from a single vector of compromise – phishing. Operationalizing threat intelligence, especially when it comes to phishing, continues to weigh on the minds of businesses regardless of size. Mobility increases this challenge and hunting down these elusive endpoints is vital to cutting off the attacker’s foothold. Security teams must be able to hunt for, and remediate, endpoints compromised by phishing.
Let’s Go Hunt Phish
PhishMe Intelligence extends beyond a traditional data feed that some may be familiar with. Customers receive phishing intelligence. What’s the difference? Intelligence, vs. traditional data.
Information without context is just data. Intelligence is information with context, and context is what security teams require to have confidence in their decisions.
PhishMe Intelligence customers receive indicators specific to phishing and their criminal command and control (C2) and botnet infrastructure associated with malware families like Locky, Dyre, and Cerber. This is backed up by threat intelligence reports with verbose context that provides security teams with insight into attacker TTPs.
PhishMe identifies what is nefarious, but more importantly, why, and what it means.
Hunting Phished Endpoints with PhishMe Intelligence and Carbon Black Response
Deciding whether an endpoint has been in contact with a phishing IOC is effectively done with the ingestion of PhishMe Intelligence via a RESTful API. Cb Response can then match indicators as part of the investigation process or simply through hunting to determine involvement. Cb Response will ingest intelligence from PhishMe (as a JSON file), and can automatically monitor for activity matching indicator severity, or to hunt phishing indicators across managed Cb Response endpoints.
As Cb Response ingests indicators, proactive alerts can generate based on PhishMe’s impact rating. A Major impact rating IOC (the most severe), can be configured to send incident data to the SOC/IR team.
Here’s How to Configure Cb Response with PhishMe Intelligence
To setup Cb Response to ingest PhishMe Intelligence indicators for hunting and response, work through these steps.
Obtain your PhishMe Intelligence API credentials from the phishing intelligence portal (https://www.threathq.com)
(Example API Token Credentials Created in PhishMe Intelligence Portal)
- Next, these values are then placed in a configuration file that are used with PhishMe’s script and polls on determined intervals (example, every 15, 30, or 60 minutes).
Using your preferred polling interval setting, Cb Response will then ingest any new phishing indicators identified by PhishMe researchers (located in JSON file example below).
(Cb Response Intelligence Configuration Example – Username & Password Not Mandatory)
Next, analysts can create watchlists in Cb Response simply based on PhishMe Intelligence indicators. One way is to start off with phishing IOCs with a score of 100. PhishMe researchers vet all indicators which means indicators rated as major; analysts can be very confident in their action decisions and confidently receive alerts for additional hunting and IR actions without the concern of false positives, which often inundate analysts. Results matching this watchlist are indicative of interaction with hostile IOCs – IPs, domains, and hashes.
(Creating Custom Watchlist in Cb Response for Phishing IOCs Matching 100)
Finally, when an endpoint matches one of the major IOCs from PhishMe Intelligence, based on hit preferences – email, syslog, and alerts can be triggered. The example below shows an endpoint alert from an IOC.
(IOC Matched to Endpoint with Score of 100)
- Based on the indicators, security teams can now use capabilities in Cb Response to ban hashes, isolate from the network, and additional hunting and investigation.
Phishing Intelligence Operationalized = PhishOps!
PhishMe Intelligence integrated with Cb Response enables analysts to quickly and accurately identify hosts which have engaged in phishing indicators.
With today’s mobile workforce, endpoints infected outside corporate controls often return to corporate networks. Cb Response analysts will be able to remediate hosts before additional damage is done. Even if an endpoint is compromised, it does not mean that a breach is inevitable. Hunting for and remediating hosts before a breach from phishing is imperative – and possible with PhishMe and Carbon Black.
Phish, Hunt, Remediate, Repeat
PhishMe and Carbon Black have made the process hunting for phishing IOCs on an endpoint a more effective and repeatable process. PhishMe produces timely and accurate phishing IOCs multiple times each day which keeps endpoints and network-based solutions up-to-date with the latest, greatest threats. Enabling this integration allows for a repeatable process when a phish makes it past the email gateway. What is great is that teams can automate the process of ingesting and alerting on phishing IOCs.
The notion that prevention is ideal, but detection is a must, applies here!
The phishing threat is alive and well! Security teams can maximize their investments and operationalize, with low administrative overhead, their phishing defense strategy with PhishMe and Carbon Black.
To learn more about the Carbon Black Response, visit: https://www.carbonblack.com/resource/cb-response-datasheet/.
To learn more about the PhishMe Intelligence, visit: http://cofense.com/product-services/phishing-intelligence/.