The Phishing Kill Chain – Triage and Mitigation
Part 6 in a series on being “Left of Breach” in the Phishing Kill Chain.
In part 5 we looked at the importance of reporting and associated best practices for implementation and measuring success at both the simulation and program trending level. Now let’s shift the focus from the development of our user base as reporters to a more traditional security skill set of detection, analysis and mitigation of threats.
The goal at this stage is to make the most of our human informants and shorten the mean-time-to-detect and mean-time-to-respond to threats in your environment.
Enablers of success at this step:
- Improved awareness of threats in your environment
- Prioritization of suspicious emails
- Threat analysis
- Categorization and prioritization
- Focused response
Measures of success:
- Improved mean-time-to-detect: hours, not days
- Rapid containment
- Completeness of response
Your users, by now conditioned to spot a phishing attack, will be your strongest source of intelligence. Customers that have positioned PhishMe Triage™ as an integral component of their security countermeasures have been able to make sense of SIEM alerts faster by coupling it with user reported threats that may be looming in their environment.
Technologies such as sandboxes are great tools to aid your analysis. PhishMe Triage currently integrates with a variety of technologies to help assess threats. But attackers are smart and they know you use these technologies to catch them. Sandbox-aware threats will not execute when run in a sandbox, so you need to figure out how to get the malware to execute in order to understand how it works and what it does. You can reverse-engineer malware, but the skills to accomplish this are hard to come by and it can be time consuming.
Gone are the days when script kiddies were the main menace. Attackers are smart and have plenty of tools to choose from. PhishMe Triage does a great job of helping identify previously seen threats, but reported emails should be processed by properly trained security analysts who understand an attacker’s mindset, the target, the attacker’s methods, and the attacker’s objectives. While security technologies are far more advanced than they used to be, you still must rely on skilled threat analysts to connect the dots, fast.
Knowing how to respond
Considering the kill chain, PhishMe Triage is positioned as an effective tool during the delivery phase of an attack. Incident responders that recognize this will treat any threat identified with PhishMe Triage as a priority threat, given that the threat made it past existing controls and into users’ mailboxes. Quick action is warranted. For successful triage and mitigation, well-documented procedures and trained responders will greatly improve your ability to mitigate the threat before any costly damage occurs. Consider the following:
- A business email compromise (BEC) is not designed to deliver a malicious payload. Instead it aims to trick the victim into moving money to an account controlled by the attacker.
- A credential phish likewise is not designed to deliver a malicious payload, but if successful the victim could hand the attacker valid credentials, enabling compromise of critical systems.
- Lastly, a phishing attack delivering ransomware could compromise critical systems quickly, requiring either paying a ransom or recovering from healthy backups. Both can be very costly and/or disruptive.
It is of utmost importance to have up-to-date procedures for the different types of phishing attacks. The impact to your business varies by type, and so should your response.
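The three categories above each map to a different response, and the measures of success at the top of the post ask for mean-time-to-detect in hours. The script below is an added illustration of that routing, not PhishMe Triage code or any vendor API: it classifies constructed sample reports into the post's categories (malware delivery, credential phish, BEC, or unknown for analyst review), orders them by priority with a one-line playbook action, and computes mean-time-to-detect from the gap between delivery and user report. The keyword lists, file extensions, priorities and playbook text are assumptions chosen for the example; a real program would tune them to its own environment and keep the analyst in the loop.

```python
"""
Added example (not part of the original post): route user-reported emails to a
response playbook by phishing type and measure mean-time-to-detect.
All reports, senders, URLs and attachment names below are constructed.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Tuple


@dataclass
class ReportedEmail:
    report_id: str
    sender: str
    subject: str
    body: str
    urls: List[str] = field(default_factory=list)
    attachments: List[str] = field(default_factory=list)
    delivered_at: Optional[datetime] = None  # when it hit the mailbox
    reported_at: Optional[datetime] = None   # when the user reported it


# Priority (1 = most urgent) and a summary of the playbook to run.
# Assumed values for illustration; a real program tailors these.
PLAYBOOKS = {
    "malware_delivery": (1, "Isolate hosts that opened the attachment; block sender/hash; check EDR"),
    "credential_phish": (2, "Block the URL; reset credentials of anyone who clicked; review sign-ins"),
    "bec": (3, "Notify finance; verify any payment request out-of-band; block sender"),
    "unknown": (4, "Analyst review"),
}

# Attachment types commonly used to carry a payload (assumed list).
PAYLOAD_EXTS = (".exe", ".js", ".vbs", ".scr", ".hta", ".docm", ".xlsm", ".iso", ".lnk")
CREDENTIAL_WORDS = re.compile(
    r"(verify|confirm|re-?activate|password|sign[- ]in|account (?:suspended|locked))", re.I)
BEC_WORDS = re.compile(
    r"(wire|payment|invoice|bank (?:account|details)|urgent|gift cards?)", re.I)


def classify(email: ReportedEmail) -> str:
    """Map a report to one of the post's categories. Rules are checked in
    order of potential impact, so a payload-bearing 'invoice' is treated as
    malware delivery rather than BEC."""
    text = f"{email.subject} {email.body}"
    if any(a.lower().endswith(PAYLOAD_EXTS) for a in email.attachments):
        return "malware_delivery"
    if email.urls and CREDENTIAL_WORDS.search(text):
        return "credential_phish"
    if not email.attachments and not email.urls and BEC_WORDS.search(text):
        return "bec"
    return "unknown"


def triage(reports: List[ReportedEmail]) -> List[Tuple[int, str, str, str]]:
    """Return (priority, report_id, category, action), most urgent first."""
    rows = []
    for r in reports:
        category = classify(r)
        priority, action = PLAYBOOKS[category]
        rows.append((priority, r.report_id, category, action))
    return sorted(rows)


def mean_time_to_detect_hours(reports: List[ReportedEmail]) -> Optional[float]:
    """Mean gap between delivery and user report, in hours."""
    deltas = [
        (r.reported_at - r.delivered_at).total_seconds() / 3600
        for r in reports if r.delivered_at and r.reported_at
    ]
    return sum(deltas) / len(deltas) if deltas else None


# Constructed sample reports (not real messages).
SAMPLE_REPORTS = [
    ReportedEmail("R1", "it-support@mail.example", "Your account will be suspended",
                  "Click the link to verify your password within 24 hours.",
                  urls=["http://login.example/verify"],
                  delivered_at=datetime(2024, 3, 1, 9, 0), reported_at=datetime(2024, 3, 1, 9, 30)),
    ReportedEmail("R2", "ceo.name@webmail.example", "Urgent request",
                  "I'm in a meeting, need you to process a wire payment today.",
                  delivered_at=datetime(2024, 3, 1, 8, 0), reported_at=datetime(2024, 3, 1, 10, 0)),
    ReportedEmail("R3", "billing@vendor.example", "Invoice attached",
                  "Please see the attached invoice.", attachments=["invoice_4471.docm"],
                  delivered_at=datetime(2024, 3, 1, 7, 0), reported_at=datetime(2024, 3, 1, 8, 30)),
]

if __name__ == "__main__":
    for priority, rid, category, action in triage(SAMPLE_REPORTS):
        print(f"P{priority} {rid} {category}: {action}")
    print(f"mean-time-to-detect: {mean_time_to_detect_hours(SAMPLE_REPORTS):.2f} h")
```

The ordering of the rules is the point worth noting: the attachment check runs before the BEC keyword check so that a payload-bearing "invoice" is handled as malware delivery, which matches the post's observation that impact, and therefore response, differs by attack type.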
In closing, bear in mind that the Phishing Kill Chain is an ongoing process. The bad guys aren’t going to stop their attempts at using phishing to infiltrate your company, so you must remain vigilant and continue to execute across the attack lifecycle.
As you look back across our kill chain series, note the key factors at each step. The most successful anti-phishing programs:
- Are transparent and educate users on standard phishing clues and purpose of the program.
  - NOTE: Program transparency is key to your success. It builds enthusiasm for the program and a sense of ownership and positive engagement with the organization’s security process.
- Baseline the organization’s technical and business process weaknesses for initial targeting.
- Execute diverse simulations and analyze for risk level (e.g. high susceptibility to active threats).
- Design follow-up simulations based on known deficiencies and analysis of initial results.
- Stress the importance of reporting in all simulations and awareness activities.
- Close out attacks with appropriate analysis and mitigation of threats.
Remember: As the phishing landscape continues to shift, enabling our workforce as informants and empowering them to report potential threats makes all the difference between being ‘left of breach’ or right in the crosshairs.
Don’t miss another threat – stay updated on the latest malware trends and active threats with our complimentary PhishMe® Threat Alerts! Click here to subscribe.