Phishing Incident Response – Through Automated Malware Analysis

Conditioning employees to detect and report suspicious email is a strategy security leaders have adopted through PhishMe’s innovative solutions. CISOs have realized that while technology continues to get better at preventing malware, attackers continue to elevate their game and never rest, and neglecting people as defenders would be a mistake.

With security analysts pulled in many directions, they must be able to prioritize and invoke incident response on ransomware, business email compromise (BEC), malware infections, and credential-theft emails. They cannot afford to be distracted by benign spam with no malicious intent. No business, large or small, is exempt!

The attackers continue to go after businesses directly or use a soft targeting approach, which is a combination of business email compromise and spear-phishing. Soft targeting involves a tactic where an attacker will tailor their email to a particular business role (e.g., finance) with slight customization towards their target, such as their name in the salutation. PhishMe has seen an increase in this form of attack throughout 2016.

PhishMe and Lastline have partnered to deliver to security teams an integrated phishing incident response malware analysis solution.

PhishMe Triage is the first phishing-specific incident response platform that allows security operation and incident responders to automate the identification, prioritization and response to threats delivered via phishing emails. PhishMe Triage provides incident responders with in-depth visibility into email-based attacks occurring against their organization in near real-time. PhishMe Triage operationalizes the collection and prioritization of employee-reported threats and seamlessly integrates with PhishMe Reporter™. PhishMe Triage integrates with your SIEM to automate the incident response workflow as well as integrating with leading malware analysis sandboxes, threat intelligence, and existing infrastructure.

Lastline is focused on real-time analysis of advanced malware and knowledge of the Internet’s malicious infrastructure. Lastline leverages this threat intelligence to create advanced malware defenses for companies of all sizes. By focusing on cloud-based automated systems and processes, Lastline has developed the technology to analyze advanced malware at an unprecedented speed and volume. This gives Lastline the ability to analyze binaries and web content in real time as they enter the enterprise network, as well as the ability to map the Malscape at a level of accuracy and relevance not previously available. Lastline’s higher level of accuracy and attention to the everyday requirements of IT managers allows for the delivery of actionable threat intelligence to security teams and to companies that rely on managed security services for their protection. Lastline has received recognition from both Forrester and NSS Labs for the strength of the company’s product offering, and was granted a patent in June.

“We’re excited to be partnering with PhishMe! By combining PhishMe Triage and Lastline Analyst, we’ve made it efficient for our mutual customers to automatically and accurately identify malware much faster. An added benefit is that our customers increase the value from existing security investments,” said Brian Laing, Vice President of Business Development and Product, at Lastline.

Combined, PhishMe and Lastline organize and analyze suspicious emails in a way that directly aids the incident response process. Mutual customers can configure PhishMe Triage to send file hashes, URLs, and attachments to Lastline (hosted or on-premise) for investigation. Lastline performs a thorough inspection of the contents, correlates what it finds, and returns reports that classify the email as benign, suspicious, or malicious. Customers can quickly determine whether a reported email was designed with malicious intent and keep benign reports from taking up an analyst’s time. Attributes of reported email can be streamlined and incorporated into the security team’s workflow to alert and take decisive action. Furthermore, Lastline provides rich malware analysis reports to help security teams understand the attacker’s tactics and patterns.

The analysis results produced by Lastline are strengthened when PhishMe Triage collects and prioritizes employee-reported phishing attacks from PhishMe Reporter and maps useful indicators into the workflow. Here’s how PhishMe and Lastline highlight the incidents that demand analysts’ attention.

  • With a valid Lastline Analyst API key and token, analysts simply choose the file types they wish to have automatically analyzed at ingestion. The analysis results are then stored within PhishMe Triage and clustered so analysts can swiftly respond to what is most critical.
  • Suspicious emails reported by employees that contain links or attachments are analyzed at ingestion: Triage uses Lastline’s API to send the suspicious file(s) and URL(s) for analysis. The analyst quickly receives the results back in PhishMe Triage with summary detail, a risk score, and a link into Lastline’s portal if the analyst intends to conduct further research.
  • With YARA rule matching, the reputation of the reporting employee, threat intelligence, and the combined malware analysis from Lastline, analysts can act on their workflow with confidence. Analysts can now manually or programmatically categorize the malware and follow through on a workflow that supports leading SIEM providers.
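The workflow above (submit selected attachment types and URLs for sandboxing, then combine the verdict and risk score with YARA matches and reporter reputation to rank and cluster reports) is easy to lose in prose. The following is an added illustration written for this page; it is not PhishMe Triage or Lastline code and makes no Lastline API calls. Sandbox verdicts, the file-type allowlist, the scoring weights, the reporter history and the sample reports are all constructed assumptions standing in for what the integration would supply.

```python
"""Prioritising and clustering employee-reported phishing emails.

Hypothetical example, not PhishMe or Lastline code. The sandbox verdict and score
for each report are passed in as plain data (constructed below) in place of a real
malware-analysis response; every weight and threshold here is an assumption.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Attachment types the analyst chose to have sandboxed at ingestion (assumed set).
SUBMIT_EXTENSIONS = {".exe", ".js", ".docm", ".xlsm", ".zip", ".pdf"}

# Base points per sandbox verdict (assumed weights).
VERDICT_WEIGHT = {"malicious": 60, "suspicious": 30, "benign": 0}


@dataclass
class Report:
    report_id: str
    reporter: str
    attachment_name: str | None
    attachment_sha256: str | None
    urls: list[str]
    verdict: str          # sandbox verdict: "benign", "suspicious" or "malicious"
    sandbox_score: int    # 0..100 risk score as a sandbox would return it (constructed)
    yara_matches: list[str] = field(default_factory=list)


def should_submit(filename: str | None) -> bool:
    """Only attachment types on the analyst's allowlist are sent for analysis."""
    if not filename:
        return False
    dot = filename.rfind(".")
    return dot != -1 and filename[dot:].lower() in SUBMIT_EXTENSIONS


def reporter_reputation(history: dict[str, tuple[int, int]], reporter: str) -> float:
    """Reputation in [0, 1]: share of a reporter's past reports later confirmed
    suspicious or malicious. history maps reporter -> (confirmed, total).
    A reporter with no history gets a neutral 0.5."""
    confirmed, total = history.get(reporter, (0, 0))
    return 0.5 if total == 0 else confirmed / total


def priority_score(r: Report, reputation: float) -> int:
    """Combine verdict, sandbox score, YARA hits and reporter reputation (0..100)."""
    score = VERDICT_WEIGHT.get(r.verdict, 0)
    score += r.sandbox_score // 4               # up to 25 points from the sandbox score
    score += min(len(r.yara_matches), 3) * 5    # up to 15 points from YARA matches
    score += round(reputation * 10)             # up to 10 points from reporter reputation
    return min(score, 100)


def cluster_key(r: Report) -> str:
    """Group reports sharing an attachment hash or a URL host, so one campaign
    reported by many employees surfaces as a single incident."""
    if r.attachment_sha256:
        return "sha256:" + r.attachment_sha256
    if r.urls:
        return "host:" + (urlparse(r.urls[0]).hostname or "")
    return "report:" + r.report_id


def triage(reports: list[Report], history: dict[str, tuple[int, int]]) -> list[dict]:
    """Cluster reports and rank clusters by their highest member priority."""
    clusters: dict[str, list[Report]] = defaultdict(list)
    for r in reports:
        clusters[cluster_key(r)].append(r)
    ranked = []
    for key, members in clusters.items():
        best = max(priority_score(m, reporter_reputation(history, m.reporter)) for m in members)
        ranked.append({"cluster": key, "priority": best,
                       "reports": [m.report_id for m in members]})
    ranked.sort(key=lambda c: (-c["priority"], c["cluster"]))
    return ranked


# Constructed reporter history: (confirmed, total) past reports per employee.
HISTORY = {"alice": (9, 10), "bob": (1, 10)}

# Constructed sample reports, as if returned from the sandbox step.
SAMPLE_REPORTS = [
    Report("r1", "alice", "invoice.docm", "aa" * 32, [], "malicious", 92, ["macro_autoopen"]),
    Report("r2", "bob", "invoice.docm", "aa" * 32, [], "malicious", 92, ["macro_autoopen"]),
    Report("r3", "carol", None, None, ["http://login.example.test/verify"], "suspicious", 55),
    Report("r4", "bob", "newsletter.pdf", "bb" * 32, [], "benign", 3),
]

if __name__ == "__main__":
    for cluster in triage(SAMPLE_REPORTS, HISTORY):
        print(cluster["priority"], cluster["cluster"], cluster["reports"])
```

Two design points matter in practice. The cluster step is what turns the same malicious attachment reported by several employees into one work item rather than several, and the reporter reputation term deliberately contributes little on its own, so a low-reputation reporter cannot suppress a malicious sandbox verdict but a high-reputation one can nudge a borderline report up the queue.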

PhishMe Triage and Lastline Analyst are a great example of how businesses can use their existing investments and pivot from one source of malware analysis into another and back again. PhishMe and Lastline are excited to provide our customers with valuable solutions that complement each other. For more information, please write to: contact@phishme.com