What is phishing?
Cybercriminals use phishing campaigns to trick their victims into sharing personally identifiable information, login credentials, passwords, bank account details and credit card numbers, by impersonating legitimate organizations or personal contacts. Phishing emails can also contain links to malicious websites that download ransomware, or other forms of malware for the purpose of extortion. Malicious actors use social engineering to appear genuine, using names and addresses that closely resemble contact details for someone in the victim’s organization or a frequently visited website and often create a sense of urgency, pressing the user to click quickly, without considering the repercussions. And while some phishing emails are easy to recognize based on their author’s bad grammar or outrageous claims, many are so well executed that unsuspecting victims are only alerted that something might be amiss when it’s too late.
Why is it so hard to prevent phishing incidents?
Spam filters, encryption, blacklists, antivirus software and user awareness training have come a long way in preventing phishing attempts. Yet phishing attacks continue to plague companies of all types and sizes. In most cases, it’s difficult to know what to defend against until someone falls victim to a phishing attack and alerts the security teams. In some cases (like spear phishing), cybercriminals do extensive research on their victims to personalize their emails and lure them into a trap. Or they can use credentials stolen in one attack to launch others, appearing genuine with emails coming from within an organization, often from a high-level executive, using words like “urgent” or “immediate action required” to compel recipients to open attachments or click on links without hesitation. The main line of defense against phishing attacks remains educating users about whom they can and cannot trust, and equipping threat hunters and other security analysts with the latest techniques to better understand the motives, methods and tools attackers use to gain access to information, computers and networks.
Sample phishing campaign incident response workflow using Silo for Research
Let’s look at a typical workflow that a SOC follows in response to a suspected phishing attack.
- A phishing attempt is detected through an email security monitoring system, creating an alert for the SOC, or a user reports a suspected phishing incident using a special email alias.
- If a URL is included in the email, a SOC analyst may enter it into an online scanning tool (e.g. urlscan.io, VirusTotal). This provides a third-party view of its potential maliciousness; however, the analyst can’t interact with the site to gain any details about the campaign.
- Using Silo for Research and its isolation capabilities, the analyst navigates to the site to conduct a visual inspection of the page, determine the type of phishing and what kind of information it is targeting. The analyst can also manipulate their user agent string and geographic region to see how the page reacts – perhaps they are dealing with malware that specifically targets mobile platforms, or is designed to go after users in a particular geography.
- Using dev tools the analyst also looks at the redirects that are happening on the site and what types of files are being uploaded through the browser. Silo for Research allows them to capture and annotate screenshots and safely download files for easy sharing and further analysis.
- All evidence that’s been collected is downloaded into Silo for Research cloud storage, away from the corporate network. In the case of files or code, it can later be transferred to a sandbox for a deeper analysis of the phishing kit.
- Once the analysis is complete, researchers update the ticketing system with the information they gathered.
- The security team uses the information provided by malware analysts to block all domains and URLs that were identified as malicious on their web gateways and proxies. Often, security specialists also submit information about malicious domains and URLs to the threat intel team to update the IOCs in the threat intelligence platform (TIP), producing more accurate and up-to-date alerts.
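An added example (not Silo for Research or Authentic8 code) of the first triage step in the workflow above: extract the links from a user-reported email, flag a link whose display text shows one site while the href points at another, flag a sender domain one character edit away from the organization’s own domain, and defang the indicators so they can be pasted into the ticket and the gateway blocklist without anyone clicking them. The message, the hypothetical domains and the TRUSTED allowlist are constructed for illustration.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample of a user-reported message (hypothetical domains, not a real campaign).
RAW_EMAIL = b"""From: "IT Helpdesk" <helpdesk@examp1e-corp.com>
To: user@example-corp.com
Subject: URGENT: password expires today
Content-Type: text/html

<p>Immediate action required. Sign in at
<a href="http://login.examp1e-corp.com/reset">https://sso.example-corp.com</a>
before 5pm.</p>
"""
TRUSTED = {"example-corp.com"}  # assumed allowlist of the organization's own domains

def levenshtein(a, b):
    """Edit distance, used to spot one-character typosquats of trusted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def defang(value):
    """Neutralise a URL or host for tickets and chat so nobody clicks it by accident."""
    return value.replace("http", "hxxp").replace(".", "[.]")

def registrable(host):
    """Crude registrable-domain guess: last two labels (no public-suffix list)."""
    return ".".join(host.split(".")[-2:])

def triage(raw):
    """Pull link targets and sender domain from a reported email and flag phishing signs."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    sender = msg["From"].addresses[0].domain.lower()
    findings, iocs = [], set()
    for target, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.S):
        host = urlparse(target).hostname or ""
        iocs.update({target, host})
        # Display text that looks like one site while the href goes elsewhere.
        shown = urlparse(text.strip()).hostname if text.strip().startswith("http") else None
        if shown and shown != host:
            findings.append(f"link text {shown} hides target {host}")
    for dom in {sender} | {registrable(h) for h in iocs if "://" not in h}:
        for good in TRUSTED:
            if dom != good and levenshtein(dom, good) <= 1:
                findings.append(f"{dom} is a lookalike of {good}")
    return {"sender": sender, "findings": findings, "blocklist": sorted(defang(i) for i in iocs)}
```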
For more information on phishing and using Silo for Research for incident response, see:
- Major US airline investigates phishing, typosquatting, malvertising: Bad actors use typosquatting to mimic well-known websites to trick users into giving up their information or clicking on malicious links. A major U.S. airline relies on Silo for Research to thoroughly investigate these incidents and work with law enforcement to bring down individuals and groups who are trying to damage their brand.
- Safely investigate phishing sites without getting hooked: Phishing sites commonly contain malicious content that can put SOCs and their organizations at risk as they conduct investigations. But with isolated browsing environments and proper management of the digital fingerprint, analysts can safely and effectively perform their research.