Silo for Research allows for interactive viewing of malicious sites
A carrier that values speed and precision, the company can’t afford even momentary interruptions of their critical software systems. In addition to rigorous security policies and protocols, the company has established dedicated SOC and Threat Intel groups, ultimately rolling up to the CISO’s organization. Both teams share a mission of helping locate and neutralize potential threats, but when a phishing attack is reported, it’s the SOC that first jumps into action, using Silo for Research to investigate malicious sites to gather information about what happens after the user takes the initial bait.
“Our job is to put in mock credentials, and observe where it all goes,” says the cyber security manager. “We want to see what happens at the second and third hop; if there’s a malicious download or a drive-by download; which domains the users are taken to when they click on that phishing link.” The SOC team can use proxy logs to see how far the users have gone to help them determine whether their computers have been compromised. “If we find a malicious payload on the third hop, and our users didn’t get that far, we know there’s no need to reimage their machines or change their passwords,” explains the cyber security manager.
The SOC team typically responds to phishing alerts that are generated by its secure email gateway. The alerts are also added to the company’s SOAR (security, orchestration, automation and response) platform where incidents are analyzed and triaged. If the SOC team finds indicators of malicious activity, they switch to Silo for Research to dig deeper into the threat to determine the perpetrators’ intent. All data and indicators of compromise (IOCs) collected with Silo for Research and through OSINT sources are fed back into the SOAR system, and specific domains are passed to the company’s DNS blacklisting solution. “With Silo for Research, our SOC analysts’ identity is hidden, even when they interact with the dark web,'' adds the cybersecurity manager. “And all the data we collect helps protect our employees from future attacks."
“Our #1 priority is isolation from malware!”
Remaining anonymous is key for the SOC analysts, but even more important is having the company’s researchers’ machines and their networks completely isolated from any potential malware. “We are knowingly interacting with malicious websites,” says the cybersecurity manager. “Being isolated from malware is our #1 priority.” The team also uses Silo’s capability to manipulate user agent strings, making it appear as if investigators are connecting from a specific location in the world and bypassing sites’ geo-blocking restrictions. The SOC analysts are then able to observe and document how the sites behave when the user connects from different locations or devices.
In the future, the company plans to expand its use of Silo for Research and share best practices with its counterparts in Europe.