Global transportation company uses Silo for Research to investigate phishing, malicious site exposures

A multinational transportation company employs several layers of security to protect its systems from malware attacks. Yet attackers continue to target the company’s employees, often through well-crafted phishing attacks that entice people to click on links or open attachments disguised as legitimate business communications. When an attack is reported, a SOC team uses Silo for Research to safely interact with the malicious sites, locate the malware and use its findings to blacklist harmful domains.
Global transportation company relies on Silo to investigate phishing and malicious site exposure incidents

Silo for Research allows for interactive viewing of malicious sites

A carrier that values speed and precision, the company can’t afford even momentary interruptions of its critical software systems. In addition to rigorous security policies and protocols, the company has established dedicated SOC and Threat Intel groups, both ultimately rolling up to the CISO’s organization. The two teams share a mission of locating and neutralizing potential threats, but when a phishing attack is reported it’s the SOC that first jumps into action, using Silo for Research to investigate the malicious sites and gather information about what happens after a user takes the initial bait.

“Our job is to put in mock credentials, and observe where it all goes,” says the cyber security manager. “We want to see what happens at the second and third hop; if there’s a malicious download or a drive-by download; which domains the users are taken to when they click on that phishing link.” The SOC team can use proxy logs to see how far the users have gone to help them determine whether their computers have been compromised. “If we find a malicious payload on the third hop, and our users didn’t get that far, we know there’s no need to reimage their machines or change their passwords,” explains the cyber security manager.
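The hop-by-hop triage the manager describes, as an added example that is not part of this case study or of Silo’s own tooling: it takes a redirect chain an analyst recorded while following the phishing link in isolation plus constructed proxy log lines, and reports which users reached the hop where the payload was observed (all domains, users and log formats are hypothetical).

```python
import re
from collections import defaultdict

# Constructed redirect chain as an analyst might record it after following the
# phishing link in an isolated browser (hypothetical domains, not real IOCs).
REDIRECT_CHAIN = [
    "login-secure-update.example",   # hop 1: link in the phishing email
    "track.redirect-svc.example",    # hop 2: redirector
    "cdn.payload-host.example",      # hop 3: malicious download observed here
]
PAYLOAD_HOP = 3  # hop at which the analyst saw the malicious download

# Constructed proxy log lines: timestamp, user, method, URL (hypothetical format)
PROXY_LOG = """\
2024-03-01T09:12:03Z alice GET http://login-secure-update.example/verify
2024-03-01T09:12:04Z alice GET http://track.redirect-svc.example/r?id=42
2024-03-01T09:15:10Z bob GET http://login-secure-update.example/verify
2024-03-01T09:15:11Z bob GET http://track.redirect-svc.example/r?id=43
2024-03-01T09:15:12Z bob GET http://cdn.payload-host.example/update.exe
2024-03-01T09:20:00Z carol GET http://intranet.example/home
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
HOST_RE = re.compile(r"^[a-z]+://([^/:]+)")

def deepest_hop_per_user(log_text, chain):
    """Return {user: deepest hop index reached (1-based), 0 if no hop was hit}."""
    hop_of = {host: i + 1 for i, host in enumerate(chain)}
    deepest = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected log format
        _ts, user, _method, url = m.groups()
        h = HOST_RE.match(url)
        if not h:
            continue
        hop = hop_of.get(h.group(1).lower(), 0)
        deepest[user] = max(deepest[user], hop)
    return dict(deepest)

def triage(log_text, chain, payload_hop):
    """Users who reached the payload hop need remediation; earlier hops only clicked."""
    reached = deepest_hop_per_user(log_text, chain)
    remediate = sorted(u for u, h in reached.items() if h >= payload_hop)
    clicked_only = sorted(u for u, h in reached.items() if 0 < h < payload_hop)
    # every hop in the chain is a candidate for the DNS blacklist
    return {"remediate": remediate, "clicked_only": clicked_only, "blocklist": list(chain)}
```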

The SOC team typically responds to phishing alerts generated by its secure email gateway. The alerts are also added to the company’s SOAR (security orchestration, automation and response) platform, where incidents are analyzed and triaged. If the SOC team finds indicators of malicious activity, it switches to Silo for Research to dig deeper into the threat and determine the perpetrators’ intent. All data and indicators of compromise (IOCs) collected with Silo for Research and through OSINT sources are fed back into the SOAR system, and specific domains are passed to the company’s DNS blacklisting solution. “With Silo for Research, our SOC analysts’ identity is hidden, even when they interact with the dark web,” adds the cybersecurity manager. “And all the data we collect helps protect our employees from future attacks.”

“Our #1 priority is isolation from malware!”

Remaining anonymous is key for the SOC analysts, but even more important is having the company’s researchers’ machines and their networks completely isolated from any potential malware. “We are knowingly interacting with malicious websites,” says the cybersecurity manager. “Being isolated from malware is our #1 priority.” The team also uses Silo’s capability to manipulate user agent strings, making it appear as if investigators are connecting from a specific location in the world and bypassing sites’ geo-blocking restrictions. The SOC analysts are then able to observe and document how the sites behave when the user connects from different locations or devices.

In the future, the company plans to expand its use of Silo for Research and share best practices with its counterparts in Europe.

We are knowingly interacting with malicious websites, so being isolated from malware is our #1 priority.

- Cybersecurity manager
