Automated Phishing Email Analysis and Response
Phishing email analysis is critical to your organization's overall cybersecurity. The Cyware platform can better protect your organization from cyber attack.
Category: Analytics and SIEM, Data Enrichment and Threat Intelligence, Forensic and Malware Analysis, Endpoint
Cyware Products Used:
Respond
Intel Exchange
Orchestrate
Collaborate
Third-Party Integrations Used:
AbuseIPDB: To enrich malicious IPs
OpenPhish: To analyze phishing threats
URLScan.IO: To analyze and scan websites
Cisco Secure Malware Analytics: Sandbox to detonate and check IOCs
Crowdstrike Falcon Endpoint Detection and Response: Endpoint Detection and Response solution to block malicious IOCs.
Splunk: SIEM solution to identify hits to the IOCs and watchlist malicious IOCs
Problem Statement
Phishing emails remain the most common challenge for a modern Security Operations Center (SOC). SOCs process a large number of phishing alerts in a day, and even the least critical phishing alert puts the organization at significant risk. An analyst can take up to 30 minutes to resolve a phishing email threat, so an organization that receives about 50 potential phishing emails per week would spend an average of 25 hours of analyst time per week resolving them. This drastically reduces analyst efficiency, as analysts end up spending much of their time analyzing and resolving alerts of lower importance.
Solution
To solve this problem and enable analysts to spend the right amount of time responding to critical threats, Cyware Fusion Center uses the Phishing Email Analysis and Action playbook to automate the complete phishing email analysis and action workflow.
How do we solve this problem?
The Phishing Email Analysis and Action workflow polls a dedicated mailbox at a configurable interval over IMAP/POP3 and retrieves the suspicious emails reported by users. This lets security teams automatically analyze the indicators present in the suspicious emails and deploy the required actions. The phishing email playbook performs the following activities.
Poll Dedicated Mailbox: The playbook starts by polling the dedicated mailbox at a configurable interval over the IMAP/POP3 protocol to retrieve the phishing emails reported by users. You can also configure the Office365 integration to retrieve emails. See Office365 integration.
Identifying Threat Indicators: The playbook analyzes the suspicious email for elements in the email headers, body, and attachments and automatically extracts relevant indicators of compromise (IOCs) such as embedded links, files, IPs, domains, email attachments, etc.
Enrichment and Analysis: The collected indicators are enriched with information from several sources, including Intel Exchange and other threat intelligence sources. After enrichment, the indicators are automatically triaged using a severity score to determine whether the email is a false positive or a true positive.
If identified as true positive, the following steps are performed.
Runs a check on Cisco Secure Malware Analytics Sandbox. You can configure a preferred sandbox integration. See Forensic and Malware Analysis integrations.
Verify the past history of the extracted indicators.
Inspect the sender’s domain with the historical DNS information.
Response Actions: When the threat is identified as a true positive, the playbook performs the following actions in real-time.
Blocks the sender’s email address in the email gateway and the identified malicious IOCs on Crowdstrike Falcon Endpoint Detection and Response.
Adds the malicious IOCs to Intel Exchange.
Deletes the malicious email from other mailboxes and sends an advisory notification to all the impacted users.
Keeps the threat quarantined for manual investigation.
Defining the Threat Horizon: The playbook automatically performs a retrospective hunt across various security technologies to identify similar threat indicators across the organization. Thereafter, an automated Collaborate alert is sent to the affected users. This not only responds to the current attack but also prevents future attacks along similar lines of the kill chain.
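The Identifying Threat Indicators and Enrichment and Analysis steps above, as an added example that is not Cyware's code: it parses a constructed user-reported message with Python's standard email parser, extracts sender, domain, URL, IP and attachment-hash indicators, and scores them. The reputation verdicts and weights are constructed stand-ins for the Intel Exchange and third-party enrichment lookups the playbook would make.

```python
import hashlib, re
from email import message_from_bytes, policy, utils
from urllib.parse import urlparse

# Constructed user-reported message (not a real phishing sample); RFC 5737 test addresses.
RAW_EMAIL = b"""\
Received: from mail.example.net (mail.example.net [203.0.113.5])
From: "IT Support" <helpdesk@example.net>
Reply-To: billing@example.org
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Reset now: http://login.example.org/reset?id=42 or call 198.51.100.7
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""
URL_RE = re.compile(r"https?://[^\s<>\"']+")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def extract_iocs(raw):
    """Pull indicators from headers (From, Reply-To, Received hops), body and attachments."""
    msg = message_from_bytes(raw, policy=policy.default)
    iocs = {k: set() for k in ("senders", "domains", "urls", "ips", "hashes")}
    for addr in filter(None, (utils.parseaddr(msg.get(h, ""))[1] for h in ("From", "Reply-To"))):
        iocs["senders"].add(addr)                           # sender identities and their domains
        iocs["domains"].add(addr.rsplit("@", 1)[-1].lower())
    for hop in msg.get_all("Received", []):                 # relay IPs from the header chain
        iocs["ips"].update(IP_RE.findall(hop))
    text = body.get_content() if (body := msg.get_body(preferencelist=("plain", "html"))) else ""
    for url in URL_RE.findall(text):                        # embedded links and their hosts
        iocs["urls"].add(url)
        iocs["domains"].add((urlparse(url).hostname or "").lower())
    iocs["ips"].update(IP_RE.findall(text))                 # IPs written into the body
    for part in msg.iter_attachments():                     # attachment file hashes
        iocs["hashes"].add(hashlib.sha256(part.get_content()).hexdigest())
    return iocs

# Hypothetical verdicts standing in for the enrichment sources (constructed, not real intel).
ENRICHMENT = {"login.example.org": True, "198.51.100.7": True}
WEIGHTS = {"senders": 10, "domains": 40, "urls": 30, "ips": 20, "hashes": 50}

def triage(iocs, enrichment=ENRICHMENT, threshold=50):
    # Severity score: sum the weights of flagged indicators; at or above threshold is a true positive.
    hits = sorted(v for kind in iocs for v in iocs[kind] if enrichment.get(v))
    score = min(sum(WEIGHTS[k] for k in iocs for v in iocs[k] if enrichment.get(v)), 100)
    return {"score": score, "true_positive": score >= threshold, "hits": hits}
```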
Optional Configurations
Configure Third-Party Enrichment Tools for Phishing Email Analysis
The Phishing Email Analysis and Action playbook uses third-party tools for enrichment. You can use these tools along with Intel Exchange enrichment to verify the reputation of the IOCs received in the email. To configure the third-party integrations, refer to the following documents:
Configure Endpoint Management Tool to Block Indicators
Endpoint management tools provide real-time visibility into the machines on your network, allow you to deploy patches, and additionally block indicators that are identified as malicious. The Phishing Email Analysis and Action playbook allows analysts to block malicious IOCs directly using an in-house Endpoint Management Tool. See Endpoint integrations.
Configure Your SIEM to Identify Hits to IOCs
The Phishing Email Analysis and Action playbook allows analysts to check the Splunk SIEM logs to find out whether any user has already clicked or accessed the malicious IOC. After gathering the Splunk SIEM logs, the playbook automatically remediates the threats on the affected endpoints. You can also configure a preferred SIEM tool to identify hits to IOCs. See Analytics and SIEM integrations.
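The retrospective hunt (Defining the Threat Horizon) and the SIEM hit check described above, as an added example that is not Cyware's code: it runs the flagged indicators over constructed web-proxy log lines, matching subdomains of a flagged domain as well as the domain itself, and returns which users reached an indicator and which of those requests were allowed (the users who need the advisory notification). The log format and the indicator values are assumptions for this example.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Indicators handed over from the analysis stage (constructed values).
MALICIOUS_DOMAINS = {"login.example.org"}
MALICIOUS_IPS = {"198.51.100.7"}

# Constructed web-proxy log lines: time user client_ip url action (space-separated).
PROXY_LOG = """\
2024-05-01T09:02:11Z alice 10.0.0.21 http://login.example.org/reset?id=42 ALLOW
2024-05-01T09:03:40Z bob 10.0.0.22 https://intranet.example.com/home ALLOW
2024-05-01T09:05:02Z carol 10.0.0.23 http://cdn.login.example.org/a.js ALLOW
2024-05-01T09:07:19Z dave 10.0.0.24 http://198.51.100.7/payload.bin BLOCK
"""

def matches(host, domains, ips):
    """True if host is a flagged IP, a flagged domain, or a subdomain of a flagged domain."""
    if host in ips:
        return True
    labels = host.split(".")
    # Check every parent suffix so cdn.login.example.org matches login.example.org.
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))

def find_hits(log, domains, ips):
    """Retrospective hunt: group every request to a flagged indicator by user."""
    hits = defaultdict(list)
    for line in log.splitlines():
        ts, user, client_ip, url, action = line.split()
        host = (urlparse(url).hostname or "").lower()
        if matches(host, domains, ips):
            hits[user].append({"time": ts, "client_ip": client_ip, "host": host,
                               "clicked": action == "ALLOW"})  # BLOCK means the proxy stopped it
    return dict(hits)

def impacted_users(hits):
    """Users with at least one allowed request: they reached the indicator and need an advisory."""
    return sorted(u for u, events in hits.items() if any(e["clicked"] for e in events))
```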
Solution Benefits
Analyze Large Volumes of Phishing Emails
By leveraging an automated response process, security analysts can save time and effectively respond to a large volume of spearphishing alerts.
Track Targeted Attack Campaigns
Through automated IOC extraction and data enrichment from multiple sources, analysts can understand and counter the tactics, techniques, and procedures used by threat actors.
Stop a variety of attacks at an early stage
The playbook can analyze a phishing threat in the context of the entire attack lifecycle. This helps analysts to block threat actors that use phishing as a means to infiltrate networks and deploy malicious exploits.
Going Beyond Incident Investigation
The playbook not only helps the organization respond to specific phishing threats but also helps capture the learnings from those incidents to put long-term strategic controls in place. This helps organizations defend against future attempts of this kind by using the unique capabilities of the fusion center.