Phishing emails are among the oldest and most common types of cyberattack, and when successful they can have a devastating impact. In 2020 the average cost of a breach that began with phishing was $4.65 million, and the FBI reported more than 12 times as many phishing complaints last year as in 2016.
In fact, some large organizations receive around 10,000 security alerts every day, including phishing emails. This massive volume has become a major part of the problem, and with manual triage of a single suspicious email taking 10 to 45 minutes, it’s often impossible for security teams to keep up with demand.
The challenge is exacerbated by cybercriminals who continually find new methods of attack. Security teams in charge of prevention and mitigation need to monitor a variety of data sources, ranging from logs, emails, alerts and suspected compromised accounts to external resources such as Twitter (among many others). In many cases the manual effort required consumes valuable time and resources, preventing highly skilled security professionals from applying their skills to more strategic initiatives.
Automation of investigations
Clearly the current situation cannot be sustained, and to address the burden it imposes, automating phishing investigation and response has become a priority. Automation goals typically focus not only on preventing potential breaches from slipping through the cracks, but also on reducing the pressure on overloaded security analysts.
In an automated system, a potential phishing email triggers a specific workflow designed to defeat the attack before it has a chance to fully take shape. For example, a reported email is removed from the mailboxes that received it before users have a chance to open it.
We can further automate the slower parts of an investigation by extracting indicators of compromise (IOCs) from every part of an email: headers, body (HTML, text, RTF), sender and subject, as well as the reputation of each mail transfer agent (MTA) listed in the "Received:" headers. Note that only the Received header written by your own mail gateway can be trusted; every hop below it was supplied by the sender and may be forged. Once reputations are determined and IOCs extracted, security teams can automate correlation and threat intelligence searches on these artifacts: IPv4 and IPv6 addresses, URLs, domains and file hashes (MD5, SHA1, SHA256, SHA512, SSDeep).
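The extraction step above, as an added example rather than code from the article or from Swimlane's product: a standard-library Python script that parses a constructed sample message (reserved documentation IP ranges and .test domains, not a real phishing email), walks the Received chain oldest hop first, pulls URLs, IPv4 addresses and domains from the text and HTML parts, and hashes every attachment. The reputation lookup for each hop is an external threat intelligence call and is left out; only the artifacts that would be sent to it are produced.

```python
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample message for this example (documentation address ranges,
# .test TLDs). It is not a real phishing email.
RAW_EMAIL = b"""Received: from mail.example-relay.test (mail.example-relay.test [203.0.113.10])
  by mx.victim.test with ESMTP id abc123; Mon, 1 Mar 2021 10:00:00 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
  by mail.example-relay.test with SMTP; Mon, 1 Mar 2021 09:59:58 +0000
From: "IT Helpdesk" <helpdesk@victim-support.test>
To: user@victim.test
Subject: Password expiry notice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Reset here: <a href="http://victim-support.test/reset?u=1">portal</a>
or http://198.51.100.7/login</p></body></html>
--b1
Content-Type: text/plain; name="invoice.txt"
Content-Disposition: attachment; filename="invoice.txt"

not really an invoice
--b1--
"""


def file_hashes(data: bytes) -> dict:
    """Hashes a SOC pivots on. SSDeep is omitted because it is not in the standard library."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256", "sha512")}


def parse_received_hops(msg) -> list:
    """Return the Received chain oldest-first, so hops[0] is the originating MTA.

    Received headers are stored newest-first: the top one was written by our own
    gateway and is the only one we can trust; the rest came from the sender.
    """
    hops = []
    for hdr in msg.get_all("Received", []):
        hop = " ".join(str(hdr).split())  # unfold continuation lines
        m = re.search(r"\bfrom\s+(\S+)", hop)
        ips = list(dict.fromkeys(IPV4_RE.findall(hop)))  # dedupe, keep order
        hops.append({"from": m.group(1) if m else None, "ips": ips})
    return list(reversed(hops))


def extract_iocs(raw: bytes) -> dict:
    """Extract sender, subject, MTA chain, URLs, IPs, domains and attachment hashes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, sender = parseaddr(str(msg.get("From", "")))
    iocs = {
        "sender": sender,
        "subject": str(msg.get("Subject", "")),
        "hops": parse_received_hops(msg),
        "ipv4": set(),
        "urls": set(),
        "domains": set(),
        "attachments": {},
    }
    if "@" in sender:
        iocs["domains"].add(sender.rsplit("@", 1)[1].lower())
    for hop in iocs["hops"]:
        iocs["ipv4"].update(hop["ips"])
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.is_attachment():
            data = part.get_payload(decode=True) or b""
            iocs["attachments"][part.get_filename() or "unnamed"] = file_hashes(data)
        elif part.get_content_type() in ("text/plain", "text/html"):
            text = part.get_content()
            for url in URL_RE.findall(text):
                url = url.rstrip(".,;)")
                iocs["urls"].add(url)
                host = (urlparse(url).hostname or "").lower()
                if host and not IPV4_RE.fullmatch(host):  # bare IPs are tracked under ipv4
                    iocs["domains"].add(host)
            iocs["ipv4"].update(IPV4_RE.findall(text))
    return iocs


if __name__ == "__main__":
    for key, value in extract_iocs(RAW_EMAIL).items():
        print(f"{key}: {value}")
```

Every value in the returned dictionary (each hop IP, each URL host, each hash) is a key that can be looked up against threat intelligence or a SIEM; the originating hop in `hops[0]` is the one whose reputation matters most, but because it sits below our own gateway's header it is also the easiest for an attacker to fake.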
When emails are automatically ingested, correlated and processed together with all related information, the load on the Security Operations Center (SOC) is reduced. This extends to the many related activities a SOC has to track and manage when processing a reported message. By using low-code automation in particular, security teams can extend automation beyond the SOC, simplifying alert monitoring and significantly reducing response times, so that every alert is addressed and risk exposure decreases.
Focus on accuracy and consistency of processes
Manual IOC analysis has become another time-consuming task, and many security professionals know the effort required just to determine whether a reported message has already been processed. Once this is automated, it becomes much easier to determine whether any aspect of an email resembles one that has already been received. An effective automation solution should flag a message as related when, for example, five or more data points match, using fuzzy hashes, Levenshtein distance and other similarity algorithms.
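The "five or more data points" rule above, as an added example that is not code from the article or from Swimlane: a pure-Python Levenshtein implementation is used to score the subject, display name and body of a newly reported message against a previously processed record, and exact matches on sender domain, URL hosts, attachment hashes and originating IP make up the remaining data points. The records, field names and thresholds are constructed for the example; a real system would pull the seen records from its case database.

```python
def levenshtein(a: str, b: str) -> int:
    """Edit distance with a two-row dynamic programming table."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(a: str, b: str) -> float:
    """1.0 for identical strings, 0.0 for strings with nothing in common."""
    if not a and not b:
        return 1.0
    return 1 - levenshtein(a, b) / max(len(a), len(b))


def norm(s: str) -> str:
    return " ".join(s.lower().split())


def related_points(new: dict, seen: dict, threshold: int = 5) -> tuple:
    """Return (matched data points, whether the pair counts as related).

    Fuzzy fields use a similarity cut-off; everything else must match exactly.
    """
    points = []
    if new["sender_domain"] == seen["sender_domain"]:
        points.append("sender_domain")
    if similarity(norm(new["subject"]), norm(seen["subject"])) >= 0.8:
        points.append("subject")
    if similarity(norm(new["display_name"]), norm(seen["display_name"])) >= 0.8:
        points.append("display_name")
    if new["url_hosts"] & seen["url_hosts"]:
        points.append("url_hosts")
    if new["attachment_sha256"] & seen["attachment_sha256"]:
        points.append("attachment_sha256")
    if new["origin_ip"] == seen["origin_ip"]:
        points.append("origin_ip")
    if similarity(norm(new["body"]), norm(seen["body"])) >= 0.7:
        points.append("body")
    return points, len(points) >= threshold


# Constructed records (not real messages): one already-processed phish, an
# unrelated newsletter, and a new report that is a minor variant of the phish.
FAKE_SHA256 = "0" * 64
SEEN_REPORT = {
    "sender_domain": "victim-support.test",
    "subject": "Password expiry notice",
    "display_name": "IT Helpdesk",
    "url_hosts": {"victim-support.test"},
    "attachment_sha256": {FAKE_SHA256},
    "origin_ip": "198.51.100.7",
    "body": "Your password expires today. Reset here: http://victim-support.test/reset?u=1",
}
UNRELATED_REPORT = {
    "sender_domain": "newsletter.example",
    "subject": "Weekly digest",
    "display_name": "Marketing",
    "url_hosts": {"newsletter.example"},
    "attachment_sha256": set(),
    "origin_ip": "203.0.113.99",
    "body": "Here is this week's digest.",
}
NEW_REPORT = {
    "sender_domain": "victim-support.test",
    "subject": "Password expiry notice!",
    "display_name": "IT HelpDesk",
    "url_hosts": {"victim-support.test"},
    "attachment_sha256": {FAKE_SHA256},
    "origin_ip": "198.51.100.7",
    "body": "Your password expires today. Reset here: http://victim-support.test/reset?u=2",
}


def find_related(new: dict, seen_reports: list) -> list:
    """All previously processed reports the new one should be merged with."""
    return [s for s in seen_reports if related_points(new, s)[1]]


if __name__ == "__main__":
    for seen in (SEEN_REPORT, UNRELATED_REPORT):
        print(seen["subject"], "->", related_points(NEW_REPORT, seen))
```

Levenshtein distance is quadratic in string length, so in practice it is applied to short fields (subject, display name, URL path) and a fuzzy hash such as SSDeep covers the body and attachments; the point-counting structure stays the same either way.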
Key processes need to be automated for greater accuracy and consistency. For example, when a known phishing attack is identified, the system should automatically open a ticket, remove similar messages from all mailboxes and, where applicable, quarantine endpoints suspected of having opened a malicious attachment. When the threat is unknown, the system should check any attachments or URLs against threat intelligence and/or send them to a sandbox for inspection. If the result is malicious, it should likewise remove the message from every affected mailbox and quarantine the affected systems.
Automation, and low-code security automation in particular, can also address the growing complexity of existing security controls. It is not uncommon for organizations to integrate up to 50 technologies to build an effective defense. With consistent automated processes, IOC analysis can be delegated to the appropriate integrated third-party tool depending on the type of indicator, enabling faster and more effective execution of activities such as threat intelligence lookups, investigation, research, SIEM queries and log management.
Reduce the average resolution time
An effective automation solution lets security analysts see every relevant detail, providing a dashboard tailored to specific users, roles and tasks and presenting all the necessary data in one concise record.
The solution should also help determine and automate consistent responses. These may include sending the payload to an internal or external sandbox, isolating a device, changing a firewall rule, notifying the analyst, sending an email alert to the relevant parties, or collaborating with teams outside the automation solution.
By automating investigation, response and collaboration, automation can reduce incident resolution from around 45 minutes to about five, on average. This means security analysts can spend their time investigating other critical events, improving prevention and detection, or gaining new skills, rather than running tedious, well-understood processes by hand.
Ultimately, cybercriminals thrive by creating chaos and uncertainty. But when security teams use low-code security automation to address these threats, accelerating investigation, response and resolution, they can reduce the impact of phishing on their organization.
Josh Rickard, security automation architect, Swimlane