2020 Was the Year of the Phish. Let’s Make Sure 2021 Isn’t a Sequel


2020 was the year of the phish. Well, not officially. According to the Chinese Zodiac, 2020 was the Year of the Rat. But from a cyberattack trends perspective, plenty of third parties reported a huge uptick in phishing attacks during 2020. The SANS 2021 Top New Attacks and Threat Report points to both the Microsoft Digital Defense Report 2020 and the 2021 Data Breach Investigations Report as key sources that validate phishing as the most common initial compromise vector. The FBI concurs, stating that phishing was the most common type of cybercrime in 2020, with the bureau receiving 241,342 complaints that year.

The sad truth is that 2021 is shaping up to be even worse, with the volume of phishing attacks in the first half of the year running 22% ahead of 2020!

In our first blog to mark Cybersecurity Awareness Month (CSAM), we talked about how every one of us can help stop phishing attacks if we think before we click. Here, we’ll talk about how the ThreatQ Platform helps security operations teams mitigate risk from these attacks.

The spear phishing challenge
Spear phishing emails contain a wealth of hidden evidence that can be used to track and understand the methods used by attackers to target the organization. By extracting that information, analysts can better understand what to look for to identify other users that may have succumbed to the trick.

Armed with this evidence, analysts can discover associations between multiple spear phishing messages and so understand a wider campaign that may be underway. Identifying malware samples across campaigns, and associating them with adversary profiles (and therefore intentions), notably improves the ability to respond.

Conducting this level of analysis can be difficult and tedious. Typically, analysts must discover these associations by manually sifting through messages and correlating the information they discover about the campaign with external data on adversaries and their methods.

How the ThreatQ Platform helps
ThreatQ simplifies the process of parsing and analyzing spear phish emails for prevention and response. With a centralized Threat Library that aggregates all the external threat data an organization subscribes to (including our recent integration with real-time phishing threat intelligence from SlashNext), along with internal threat and event data for context and relevance, analysts are in a position to analyze the incoming emails and determine which ones to focus on.

Recipients of suspicious emails forward them to an inbox that ThreatQ monitors continuously. By comparing indicators extracted from each email against the data in the Threat Library, ThreatQ separates high-risk emails from low-risk ones, allowing prioritization and noise reduction.

On high-priority items, ThreatQ automatically performs rear-view mirror searches on email logs using SMTP-specific indicators of compromise (IOCs): email subject, email sender, and email filename/attachments. Analysts are then able to identify spear phish attacks that might have fallen through the cracks because they were not identified as malicious at the time. Going a step further, analysts can query to identify all the spear phish recipients and then overlap those findings with vulnerability scan results to determine the scope and help accelerate response and containment.
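The triage-and-retro-search workflow described above, sketched as an added example in Python (this is not ThreatQ's code; the message, the Threat Library contents and the pipe-delimited gateway log format are all constructed stand-ins):

```python
from email import message_from_bytes, policy

# Constructed sample: a suspicious message as forwarded to the monitored inbox (not real traffic).
SUSPICIOUS_EMAIL = b"""\
From: "Payroll" <hr-notice@example-payroll.test>
To: alice@corp.example
Subject: Updated Q4 payroll schedule - action required
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="Q4_Payroll.xlsm"
Content-Disposition: attachment; filename="Q4_Payroll.xlsm"

ZmFrZQ==
--b1--
"""

# Constructed stand-in for a Threat Library: indicators already known to be malicious.
THREAT_LIBRARY = {"sender": {"hr-notice@example-payroll.test"},
                  "subject": set(), "filename": {"Q4_Payroll.xlsm"}}

# Constructed mail-gateway log, one delivery per line: sender|recipient|subject|attachment
MAIL_LOG = [
    "hr-notice@example-payroll.test|alice@corp.example|Updated Q4 payroll schedule - action required|Q4_Payroll.xlsm",
    "hr-notice@example-payroll.test|bob@corp.example|Updated Q4 payroll schedule - action required|Q4_Payroll.xlsm",
    "newsletter@vendor.example|carol@corp.example|October update|",
    "someone@other.example|dave@corp.example|Re: lunch|Q4_Payroll.xlsm",
]

def extract_iocs(raw):
    """Pull the SMTP-level indicators the post names: sender address, subject, attachment filenames."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = msg["from"].addresses[0].addr_spec
    filenames = {p.get_filename() for p in msg.iter_attachments() if p.get_filename()}
    return {"sender": {sender}, "subject": {str(msg["subject"])}, "filename": filenames}

def triage(iocs, library):
    """Intersect each indicator type with the library; any hit marks the email high risk."""
    hits = {kind: iocs[kind] & library.get(kind, set()) for kind in iocs}
    return ("high" if any(hits.values()) else "low"), hits

def rearview_search(iocs, log_lines):
    """Retroactively search delivery logs for the same indicators; return every recipient hit."""
    recipients = set()
    for line in log_lines:
        sender, rcpt, subject, attachment = line.split("|")
        if sender in iocs["sender"] or subject in iocs["subject"] or attachment in iocs["filename"]:
            recipients.add(rcpt)
    return sorted(recipients)
```

Note that dave is surfaced by the attachment filename alone, even though his message came from a different sender with a different subject; that is the kind of "fell through the cracks" delivery the retro-search is meant to catch.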

The result?
ThreatQ customers:

  • Triage spear phishing faster and more effectively based on analyst familiarity with adversary TTPs.
  • Improve spear phish attribution.
  • Increase their understanding of the environment and susceptibility to spear phish attacks.
  • Proactively protect against spear phish attacks.

To learn more, watch this webinar on-demand, featuring ThreatQuotient’s APAC Director Anthony Stitt and Threat Intelligence Engineer Rob Streamer, who provide an in-depth demo of how to conduct a spear phishing investigation with the ThreatQ Platform.


About ThreatQuotient™

ThreatQuotient™ understands that the foundation of intelligence-driven security is people. The company’s open and extensible threat intelligence platform, ThreatQ™, empowers security teams with the context, customization and prioritization needed to make better decisions, accelerate detection and response and advance team collaboration.