In the world of credential theft, phishing continues to be a popular method of attack and is on the increase, as malicious actors become more sophisticated and targeted in their methods. In fact, 64 per cent of global firms have experienced at least one disruption as a result of malicious activity in the last year and more than half of these attacks were caused by phishing.
Modified login pages of a website and clever social engineering is all a threat actor needs to launch such an attack and the primary delivery method for phishing links is email. Although, it is also possible to access phishing pages while web browsing.
For the enterprise, employee education is the key to defending against these types of attacks. However, businesses can take their defence a step further by utilising and leveraging information from phishing emails to learn more about why these attacks are happening and from where.
Categorise and prioritise phishing emails
Dividing phishing emails into categories is the first step. Are the emails blindly canvased and untargeted? Limited to an industry, or do they include specific information about a business? Are they directed towards a particular employee or application? If the emails seem to be industry specific, it is worth sharing this intelligence within a trusted ISAC or community to alert others to the attack.
Any additional insights can be gleaned from other businesses who may have also been targeted and the scope of the attack can be determined. If the email has been confined to a specific business, then searching for a credential dump of accounts, exfiltrated data by a breach, or insider attack may be warranted.
If a threat actor knows a business’s environment well enough, they may be trying to get users to install a specific exploit in a company application. It will take a little investigation by IT professionals to figure out if the app is targeted because it’s seen as an entry point into the infrastructure, or simply because it was detected as an exploit. More commonly, it is the latter. Even if it appears to be an opportunistic attempt against an app, there are a few common actions a business can take to prevent it in the future:
Remove any unnecessary application signatures from errors, status, default pages, banners etc. as this information helps attackers more than a business.
Update the apps in known Common Vulnerabilities and Exposures (CVE) severity order, i.e. updating the most vulnerable first. This is a catalogue of known security threats and is likely the same priority order an attacker uses.
Segment the employee and systems networks with firewalls. If a staff member does click on something, download and/or install malicious software, it is beneficial that it is as isolated as possible.
Very targeted emails require a different approach
Personalised and targeted attacks always require more detailed investigations. Questions asked may include: Are they targeting the person or their position? What action did they try to invoke? What are they after? Money, disruption of service or privilege escalation?
Once a motive has been established, then it is time to collect information from the email itself, including headers, links, domains and IPs where possible. These finer details can be plugged into a threat intelligence platform to help give the information context and show if they have been associated with past malicious activity against the company.
It is, however, common to have a new domain used in an attack, which has an unknown history. In these cases, the rest of the infrastructure and ownership chain will still have background which shows the domains of their past misdeeds.
Launching the counterattack
Active intelligence gathering or the ‘phish back’ fills in the blanks and potentially removes layers of clever camouflage that threat actors hide behind. For instance, if all evidence points to a compromised server, the owner may not be the culprit. To get to the person behind the attack, replying to phishing can start a conversation, as the bad actor will need to engage if they hope to gain information or money.
Appearing to comply, while subtly requesting more information, or requiring them to perform a small action can be beneficial to the overall analysis. The resulting information that they unknowingly reveal can then be entered into a threat intelligence platform to help determine who is behind the attack.
Bolstering defences with intelligence
Investigations into phishing attacks can be very revealing, and the information gained can be used to inform a carefully crafted defence strategy. Companies need to invest in employee education and implement comprehensive policies. This includes limiting access of personal devices to critical networks, isolating the employee system from critical services and encouraging staff to use personal email services that are good at detecting spam and phishing.
Small businesses can implement Unified Threat Management (UTM), which combines multiple security functions into one single system. Any new information on threats can then be fed into this and updated regularly. Some cyber security providers offer free STIX / TAXII feeds that identify IOCs, which phishing information can be searched against to help discover threat actors, campaigns and their techniques. However, it is important not to overstate the role of automated threat intelligence alone. Any subsequent actions must rely on contextual interpretation, such as the geopolitical landscape.
Anthony Aragues is vice president of security research at Anomali