What is Phishing Monitoring?

Phishing Monitoring: FAQ

• How does phishing work?
• What's the difference between phish and spam?
• Why is it important to have a phishing monitoring program in place?
• How closely attended is phishing monitoring? Is it eyes-on-glass?
• What are the current advanced phishing tactics?
• What are some strategies for hunting phishing tactics in your own data?
• What's the process of investigating a phishing incident?
• Why can't phishing monitoring tools catch everything?
• Is end user self-reporting effective?
• What can you do about phishing emails that are slipping through the cracks?

• 1 How does phishing work?

  Phishing works by deceiving an email recipient into responding in some manner that exposes sensitive information, potentially leading to further compromise of assets. The deception can come in several forms:

  Attackers send an email impersonating an otherwise trustworthy sender. It could be an executive of the target user's company or a legitimate business such as a bank or popular e-commerce retailer. The email may appeal to the target user's sense of urgency by claiming they have an order waiting to go out, but additional information is required to expedite.

  It can also be as blatant as asking for the user's password. Phishing emails can go out in the hundreds of thousands or be customized to trick a single targeted individual. Often it only takes tricking one person to cause harm to an entire organization.

  Phishing emails often solicit a click response of a malicious URL. It could be hidden or obscured in some way to look like a button or labeled in some way to trick the user into clicking. Once clicked, the resulting attack usually downloads some type of payload of malware. This step is usually completely invisible to the unknowing user, at which point the only protection will come from endpoint protection or EDR.

  Phishing is deceptive by nature and designed to not be easily recognized. Identifying malicious URLs can be quite difficult since tactics include hiding them in attachments or on legitimate cloud storage provider like a SharePoint or Dropbox.

  Additionally, fake websites are setup to spoof the real thing. One might assume that a website using the HTTPS protocol is legitimate, but statistics say roughly 20% of phishing sites use HTTPS too.

• 2 What's the difference between phish and spam?

  Spam is usually qualified as unsolicited, unwanted mail. Spam may advertise or provide links to click, but phishing is distinctly designed by a malicious actor to gather sensitive information or trick the recipient into clicking malicious links.

• 3 Why is it important to have a phishing monitoring program in place?

  Phishing is a leading cause of compromise by bad actors, since it leverages the most reliable weakness of an organization: people. This is why many organizations now require mandatory phishing training. A good program also encourages reporting of unfiltered phishing emails by users.

  Ideally, a monitoring program will do two things: limit the exposure of phishing emails to users by catching and filtering them and alert when a phishing link has been clicked. A worst-case scenario is a phishing link that's been clicked, triggered a malicious event, and it goes unnoticed.

• 4 How closely attended is phishing monitoring? Is it eyes-on-glass?

  Phishing monitoring is not actively monitored by analysts until it becomes an incident. That's the nature of the beast. Emails arrive in such overwhelming quantity that it must be automated. The human element is just as critical to mitigation as it is a vulnerability – savvy users report phishing emails that defeat any mitigations in place and help to further refine the tools.

  Often, a special "abuse inbox" is setup where end users can forward suspected phishing emails for review by security analysts. This collection of emails serves as data for analysis of potentially new phishing techniques.

• 5 What are the more advanced phishing tactics used today?

  One of the most effective tactics for phishing attackers these days is to leverage something legitimate for malicious purposes. With the advent of cloud storage, sharing URLs have become a ubiquitous part of business on the Internet. Many organizations rely on popular cloud storage solutions such as Google Drive, Dropbox, Microsoft OneDrive & SharePoint, etc. to share and deliver files with customers and coworkers. These legitimate tools can also be a perfect vehicle to perpetrate a phishing attack.

  Example: An attacker starts by creating a free, anonymous cloud storage account and uploading a document. The content of the document is a URL to a malicious remote server capable of installing malware or some type of payload on the user's machine. The attacker then sends the sharing URL to a target, which sails through any email security filters because it's a legitimate cloud storage URL.

  Another clever tactic is what's called delayed weaponization. This is where a legitimate sharing URL exists for a period of time, serving legitimate content. At some point it undergoes a bait-and-switch and begins serving malicious content. In a phishing attack, this can avoid detection until the delayed attack is executed.

• 7 What's the process of investigating a phishing incident?

  Identifying and investigating a phishing incident is similar to most other cybersecurity event investigations. It generally breaks down into the following steps:

  • Classify the incident: Is it phishing, spam, or malware
  • Quarantine the emails in question
  • Review the firewall logs to determine which users clicked or which machines the links were clicked from
  • Once identified: Block malicious domains, URLs, and IPs associated with the phishing link(s) at the firewall/proxy level
  • User account maintenance: Reset passwords for user accounts that clicked
  • Review forwarding rules on compromised accounts to ensure mail is not forwarding to bad actors
  • Review outgoing messages on mail server to determine if compromised accounts sent emails

  The extent to which an organization will execute these steps can vary.

• 8 Why can't phishing monitoring tools catch everything?

  Phishing monitoring tools work really well, but the tactics of phishing are constantly changing. Actual humans are on the other end of the attack, engineering new ways to skirt any protections designed for yesterday's phishing targets. Those attackers are intelligent and leverage human nature as a tool for compromise.

  Proofpoint, a tool that monitors incoming email at the perimeter, achieves 98% - 99% coverage for phishing attempts, but the volume of email is so huge that it's still insurmountable.

  Security analysts are needed to handle the 1% - 2% that squeak by filters.

  An example of a phish that's hard to catch is one that comes from a cloud storage provider (Dropbox, Google Drive, SharePoint, etc.) account.

  Scenario: A document is sent through the provider's sharing mechanism and since it's from a legitimate sender it gets past filters.

  The phishing email itself doesn't contain any triggers, but what actually lurks at the cloud storage provider's link? A human analyst is required to decipher content and perform any additional investigation.

• 9Is end user self-reporting effective?

  For any phishing attempts that get past filters, the final line of defense is the sensibility of the recipient user themselves – the target of the attack. Users are encouraged to report or forward identified or suspected phishing emails to an internal email address called an "abuse inbox." This is known as self-reporting. Some organizations use a reward system to keep their users sharp-eyed and looking for phishes.

  Some organizations rely on this method solely to detect phishing attempts, but the challenge with self-reporting is that if no one is watching that abuse inbox, how can you measure effectiveness of user vigilance, or whether a phishing attack was successful in baiting a user?

  You can't. Reported phishing is useless without some measure of structured investigation.

• 10 What can you do about phishing emails that are slipping through the cracks?

  If an email isn't reported and it's not showing as "blocked" by your tools, how do you know about it? These are the most dangerous and potentially damaging types of phishing emails.

  One issue with automated detection is simply the quantity of data being analyzed. To avoid excess noise and false positives, email security filters have a threshold of risk scoring that can be set. Any emails scoring just under the threshold make it to inboxes. It would be beneficial for an analyst/threat hunter to be reviewing those emails to figure out what's causing the medium score.

  Luckily, the top email security platforms address this by providing a constant stream of data for analysts to review. A SOC should be looking at any emails that are scoring near the threshold of risk to determine why.