Between Two Alerts: Phishing Emails — Don’t Get Reeled In!

Potential attackers are really good at what they do. Security analysts see this firsthand with the amount of phishing emails their organizations see daily. A newly released State of the Phish report reveals that nearly 90% of organizations dealt with business email compromise (BEC) attacks in 2019. End users reported 9.2 million suspicious phishing emails globally for the year.

A BEC attack starts with a hacker spoofing emails to impersonate an organization's internal email alias or a vendor email alias. Security analysts can spot these phishing emails fairly easily, but many employees can not. Hence, they fall for the trap and click on links within the email that they think are trustworthy. Once this happens, cybercriminals request personal or company information through what looks like a legitimate business transaction. Because it looks legitimate, the employees comply and the security analysts are left to clean up the mess.

What This Means

A successful BEC attack can result in the loss of sensitive information such as passwords, credit card numbers, account data and customer information. In a previous post, we highlighted that working from home has led to an increase in BEC and phishing threats. If organizations aren’t actively monitoring for threats — or are simply training their employees to report suspicious-looking emails to the cybersecurity team — attacks can and will fall through the cracks.

When employees report emails to the security team, this creates a manual workload for the Security Operations Center (SOC). This could result in 10-15 email investigations per day for a small organization, and up to 1,000 per day at a large financial institution. Each analyst could spend anywhere between 10 and 40 minutes to complete each investigation. That represents an overwhelming time commitment for even a large security team. It’s almost impossible for security teams to keep up, especially if they are forced to manually investigate these threats. 

Consider an average SOC with around 10 full time employees who have to follow a manual process of investigating suspicious emails. The work is soul-crushingly tedious. These security analysts generally have to look through each email, pull out the attachments and/or web links, and then paste those artifacts into other security tools to find out if they are “known bad” or exhibit unwanted behaviors. Security tools like web reputation services, threat intelligence services, endpoint security, and sandboxes are all used simultaneously, or in a sequence, to investigate and resolve a phishing threat. 

Analysts need to assemble all of this information, evaluate it, and then act to prevent further harm to the organization. It’s time-consuming and tedious. 

How can security analysts accelerate their investigations and reduce their manual workload?

Don’t Get Reeled In

There’s a solution to this problem: orchestration and automation. Splunk’s security, orchestration, automation and response (SOAR) solution, Splunk Phantom, can automate otherwise manual security tasks. 

Let’s consider a phishing investigation. Users will forward suspicious-looking emails to your centralized phishing mailbox. Phantom connects directly to Office 365 and ingests those emails from the centralized mailbox. Without pivoting to another security tool, the security analyst can automatically execute various investigative and containment actions via Office 365, including moving emails, deleting emails and blocking senders. The analyst can also run an automated playbook that executes a series of synchronized actions across different tools. For instance, the analyst can run an out-of-the-box Phantom playbook called “Suspicious Email Attachment Investigate and Delete”. This playbook synchronizes the actions of Office 365, VirusTotal and a sandbox to investigate and resolve a BEC event in seconds instead of minutes — with limited human intervention. It’s fast, seamless, and automatic. 

See It In Action

To see how Splunk Phantom can accelerate your phishing investigations, tune in to our Between Two Alerts webinar episode, "Phishing Emails — Don’t Get Reeled In!."

This blog is part of Splunk's always-on digital series, "Between Two Alerts." Click here to see more from the series.

Olivia Courtney

Posted by