How to Stop Phishing Attacks: Lessons Learned From the JPMorgan Chase SOC Team

Phishing attacks aren’t going away anytime soon. The numbers from Verizon’s 2019 DBIR Report and SANS Institute prove only one thing: When you’ve done all you can to protect against phishing attacks, that means it’s time to do more.

It’s not that phishing attacks aren’t being addressed — many organizations make an effort to educate employees as well as implement tools to flag dubious emails. But alert fatigue can be a very real problem that analysts face day in and day out. According to SANS Institute research, excessive reporting makes it that much harder to manage a timely response to real phishing attacks. Time spent (and wasted) on false positives, spam and legitimate messages are also significant factors. 

You’re Not Alone

The Security Operations Center (SOC) team over at JPMorgan Chase knows the impact of alert fatigue firsthand, and they were ready for a change. The goal was to enhance their SOC so that they could automatically identify, prioritize and mitigate malicious phishing attempts before any damage was done to their employees or to the enterprise.

The Challenge

The team had a very manual and subjective approach to phishing alerts, even though email was a top attack vector. Employees were expected to forward any suspicious-looking emails (which often ranged from spam to newsletters to internal announcements) to a dedicated mailbox, and the analysts received an average of 30K emails per month as a result, making mailbox triage an incredibly time-consuming and arduous task.

For every instance, the analyst would have to:

  1. Open the email in question.
  2. Read through the entirety of its contents.
  3. Check if there were any suspicious attachments or links.
  4. Copy and paste the text into 10-12 different tools.

They noticed that the analysts were generally following the same process for a majority of the emails, and subsequently determined appropriate use cases for automating the entire process. 

Deciding where to start with SOC Automation:

  1. Understand alerts.
  2. Prioritize by dwell time, mitigation importance, most repetitive and least amount of logical reasoning.
  3. Verify if analysts follow the standard analytical process. 
  4. Factor in the most common threat(s) that analysts are investigating.
  5. Decide if you can easily remove noise or volume with correct tagging/classification.

After realizing the analysts followed the same process, they created an automated framework leveraging the Splunk Security Suite and implemented a better way to respond to phishing emails.
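The first stage of such a framework is the part of the manual process described above: open the forwarded report, pull out the links and attachments, and tag the obvious noise (newsletters, internal announcements) so only the remainder reaches an analyst, ordered by priority. The following Python is an added illustration, not JPMorgan Chase's or Splunk's code; `corp.example` is a placeholder for the company's own mail domain, the DMARC check and the priority values are assumptions, and the sample lure is constructed.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)
INTERNAL_DOMAIN = "corp.example"  # assumed placeholder for the company's own mail domain

def extract_indicators(msg: EmailMessage):
    """Steps 2-3 of the manual process: every URL in the body, every attachment as a SHA-256."""
    urls, attachments = set(), []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""
            attachments.append((part.get_filename() or "unnamed", hashlib.sha256(data).hexdigest()))
        elif part.get_content_type() in ("text/plain", "text/html"):
            urls.update(URL_RE.findall(part.get_content()))
    return sorted(urls), attachments

def triage(raw: bytes) -> dict:
    """Tag a forwarded report so noise is closed automatically and the rest is prioritized."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    urls, attachments = extract_indicators(msg)
    _, sender = parseaddr(msg.get("From") or "")
    auth = (msg.get("Authentication-Results") or "").lower()
    if "list-unsubscribe" in msg:                         # bulk mail: newsletters, marketing
        tag, priority = "newsletter", 0
    elif sender.lower().endswith("@" + INTERNAL_DOMAIN) and "dmarc=pass" in auth:
        tag, priority = "internal", 0                     # trust an internal sender only if DMARC passed
    elif attachments:                                     # attachment present: highest analyst priority
        tag, priority = "suspicious", 3
    elif urls:
        tag, priority = "suspicious", 2
    else:
        tag, priority = "suspicious", 1
    return {"subject": str(msg.get("Subject")), "sender": sender, "tag": tag,
            "priority": priority, "urls": urls, "attachments": attachments}

def sample_lure() -> bytes:
    """Constructed sample of an employee-forwarded lure (documentation IP range, reserved TLD)."""
    m = EmailMessage()
    m["From"] = "Payroll <payroll@corp-example.invalid>"
    m["Subject"] = "Action required: confirm your direct deposit"
    m.set_content("Verify here: https://198.51.100.7/login before Friday.")
    m.add_attachment(b"MZ fake payload", maintype="application",
                     subtype="octet-stream", filename="DirectDeposit.exe")
    return m.as_bytes()
```

A message whose From address looks internal but carries no passing DMARC result is deliberately not tagged `internal`, since a spoofed internal sender is exactly what an automated noise filter must not wave through.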

The Impact

The team’s main goal was achieved. They removed the need for manual investigation and the alert fatigue that came with it. Instead of having a dedicated analyst sift through thousands of emails, they only had to look at the investigations dashboard in Splunk Enterprise Security.

Better yet, the backend code was theirs to extend, which meant continued improvement of the automation framework. It not only automated high-fidelity alerts but also triaged the response, and over time it grew into a framework and methodology that could be applied to any type of alert.

Watch the full session for a demo, including more information on the design and details of the primary components used in Splunk Phantom and Splunk Enterprise Security, as well as the supervised machine learning model that was trained to aid the automation engine.

Want more? Check out the .conf19 session: Automate Your Phishing Response With Splunk Enterprise Security, Splunk Phantom and Machine Learning

Posted by Jade Catalano