Published on July 8, 2021
Working remotely has been the norm for many organizations over the past year and half. While working from home is a major boon to businesses, the impact on cyber security has been less positive, as employees are exposed to more phishing attacks than ever. Yes, phishing emails are not new, but attackers are always learning how to make their emails more authentic. According to the Verizon 2021 Data Breach Investigations Report, 36% of breaches involved phishing, an increase of 11% compared to last year (2020).
Phishing and malware plague enterprises as they are capable of bringing an organization to a complete halt. One of the largest phishing attacks in June 2020, called Avaddon, distributed over one million messages targeting US organizations and demanded $800 in bitcoin for recovering lost data. If organizations didn’t pay, they would lose their data.
Understanding the Phishing Attack Chain
Phishing emails are one of the hardest threats to protect against as attackers targets the user and use psychological and emotional means to influence their actions. They can mimic legitimate email conversations and take advantage of trust relationships. Attackers are constantly innovating to craft more authentic-looking phishing emails. They psychologically influence the targeted users using a variety of lures in subject lines to trick them into opening emails or clicking on URLs. For instance, one ransomware email used the topic of Covid-19 test results to lure victims into clicking a malicious link.
Business Email Compromise
A type of phishing attack where an attacker uses a corporate e-mail account - a genuine account that has been compromised – to defraud the company, its customers, partners, and/or employees into sending money or other sensitive data to the attacker. This type of attack uses the identity of a trusted individual and usually, but not always, targets high-level executives and people working in the finance department.
Typosquatting Phishing Attacks
In this type of attack an attacker uses emails coming from an incorrectly spelled, but visually similar, web address (e.g., “Securonlx.com” instead of “Securonix.com”). When users fall into the trap by opening or clicking on embedded URLs that take the user to compromised pages which are pre-loaded with an exploit kit.
The attacker can also attempt to steal the user’s credentials and use that to gain access to the organization’s network. Once inside the organization’s network, the attacker will move laterally and drops ransomware or malware on selected servers across the network. The end goal of the attacker is usually to exfiltrate data or deploy ransomware to encrypt the organization’s data and demand a ransom to restore lost data.
Securonix’s Approach to Detect Phishing
Securonix’s Phishing Analyzer feature detects phishing campaigns by analyzing email logs and applying machine learning-based analytics techniques such as visual similarity. This technique detects visually similar email addresses at scale with minimal false positives using a modified Levenshtein distance algorithm to detect typosquatting phishing attacks and analyze email sender information against legitimate employee HR records like first name, last name tittles and email address. It detects any mismatch or suspected malicious activity and assigns a risk score. Securonix Threat chains stitch together related alerts in order to prioritize incidents for security teams. Machine learning-based analytics and threat chains work in tandem so that security teams can quickly detect and respond to phishing threats. The solution can also be designed to specifically prioritize email compromise attempts involving executives or other groups of concern.
Phishing Analyzer reviews emails for threats in three stages. As seen below, the first stage involves evaluating the sender’s email address for business email compromise or typosqautted domains. The second stage examines the recipient email address for peer targeting. The third stage examines for embedded URLs or suspicious or unusual IP addresses. Risk-based prioritization helps to reduce false positive alerts, and emails with high risk scores are flagged for review as a potential threat.
Securonix Next-Gen SIEM with Phishing Analyzer uses machine learning-based algorithms to detect advanced threats and risk-based scoring to reduce false alerts, thus improving overall analyst efficiency by reducing the detection time (MTTD). This streamlines security operations and speeds up detection by using advanced analytics to flag potential phishing threats in your environment.
With Securonix Next Gen SIEM’s Phishing Analyzer you get instant notification and automated response to phishing attacks using sophisticated detection techniques. Reduce your phishing attack risk and minimize the effort spent on audit and forensics.