#Infosec16: Visibility Key in Responding to Phishing Attacks

#Infosec16: Visibility Key in Responding to Phishing Attacks

Many hackers today have honed their phishing techniques to evade even the most critical inspection, but the first step to an effective response should be improving visibility, according to Splunk.

The operational intelligence firm’s security evangelist, Matthias Maier, explained during an Infosecurity Europe presentation today that cyber-criminals have become very sophisticated in their crafting of such attacks.

The language is authentic and in the correct corporate font, logos appear to be authentic and even domain names are hard to distinguish from the real thing in many cases, he said.

One specific attack on employees in the State of Michigan (SOM) revealed last year began with an email message claiming that the user’s inbox was full and containing a malicious link encouraging them to increase their mailbox size, Maier explained.

The link took them to a spoofed Outlook Web Access portal designed to look exactly like the SOM custom design where they were encouraged to fill in their personal and log-in details.

He claimed 155 out of over 2000 employees clicked through and a staggering 144 provided their details.

It’s no surprise that hackers are investing more time and effort into such campaigns, given the rewards on offer.

By successfully obtaining the credentials of certain staff they can jump several stages of the typical cyber kill chain and get straight on to the “objectives” phase, Maier argued, adding that in many cases bypassing sandboxing filters is “super easy.”

Visibility is key if organizations are to get a handle on phishing and the cyber attacks that so often start with these email-borne threats, he claimed.

IT security bosses need to be able to answer some key questions to find out: which users have received a phishing email; how many clicked through; whether a proxy blocked the download; if any unknown IP connections were spotted; or if there have been recent changes in endpoint configuration.

“If you can’t scope the attack you can’t provide answers to the press, investors, customers or management,” argued Maier.

He claimed that by looking at web proxies, email records, endpoint logs and time ranges, IT teams can stitch together key information that – with the right analytics – could spot such attacks and help them react quicker.

Source: Information Security Magazine