Gone are the days of the Nigerian prince promising fortune to unsuspecting email recipients. Attackers have stepped up their phishing game and evolved their tactics to entice employees to click links or open attachments, preying on the opportunity to spread persistent malware or compromise credentials. These threat actors relentlessly target employees — both at work and through personal email — in hopes of breaching corporate networks.

A form of social engineering, phishing has been used to steal sensitive and personal information for years, and security teams stay busy tracking and defending against these threats. Security operations center (SOC) analysts are often inundated with a barrage of incidents and must feverishly work to defend the enterprise as malware slips through defenses.

Organizations and their SOC teams continue to look for an effective solution to detect phishing threats and help speed incident response. While the security information and event management (SIEM) solutions in these SOC environments are expected to pinpoint phishing threats, very few do so effectively.

Register for the webinar series to learn more about optimizing your SOC

The Value of Phishing Intelligence

Phishing is one of the biggest risks organizations face, regardless of size and industry vertical. According to a report by security firm PhishMe, more than 90 percent of breaches begin with a phishing email. Security teams require timely, accurate, consumable and actionable threat intelligence to protect employees and corporate networks from phishing attacks.

To be actionable, phishing data has to be presented in machine-deliverable threat intelligence (MRTI) so security teams can determine which indicators pose the greatest risk based on their impact rating. Furthermore, the indicators must provide contextual details to understand why the exploits represent a risk to the business. Human-readable reports illustrate the details behind the attacker’s phishing emails. This visibility can then be used in companywide phishing simulations to ensure that employees are conditioned to recognize and report cybercriminal tactics.

Integrating Phishing Intelligence With SIEM

IBM Security understands the need for reliable phishing intelligence to combat ransomware attacks as the attackers operate their global criminal infrastructure. To help clients, IBM QRadar SIEM is partnering with PhishMe for the PhishMe Intelligence App, a 100 percent human-verified, machine-readable threat intelligence service.

Fundamentally, IBM QRadar SIEM processes the events from various log sources based on correlation rules to reveal the potential offenses. Correlation rules are developed to consider all possible signs of an advanced persistent threat (APT) and detect phishing attacks.

Now, with the PhishMe Intelligence App, QRadar analysts can leverage phishing intelligence that PhishMe researchers develop by vetting possible global phishing threats. This service dramatically reduces the time that analysts would otherwise spend to determine indicator severity and impact. As a result, SOC teams are able to respond quickly and confidently to disrupt the attackers before they can achieve their mission.

The PhishMe Intelligence App, available in the IBM Security App Exchange, consumes phishing source IPs, URLs, hostnames and malicious files hash values. With the app installed, QRadar ingests a credible source of intelligence, and analysts can take action based on indicator impact ratings. The app clearly outlines impact ratings for analysts, which can give them the insights they need to prioritize tasks in their response plan.

PhishMe correlates the criminal infrastructure attackers are using so that security analysts can visualize the overall hierarchy of malware campaigns. This is much more effective than random indicators that don’t offer analysts the insights they need to take action. Additionally, the PhishMe Intelligence app provides links to human-readable malware reports with executive and technical details about the malware campaign. These contextual reports provide security leaders and analysts with information to make informed decisions and defend the enterprise. Machine- and human-readable reports offer visibility into phishing campaigns that is efficiently consumed by QRadar and easily interpreted.

Spotting Phish in the Deep Blue Sea of Cybercrime

Phishing defense is a never-ending battle of criminal versus recipient, and there is no one-size-fits-all solution to this challenge. However, partnerships such as the one between IBM and PhishMe integrate industry-leading solutions and services to provide organizations with the support they need to protect their business. PhishMe’s human-focused solutions strengthen and complement existing security investments to protect against nefarious criminals.

If you want to better arm your organization to combat phishing, download the app from the IBM Security App Exchange and attend the Sept. 14 webinar to learn how to clearly see the phish through the murkiness of the cybercriminal underground.

View the infographic: Put your SOC in order, in short order

More from Intelligence & Analytics

Email campaigns leverage updated DBatLoader to deliver RATs, stealers

11 min read - IBM X-Force has identified new capabilities in DBatLoader malware samples delivered in recent email campaigns, signaling a heightened risk of infection from commodity malware families associated with DBatLoader activity. X-Force has observed nearly two dozen email campaigns since late June leveraging the updated DBatLoader loader to deliver payloads such as Remcos, Warzone, Formbook, and AgentTesla. DBatLoader malware has been used since 2020 by cybercriminals to install commodity malware remote access Trojans (RATs) and infostealers, primarily via malicious spam (malspam). DBatLoader…

New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware

8 min read - IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads. Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as…

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

Unmasking hypnotized AI: The hidden risks of large language models

11 min read - The emergence of Large Language Models (LLMs) is redefining how cybersecurity teams and cybercriminals operate. As security teams leverage the capabilities of generative AI to bring more simplicity and speed into their operations, it's important we recognize that cybercriminals are seeking the same benefits. LLMs are a new type of attack surface poised to make certain types of attacks easier, more cost-effective, and even more persistent. In a bid to explore security risks posed by these innovations, we attempted to…