Gone are the days of the Nigerian prince promising fortune to unsuspecting email recipients. Attackers have stepped up their phishing game and evolved their tactics to entice employees to click links or open attachments, preying on the opportunity to spread persistent malware or compromise credentials. These threat actors relentlessly target employees — both at work and through personal email — in hopes of breaching corporate networks.
A form of social engineering, phishing has been used to steal sensitive and personal information for years, and security teams stay busy tracking and defending against these threats. Security operations center (SOC) analysts are often inundated with a barrage of incidents and must feverishly work to defend the enterprise as malware slips through defenses.
Organizations and their SOC teams continue to look for an effective solution to detect phishing threats and help speed incident response. While the security information and event management (SIEM) solutions in these SOC environments are expected to pinpoint phishing threats, very few do so effectively.
The Value of Phishing Intelligence
Phishing is one of the biggest risks organizations face, regardless of size and industry vertical. According to a report by security firm PhishMe, more than 90 percent of breaches begin with a phishing email. Security teams require timely, accurate, consumable and actionable threat intelligence to protect employees and corporate networks from phishing attacks.
To be actionable, phishing data has to be presented in machine-deliverable threat intelligence (MRTI) so security teams can determine which indicators pose the greatest risk based on their impact rating. Furthermore, the indicators must provide contextual details to understand why the exploits represent a risk to the business. Human-readable reports illustrate the details behind the attacker’s phishing emails. This visibility can then be used in companywide phishing simulations to ensure that employees are conditioned to recognize and report cybercriminal tactics.
Integrating Phishing Intelligence With SIEM
IBM Security understands the need for reliable phishing intelligence to combat ransomware attacks as the attackers operate their global criminal infrastructure. To help clients, IBM QRadar SIEM is partnering with PhishMe for the PhishMe Intelligence App, a 100 percent human-verified, machine-readable threat intelligence service.
Fundamentally, IBM QRadar SIEM processes the events from various log sources based on correlation rules to reveal the potential offenses. Correlation rules are developed to consider all possible signs of an advanced persistent threat (APT) and detect phishing attacks.
Now, with the PhishMe Intelligence App, QRadar analysts can leverage phishing intelligence that PhishMe researchers develop by vetting possible global phishing threats. This service dramatically reduces the time that analysts would otherwise spend to determine indicator severity and impact. As a result, SOC teams are able to respond quickly and confidently to disrupt the attackers before they can achieve their mission.
The PhishMe Intelligence App, available in the IBM Security App Exchange, consumes phishing source IPs, URLs, hostnames and malicious files hash values. With the app installed, QRadar ingests a credible source of intelligence, and analysts can take action based on indicator impact ratings. The app clearly outlines impact ratings for analysts, which can give them the insights they need to prioritize tasks in their response plan.
PhishMe correlates the criminal infrastructure attackers are using so that security analysts can visualize the overall hierarchy of malware campaigns. This is much more effective than random indicators that don’t offer analysts the insights they need to take action. Additionally, the PhishMe Intelligence app provides links to human-readable malware reports with executive and technical details about the malware campaign. These contextual reports provide security leaders and analysts with information to make informed decisions and defend the enterprise. Machine- and human-readable reports offer visibility into phishing campaigns that is efficiently consumed by QRadar and easily interpreted.
Spotting Phish in the Deep Blue Sea of Cybercrime
Phishing defense is a never-ending battle of criminal versus recipient, and there is no one-size-fits-all solution to this challenge. However, partnerships such as the one between IBM and PhishMe integrate industry-leading solutions and services to provide organizations with the support they need to protect their business. PhishMe’s human-focused solutions strengthen and complement existing security investments to protect against nefarious criminals.
If you want to better arm your organization to combat phishing, download the app from the IBM Security App Exchange and attend the Sept. 14 webinar to learn how to clearly see the phish through the murkiness of the cybercriminal underground.