Phishing is the malicious practice of luring users to websites that appear legitimate but are controlled by an attacker. Its purpose is to trick users into revealing sensitive personal information such as usernames, passwords, and credit card numbers. Most often, threat actors carry out phishing attacks by sending suspicious links or attachments through email and social media websites. According to Wombat's 2018 survey, 48% of respondents from small and large organizations across all industries reported that phishing attacks against their employees were increasing rapidly. Symantec's 2018 Internet Security Threat Report (ISTR) also found that 54.6% of all investigated emails were spam. To prevent phishing attacks, organizations deploy multilayer security that involves antivirus programs, firewalls, threat hunting, and SIEM solutions. However, even these solutions do not guarantee 100% protection against phishing attacks. Therefore, IT professionals turn to security orchestration to respond to phishing attacks more effectively.
A SOAR platform allows organizations to create playbooks that define how to respond to incidents more effectively and efficiently. Security orchestration, as one part of SOAR, uses "phishing playbooks" that help security teams reduce MTTR (Mean Time to Restore Service) and the manpower spent on repetitive tasks, minimize human error, identify false positives, and automate reporting. Responding to phishing attacks is one of the significant features of security orchestration. The following flowchart demonstrates how security orchestration responds to phishing attacks.
When a phishing email is detected, the playbook notifies the affected person through an automated email that describes the email investigation process. In this step, the playbook checks the suspicious email for any Indicator of Compromise (IoC), such as a URL, file hash, or IP address. As shown in the flowchart above, if any IoC is found, the playbook refers the case to the incident response team. The incident response team then responds to the phishing email and initiates the remediation process, which involves scanning email attachments, notifying the affected employee(s), and purging the malicious email from the email server. If, on the other hand, no IoC is found, the security team is responsible for testing for a false positive. For this purpose, they should run a check in a sandbox, investigate the SIEM to determine why a false positive was generated for a legitimate email, and make users aware of the false positive so that they recognize the same situation in the future.
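The decision flow described above, as an added Python example that is not part of the original article or any SOAR product: it extracts URL, IP and hash indicators from a constructed sample email, matches them against a small placeholder threat-intel set, and returns the branch taken (incident response versus false-positive handling) together with the playbook actions. All indicator values, addresses and action names are constructed for this example.

```python
import re

# Constructed threat-intel set standing in for a real feed (placeholder values).
KNOWN_BAD_URLS = {"http://login-verify.example/reset"}
KNOWN_BAD_IPS = {"203.0.113.45"}
KNOWN_BAD_HASHES = {"0123456789abcdef0123456789abcdef"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# MD5, SHA-1 or SHA-256 as a standalone hex token.
HASH_RE = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{64}\b")

# Constructed sample of a reported email (not a real message).
SAMPLE_EMAIL = """From: it-helpdesk@login-verify.example
Subject: Password expiry
Your password expires today. Reset it at http://login-verify.example/reset
Attachment md5: 0123456789ABCDEF0123456789ABCDEF
"""

def extract_iocs(email_text):
    """Pull candidate URLs, IPs and hashes out of the reported email."""
    return {
        "urls": set(URL_RE.findall(email_text)),
        "ips": set(IP_RE.findall(email_text)),
        "hashes": set(HASH_RE.findall(email_text.lower())),
    }

def match_iocs(iocs):
    """Keep only the indicators that hit the threat-intel set."""
    return {
        "urls": iocs["urls"] & KNOWN_BAD_URLS,
        "ips": iocs["ips"] & KNOWN_BAD_IPS,
        "hashes": iocs["hashes"] & KNOWN_BAD_HASHES,
    }

def run_playbook(reporter, email_text):
    """Follow the flowchart: notify the reporter, check IoCs, then branch."""
    actions = [f"notify {reporter}: investigation started"]
    hits = match_iocs(extract_iocs(email_text))
    if any(hits.values()):
        # IoC found: hand off to incident response and remediate.
        actions += ["escalate to incident response team", "scan attachments",
                    "notify affected employees", "purge email from mail server"]
        return "confirmed_phishing", hits, actions
    # No IoC: treat as a possible false positive and verify.
    actions += ["submit to sandbox", "review SIEM rule that fired",
                "inform user of false positive"]
    return "false_positive", hits, actions
```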