A Sea Full of Phish
Phishing emails remain one of the most frequent, cheapest to execute, and most damaging attacks organizations face. Phishing is still a leading initial-access vector for ransomware, lateral movement, and account takeover, so its business and security impact is real and lasting.
Security analysts face several recurring challenges when responding to phishing. Handling alert volume without burning out, switching between multiple consoles to coordinate a response, avoiding mistakes while completing repetitive tasks, and standardizing response and reporting procedures are all persistent pain points.
To help meet these challenges, users can now combine zero-day phishing detection intelligence from Phish.AI with the security orchestration and automation capabilities of Demisto, thus improving their response posture to phishing attacks.
Phish.AI and Demisto Integration Features
- Query Phish.AI from Demisto Enterprise to check whether a URL is malicious or phishing-related and retrieve details about the brand it impersonates.
- Trigger playbooks with automated response actions based on the results of Phish.AI queries from Demisto Enterprise.
- Leverage 160+ Demisto product integrations to further enrich Phish.AI results and coordinate response across security functions.
- Run hundreds of commands (including Phish.AI commands) interactively via a ChatOps interface while collaborating with other analysts and Demisto's chatbot.
Fig 1: Demisto's integration with Phish.AI
Automated phishing enrichment and response
There is often a mismatch between the high volume of phishing attacks and the speed at which analysts can respond to them. Identifying, triaging, reputation-checking, and responding to a phishing attack involves switching between multiple screens and performing repetitive tasks, and when response procedures differ from analyst to analyst, response quality varies as well.
Once suspected phishing alerts are ingested into Demisto, pre-set playbooks run a sequence of tasks across security products to automate and standardize the enrichment of and response to these alerts. Users can add tasks in these playbooks that query Phish.AI and automatically get back a verdict on whether a URL is malicious and which brand it impersonates. Because any single verdict source can be wrong, destructive automated actions should be gated on the verdict's confidence or on analyst approval rather than triggered by a single result.
Fig 2: Results displayed after running a Phish.AI query from Demisto
Apart from the Phish.AI query, other tasks users can automate in a phishing enrichment playbook include: extracting indicators and checking their reputation against threat intelligence tools, detonating attachments in a sandbox, gathering DNS information, pushing malicious file hashes to the EDR blocklist, generating tickets based on incident severity, and sending emails to both the affected end user and the accountable security analyst.
Once analysts have reviewed the information at their disposal and decided how to proceed, they can trigger other playbooks that carry out response actions. These can include ticket creation and closure, email escalation to other end users, quarantining of affected endpoints, extraction and deletion of malicious files, and blocklisting or allowlisting of indicators.
Fig 3: A phishing enrichment and response playbook
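The enrichment-and-response flow described above, written out as plain Python so the individual steps (extract indicators, check reputation, score severity, plan actions) are concrete. This is an added example and is not Demisto's playbook format or Phish.AI's API: the URL verdict table and the bad-hash set are constructed in-memory stand-ins for the live Phish.AI and threat-intel lookups, the sample e-mail and attachment are constructed, and the response step returns a task list rather than calling real integrations.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed stand-in for a Phish.AI URL verdict: host -> (verdict, impersonated brand).
FAKE_URL_INTEL: Dict[str, tuple] = {
    "login-paypa1-secure.example": ("malicious", "PayPal"),
    "docs.example.com": ("clean", None),
}
# Constructed stand-in for a threat-intel feed of known-bad file hashes.
FAKE_DROPPER = b"MZ\x90\x00" + b"constructed fake dropper"
FAKE_BAD_HASHES = {hashlib.sha256(FAKE_DROPPER).hexdigest()}

# Matches live and defanged (hxxp, [.]) URLs as they appear in user-reported e-mails.
URL_RE = re.compile(r'(?i)\b(?:hxxps?|https?)://[^\s<>"]+')
CRED_WORDS = ("password", "verify your account", "sign in", "unusual activity")

@dataclass
class Indicator:
    kind: str                      # "url" or "sha256"
    value: str                     # normalised value used for lookups
    verdict: str = "unknown"       # clean / malicious / unknown
    brand: Optional[str] = None    # brand impersonated, when the intel source knows it

@dataclass
class Incident:
    subject: str
    body: str
    attachments: Dict[str, bytes]
    indicators: List[Indicator] = field(default_factory=list)
    severity: str = "low"
    tasks: List[str] = field(default_factory=list)

def refang(url: str) -> str:
    """Undo common defanging so the same URL always normalises to one indicator."""
    url = re.sub(r"(?i)^hxxp", "http", url.rstrip(".,;)"))
    return url.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")

def extract_indicators(inc: Incident) -> None:
    """Task 1: pull URLs (host lower-cased) and attachment SHA-256s, de-duplicated."""
    seen = set()
    for raw in URL_RE.findall(inc.body):
        parts = urlsplit(refang(raw))
        if not parts.hostname:
            continue
        norm = parts._replace(netloc=parts.hostname).geturl()
        if norm not in seen:
            seen.add(norm)
            inc.indicators.append(Indicator("url", norm))
    for data in inc.attachments.values():
        digest = hashlib.sha256(data).hexdigest()
        if digest not in seen:
            seen.add(digest)
            inc.indicators.append(Indicator("sha256", digest))

def enrich(inc: Incident) -> None:
    """Task 2: reputation checks (the Phish.AI query step, here against constructed tables)."""
    for ind in inc.indicators:
        if ind.kind == "url":
            host = urlsplit(ind.value).hostname or ""
            ind.verdict, ind.brand = FAKE_URL_INTEL.get(host, ("unknown", None))
        else:
            ind.verdict = "malicious" if ind.value in FAKE_BAD_HASHES else "unknown"

def score(inc: Incident) -> str:
    """Task 3: one severity rule applied identically to every incident."""
    verdicts = {i.verdict for i in inc.indicators}
    lure = any(w in inc.body.lower() for w in CRED_WORDS)
    if "malicious" in verdicts:
        inc.severity = "high"
    elif "unknown" in verdicts and lure:
        inc.severity = "medium"   # credential lure pointing at an unrated URL: needs a human
    else:
        inc.severity = "low"
    return inc.severity

def plan_response(inc: Incident) -> List[str]:
    """Task 4: actions a playbook would hand to integrations. Destructive actions are
    queued only at high severity; medium severity is held for analyst review."""
    tasks = [f"ticket: open ({inc.severity}) '{inc.subject}'"]
    if inc.severity == "high":
        for ind in inc.indicators:
            if ind.verdict != "malicious":
                continue
            if ind.kind == "url":
                brand = f" (impersonates {ind.brand})" if ind.brand else ""
                tasks.append(f"proxy: block {ind.value}{brand}")
            else:
                tasks.append(f"edr: add {ind.value[:12]}... to blocklist")
        tasks += ["edr: quarantine recipient endpoint",
                  "mail: notify recipient and on-call analyst"]
    elif inc.severity == "medium":
        tasks.append("analyst: review unrated indicators before any blocking")
    else:
        tasks.append("ticket: close as benign")
    inc.tasks = tasks
    return tasks

def run_playbook(inc: Incident) -> Incident:
    extract_indicators(inc)
    enrich(inc)
    score(inc)
    plan_response(inc)
    return inc

def sample_incident() -> Incident:
    """Constructed report: a defanged lookalike login URL, a benign doc link, one attachment."""
    body = ("Unusual activity detected. Verify your account at "
            "hxxps://Login-PayPa1-Secure[.]example/verify?u=1. "
            "Policy: https://Docs.Example.com/guide.")
    return Incident("Action required", body, {"invoice.exe": FAKE_DROPPER})

if __name__ == "__main__":
    inc = run_playbook(sample_incident())
    for ind in inc.indicators:
        print(ind.kind, ind.verdict, ind.value)
    print(inc.severity, *inc.tasks, sep="\n")
```

The normalisation step matters more than it looks: users report URLs defanged and with mixed-case hosts, and without refanging and lower-casing the host the same phishing page would show up as several indicators and miss the reputation table. The severity rule deliberately leaves unrated URLs with a credential lure for a human, which is the gating the text above calls for before any blocking or quarantine.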
Standardized enrichment and response: Playbooks provide standardized response procedures and post-response documentation, helping analysts respond to phishing attacks faster and generate consistent, comprehensive reports from the pool of indicators and investigation actions that are common across incidents.
Improved effectiveness of the security product stack: Because playbooks coordinate automatically across multiple security products, analysts get relevant, timely information from those products with minimal tab and screen switching and less analysis paralysis. Bidirectional integrations ensure that findings are written back to the other products' databases as well.
Faster response at scale: Once playbooks are live, analysts no longer perform the repetitive, menial tasks themselves, so SOCs are better equipped to handle large-scale phishing campaigns, with humans free to focus on judgement and strategy rather than on manual enrichment.
If you’re interested in learning more about Demisto’s integration with Phish.AI (among other products), you can download the Free Community Edition below.