Light Dark
August 24, 2017 By Satyakam Jyotiprakash 3 min read
Intelligence & Analytics
Fraud Protection

Gone are the days of the Nigerian prince promising fortune to unsuspecting email recipients. Attackers have stepped up their phishing game and evolved their tactics to entice employees to click links or open attachments, preying on the opportunity to spread persistent malware or compromise credentials. These threat actors relentlessly target employees — both at work and through personal email — in hopes of breaching corporate networks.

A form of social engineering, phishing has been used to steal sensitive and personal information for years, and security teams stay busy tracking and defending against these threats. Security operations center (SOC) analysts are often inundated with a barrage of incidents and must feverishly work to defend the enterprise as malware slips through defenses.

Organizations and their SOC teams continue to look for an effective solution to detect phishing threats and help speed incident response. While the security information and event management (SIEM) solutions in these SOC environments are expected to pinpoint phishing threats, very few do so effectively.

Register for the webinar series to learn more about optimizing your SOC

The Value of Phishing Intelligence

Phishing is one of the biggest risks organizations face, regardless of size and industry vertical. According to a report by security firm PhishMe, more than 90 percent of breaches begin with a phishing email. Security teams require timely, accurate, consumable and actionable threat intelligence to protect employees and corporate networks from phishing attacks.

To be actionable, phishing data has to be presented in machine-deliverable threat intelligence (MRTI) so security teams can determine which indicators pose the greatest risk based on their impact rating. Furthermore, the indicators must provide contextual details to understand why the exploits represent a risk to the business. Human-readable reports illustrate the details behind the attacker’s phishing emails. This visibility can then be used in companywide phishing simulations to ensure that employees are conditioned to recognize and report cybercriminal tactics.

Integrating Phishing Intelligence With SIEM

IBM Security understands the need for reliable phishing intelligence to combat ransomware attacks as the attackers operate their global criminal infrastructure. To help clients, IBM QRadar SIEM is partnering with PhishMe for the PhishMe Intelligence App, a 100 percent human-verified, machine-readable threat intelligence service.

Fundamentally, IBM QRadar SIEM processes the events from various log sources based on correlation rules to reveal the potential offenses. Correlation rules are developed to consider all possible signs of an advanced persistent threat (APT) and detect phishing attacks.

Related: Optimize Your SOC: Evolve Your Next-Gen SOC with Behavioral Patterns and Threat Intelligence

Now, with the PhishMe Intelligence App, QRadar analysts can leverage phishing intelligence that PhishMe researchers develop by vetting possible global phishing threats. This service dramatically reduces the time that analysts would otherwise spend to determine indicator severity and impact. As a result, SOC teams are able to respond quickly and confidently to disrupt the attackers before they can achieve their mission.

The PhishMe Intelligence App, available in the IBM Security App Exchange, consumes phishing source IPs, URLs, hostnames and malicious files hash values. With the app installed, QRadar ingests a credible source of intelligence, and analysts can take action based on indicator impact ratings. The app clearly outlines impact ratings for analysts, which can give them the insights they need to prioritize tasks in their response plan.

PhishMe correlates the criminal infrastructure attackers are using so that security analysts can visualize the overall hierarchy of malware campaigns. This is much more effective than random indicators that don’t offer analysts the insights they need to take action. Additionally, the PhishMe Intelligence app provides links to human-readable malware reports with executive and technical details about the malware campaign. These contextual reports provide security leaders and analysts with information to make informed decisions and defend the enterprise. Machine- and human-readable reports offer visibility into phishing campaigns that is efficiently consumed by QRadar and easily interpreted.

Spotting Phish in the Deep Blue Sea of Cybercrime

Phishing defense is a never-ending battle of criminal versus recipient, and there is no one-size-fits-all solution to this challenge. However, partnerships such as the one between IBM and PhishMe integrate industry-leading solutions and services to provide organizations with the support they need to protect their business. PhishMe’s human-focused solutions strengthen and complement existing security investments to protect against nefarious criminals.

If you want to better arm your organization to combat phishing, download the app from the IBM Security App Exchange and attend the Sept. 14 webinar to learn how to clearly see the phish through the murkiness of the cybercriminal underground.

View the infographic: Put your SOC in order, in short order

 |  |  |  |  |  |  |  |  |  | 
Satyakam Jyotiprakash
Portfolio Marketing Manager, Security Operations and Response Solutions, IBM Security

More from Intelligence & Analytics
October 30, 2023

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

September 12, 2023

Email campaigns leverage updated DBatLoader to deliver RATs, stealers

11 min read - IBM X-Force has identified new capabilities in DBatLoader malware samples delivered in recent email campaigns, signaling a heightened risk of infection from commodity malware families associated with DBatLoader activity. X-Force has observed nearly two dozen email campaigns since late June leveraging the updated DBatLoader loader to deliver payloads such as Remcos, Warzone, Formbook, and AgentTesla. DBatLoader malware has been used since 2020 by cybercriminals to install commodity malware remote access Trojans (RATs) and infostealers, primarily via malicious spam (malspam). DBatLoader…

September 7, 2023

New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware

8 min read - IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads. Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature