Today TruSTAR has launched Phishing Triage, a new suite of features designed to automatically ingest, extract, normalize, prioritize, and take action on observables from user-reported suspicious emails, available in the TruSTAR Foundation or Enterprise products.
Phishing Triage is released at a time when phishing is at an all-time high. According to numbers from Google, the past few weeks witnessed a threefold increase in the number of targeted emails and web-phishing domains taking advantage of the current situation by using emails as a vector to spread malware, ransomware, or perform some other form of compromise.
This uptick in attacks impacts the resiliency posture of security teams that substantially rely on humans to review and triage their emails. Our hope is that this feature will help you accelerate your ability to automate some of these processes and reduce your risk exposures.
Phishing Triage - The Old Way
One of the most pervasive issues we see reported by users is the pain associated with triaging a user-reported suspicious email when it has somehow made it past your email gateway.
This workflow is a persistent, manual thorn in the side of security operations.
No matter where we go or what size organization we talk to, phishing triage is somehow the clunkiest and least automated workflow inside security organizations today.
The worst part is that this data wrangling often gets pushed onto the shoulders of the highly-trained security analyst.
Without a doubt, the most precious asset in any security org is the PEOPLE, and if we're asking analysts to spend precious time copying and pasting Indicators out of an email and into a SIEM look-up table, we're going to lose.
Phishing Triage - The New Way
So how does TruSTAR combat this issue? The first thing we did is to allow users to auto-forward emails, along with their attachments, into the TruSTAR platform via our Phishing Inbox feature.
User-reported suspicious emails are automatically parsed, and observables are extracted and normalized on TruSTAR’s platform. We then take those observables and correlate them against your existing Premium Intel subscriptions on the platform, such as Digital Shadows, VirusTotal, IBM X-Force, CrowdStrike, Recorded Future, or subscriptions to your ISAC/ISAOs.
These intelligence sources are used to enrich the data sent into the platform and a Priority Event Score is assigned to the email itself on a scale of High, Medium, Low, or Benign. Any indicators contained in the emails that are not benign are then automatically published to a Phishing Indicators Enclave. This Phishing Indicators Enclave helps you tee up confirmed-malicious indicators for automated workflows with SIEM, Case Management, and Orchestration tools.
How Our New Scoring Methodology Plays Into this New Feature
To help simplify and automate an analyst’s Phishing Triage workflow, TruSTAR has developed new scoring algorithms that are now live on the platform.
TruSTAR thinks about scoring on the Indicator and Event level, and we process this data in two different ways:
- Normalize - TruSTAR takes Original Indicator Scores from premium intelligence sources, and then converts them to a Normalized Score scale of High, Medium, Low, or Benign, which can be used for automation and orchestration playbooks.
- Prioritize - The Priority Score is used for TruSTAR’s triage use case on the event level. A Priority Score is the aggregation of all Normalized Indicator Scores in an Event.
- More about our Scoring Methodology here.
By leveraging our new scoring systems, analysts can sort and filter user-reported suspicious emails according to a Priority Score of High, Medium, or Low, helping analysts surface the most relevant emails and reduce email response fatigue.
You can also leverage this new scoring system to simplify Orchestration and automation among tools. For example, you can orchestrate TruSTAR to automatically send non-benign indicators and events into your SIEM and streamline detection workflows.
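The two-stage scoring flow described above (normalize each source's original indicator score to High/Medium/Low/Benign, then aggregate the normalized scores of an event's indicators into a Priority Score, and hand only non-benign indicators to downstream tools) can be sketched in a few dozen lines. The following is an added illustration written for this post, not TruSTAR's code: the source scales (`ratio_source`, `risk_source`), the thresholds, the regexes, the "highest verdict wins" rule for both indicator and event aggregation, and the sample email and enrichment data are all constructed assumptions.

```python
"""Toy phishing-triage scoring pipeline (added illustration, not TruSTAR code).

Stage 1 (Normalize): map each source's original score to a common scale.
Stage 2 (Prioritize): aggregate the normalized scores of every indicator in
an event into an event-level Priority Score, then select the non-benign
indicators that would be published for SIEM/orchestration workflows.
Source scales, thresholds and the max() aggregation rule are assumptions.
"""
import re
from dataclasses import dataclass
from enum import IntEnum


class Score(IntEnum):
    """Normalized scale; integer order lets max() pick the most severe verdict."""
    BENIGN = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Hypothetical source scales (constructed for this example; real vendors use
# their own scales and these thresholds are not theirs).
def normalize_ratio(detections: int, engines: int) -> Score:
    """A 'detections out of N engines' style score."""
    if engines == 0:
        return Score.BENIGN          # no verdict available: do not fabricate severity
    ratio = detections / engines
    if ratio >= 0.5:
        return Score.HIGH
    if ratio >= 0.2:
        return Score.MEDIUM
    if ratio > 0:
        return Score.LOW
    return Score.BENIGN


def normalize_risk_0_100(risk: int) -> Score:
    """A 0-100 'risk score' style scale."""
    if risk >= 75:
        return Score.HIGH
    if risk >= 40:
        return Score.MEDIUM
    if risk > 0:
        return Score.LOW
    return Score.BENIGN


@dataclass
class Observable:
    value: str
    kind: str                         # "url" or "sha256" in this toy
    normalized: Score = Score.BENIGN


URL_RE = re.compile(r"https?://[^\s<>\"']+")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def extract_observables(body: str) -> list[Observable]:
    """Pull URLs and SHA-256 hashes out of a reported email body."""
    found = [Observable(m, "url") for m in URL_RE.findall(body)]
    found += [Observable(m.lower(), "sha256") for m in SHA256_RE.findall(body)]
    return found


def score_observable(obs: Observable, enrichment: dict) -> Score:
    """Normalize every source's original score for this observable and keep
    the highest (assumption: the most severe source verdict wins)."""
    best = Score.BENIGN
    for source, raw in enrichment.get(obs.value, {}).items():
        if source == "ratio_source":
            s = normalize_ratio(*raw)
        elif source == "risk_source":
            s = normalize_risk_0_100(raw)
        else:
            continue                  # unknown source: ignore rather than guess
        best = max(best, s)
    obs.normalized = best
    return best


def priority_score(observables: list[Observable]) -> Score:
    """Event-level Priority Score (assumption: maximum of the normalized
    indicator scores, so a single High indicator makes the email High)."""
    return max((o.normalized for o in observables), default=Score.BENIGN)


def non_benign(observables: list[Observable]) -> list[Observable]:
    """Indicators that would be published onward; Benign ones are dropped."""
    return [o for o in observables if o.normalized > Score.BENIGN]


def triage(body: str, enrichment: dict) -> tuple[Score, list[Observable]]:
    """Full pipeline for one reported email: extract, normalize, prioritize."""
    obs = extract_observables(body)
    for o in obs:
        score_observable(o, enrichment)
    return priority_score(obs), non_benign(obs)


# Constructed sample: a reported email plus pretend enrichment lookups.
SAMPLE_EMAIL = """From: payroll@example.com
Subject: Updated payslip

Please review at http://invoice-update.example.net/login
Attachment sha256: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""
SAMPLE_ENRICHMENT = {
    "http://invoice-update.example.net/login": {"ratio_source": (3, 60), "risk_source": 82},
    "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef": {"ratio_source": (0, 60)},
}

if __name__ == "__main__":
    prio, publish = triage(SAMPLE_EMAIL, SAMPLE_ENRICHMENT)
    print("Priority Score:", prio.name)
    for o in publish:
        print(f"  publish {o.kind}={o.value} ({o.normalized.name})")
```

Two design points worth noting: an indicator with no enrichment at all is scored Benign rather than silently elevated, so the filter only forwards indicators some source actually flagged; and because the URL here is Low on one scale and High on another, the "highest verdict wins" rule is what drives the whole email to High, which is the behavior an analyst sorting by Priority Score would expect.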
Phishing Triage is the first of many new capabilities TruSTAR will be launching to help security teams excel at Intelligence Management and take advantage of more automation between tools.