Battling Phishing?

It’s Easy As Shooting Fish In A Barrel


The Challenge

Organizations are dealing with increasingly creative and damaging phishing campaigns. Handling the stream of suspicious emails has become a challenge for security operators, who are already inundated with email and ticketing alerts.

Reviewing individual phishing emails is time-consuming and inefficient. Today's anti-phishing tools help analysts block and tackle individual messages, but they do not help us understand the bigger picture of what the attacker is trying to do. If an unsuspecting employee clicks a phishing email, the security operator's job becomes more complicated still: assessing the impact and dealing with the consequences.


TruSTAR’s Solution

TruSTAR helps security teams automate cumbersome processes to speed up investigations. Suspicious emails discovered by end-users are automatically forwarded into a Private Enclave, which scores them to help analysts prioritize cases and correlates the email data with existing security investigations, phishing incidents, and any available internal or external data source, such as OSINT and ISAC feeds. Analysts can then use TruSTAR’s graph visualization tool to quickly triage and determine next steps.


How It Works

[Figure: phishing email ingestion workflow]

  1. An end-user sends their suspicious email to an internal email alias (e.g. security@acme.com) or to an existing phishing management tool (e.g. PhishMe) through existing in-app functions.
  2. The email is automatically forwarded to a custom TruSTAR email address (e.g. acme_phishing@trustar.co), from which the email data is automatically ingested into a Private Enclave.
  3. All potential IOCs are automatically extracted from the forwarded email and normalized within the report on TruSTAR.
  4. The email IOCs are correlated against the available data sources, including OSINT, closed-source feeds, historical events and other phishing emails within the Private Enclave. Correlations are instantly laid out on TruSTAR’s graph visualization for easy investigation and triage.
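Steps 3 and 4 above, as an added Python example (not TruSTAR's code): IOCs are pulled from the headers and body of a forwarded email, refanged and normalized, then correlated against a feed, with subdomains also checked against their parent domains. The sample email, the hostnames, the hash and the feed entries are all constructed for this illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample of a user-forwarded suspicious email (not from the page).
SAMPLE_EML = """\
From: IT Helpdesk <helpdesk@acme-it-support[.]com>
To: security@acme.com

Your password expires today. Reset it at hxxp://login.Acme-IT-Support[.]com/reset
Attachment sha256: 3F786850E387550FDAB836ED7E6DC881DE23001B2BB59CD1D4E1D5C0D4B8BA7A
Questions? Visit 198.51.100.23.
"""
# Constructed stand-in for enclave history and OSINT feed data (hypothetical values).
SAMPLE_FEED = {
    "acme-it-support.com": "enclave: domain seen in an earlier phishing report",
    "198.51.100.23": "osint: credential-harvesting host",
}
IOC_PATTERNS = {
    "url": re.compile(r'\bhttps?://[^\s<>"]+', re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.I),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
}

def refang(text: str) -> str:
    """Undo common defanging (hxxp, [.]) so the patterns see the real indicators."""
    return re.sub(r"hxxp", "http", text.replace("[.]", "."), flags=re.I)

def extract_iocs(raw_eml: str) -> dict:
    """Extract and normalize IOCs from the headers and body of a forwarded email."""
    text = refang(raw_eml)
    iocs = {kind: set() for kind in IOC_PATTERNS}
    for kind, pat in IOC_PATTERNS.items():
        for m in pat.findall(text):
            m = m.rstrip(".,;)")  # strip sentence punctuation glued to the indicator
            iocs[kind].add(m if kind == "url" else m.lower())
    for url in iocs["url"]:  # a URL's host is a domain indicator in its own right
        if host := urlparse(url).hostname:
            iocs["domain"].add(host)
    return iocs

def correlate(iocs: dict, feed: dict) -> list:
    """Match each IOC against the feed; a domain also tries its parent domains."""
    hits = []
    for kind, values in iocs.items():
        for value in sorted(values):
            candidates = [value.split(".", i)[-1] for i in range(value.count("."))] if kind == "domain" else [value]
            for cand in candidates:
                if cand in feed:
                    hits.append((kind, value, cand, feed[cand]))
                    break
    return hits
```

Running `correlate(extract_iocs(SAMPLE_EML), SAMPLE_FEED)` surfaces the sender domain, the link host (via its parent domain) and the IP, while the attachment hash yields no hit and is left for sandbox follow-up.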

What happens next?

  1. Analysts triage the email by reviewing its content and context, using any correlations exposed by the extracted IOCs to quickly determine whether further investigation is required.
  2. If needed, analysts can obtain additional context on the email and its attachment(s) via additional tools such as a sandbox. Alternatively, the process can be modified to run a sandbox or similar tool in line, prior to ingestion of the email into your Private Enclave, so that all results are available up front.
  3. The results of the triage or investigation can then be disseminated back to your team, your phishing tool, or any other relevant person or system to close out the event.


The Outcome

TruSTAR’s phishing workflow significantly cuts down on the time needed to triage suspicious emails. By visualizing correlations with other emails, alerts and events within your Private Enclave, analysts can easily identify patterns and common phishing attack vectors.

Correlating phishing IOCs against all relevant and trusted internal and external data sources gives analysts the confidence they are making decisions with the most relevant data available.
