Catching Phish with PhishMe Intelligence and ThreatQ

PhishMe IntelligenceTM Integrates with ThreatQuotient’s ThreatQ Platform

Swimming in a sea of threat intelligence indicators and services, security teams have been working towards effective ways to centralize, de-duplicate, and correlate massive amounts of threat data. The challenge, once this is done, is acting on what matters most. This requires intelligence, not just data.

Human Phishing Defense Tackle Box – PhishMe Intelligence™ and IBM QRadar®

PhishMe® and IBM have teamed up to provide security operations with essentials for their phishing defense program. Security teams don’t want standalone security products; they need holistic security solutions and through partner integrations.

That’s why PhishMe and IBM have partnered to help enterprise businesses defend against credential-stealing, malware, ransomware, and Business Email Compromise (BEC) phishing.

Want to Get In Front of Breaches? Be Like the Marines.

Part 1 in our series on being “Left of Breach” in the Phishing Kill Chain.

Too often in the information/cyber security industry, we focus our efforts on mitigation of breaches after they occur, relying on incident response teams to find the needles in the haystack.

According to “Left of Bang: How the Marine Corps’ Combat Hunter Program Can Save Your Life,” (by Patrick Van Horne and Jason A. Riley; Foreword by Steven Pressfield) The Marine’s Combat Hunter training program works on this premise: by understanding what “normal” looks like, we are much more likely to recognize activities and behaviors that are out of place. That recognition, even if based on “gut feel,” becomes the trigger for acting. This approach relies heavily on front-line human assets, not just automation or artificial intelligence, to detect attacks in progress. Most important, it lets you get in front of breaches before they blow up in your face.

Get “Left of Breach.”

In the Marine’s case, it’s acting to get “Left of Bang,” as in bombs and bullets. In anti-phishing programs, it’s getting Left of Breach—taking proactive steps instead of accepting that hackers and other malicious actors will succeed no matter what. In the figure below, it’s everything left of the bullseye.

With a few modifications, the standard security industry kill chain can resemble the Marine Combat Hunter approach.

As you can see in the Phishing Kill Chain above, we focus on baselining an organization and developing human threat reporters throughout the first four steps. This provides 2 things: a starting point for risk analysis and development of targeted simulations (Enumeration, Design, Delivery); and the development of HUMINT (human intelligence), data collection and reporting of suspicious material to incident response teams.

As your anti-phishing program matures, you’ll combine the data your employees report with human-vetted phishing intelligence feeds in Triage. The net: actionable intelligence enabling you to mitigate threats before they happen.

5 steps to getting there:

  1. Be transparent and educate users on standard phishing clues and the purpose of the program.
    • NOTE: Program transparency is key to your success. It builds enthusiasm for the program and a sense of ownership and positive engagement with the organization’s security process.
  2. Baseline your organization’s technical and business process weaknesses for targeting during initial simulations.
  3. Execute diverse simulations and analyze for risk level (e.g. – high susceptibility to active threats)
  4. Design follow-up simulations based on known deficiencies and analysis of initial results.
  5. Stress the importance of reporting in all simulations and awareness activities.

Taking these simple steps is the quickest, most effective way to protect against phishing. Ready to get Left of Breach? Booyah!

Next: part 2 of our “Left of Breach” series examines the first step in the Phishing Kill Chain, Self-Enumeration.

Stay on top of recent phishing and malware threats and attacks trends, delivered straight to your inbox completely free. Subscribe to PhishMe® Threat Alerts today.

What You Can Do About the WCry (WannaCry) Ransomware

As most of you are aware, a fast moving, self-propagating attack blew across the internet over the weekend, and it’s not over yet. Using an alleged NSA exploit , this malware is able to quickly traverse a network and deliver a ransomware payload affecting hundreds of countries and hundreds of thousands of users.

Does your Incident Response Plan include Phishing?

It’s no secret that 90% of breaches start with a phishing attack. The question is: are you prepared to recognize phishing and respond to it? Many organizations are concerned with how much spam they receive and implement controls specific to spam. But you shouldn’t confuse preventing spam with responding to phishing attacks.

Fortifying Defenses with Human-Verified Phishing Intelligence

Mining Phish in the IOCs

PhishMe® and Palo Alto Networks® are providing security teams with the ability to ingest human-verified phishing intelligence in a standard format that can be automatically enforced as new protections for the Palo Alto Networks Next-Generation Security Platform through the MineMeld application. Through this integration, PhishMe and Palo Alto Networks are providing a powerful approach to identifying and preventing potentially damaging phishing attacks.

The challenge of operationalizing threat intelligence

Ransomware, business email compromise (BEC), malware infections, and credential-based theft all primarily stem from a single vector of compromise – phishing. Operationalizing threat intelligence, especially when it comes to phishing, continues to weigh on the minds of businesses regardless of size. Security teams require the ability to ingest, verify and enforce new protections for potential phishing attacks, all within their existing infrastructure.

Where are the Phish?

PhishMe extends beyond a traditional data feed. Customers receive phishing intelligence. What’s the difference? Intelligence, vs. traditional data.

Information without context is data. Intelligence is information with context, and context is what security teams require in order to have confidence in their decisions.

Intelligence customers receive indicators specific to phishing and their criminal command and control (C2) and botnet infrastructure associated with malware families like Locky, Dyre, and Cerber. This is then backed up by threat intelligence reports with verbose context that provides security teams with insight into attacker TTPs.

PhishMe identifies what is nefarious, but more importantly, why, and what it means.

Integration Tackle Box for PhishMe and Palo Alto Networks

Security teams who wish to easily complement their Palo Alto Networks Next-Generation Security Platform’s security policies with PhishMe Intelligence will need an instance of MineMeld (version 0.9.26 and above) and PhishMe Intelligence API credentials (contact PhishMe for trial access https://phishme.com/product-services/live-demo). MineMeld will ingest intelligence from PhishMe, and can automatically feed new prevention controls to Palo Alto Networks devices, without adding heavy operational burden.

Configuring MineMeld with PhishMe

The following is a step-by-step guide to configure MineMeld in order to ingest PhishMe Intelligence phishing URLs, aggregate them, and construct into an output capable of preventing malicious URLs in security policies within PAN-OS devices. Before we dive into the configuration of MineMeld, it is important to review the three key concepts behind the application:

  • Miners: responsible for retrieving indicators from configured sources of intelligence and data feeds. Miners will bring in new indicators on a configurable, periodic basis, and also age-out any indicators that are no longer needed.
  • Processor: The processor node will aggregate the data obtained by the Miner and conforms the data to IPv4, Ipv6, URLs, or domains. Once aggregated, the data is sent to the output nodes.
  • Output: The output nodes gather data from the processor node and convert the data into a format that is capable of being consumed by PAN-OS (and other non-PAN-OS external services)

PhishMe Intelligence Miner Node

(Image of Miner Node with API credential example and phishme.intelligence prototype)

Processor Node

(Image of Processor Node using the stdlib.aggregatorURL prototype and the PM_Intel input from the configured Miner)

Output Node

(Image of Output Node using the stdlib.feedHCRedWithValue prototype and the agg_URL_all input from the configured Processor)

Configuration Graph Summary

The configuration graph is a summary exhibiting the flow of PhishMe Intelligence. The miner collects intelligence, aggregates, and the output node structures the data to be usefully applied to prevent phishing.

(Example of PhishMe Intelligence aggregated and with output URL data for PAN-OS)

Log Detail with URL Indicator and High Confidence rating of 100

The image below represents an example of URL intelligence received in the MineMeld log. This snippet specifies a malware payload from an OfficeMacro and TrickBot (similar to Dyre) family. If they choose to, analysts can then use the URL to the Threat Report with executive and technical details that explain more about the malware.

The above summarization of the MineMeld setup portrays how easy it is to take very relevant and useful information and structure it so that it can be operationalized with other security investments. Far too often teams have underutilized technical resources or processes that place a strain on the workforce. MineMeld reduces the human burden and provides security teams with the ability to create actionable prevention-based controls.

Phishing Intelligence Operationalized = PhishOps!

Let’s review an example of how to operationalize these indicators of phishing (IoPs) and apply them to a Palo Alto Networks security policy to deny egress traffic to these phishing URLs.

Create New Object in PAN-OS

From the Objects tab, select External Dynamic Lists from the navigational pane. Analysts just need to provide the relevant information to pull in the list of URLs from MineMeld.

(Example of External Dynamic List linking to URL list from MineMeld)

Apply to PAN-OS Security Policy

With the External Dynamic List defined, security policies can now be created based on acceptable criteria. In the case below, inside sources browsing externally and matching the PhishMe Intelligence URLs will be denied.

(Example policy to deny inside to outside web-browsing against PhishMe Intelligence URLs)

FINito! Wrapping up

A similar process can be repeated like the above, with IP lists and domains, and applied according to phishing threats facing the business. The way MineMeld handles the data received makes applying it to Palo Alto Networks Next-Generation Security Platform very effective. Security teams will need to determine where they want to apply the policies once MineMeld has compiled the data.

The phishing threat is alive and very well and the ability for security teams to maximize their investments and operationalize with low administrative overhead should be enticing to tackle the threat.

 

More about MineMeld:

MineMeld, by Palo Alto Networks, is an extensible threat intelligence processing framework and the ‘multi-tool’ of threat indicator feeds. Based on an extremely flexible engine, MineMeld can be used to collect, aggregate and filter indicators from a variety of sources and make them available for consumption to peers or to the Palo Alto Networks Next-Generation Security Platforms.

To learn more about the Palo Alto Networks Next-Generation Security Platform, visit: https://www.paloaltonetworks.com/products/designing-for-prevention/security-platform

To learn more about the PhishMe Intelligence, visit:  https://phishme.com/product-services/phishing-intelligence/.  

 

Three Ways Reporter Can Enhance Your Incident Response Process

Most of us have been in an airport and heard the announcement over the loud speaker; “If you see something, say something.”  The airport has security personnel; however, their agents cannot be everywhere at once.  They collectively rely on travelers passing through the airport to be their eyes and ears in places agents cannot be.  In this way, as an airport traveler, you are a “sensor” watching for, detecting, and alerting on suspicious behavior such as unoccupied luggage.

What does this have to do with information security? Just as passengers can help prevent an incident in the airport by reporting suspicious activity, employees can help prevent a data breach by reporting suspicious email. The key to unlocking this valuable source of threat intelligence is to simplify the reporting process for employees, and to measure the results of your program to prioritize reports from savvy users.