Corelight Recognized as a Leader in the 2025 Gartner® Magic Quadrant™ for Network Detection and Response


What is phishing mitigation?


Phishing mitigation is a broad term for the strategies, tools, and methods used to detect, prevent, and respond to malicious attempts, often delivered as email or SMS messages, to capture sensitive personal or financial information, to persuade the recipient to click a link that sends them to a malicious IP address, or to get them to download malware-laden files.


What are phishing attacks?

Phishing is a cyber attack technique in which malicious actors use a combination of deceptive social engineering and digital skills to trick targeted individuals or organizations into providing login credentials or sensitive information, or downloading malicious software. In the strictest sense, phishing attempts take the form of emails, although attackers also use voice (“vishing”) and text messaging (“smishing”) campaigns.

A threat to business since the 1990s, phishing methods and objectives have evolved as organizations have implemented new security measures and worked to raise awareness among their employees. Bad actors in turn have developed more sophisticated methods that make fraudulent messages look legitimate, but they also count on human error and oversight continuing to be a factor in their success.

The data shows why we can expect phishing to persist. It remains the second most common initial infection technique (17%) after exploits (38%), according to Mandiant’s M-Trends 2025 Report. The increasing availability of generative AI tools, large language models (LLMs), and attack tool kits have made it much easier for even unsophisticated attackers to craft and send convincing phishing communications that can fool even seasoned professionals.

These initial intrusions are often the first step in data breaches and exfiltration, ransomware, DDoS attacks and system shutdowns, and other threats with the potential to cripple many organizations. After the initial breach, attackers can pursue a broad range of objectives, using “living off the land” techniques and lateral movement, often through legitimate tools and systems (e.g., PowerShell, PsExec), and can remain undetected for long periods of time.

In response, security teams need to regularly monitor their networks with a zero trust mindset, assuming that a successful phishing attempt can occur at any time, or has already occurred. For the Security Operations Center (SOC), phishing mitigation extends beyond prevention and includes the active search for evidence of phishing attempts and related malicious activities.

Network monitoring can help create a critical layer of defense that can detect phishing attempts, as well as subsequent adversarial activity. Advanced tools such as network detection and response (NDR) can also help SOCs investigate suspicious emails and potential phishing campaigns by providing enriched, contextual metadata.

Additionally, network monitoring can help SOCs dig into unusual communications traffic that ultimately proves to be harmless, and thereby quickly resolve non-incidents and refine their baseline of what normal network activity looks like for the organization.


Phishing as initial access

Phishing is often a technique in service of a broader strategy. Malicious actors will send messages to individuals or organizations with the hope that recipients will determine the sender is legitimate or a known party and follow instructions that initiate a malicious download, send the recipient to an infected website or convince them to share credentials needed to gain system access.

Bulk phishing, in which a malicious message is sent simultaneously to many users, is a method for attackers who hope to increase their success through sheer attack volume. However, criminals often target specific individuals in so-called spear phishing or ‘whaling’ campaigns that single out company leaders with extensive access privileges, employees with access to critical data such as financial information or customers’ personally identifiable information (PII), or employees most likely to give up credentials.

If the phishing message succeeds in convincing the recipient that it is legitimate, initial access typically follows along one of these attack paths:

  • Attachments. The message includes a downloadable attachment, such as a Word file or PDF, that infects the recipient’s system once opened.
  • Links. Hyperlinks that either deliver a malicious payload directly, or send the recipient to a host controlled by the criminal that includes malware or to forms or other ways to harvest credentials.
  • Requests for credentials. Malicious communications that appear to come from legitimate parties, such as systems administrators or finance officers, can trick recipients into providing their credentials willingly or allowing remote access to their computers.
  • Requests for action. The attacker may try to convince the recipient to take actions as part of a social engineering scam, e.g., sending gift cards or payments to a location or account of the attacker’s choosing.

Front-line phishing mitigation methods

Phishing mitigation includes training and regular updates that keep the organization informed about ongoing and evolving cyber risk. It also includes investment in cost-effective preventative solutions that can automatically detect and neutralize bulk phishing and less sophisticated initial access attempts. Email security solutions (e.g., Google and Proofpoint), email authentication standards (DMARC, DKIM, and Sender Policy Framework, or SPF) and web filters can provide an effective first layer of defense. Verification tools such as multifactor authentication (MFA) provide additional layers of defense that can keep malicious actors, even those who have obtained employee credentials, from accessing the system.

However, none of these methods is foolproof. For instance, attackers can convince victims to relay MFA codes to them, essentially rendering the additional factor useless. This can be a first step in account takeover and the generation of new phishing messages that originate from a legitimate user in the organization. The combination of attacker evolution and humans’ ongoing susceptibility requires that security teams take phishing mitigation to the next level by honing strategies that can detect attempts and initial access before attackers fulfill their ultimate objectives.


How SOCs can detect and mitigate phishing attacks

When email security tools fail to detect phishing, security teams become the next line of defense. Their work may begin with inspection of suspicious emails forwarded by alert employees. By reviewing the text of the message for evidence of typical social engineering tactics, such as demands for immediate response or payment, claims that action is time sensitive, or phrasing that is atypical of the organization or its partners, they can pick up common phishing indicators. (Note: large language models and generative AI tools have enabled criminals to improve the syntax and grammar of phishing messages). Analysis may include:

  • Checking authentication records (DMARC, DKIM, SPF).
  • Reviewing email headers for anomalies in IP origin, addresses, or domain.
  • Inspecting URLs for evidence of typosquatting, homoglyphs, or domain variations.
  • Scanning attachments in sandboxes or antivirus tools.
  • Checking whether links point to known phishing sites.
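As an added example (not code from Corelight or from this page), the following Python script performs the first three checks above on a constructed message: it reads the SPF, DKIM and DMARC verdicts from the Authentication-Results header, compares the From domain with the Return-Path domain, and flags URLs whose hosts are punycode (IDN homoglyph candidates), one-character variants of a trusted domain, or a trusted name embedded as a subdomain of an unrelated domain. The sample message, its domains and the trusted-domain set are all assumptions.

```python
import email
import re
from email import policy
from urllib.parse import urlparse
# Constructed sample (not a real capture); Authentication-Results is what the
# receiving mail server wrote after checking SPF, DKIM and DMARC.
RAW_EMAIL = b"""\
Return-Path: <billing@examp1e-corp.com>
Authentication-Results: mx.example-corp.com; spf=softfail smtp.mailfrom=examp1e-corp.com; dkim=none; dmarc=fail header.from=example-corp.com
From: "Finance" <cfo@example-corp.com>
Content-Type: text/plain

Please review the invoice at https://xn--exmple-corp-8bb.com/login
and confirm via http://example-corp.com.billing-portal.net/verify
"""
TRUSTED_DOMAINS = {"example-corp.com"}  # assumption: the organization's own domain

def auth_results(msg):
    # Map mechanism -> result, e.g. {"spf": "softfail", "dkim": "none", "dmarc": "fail"}
    hdr = str(msg.get("Authentication-Results", ""))
    return {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I)}

def addr_domain(value):
    m = re.search(r"@([\w.-]+)", str(value or ""))
    return m.group(1).lower() if m else ""

def lookalike(host, trusted):
    # Return a reason if `host` (lowercase) merely resembles a trusted domain, else None.
    if host.startswith("xn--") or ".xn--" in host:  # IDN label: homoglyph candidate
        return "idn/punycode"
    for t in trusted:
        if host == t:
            return None
        if host.startswith(t + ".") or "." + t + "." in host:  # trusted name as a subdomain
            return "trusted name embedded in other domain"
        if len(host) == len(t) and sum(a != b for a, b in zip(host, t)) == 1:
            return "one-character substitution"
    return None

def analyze(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    auth = auth_results(msg)  # anything other than "pass" deserves a second look
    findings = [f"{m}={auth.get(m, 'missing')}" for m in ("spf", "dkim", "dmarc") if auth.get(m) != "pass"]
    from_dom, rp_dom = addr_domain(msg["From"]), addr_domain(msg["Return-Path"])
    if from_dom != rp_dom:  # display sender vs envelope sender mismatch
        findings.append(f"From domain {from_dom} != Return-Path domain {rp_dom}")
    for url in re.findall(r"https?://[^\s<>\"']+", msg.get_body(preferencelist=("plain",)).get_content()):
        reason = lookalike(urlparse(url).hostname or "", TRUSTED_DOMAINS)
        if reason:
            findings.append(f"{url}: {reason}")
    return findings
```

Legitimate subdomains of the trusted domain (e.g. login.example-corp.com) are not flagged; only hosts that merely resemble it are.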

Proactive security teams also monitor their networks for evidence of malicious actors who have achieved initial access via phishing and are attempting to escalate an attack. These SOCs are aware that novel phishing techniques can evade email filters and other security controls and deceive even the most alert and cyber-aware employees.

Investigative tactics can include:

  • Behavioral analysis. SOCs can review links and attachments in received messages for evidence that ties a message or a specific user to unusual activity or uncharacteristic behavior, such as requests for privileges not associated with that identity, which may indicate a compromised account.
  • Monitoring network traffic. Inspecting DNS traffic, as well as traffic to/from proxy servers and other network assets can provide security teams with real-time network insights and the ability to detect command and control (C2) communications over HTTP, DNS and ICMP tunneling, as well as malware that uses domain generation algorithms.
  • Automation. SOCs in many organizations can easily become bogged down investigating potential phishing messages. This routine but necessary task can benefit from security tools that automate workflows and link intelligence feeds to accelerate investigations and more quickly resolve many phishing threats. Automation can also free up analysts to undertake hunts for evidence of novel, sophisticated phishing attacks that manage to evade signature-based detections, filters, and other security controls.
  • Threat intelligence. Access to security databases and intelligence feeds can keep security teams alert to emerging threats, phishing mitigation techniques, and detections associated with successful phishing campaigns and phishing kits. Threat intelligence can also provide SOCs with means to expand and automate malware signature detections, which allows analysts to spend more time on more complex threat hunting.

How Corelight’s Open NDR Platform supports phishing mitigation

Corelight’s Open NDR Platform provides in-depth visibility across on-premises and cloud environments, delivering contextualized evidence that helps security teams rapidly identify potential threats and expedite remediation. NDR can provide the foundation for a critical security layer on which SOCs can detect stealthy and novel phishing attacks earlier in the attack kill chain and swiftly manage and contain the intrusion’s spread.

The platform contributes to phishing mitigation in a number of ways, including:

  • Analysis of email attachments and links. Corelight streamlines and enriches analysis of Simple Mail Transfer Protocol (SMTP) traffic. This can help SOCs quickly identify bursts of messages that may indicate phishing directed at the organization, and provide insight into messages that may have evaded spam filters. SOCs can also determine whether suspect messages included attached files, and review file logs with detailed information, including filename, hashes, the source, and possibly malicious links. Corelight’s platform also incorporates YARA static file analysis to expedite the identification of malicious files at scale. By leveraging YARA rules, SOCs can more effectively classify and identify malware, matching patterns and characteristics that traditional security tools might miss.
  • Analysis of network traffic logs. Corelight helps analysts quickly review network logs for unusual HTTPS traffic patterns, long or multiple sessions, and communications with uncommon, potentially malicious external domains. Our entity collection identifies dozens of applications (e.g., Gmail traffic), which can help security teams monitor their systems for evidence of intrusions related to phishing attacks. Log analysis can deliver essential information, such as whether and when users clicked links or followed directions to malicious websites.
  • Rapid inspection of hosts and IOCs. Analysts detecting an internal host generating an unusual volume of traffic can inspect it for signs of compromise, including malware or unexpected configurations. The platform’s enriched network telemetry can also help SOCs detect indicators of compromise that may reveal later stages of a successful phishing attack, such as multiple or abnormal login attempts, unusual system behavior, and large data transfers.
  • Accelerated triage. Corelight’s Guided Triage leverages AI, enriched evidence and intuitive visuals that help security teams streamline and automate alert triage workflows, which can help them quickly dispatch routine investigations of suspicious emails and more rapidly identify threats associated with phishing attacks. Guided Triage also helps reduce ingest volume to a SIEM or other data management solutions.
  • Increased operational safety. When SOCs have more effective tools to detect and mitigate common threats, their organizations can realize benefits to their business operations. Improved detections can lead to fewer and less severe disruptions to operations, and reduced risk of cyber incidents that have financial or reputational consequences.
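As an added example, not Corelight's own code, here is how the burst-of-messages check and the file-log join described in the first bullet above can be expressed over constructed log records in a Zeek-style JSON layout (the smtp.log/files.log field names and the hash values are assumptions; the page does not describe the platform's actual schema). A sliding window counts distinct recipients per (sender, subject) pair, and the matching SMTP sessions are joined to file records by file id so the analyst gets filenames and hashes for triage.

```python
import json
from collections import defaultdict
# Constructed Zeek-style smtp.log and files.log records (JSON lines). The field
# names are an assumption: the page does not spell out Corelight's log schema.
SMTP_LOG = """\
{"ts":1700000000.0,"uid":"C1","mailfrom":"hr@examp1e-corp.com","rcptto":["a@example-corp.com"],"subject":"Payroll update","fuids":["F1"]}
{"ts":1700000004.0,"uid":"C2","mailfrom":"hr@examp1e-corp.com","rcptto":["b@example-corp.com"],"subject":"Payroll update","fuids":["F2"]}
{"ts":1700000009.0,"uid":"C3","mailfrom":"hr@examp1e-corp.com","rcptto":["c@example-corp.com","d@example-corp.com"],"subject":"Payroll update","fuids":[]}
{"ts":1700000015.0,"uid":"C4","mailfrom":"hr@examp1e-corp.com","rcptto":["e@example-corp.com"],"subject":"Payroll update","fuids":["F3"]}
{"ts":1700000020.0,"uid":"C5","mailfrom":"alice@partner.example","rcptto":["f@example-corp.com"],"subject":"Lunch?","fuids":[]}
{"ts":1700000400.0,"uid":"C6","mailfrom":"hr@examp1e-corp.com","rcptto":["g@example-corp.com"],"subject":"Payroll update","fuids":[]}
"""
FILES_LOG = """\
{"fuid":"F1","filename":"Payroll_Update.pdf","mime_type":"application/pdf","sha256":"PLACEHOLDER_HASH_1"}
{"fuid":"F2","filename":"Payroll_Update.pdf","mime_type":"application/pdf","sha256":"PLACEHOLDER_HASH_1"}
{"fuid":"F3","filename":"Payroll_Update.docm","mime_type":"application/vnd.ms-word.document.macroEnabled.12","sha256":"PLACEHOLDER_HASH_2"}
"""

def parse_jsonl(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_bursts(smtp_records, window=60.0, min_recipients=4):
    # One finding per (sender, subject) that reached >= min_recipients distinct mailboxes
    # inside some sliding window of `window` seconds: a lone message never trips this.
    by_key = defaultdict(list)
    for r in sorted(smtp_records, key=lambda rec: rec["ts"]):
        for rcpt in r["rcptto"]:
            by_key[(r["mailfrom"], r["subject"])].append((r["ts"], rcpt, r["uid"]))
    findings = []
    for (sender, subject), events in by_key.items():
        best, start = None, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward past stale events
            span = events[start:end + 1]
            rcpts = {e[1] for e in span}
            if len(rcpts) >= min_recipients and (best is None or len(rcpts) > best["recipients"]):
                best = {"mailfrom": sender, "subject": subject, "recipients": len(rcpts),
                        "uids": sorted({e[2] for e in span})}
        if best:
            findings.append(best)
    return findings

def attachments_for(uids, smtp_records, files_records):
    # Join the burst's SMTP sessions to files.log via fuid: filename + hash for triage.
    files = {f["fuid"]: f for f in files_records}
    fuids = [fu for r in smtp_records if r["uid"] in uids for fu in r["fuids"]]
    return [(files[fu]["filename"], files[fu]["sha256"]) for fu in fuids if fu in files]
```

In the constructed data the lookalike sender hits five mailboxes in fifteen seconds, and the join shows two identical PDFs plus a macro-enabled document worth sending to static file analysis; the single partner message is not reported.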

Corelight’s Open NDR Platform provides a necessary layer of security and analysis that augments email filtering technologies and can help detect phishing attempts in progress as well as the activity that follows successful compromise of an account, endpoint, or employee credentials.

Static file analysis

Corelight Open NDR integrates file analysis powered by YARA to provide pattern-based detection and rapidly analyze large volumes of files, facilitating the identification of malware.
