In an age when attackers create over a million phishing sites each month, and phishing serves as a beachhead for 95 percent of all attacks against enterprise networks, how can businesses respond?
Part of the answer lies in educating users to recognize and report phishing, of course. But user education only goes so far – particularly because the same statistics cited above show that, on average, only 3 percent of users will report phishing emails. Strong anti-phishing education may increase that number, but you’re still fighting an uphill battle if you rely on your users as your primary means of defense against phishing.
Instead, teams should lean as much as possible on automated anti-phishing techniques. By using automation to detect and respond to phishing attempts, businesses can stop the majority of phishing messages before they ever reach end-users.
Keep reading for an overview of five practical strategies for automatically detecting and managing phishing attacks.
Filter Messages Based on Multiple Attributes
Most security and IT teams know that they should automatically filter incoming email for signs of malicious content.
However, the mistake that many teams (and security tools) make in this regard is focusing just on one attribute of messages – typically, the content of the message itself – when performing scans.
Although scanning for signs of phishing like misspelled words or suspicious domain names is one way to detect phishing messages, it’s hardly the only one. A better approach is to evaluate each message based on multiple attributes – its content, the domain from which it originated, whether or not it contains an attachment, which kind of attachment, and so on – to build a more informed assessment of whether it may be phishing.
This multifaceted analysis is especially important for automatically catching phishing attempts, given that attackers have gotten much better at crafting good phishing content. The days are long gone when simply scanning email for strings like “Nigerian prince” guaranteed that you’d catch the phishers.
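As an added illustration of the multi-attribute assessment described above (not code from the original article or from any product), the following Python example scores a message on its wording, its From and Reply-To domains, its authentication results, and the presence and type of attachments. The weights, lure phrases, extension list, threshold and sample message are assumptions constructed for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed weights, phrases, extensions and threshold; tune to your own mail flow.
RISKY_EXT = (".exe", ".js", ".vbs", ".scr", ".iso", ".lnk", ".docm", ".xlsm")
LURE = re.compile(r"verify your account|password (will )?expire|urgent", re.I)
THRESHOLD = 5  # quarantine at or above this score

def domain(addr):
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def score_message(raw):
    """Return (score, reasons) built from several independent attributes."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = f"{msg['Subject'] or ''}\n{body.get_content() if body else ''}"
    auth = (msg["Authentication-Results"] or "").lower()  # trust only if your gateway set it
    sender, reply_to = domain(msg["From"]), domain(msg["Reply-To"])
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    checks = [  # (points, reason, fired)
        (2, "lure wording in subject or body", bool(LURE.search(text))),
        (2, "Reply-To domain differs from From", bool(reply_to) and reply_to != sender),
        (3, "SPF or DKIM failed", "spf=fail" in auth or "dkim=fail" in auth),
        (1, "has attachment", bool(names)),
        (3, "risky attachment type", any(n.endswith(RISKY_EXT) for n in names)),
    ]
    return sum(p for p, _, f in checks if f), [w for _, w, f in checks if f]

# Constructed sample message, not real mail.
SAMPLE = """\
From: IT Support <support@example.com>
Reply-To: helpdesk@example.net
Subject: Urgent: password will expire
Authentication-Results: mx.example.org; spf=fail
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Verify your account today.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.docm"

--b1--
"""

if __name__ == "__main__":
    print(score_message(SAMPLE))
```

A message that trips only the wording check scores 2 and stays below the threshold; it takes agreement across several attributes to quarantine.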
Detonate Attachments in Sandboxes
If your security tools detect possible malicious content but you need an extra level of confirmation, you can take the automated response a step further by “detonating” attachments — or downloading and opening any links that the phishing content included — inside a sandboxed environment.
By opening the suspect content in a safe, isolated location and evaluating what happens, you can detect anomalies or attack signatures that will confirm that the content is indeed malicious.
Of course, the original content should remain quarantined and inaccessible to your end-users while your tools perform the sandboxed detonation. Depending on the results of the sandbox analysis, you can then either safely release the content to users or block it definitively.
Block Sender Names and Domains Automatically
If you detect a phishing attempt, you can minimize its impact by using automation tools to block the sender’s name and domain as quickly as possible. Doing so minimizes the number of emails or other messages that the phishers are able to send to your users. It also disrupts their ability to engage with any users whom they successfully trick into responding to them.
And, by blocking not just malicious sender names but entire domains, you make it much harder for the phishers to continue their attack using multiple accounts.
Automatically Scan Affected Endpoints
Another step that you should take immediately and automatically upon detecting a phishing email is to scan any endpoints – such as the affected user’s PC or phone – that are associated with it.
Immediate scanning will maximize your chances of detecting and isolating any malware that the phishers may have been able to deploy.
Reset Affected User Credentials
Along with scanning impacted endpoints, you should also use automation tools to reset the login credentials for users who may have been impacted by a phishing attack. By logging them out of any open sessions and forcing a password change, you limit the ability of attackers to exploit accounts that they compromised through phishing.
Automation as the Future of Anti-Phishing
The phishers are only going to get better at what they do. To keep up, businesses need to become more efficient in their responses. That means adopting automated anti-phishing tools that allow teams not just to detect phishing attacks as quickly and as accurately as possible, but also to minimize the potential impact of a successful phishing breach on the IT estate.