Phishing attacks now account for 90% of all data breaches, according to a study conducted this year. In fact, 76% of businesses reported that they had experienced a phishing attack in the last year alone.
Regardless of a company’s size, phishing emails remain one of the most frequent, easily executable, and harmful attacks. It is thus apparent that organisations must address the imminent threat that phishing now poses.
Responding to phishing attacks
A whitepaper from Demisto observes that phishing attacks carry the potential for devastating financial damage that is both real and immediate. Security analysts also face a number of challenges when responding to these attacks.
For example, analysts must handle the sheer volume of attacks without burning out and switch between multiple screens to coordinate a response. They must also avoid errors while completing mundane tasks and standardise their response and reporting procedures.
However, security orchestration platforms are able to employ “phishing playbooks” that execute repeatable tasks at machine speed. In addition, these platforms can identify false positives and prepare the Security Operations Centre (SOC) for a standardised phishing response at scale.
Implementing security orchestration
In effect, security orchestration provides analysts with more time to deal with genuine phishing attacks through quick identification and the resolution of false positives. An orchestration platform can also ingest suspected phishing emails as incidents from a variety of detection sources, such as SIEMs and logging services.
Companies can then implement a mail listener integration if the SOC aggregates all suspected mails in a common mailbox. Once the platform ingests the email, it triggers a playbook and goes through the necessary steps to automate enrichment and response.
In order to update the end user, the playbook sends an automated email to the affected party. By assessing the “ingredients” of an email, such as title, email address and attachments, the playbook determines the incident’s severity by “cross-referencing these details against external threat databases.”
Next, the playbook extracts indicators of compromise (IOCs) and scans for any “reputational red flags” using existing threat intelligence tools. Once enrichment is complete, the playbook checks whether any malicious indicators are present before proceeding to respond.
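The playbook flow described above (ingest, extract the email's “ingredients”, enrich against threat intelligence, score severity, respond and notify the reporter) can be illustrated end to end in a small script. The following is an added example written for this page; it is not Demisto's playbook or any vendor's code. The threat-intelligence table, the sample emails and the severity thresholds are all constructed assumptions; a real platform would query external reputation services and its own case-management API instead of a local dictionary.

```python
"""Toy phishing-triage playbook (added illustration, not a vendor's code).

Steps mirror the text: ingest a suspected email, extract IOCs, enrich them
against threat intel, score severity and pick a response. The intel table and
the sample emails are constructed test data (assumptions, not real indicators).
"""
import email
import email.utils
import hashlib
import os
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

ATTACHMENT_BYTES = b"MZ-not-really-a-binary"  # constructed stand-in for a malicious file
THREAT_INTEL = {                               # constructed local intel (assumption)
    "domains": {"example-bad.test"},
    "sha256": {hashlib.sha256(ATTACHMENT_BYTES).hexdigest()},
}
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".hta", ".iso"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")
SEVERITY = {0: "low", 1: "low", 2: "medium", 3: "high", 4: "critical"}


def build_sample_email(malicious: bool) -> bytes:
    """Construct a sample message as a mail listener might deliver it."""
    msg = EmailMessage()
    msg["To"] = "alice@corp.example"
    if malicious:
        msg["From"] = "Payroll <payroll@example-bad.test>"
        msg["Subject"] = "Urgent: verify your account"
        msg.set_content("Confirm at http://login.example-bad.test/verify today.")
        msg.add_attachment(ATTACHMENT_BYTES, maintype="application",
                           subtype="octet-stream", filename="invoice.exe")
    else:
        msg["From"] = "Bob <bob@corp.example>"
        msg["Subject"] = "Lunch on Friday?"
        msg.set_content("See the menu at https://intranet.corp.example/menu")
    return msg.as_bytes()


def _in_blocklist(host: str, domains: set) -> bool:
    """Match a host or any of its subdomains against the blocklist."""
    return any(host == d or host.endswith("." + d) for d in domains)


def extract_iocs(raw: bytes) -> dict:
    """Pull the email's 'ingredients': sender, subject, link hosts, attachment hashes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = email.utils.parseaddr(str(msg["From"]))[1].lower()
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    urls = URL_RE.findall(text)
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        attachments.append({"filename": part.get_filename() or "",
                            "sha256": hashlib.sha256(data).hexdigest()})
    return {
        "subject": str(msg["Subject"] or ""),
        "sender": sender,
        "sender_domain": sender.rpartition("@")[2],
        "urls": urls,
        "url_hosts": sorted({(urlparse(u).hostname or "").lower() for u in urls}),
        "attachments": attachments,
    }


def enrich(iocs: dict, intel: dict = THREAT_INTEL) -> list:
    """Cross-reference each IOC against intel; return (score, reason) flags."""
    flags = []
    if _in_blocklist(iocs["sender_domain"], intel["domains"]):
        flags.append((3, f"sender domain {iocs['sender_domain']} is blocklisted"))
    for host in iocs["url_hosts"]:
        if _in_blocklist(host, intel["domains"]):
            flags.append((3, f"link host {host} is blocklisted"))
    for att in iocs["attachments"]:
        if att["sha256"] in intel["sha256"]:
            flags.append((4, f"attachment {att['filename']} matches a known-bad hash"))
        elif os.path.splitext(att["filename"])[1].lower() in RISKY_EXTENSIONS:
            flags.append((2, f"attachment {att['filename']} has a risky extension"))
    return flags


def triage(raw: bytes) -> dict:
    """Run the whole playbook and return the incident record."""
    iocs = extract_iocs(raw)
    flags = enrich(iocs)
    score = max((s for s, _ in flags), default=0)  # highest single flag decides severity
    if score >= 3:
        action = "contain: block sender and hosts, purge copies from mailboxes"
    elif score == 2:
        action = "escalate to analyst"
    else:
        action = "close as false positive"
    return {"iocs": iocs, "flags": [r for _, r in flags],
            "severity": SEVERITY[score], "action": action}


def user_notification(incident: dict) -> str:
    """Text of the automated update sent back to the user who reported the mail."""
    return (f"Thanks for reporting '{incident['iocs']['subject']}'. "
            f"Triage result: {incident['severity']}; action: {incident['action']}.")


if __name__ == "__main__":
    for flag in (True, False):
        record = triage(build_sample_email(flag))
        print(record["severity"], "-", record["action"], "-", record["flags"])
        print(user_notification(record))
```

The scoring is deliberately simple: the highest single flag sets the severity, so a known-bad attachment hash outranks a blocklisted domain, which outranks a merely risky file extension. That ordering is where a real playbook would plug in its reputation lookups and its own thresholds; the structure (extract, enrich, decide, notify) is what stays the same regardless of vendor.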