Reported phishing emails are useful for plenty of reasons.
They help you measure cyber risk, study common attack trends, and even provide inspiration for your own phishing simulations.
One of the security functions that benefit most from reported phishing emails is threat hunting, the process of identifying threats quickly so they can be contained before any major damage is done.
Reported phishing emails are a rich source of intelligence, which can be used to enhance your threat hunting capability.
But first…
Why Hunt Threats?
One of the most persistent problems with cybersecurity is that it's often reactive. There are preventative measures that can be taken — firewalls, filters, training, etc. — but beyond this, there's not many options but to respond to threats as they arrive.
Once you realize this, the question becomes “how quickly can we respond to a new threat?"
Unfortunately, the answer to this question is far from ideal. According to the SANS Institute, the median time-to-detection/resolution of cyber threats can usually be measured in days. Meanwhile, threat actors have no such delays, once a cyber attack has commenced, the time-to-compromise often takes mere minutes.
This is where threat hunting comes into play.
When a cyber incident occurs — a phishing attack, in this cases — it only makes sense to investigate it thoroughly. For example:
- How many endpoints are affected?
- How many users were targeted?
- Are any suspect processes running on affected machines?
- Are any external connection requests occurring?
Answering these types of questions will enable you to identify primary or secondary infections so they can be fully removed before the incident is closed.
Two Ways Reported Phish can Aid Threat Hunting
Reported suspicious and potential phishing emails are valuable to the threat hunting process for two primary reasons:
1) They Lead you Right to the Scene of the Crime
When a security incident arises, how often do you get a helpful memo to let you know? Almost never, right? You have to go searching for them.
When a user reports an email, not only are they letting you know that an incident might occur right now, they're also telling you precisely where it occurred. Malware infections could spread, certainly, but at least you know where the source is.
In a world where time-to-detection is routinely measured in days, it's difficult to stress just how important these early warnings can be.
2) They're a Rich Source of Indicators of Compromise (IOCs)
IOCs are the heart of threat hunting.
In simple terms, they're artifacts found on a network that (with a high degree of confidence) predict a security breach has occurred. Typical IOCs include malware signatures of MD5 hashes, or IP addresses/domain names known to be associated with malicious activity.
So where do IOCs come from? Often from intelligence sharing schemes or threat feeds.
But there's a more direct route: your own analysis.
Analyzing reported phishing emails for IOCs will provide you with the ammunition you need to thoroughly investigate phishing incidents. What better way to identify malicious processes on an affected endpoint than by studying the payload from the email which caused the incident?
And that's not the only use for phishing IOCs. They can also be used to enhance common security technologies such as SIEM and network forensics tools. Over time, this process will enable the tools to automatically detect a wide range of payload-related attacks, speeding your incident response efforts even further.
Phishing Threat Monitoring and Forensics
Most organizations never realize the full value of reported phishing emails. To make sure you don't fall into this category, PhishLabs Founder and CTO John LaCour has hosted a webinar on phishing threat monitoring and forensics.
To learn how suspicious emails reported by employees can be used to quickly identify and stop attacks that would otherwise go undetected, register for the on-demand webinar today.