A recent report from FireEye cites the average time from an email phishing breach to detection is 146 days globally, and a colossal 469 days for the EMEA region. According to the report, “At a basic level, the notion that hackers are rooting around in companies’ networks undetected for 15 months is sobering, as it allows ample opportunity for lateral movement within IT environments.”
Unfortunately, this isn’t particularly surprising, given the severe limitation of the cybersecurity workforce, which has resulted in understaffed and overburdened security teams responsible for manually responding to each report of a suspicious email. Then, once an attack is identified, the SOC team must go through a manual forensics process to confirm a legitimate attack, a remediation process to remove the attack and prevent propagation, and a recovery process to restore systems and data.
To most effectively combat the proliferating attacks, however, organizations should consider implementing automation and orchestration into their phishing response strategy. While automation removes the need for manual processes, orchestration integrates security tools and systems to streamline operations and incident response. In our last two blog posts, we discussed the role of automation in expediting the forensics phase and the remediation & prevention phase of phishing response. The third and final part of this blog series will discuss the benefits of utilizing automation in the recovery phase.
To emphasize the need for automation and orchestration in this final phase, let’s first walk through the manual process security teams must execute after the first two phases are complete. Keeping in mind, some of the tasks need to take place in parallel to limit the impact and decrease time response.
- Take all infected machines offline for “virus cleaning” and malware forensics.
- Also, check the sandbox results to track the malware trails. If it is a “zero day,” it will need expert analysis.
- Send an example to antivirus vendors and save an image of an infected machine or a sample for later forensics, either by a 3rd party or the internal team.
- After the machines are clean, make sure they’re not trying to communicate outside systems or networks and ensure all malware trails are removed.
- Check the IPS and network traffic for those infected endpoints, paying close attention to suspicious traffic.
- Then, check mail server mailboxes again for the malicious email, making sure to search both subject line and content.
- If it’s a ransomware case, it will require restoration of the Host from last backup and data, as needed.
- Update Antivirus and all related platforms and reconnect Host to original network segment.
- Call an external expert to check network traffic and malware removal from all servers and end points.
- Start documentation of the forensics process. Based on findings, update management and policy.
- Report full event details in CRM and send mail notifications to systems owners and technical teams.
- Update education materials and make it a case study.
- All team members and parties involved should complete final report right after the recovery phase.
- “Lessons learned” meeting should take place and focus on the final report and the identification of successes and failures during handling, as well as areas for future improvement.
As you can see, after the identification and remediation phases are complete, there’s still a laundry list of action items that SOC teams must execute to fully recover the entire organization from a phishing attack. Further, some of these steps can be arduous and time-consuming, requiring the SOC team to start as soon as possible and make decisions very quickly in order to mitigate the risk. To alleviate the SOC team burden and expedite the recovery phase, organizations should implement automation and orchestration into its phishing response strategy.
According to Siemplify, the best response to the proliferation of phishing attacks is “full-fledged security orchestration.” Instead of relying on one method of cyber defense, it says, organizations should deploy automation around these attacks in real-time. IRONSCALES’ automatic phishing response technology, for example, removes the need for manual response, relieving the SOC team and expediting the time from detection to enterprise-wide remediation from months to seconds. In addition, it opens up communications between other devices, which is a key advantage in the immediate removal of a legitimate attack from all endpoints on the network.
IRONSCALES’ suite of anti-email phishing solutions integrates seamlessly, and because it enables the communication of all devices on the network, it essentially becomes a central command center used by the entire security ecosystem for intelligence gathering and sharing.
Ready to enhance your phishing response strategy? Start your free trial today and see for yourself how automation and orchestration accelerate the phishing response strategy from identification, through remediation and, ultimately, recovery.