RH-ISAC BLOG

Analyst Spotlight: TruSTAR Intel Architect Discusses the Evolution of Phishing Attacks

Author: TruSTAR

TruSTAR recently spoke at RH-ISAC’s Retail Cyber Intelligence Summit about best practices and insights about intelligence fusion. A major component to fusion and managing your intelligence is phishing triage.

In this follow-up Q&A, we sat down with TruSTAR Intelligence Architect Neal Dennis to discuss phishing trends, its impact on consumer-facing companies, and how security teams can defend themselves against commoditized phishing attacks.

+++

Neal, before we get started, can you give us a little background about who you are and what you do?

As an Intel Architect here at TruSTAR, I spend my days working side-by-side with security analysts and engineers to figure out workflows, use cases, product integration roadmaps, and more.  I work with sharing communities like RH-ISAC members to make sure they’re getting the best they can out of the platform and get product feedback.

I come from a predominantly military and government contracting background. I started off in the Marine Corps and quickly merged into cyber. And I’ve sat in many a seat and done many things with various intel teams. SOCs, network warfare operations, red team, purple teams. Pick a flavor and I’ve probably poked at it a little bit.

What are the most common types of phishing attacks retail and hospitality companies face today? Why is phishing a tougher problem for consumer-facing companies versus other verticals?

One of the biggest, most impactful trends with phishing is around what comes into your email inbox. Malspam, or malicious spam, comes in many flavors.

Malicious content comes across predominantly with a lot of commodity malware. When I talk about commodity malware, I’m referring to malware being used in opportunistic attacks that target common flaws present in many machines and applications. For example, Hancitor is a really big one. Loaded in there are different types of malware like Emotet and other types of either credential harvesters. Ransomware is always very, very popular. The bulk of malspam and ransomware gets delivered via email mechanisms.

Retail and hospitality companies also have a large brand presence, and therefore are vulnerable to more social engineering hacks. Retailers have to worry about their security, and they have to worry about closing off mechanisms for webmail like Gmail that they may or may not allow their own employees to access through their environment, as well as mobile access.

Retailers have a security responsibility not just for themselves, but also their customers. Campaigns that target potential customer bases are large threats for retail companies because they diminish trust between the retailer and its customer base. Retailers have to think about who is purposely targeting their customers in fraud campaigns that leverages their brand. 

We’ve seen cyberattacks become much more sophisticated. How have you seen phishing TTPs evolve over the last decade?

The construct of phishing attacks hasn’t changed much, but the payloads and the delivery mechanisms have significantly shifted.

If we look back ten years ago, ransomware as an idea for profit really wasn’t extremely prevalent. You had extortion, but actively encrypting someone’s hard drive and requesting financial remuneration for that to unlock, was not really there.

Back then, you may have seen more automated exploit tactics, like launching exploit kits that used adware and other fraudulent tools. Then, as we moved through the technology shift, security teams have gotten wiser. For example, back then, a lot of malware was spread via Excel files with macros enabled. That’s not as popular nowadays because virus scanners can outright notify someone when there’s macros in an attachment. Many security teams have just completely disabled macros across the spectrum. That doesn’t mean that that’s still not being used today, but it’s pivoted more around how the actual payload gets delivered.

The number one way of getting malware delivered to a target is still your email gateway.

Security teams have access to an overwhelming amount of intelligence sources. What are some of the biggest challenges security teams face when trying to get the most value out of their data?

At the end of the day, these things all boil down to, “how can I shave off a little less stress for an L1, L2, L3 responder?” Because there’s this need to get to the data quicker, there’s a need to clean-up and normalize the data faster, and respond to these potential incidences as quickly as possible.

Responders are the people down in the weeds, fighting in the trenches, wrangling all of the data.

I recommend focusing on three things: One, getting your hands on the highest-priority data as quick as possible. Two, if you have a bunch of different intelligence sources, you must normalize them together so that you can enrich and compare data. Three, get in the habit of both sharing and ingesting data from trusted sharing communities. The RH-ISAC threat intelligence exchange is a high-quality dataset that can help analysts identify high-priority threats their peers are also seeing in their environments.

As this process gets refined and intelligence starts flowing to the right teams and toolsets, analyst’s workflow becomes simplified. They can start logging into one centralized platform, as opposed to having 10-15 different windows to triage cases. Distress from an event goes way down, and precious analyst cycles can be saved.

The quicker an analyst can triage alert tickets, the quicker they can decide how to prioritize a case and take action. At TruSTAR, we call this intelligence management.

+++

If you’re interested in learning more about phishing triage, join TruSTAR on Tuesday, November 12, 2019 for a live demo on phishing triage best practices. Register here.