An unprecedented level of cyber attacks and phishing attempts makes the security needs of SOC teams greater than ever
The 2022 Phishing and Fraud Report reported a 220% increase in phishing attempts from the previous year. The COVID-19 pandemic and the shift in workplace dynamics toward more people working from home are credited with the spike, which gave cybercriminals opportunities not seen before. COVID-related phishing emails spiked, some posing as fake charities, harvesting credentials and delivering malware. The upward trend is extremely concerning for companies and their security teams.
Security operation centers (SOCs) at many companies are bearing the brunt of these unprecedented levels of phishing attempts, exacerbating existing issues around investigating suspected phishing sites:
- Maintaining security while accessing malicious sites
- Limiting attribution and avoiding attacker TTPs that block investigations (e.g., geoblocking)
- Mixed levels of expertise among team members to operate advanced tools
- Overcoming cumbersome workflows to access and use such tools to isolate and anonymize investigations
As cybercriminals evolve, practitioners must keep up with the trends. The old-school DIY approach (e.g., using “dirty networks”) is no longer a good option for overcoming these challenges: it’s prone to error and expensive to adopt and maintain, with the SOC most often doing the work themselves and being distracted from their intended goals. It’s also cumbersome to access (especially with a distributed workforce), configure and connect to other investigative workflows and tools.
Safety is paramount, but many tools, especially homespun DIY ones, require extensive expertise to use properly. Disconnecting an analyst from their primary workstation cuts off collaboration between teams, making workflows cumbersome, time-consuming and difficult. But by shifting expectations of how a SOC’s online research should operate, organizations can streamline SOC workflows, improve the efficiency of investigations and improve security. So what’s the solution?
SOC analysts: 3 non-negotiable needs for online investigation
SOC teams realize the need for isolation and anonymity when investigating suspected phishing sites, typosquatting and other malicious destinations on the web, and have sought to bridge the gap with DIY solutions. However, what’s been viewed as good enough should actually be viewed as non-negotiable necessities. Whether it’s protecting the organization, creating manageable and efficient workflows or making sure the investigation doesn’t tip off an adversary, these three aspects should never be on the chopping block.
1. Nothing short of 100% isolation
The security approach to investigating potentially malicious sites needs to be bulletproof. Analysts need a 100% isolated web browsing environment to ensure company assets are not exposed to toxic content. A do-it-yourself or piecemeal approach leaves too much room for human error.
The simplest fix is a cloud-based browser offered as-a-service rather than a patchwork of DIY tools strung together. With a cloud-based browser isolation solution, all web code is executed off-network, leaving zero chance for a SOC investigation to lead to a cyber incident itself.
Purpose-built solutions that meet the needs of analysts help make sure toxic content never breaches the perimeter or an analyst’s device. All the data gathered, whether from open sources or the deep corners of the dark web, can be isolated in a user-friendly browsing environment. Prompted downloads can be analyzed and opened in sandbox mode without ever touching a machine. Collected data can also be securely stored in the cloud and shared via Silo Secure Storage.
2. Anonymity needs to be a guarantee
Patchwork solutions, like using a combination of dirty networks, lines or machines supplemented with a VPN and Incognito Mode, leave plenty of room for error. Further, these approaches offer only a very basic level of anonymity: webmasters can still collect data during a site visit, leaving practitioners and their organizations vulnerable to being discovered. A site visit can also be traced back to the machine used, which then has to be reimaged, creating a costly problem and amounting to lost time in the investigation. Some sites may simply block access from VPNs altogether, leaving analysts stuck on the outside and unable to collect valuable data.
SOC analysts need to protect themselves from being blocked by website owners or prevented from seeing the data that a victim would normally encounter, either of which results in a dead end in their investigation. With the ability to fully manipulate their point of presence (i.e., internet egress location) and digital fingerprint, researchers can appear to access sites as in-region visitors, thereby avoiding geoblocking, and see how content displays to intended victims with a similar digital fingerprint.
Cutting the link – keeping analysts anonymous
The anonymity of analysts is crucial not just to the investigation, by not tipping off the target, but also to the safety of the company and the analysts themselves. Anonymity requires:
- A global access network and non-attributable IP addresses that keep researchers unattributed to the organization
- Detailed manipulation of digital fingerprint: browser, OS, device, time zone, language, keyboard settings
- Secure, anonymous and compliant dark web access
3. Smoothing workflows
Many homegrown or piecemeal solutions make for a bumpy, if not absolutely debilitating, workflow. To conduct investigations into malicious sites efficiently, analysts need access to their toolkits within the browsing environment and the ability to securely store and collaborate on collected data.
Purpose-built solutions for online investigations should include a workflow that works for analysts. Analyzing data and collaborating on findings can help shorten investigation response times, creating a safer workplace.
Workflow in mind
Sometimes in cybersecurity, what’s secure and what’s convenient can be at odds. Silo for Research is built by researchers with ease of workflow in mind. Its secure capabilities also include features that assist analysts and make their investigations more efficient.
- Content capture and analysis inline with web code analysis and packet capture
- Ability to store files with a native UX and access them, while keeping all data off-network
- Detailed audit logs
A complete solution
Good enough is not enough to protect SOC analysts, their online investigations or their company. Using a combination of techniques by piecing together spoofs of certain attributes here and there is a dangerous game that lets vulnerable, key information flow through to adversaries.
Don’t let patchwork solutions throw off your investigation or slow down your team’s workflow. By using a purpose-built, all-in-one solution, security or anonymity is never at risk. Analysts can safely collect and analyze the data they need to focus on your company’s security.
The solution is a fast, easy-to-use, “as-a-service” platform that offers complete isolation and anonymity. Ease of use both frees up time for the analyst to focus on their investigation and protects the company from the potential for human error. Most importantly, devices and networks remain secure without cost-ineffective and burdensome burner machines.
To learn more about how you can build a solid strategy for keeping your team’s online investigations secure and anonymous, try Silo.