Phishing sites commonly contain malicious content that can put SOCs and their organizations at risk as they conduct investigations. But with isolated browsing environments and proper management of the digital fingerprint, analysts can safely and effectively perform their research.
Phishing is the most common type of attack SOCs have to respond to. Phishing attacks can target employees as well as customers, with attackers seeking credentials (usernames and passwords), personally identifiable information (e.g., social security numbers) or financial information (e.g., bank account or credit card numbers). If an attack is not properly investigated and stopped, the organization's reputation can also suffer collateral damage.
As such, it’s key that SOC analysts have the proper tools and tradecraft to safely access and interact with malicious sites and content, as well as blend in with common site traffic to protect their investigation. But the process of investigating phishing attacks is fraught with risks.
Phishing sites often host malicious content that could infect analyst machines or spread within the network. Additionally, phishing site operators may pre-emptively block visitors they associate with defenders (for example, by region or IP range), or could catch on to an investigation in progress and take steps to block it or retaliate in some way.
Phishing is a cybercrime in which criminals impersonate reputable organizations or institutions in an attempt to obtain company, personal or financial information from their targets. Phishing attacks usually arrive as emails, websites, phone calls or text messages.
To investigate phishing attacks, SOCs typically follow the workflow below:
At several points in this workflow there is the potential for the investigation to expose the analyst, and therefore their organization, to cyber risk beyond the initial suspected attack. That's why it's so important to have the proper tools and tradecraft to conduct phishing investigations.
Phishing sites may host malicious content such as malware downloads or exploit code. Analysts' browsing environments must therefore be completely isolated from their own machines and from the corporate network, so that nothing encountered on a phishing site can infect either.
Phishing sites may also be accessible only to visitors from certain geographic locations; for example, many block access from the United States or other countries from which investigations into the site are likely to originate. If you think using a VPN will get you around geoblocking, think again:
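As an added example of the tradecraft the preceding paragraphs describe (this is not code from the original article, nor part of Silo for Research), the script below fetches a suspected phishing URL hop by hop without rendering anything: no JavaScript runs, no meta-refresh is followed, and the body is only hashed and inspected as bytes. It presents a browser fingerprint (User-Agent and Accept-Language) consistent with a victim in the region the lure targets, and it flags responses that look like geoblocking or cloaking so the analyst retries from a different region instead of concluding the site is down. The browser profiles, the egress proxy tuple and the example hostnames are all hypothetical; the script is assumed to run on a disposable, isolated analysis host whose only route to the internet is that regional proxy.

```python
"""Raw, no-render triage fetch for a suspected phishing URL (added example)."""
import hashlib
import http.client
import re
import ssl
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# Constructed profiles (hypothetical stand-ins, not measured fingerprints):
# the User-Agent and Accept-Language a victim in that region would present.
# A US egress IP with en-US headers, or a Linux/curl UA from any region,
# is exactly the mismatch a kit's cloaking logic keys on.
PROFILES = {
    "en-GB": ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36",
              "en-GB,en;q=0.9"),
    "de-DE": ("Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) "
              "Gecko/20100101 Firefox/125.0",
              "de-DE,de;q=0.9,en;q=0.5"),
}

META_REFRESH = re.compile(
    rb'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*url=([^"\'>\s]+)', re.I)
PASSWORD_INPUT = re.compile(rb'<input[^>]+type=["\']?password', re.I)


def browser_headers(region: str) -> dict:
    """Request headers consistent with a real browser from `region`."""
    ua, lang = PROFILES[region]
    return {
        "User-Agent": ua,
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language": lang,
        "Accept-Encoding": "identity",  # keep the body raw so hashes are stable
        "Upgrade-Insecure-Requests": "1",
        "Connection": "close",
    }


@dataclass
class Hop:
    url: str
    status: int
    location: Optional[str]         # HTTP 3xx target, resolved to absolute
    client_redirect: Optional[str]  # meta-refresh target seen in HTML, NOT followed
    sha256: str
    size: int
    password_form: bool


def inspect(url: str, status: int, location: Optional[str], body: bytes) -> Hop:
    """Record what one response looked like without executing any of it."""
    m = META_REFRESH.search(body)
    client = urljoin(url, m.group(1).decode("ascii", "replace")) if m else None
    return Hop(url, status, urljoin(url, location) if location else None, client,
               hashlib.sha256(body).hexdigest(), len(body),
               bool(PASSWORD_INPUT.search(body)))


def fetch_raw(url: str, region: str = "en-GB", proxy: Optional[Tuple[str, int]] = None,
              max_hops: int = 5, timeout: int = 10) -> List[Hop]:
    """Follow only HTTP 3xx redirects, up to max_hops; never render or run scripts.

    `proxy` is the (host, port) of the regional egress proxy and must accept
    CONNECT. Certificate validity is not checked: we are observing a hostile
    endpoint, not protecting a session, and kits often sit behind bad certs.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    hops: List[Hop] = []
    while url and len(hops) < max_hops:
        p = urlsplit(url)
        secure = p.scheme == "https"
        port = p.port or (443 if secure else 80)
        if secure:
            conn = http.client.HTTPSConnection(*(proxy or (p.hostname, port)),
                                               timeout=timeout, context=ctx)
        else:
            conn = http.client.HTTPConnection(*(proxy or (p.hostname, port)),
                                              timeout=timeout)
        if proxy:
            conn.set_tunnel(p.hostname, port)
        path = (p.path or "/") + ("?" + p.query if p.query else "")
        conn.request("GET", path, headers=browser_headers(region))
        resp = conn.getresponse()
        body = resp.read()
        conn.close()
        hops.append(inspect(url, resp.status, resp.getheader("Location"), body))
        url = hops[-1].location
    return hops


def classify(hops: List[Hop]) -> str:
    """Turn a hop chain into the next analyst action."""
    if not hops:
        return "no response"
    last = hops[-1]
    if last.location:
        return "redirect chain exceeded max_hops; raise the limit deliberately"
    if last.status in (401, 403, 404, 451):
        return ("blocked or cloaked (HTTP %d): retry from another region/profile "
                "before concluding the site is down" % last.status)
    if last.client_redirect:
        return "client-side redirect to %s not followed; fetch it as a new hop" % last.client_redirect
    if last.password_form:
        return "live credential-harvesting form; preserve body hash %s" % last.sha256
    if last.status == 200:
        return "200 without a password form: decoy page or JS-built kit; inspect body offline"
    return "HTTP %d" % last.status


if __name__ == "__main__":
    # Offline demonstration on a constructed response; a real run would be
    # fetch_raw("https://lure.example/login", "de-DE", proxy=("egress.example", 3128)).
    sample = b'<html><meta http-equiv="refresh" content="0;url=/real/login.php"></html>'
    print(classify([inspect("https://lure.example/login", 200, None, sample)]))
```

The point of refusing to follow meta-refresh and JavaScript redirects is that these are the stages at which a kit decides whether you are a victim or an investigator; surfacing them as data lets the analyst choose the next hop and the fingerprint it is fetched with, rather than letting the page drive the session.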
To overcome these challenges, analysts conducting phishing investigations need a managed attribution solution like Silo for Research:
Watch how Silo enables SOC analysts to research URLs related to suspected phishing in a secure and anonymized browsing environment.
To learn more about how Silo for Research helps SOCs and CTI teams investigate phishing and other threats, check out these success stories: