Safely investigate phishing sites without getting hooked

Phishing sites commonly contain malicious content that can put SOCs and their organizations at risk as they conduct investigations. But with isolated browsing environments and proper management of the digital fingerprint, analysts can safely and effectively perform their research.

The most common cyberattacks SOCs have to respond to are phishing. Phishing attacks can target employees as well as customers, with attackers seeking credentials (usernames and passwords), personally identifiable information (e.g., social security numbers) or financial information (e.g., bank account or credit card numbers). If not properly investigated and stopped, an organization’s reputation could also be collateral damage of the attack.

As such, it’s key that SOC analysts have the proper tools and tradecraft to safely access and interact with malicious sites and content, as well as blend in with common site traffic to protect their investigation. But the process of investigating phishing attacks is fraught with risks. 

Phishing sites often contain malicious content that could infect analyst machines or spread within the network. Additionally, phishing site operators could preemptively block certain access or could catch on to the investigation and take steps to block it or retaliate in some way.

What is phishing and how is it investigated?

Phishing is a cybercrime where criminals emulate reputable organizations or institutions in an attempt to obtain company, personal or financial information from their targets. Phishing attacks usually come in the form of emails, websites, phone calls or texts.

To investigate phishing attacks, SOCs typically follow the workflow below:

1. An alert from the email gateway creates a ticket or a user emails the phishing alias 
2. If the phishing attack directs users to a URL, some teams may initially enter it into a free online scanning tool for quick view of what others have reported (e.g., urlscan.io, VirusTotal)
3. Analyst visits the site 
   1. Conducts visual inspection and collects evidence (i.e., screenshots); determines if the site is convincing, contains malicious content, attempts to harvest credentials, etc. 
   2. Analyzes the sites code using dev tools; identifies redirects (i.e., domains and URLs) to be blocked, often collecting screencapture evidence of what the page is loading 
   3. Downloads and stores collected information including files or code; transfers applicable files (e.g., phishing kit) to a sandbox to analyze further 
4. Ticketing system or SIEM is updated with information collected
5. Downstream teams review the tickets to block domains and URLs on web proxy/gateway 
6. The malicious domains and URLs are sent to the threat intelligence team to update the threat intelligence platform’s indicators of compromise (IOCs) for alerting

Obviously, at several points in this workflow there is the potential for the investigation to expose the analyst — and therefore his organization — to cyber risk beyond the intial suspected attack. That’s why it’s so important to have the proper tools and tradecraft to conduct phishing investigations.

How isolation and anonymity can improve phishing investigations

There’s a risk that phishing sites could contain malicious content. It’s important that analysts’ browsing environments are completely segregated from their machine and network to avoid infection to themselves and their organizations.

Phishing sites also may only be accessible to visitors from certain geographic locations (for example, phishing sites often block access from the United States or other countries where investigations into their sites will likely stem from). If you think using a VPN will get you around geoblocking, think again:

• Phishing sites frequently block access stemming from VPNs, as they’re commonly used by investigators and would thwart their geoblocking mechanisms
• Beyond IP address, VPNs don’t give you much control over other details of your digital fingerprint, which together form a “location narrative” (for example, if you appear to be accessing a Chinese website from Singapore, but your time zone shows “U.S. Pacific,” language and keyboard settings are set to English, and your browser and OS are not commonly used in Singapore, you look suspicious)
• VPNs do nothing to protect against malicious content analysts may encounter

To overcome these challenges, analysts conducting phishing investigations need a managed attribution solution like Silo for Research:

• Completely isolate the analysts’ machine from potentially malicious content on visited websites via a cloud-based browsing environment
• Select the appropriate point of presence (i.e., egress) to appear to be visiting suspected phishing sites from the desired region
• Customize the digital fingerprint to match details of the average site visitor’s user agent string

How a Silo for Research fits into the phishing workflow

1. Navigate safely to site using the cloud-based Silo browser, ensuring 100% separation between analyst’s machine and all web content 
   1. Use the built-in screencapture feature to capture data and include the site URL and timestamp
   2. Manipulate the user agent string and egress node to guarantee the analyst is seeing the page as a phishing victim would
   3. Use built in dev tools to analyze HTML 
      1. Use screencapture and annotation tools to capture redirects in the Javascript and CSS
   4. Save collected data in Silo for Research’s secure cloud storage
2. Update ticketing system or SIEM with information collected

Watch how Silo enables SOC analysts to research URLs related to suspected phishing in a secure and anonymized browsing environment.

To learn more about how Silo for Research helps SOCs and CTI teams investigate phishing and other threats, check out these success stories:

• Major US airline investigates phishing, typosquatting, malvertising
• Location, location, location: helping SOC investigate region-specific malware
• Software provider uses Silo for Research in threat triage, research and remediation
• Silo for Research helps content platform provider stay on top of threats and curb illegal activity