Phishing is one of the primary ways attackers steal credentials. For example, they can set up a fake Outlook Web Access page to harvest Windows domain credentials that enable them to access the network via VPN, to read emails, or to send highly credible phishing emails from an internal address by replying to existing email threads. UserInsight has some great features to help you assess and mitigate the risk of getting compromised through a phishing attack:
- Understand your risk through phishing simulations: Through its integration with Metasploit Pro, UserInsight can understand each user's susceptibility to phishing attacks. To do this, send out a benign phishing campaign with Metasploit Pro, measure user click-through and submission of passwords on a fake page, and pull the results into UserInsight to have each user's risk and trending at your fingertips as you're investigating an incident. The screenshot on the right shows a user's susceptibility to phishing attacks over time.
- Detect known threats in email: UserInsight consumes various threat feeds and screens your users' inboxes for emails containing known malicious URLs. When it finds a match, it alerts the incident responder that a user is at risk. Together with the knowledge of how susceptible a user is from your previous phishing simulations, you can get a first gut feel about how likely it is that they clicked on the link.
- Highlighting newly registered domains as a threat: Known threats will be flagged through threat feeds, but many attackers constantly register new domains to avoid getting flagged by blacklists. In other words, phishing URLs are usually either on a blacklist or a newly registered domain. Rapid7 gathers lists of newly registered domains through Project Sonar, a community effort led by Rapid7, to improve security through the active analysis of public networks. A user reaching out to a newly registered domain will be shown as an alert in UserInsight.
- See vulnerabilities by user: If you are using Nexpose to scan your network, UserInsight can display which vulnerabilities are present on the user's assets, both on their laptop and their mobile devices, to see how likely it was that a phishing email exploited a client-side vulnerability. This ability to instantly connect vulnerabilities with a user, not with an IP address, is a key advantage of UserInsight when investigating attacks. Otherwise, DHCP makes it very difficult to research which user had which IP address at what time.
- Gain quick visibility into malware alerts by user: UserInsight integrates with endpoint protection platforms to correlate malware alerts to users. If you suspect a phishing attack, you can quickly see if known malware has been detected on the endpoint to inform your incident response.
- View who else received a particular phishing email: You can quickly and easily search for other users who have received the a particular malicious URL to determine which other users may have been affected.
- Contact users to follow up: UserInsight gives you the user name, department, office, and the name of the user's manager to quickly enable you to follow up with a user currently under attack to warn them or have them help you contain the attack, e.g. by undocking their laptop and switching off WiFi. It sounds simple, but speed is key!
- Detect scanning from an infected machine: Before moving from one machine to another, attackers typically run a ping or port scan on the network to detect what other machines they can get access to. UserInsight offers production honeypots that you can easily deploy as virtual machines on your network to detect attackers planning their next step. Once deployed, honeypots require zero maintenance and update themselves.
- Detect lateral movement: Phishing is often the first step of a larger attacks. If an endpoint has been compromised with a payload, attackers will typically steal credentials and move laterally across the network, for example by taking the local domain administrator's password hash and using a pass-the-hash attack to gain control over other machines on the network. UserInsight will detect these type of attacks, and gives you a clear picture which other machines an attacker may have spread to. Local credentials will leave no trace in Active Directory logs, so getting endpoint logs is critical. UserInsight leverage's Nexpose's proven endpoint scanning technology to collect this information without requiring an endpoint agent (or a Nexpose license). This screenshot shows which assets authenticated to a particular machine, where it authenticated to, and highlights suspicious authentications to certain machines (red circles).
Here are some other Rapid7 solutions that can help you combat phishing:
- Nexpose Enterprise
- Scan endpoints to detect client-side vulnerabilities in your Browser, plug-ins, and Office applications
- Integrate with UserInsight to display vulnerabilities by user to help with incident investigation
- Get visibility and detailed advice about how to harden your endpoints, and track your progress
- Metasploit Pro
- Run phishing simulations to gauge user risk and test the effectiveness of security awareness trainings
- Deliver training to end-users during a "teachable moment", right after having fallen for a phishing email
- Integrate with UserInsight to take a user's phishing risk into account as part of an incident investigation
- Run client-side exploits to test whether your systems are sufficiently hardened
Many large breaches have started through phishing attacks. One of the most memorable examples is the RSA breach a few years ago, which disrupted not only the company itself but also its customers. With UserInsight, Rapid7 applied its knowledge of the attacker through its leadership of the Metasploit project and penetration testing expertise to constantly add new types of detection. By detecting phishing attacks early, you can contain them and reduce damage.
If you are interested in finding out more about how to better detect and investigate incidents on your network, please contact us to schedule a UserInsight demo.