How to Automate Phishing Investigations and Remediation

Last updated at Thu, 14 Dec 2023 13:59:16 GMT

If your organization has ever been breached, the odds are pretty good that phishing had something to do with it. According to the Verizon Data Breach Digest, phishing attacks play a role in 92 percent of security breaches today. This means more and more security teams are spending time trying to identify and remediate these attacks. But as the volume of attacks continues to grow alongside the laundry list of other high-priority alerts, it’s difficult to keep up.

Repetitive tasks like investigating email senders, detonating attachments, checking URLs, and following up with suspicious requests can often be incorporated into an automated workflow via a SOAR solution. While those tasks are being handled automatically, your team can work on the rest of the investigation and response. It’s efficiency and speed at its finest.

1. Shortening the investigation timeline

Organizations are seeing an increase in user reporting of potential phishing emails (which is great!), but security teams often can’t keep up. SOAR can shorten the time it takes to investigate each alert. When a user hits the ‘report phishing’ button or forwards a suspicious email to a dedicated inbox, SOAR can trigger a workflow that will run through the first steps of a phishing investigation for you, so that you know it’s taken care of. Don’t have workflows created just yet? No problem—SOAR solutions like InsightConnect come with out-of-the-box workflows so you can get up and running quickly.

2. Offloading manual, repetitive tasks

If you’ve been involved in a phishing investigation before, you know it’s tedious work. Parsing out the different indicators of a phishing attack to determine whether it’s legitimate takes time and can be quite mind-numbing, especially for companies that encounter a lot of potential phishing attacks. Security orchestration and automation is designed to relieve teams from the burden of these kinds of tasks.

InsightConnect can parse out header details, IP addresses, URLs, and even attachments. Once these elements are identified, SOAR can then enrich the data from a variety of sources. This means your team can elevate its focus to making decisions and resolving threats, while the machines handle the upfront work to flag true phishing attempts.

3. Seeing the full picture

Many SOAR solutions offer third-party integrations with popular security and IT tools. By integrating with the rest of your technology stack, SOAR can gather the necessary context in order to enrich alerts and indicators and accurately determine which are threats, as well as deliver the right context to security analysts to resolve the attack. Additionally, a good SOAR solution should offer out-of-the-box workflows you can implement to connect your tools without the need to code or figure it out yourself. This means you can spend less time configuring and more time taking action.

See our SOAR Playbook for an example workflow using InsightConnect. Of particular importance is the ability to integrate with threat feeds to enrich the data. For example, InsightConnect offers pre-configured workflows to review IP addresses using WhoIs lookup, check it against open source IP feeds, and even integrate with commercial enrichment tools like Anomaly to provide the full context during an investigation.

4. Reporting and resolution

After routine scans and investigations have occurred, you can configure workflows to trigger a decision point on how to best proceed. A SOAR tool should include steps to send reports to analysts so they can decide how to resolve it. This is where human analysis comes into play and where SOAR solutions bring the capabilities of machines and humans together. Correlating the context gathered during the automated investigation, SOAR can present all relevant data to the analyst within the console or inside an existing ticketing, chat, or email service provider.

If an analyst decides the phishing attack needs to be detonated and remediated, you can also customize SOAR workflows to work with your existing tech stack to delete the original email, delete any matching emails across the server, or even set up a rule to feed these emails into a firewall or email security gateway for future protection.

Getting started with security orchestration and automation

Security orchestration and automation is designed to help teams improve their security posture and create efficiency—without sacrificing control of important security and IT processes. Our new playbook highlights some of the most common use cases for security orchestration and automation, including phishing investigations, as well as useful tips on how to get started.