Phishing emails are among the oldest and most common types of cyberattacks, and when successful, can have a devastating impact. In 2020, the average cost of a breach caused by phishing was $4.65 million, and the FBI reports that there were more than 12 times as many phishing complaints last year as compared to 2016.

Indeed, some large organizations receive an estimated 10,000+ security alerts daily – phishing emails included. This sheer volume has become a major part of the problem, and with manual triage of a single suspected email taking between 10 to 45 minutes, it’s often impossible for security teams to keep up with the demand.

The challenges are exacerbated by cybercriminals who are continually finding new methods of attack. The security teams tasked with prevention and mitigation must monitor numerous data sources, ranging from logs, emails, alerts and suspected compromised accounts to external resources such as Twitter (among many others). In many circumstances, the manual effort required soaks up valuable time and resources, preventing highly trained security professionals from applying their skills to more strategic initiatives.

Investigation automation

Clearly, we can’t sustain the current environment, and to address the burden it imposes, automating the phishing investigation and response processes has become a priority. Typically, automation objectives don’t focus only on preventing potential breaches from slipping through the cracks; they are also designed to reduce the pressure on overtasked security analysts.

In an automated system, a potential phishing email triggers a specific workflow pattern to help defeat the attack before it has a chance to fully take form. For example, suspicious emails are deleted from an inbox to prevent users from opening them.

We can automate the most time-consuming parts of an investigation even further by extracting indicators of compromise (IOCs) from every part of an email – headers, body (HTML, text, RTF), sender, subject – as well as determining the reputation of each mail transport agent (MTA) named in the “Received” headers. Once reputations are determined and IOCs are extracted, security teams can further automate the correlation and threat intelligence lookups of these artifacts, such as IPv4 and IPv6 addresses, URLs, file hashes (MD5, SHA1, SHA256, SHA512, ssdeep), and domains.
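As an added illustration (not code from the article or from Swimlane), the following Python script performs the extraction step just described on a constructed sample message: it walks the Received headers to list each relaying MTA and the IP address the next hop recorded for it, mines the subject, sender and text parts for URLs, domains, IPv4 addresses and hex hashes, and hashes each attachment with MD5, SHA1, SHA256 and SHA512. The regular expressions, the hop-parsing rule, the `extract_iocs`/`parse_received_hops`/`hash_bytes` helper names and the sample message are all assumptions made here; ssdeep is left out because it needs a third-party library.

```python
import hashlib
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

# Constructed sample message for illustration only: every host name, IP
# address, domain and mailbox below is made up (documentation/reserved ranges).
SAMPLE_EML = b"""Received: from mail-relay.example-isp.test (mail-relay.example-isp.test [198.51.100.23])
    by mx.corp.example (Postfix) with ESMTPS id ABC123
    for <user@corp.example>; Mon, 01 Mar 2021 10:15:02 +0000
Received: from [203.0.113.45] (unknown [203.0.113.45])
    by mail-relay.example-isp.test with SMTP; Mon, 01 Mar 2021 10:14:58 +0000
From: "IT Support" <helpdesk@corp-support.test>
To: user@corp.example
Subject: Password expires today
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

Your password expires today. Reset it at https://login.corp-support.test/reset?u=123
or contact 192.0.2.77 if the link fails.
Reference: d41d8cd98f00b204e9800998ecf8427e
--BOUND
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--BOUND--
"""

# Assumed indicator patterns; tune them for your own environment.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Longest alternative first so a SHA512 is not reported as a truncated MD5.
HASH_RE = re.compile(r"\b(?:[a-fA-F0-9]{128}|[a-fA-F0-9]{64}|[a-fA-F0-9]{40}|[a-fA-F0-9]{32})\b")
RECEIVED_FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)


def hash_bytes(data: bytes) -> dict:
    """Hash an attachment with the digest types the article lists (minus ssdeep)."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}


def parse_received_hops(msg) -> list:
    """One dict per Received header, outermost hop (closest to us) first.

    'from_host' is what the sending MTA claimed; 'ips' are the addresses the
    receiving MTA recorded. Those are the hosts whose reputation gets checked."""
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(str(value).split())          # unfold continuation lines
        m = RECEIVED_FROM_RE.search(flat)
        hops.append({"from_host": m.group(1) if m else None,
                     "ips": sorted(set(IPV4_RE.findall(flat)))})
    return hops


def extract_iocs(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and return the indicator types named in the text."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hops = parse_received_hops(msg)

    # Text to mine for indicators: subject, From header and every text/* part.
    chunks = [str(msg["Subject"] or ""), str(msg["From"] or "")]
    attachments = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""
            attachments.append({"filename": part.get_filename(), **hash_bytes(data)})
        elif part.get_content_maintype() == "text":
            chunks.append(part.get_content())
    text = "\n".join(chunks)

    urls = sorted(set(URL_RE.findall(text)))
    domains = {urlparse(u).hostname for u in urls}
    domains |= {addr.rsplit("@", 1)[1].lower() for addr in EMAIL_RE.findall(text)}
    return {
        "hops": hops,
        "urls": urls,
        "domains": sorted(d for d in domains if d),
        "ips": sorted(set(IPV4_RE.findall(text))),
        "hashes": sorted(set(HASH_RE.findall(text))),
        "attachments": attachments,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(extract_iocs(SAMPLE_EML), indent=2))
```

The output of `extract_iocs` is what a platform would feed into its reputation and threat-intelligence lookups; note that the inner hop's claimed host (`[203.0.113.45]`) is taken from text written by the sender, while the bracketed IP came from the relay that accepted the connection, which is why hop reputation is judged on the recorded address rather than the claim.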

When emails are automatically ingested, correlated and processed with all the related information, the burden placed on the security operations center (SOC) is reduced. This extends to the many related tasks that SOCs must track and manage when processing a reported message. By using low-code automation solutions specifically, security teams can unlock automation beyond the SOC, allowing them to streamline alert monitoring and significantly reduce response times, thereby addressing every alert and decreasing risk exposure.

Focus on process accuracy and consistency

Manual analysis of IOCs has become another time-intensive task, and many security professionals are familiar with the effort required to determine whether a similar message has already been processed. When these checks are automated, it becomes much easier to determine whether any aspect of an email is similar to one that has already been received. An effective automation solution should also flag similarity when, for example, five or more data points correlate, using hash equality, Levenshtein distance, and other similarity algorithms.
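The similarity rule is easy to state but the thresholds matter, so here is an added example (not the article's or Swimlane's code) that scores a newly reported message against an already processed one on seven data points and applies the article's five-or-more rule. The 0.8 subject-similarity cut-off, the choice of data points, the hypothetical `make_record`/`correlate` helpers and the constructed sample records are assumptions for illustration; the feature records stand in for what an IOC-extraction step would produce.

```python
import hashlib
import re

# Assumed tuning values for this example (not from the article):
SUBJECT_SIMILARITY = 0.8   # minimum Levenshtein-based ratio for subjects to count as a match
MATCH_THRESHOLD = 5        # the article's "five or more data points" rule


def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute (free if equal)
        prev = cur
    return prev[-1]


def similarity_ratio(a: str, b: str) -> float:
    """1.0 for identical strings, 0.0 for completely different ones."""
    if not a and not b:
        return 1.0
    return 1.0 - levenshtein(a, b) / max(len(a), len(b))


def body_fingerprint(body: str) -> str:
    """SHA-256 of the whitespace-collapsed, lower-cased body so that trivial
    reformatting does not defeat an exact-match comparison."""
    return hashlib.sha256(re.sub(r"\s+", " ", body.strip().lower()).encode()).hexdigest()


def make_record(sender_domain, display_name, subject, body, url_domains, attachment_sha256, source_ip):
    """Feature record in the shape an IOC-extraction step would hand to correlation."""
    return {
        "sender_domain": sender_domain.lower(),
        "display_name": display_name.lower(),
        "subject": subject.lower(),
        "body_sha256": body_fingerprint(body),
        "url_domains": set(url_domains),
        "attachment_sha256": set(attachment_sha256),
        "source_ip": source_ip,
    }


# Each check is one "data point"; it passes when the two records agree on it.
CHECKS = [
    ("sender_domain",   lambda a, b: a["sender_domain"] == b["sender_domain"]),
    ("display_name",    lambda a, b: a["display_name"] == b["display_name"]),
    ("subject",         lambda a, b: similarity_ratio(a["subject"], b["subject"]) >= SUBJECT_SIMILARITY),
    ("url_domain",      lambda a, b: bool(a["url_domains"] & b["url_domains"])),
    ("attachment_hash", lambda a, b: bool(a["attachment_sha256"] & b["attachment_sha256"])),
    ("body_hash",       lambda a, b: a["body_sha256"] == b["body_sha256"]),
    ("source_ip",       lambda a, b: a["source_ip"] == b["source_ip"]),
]


def correlate(new, known, threshold=MATCH_THRESHOLD):
    """Return (names of the matching data points, whether the threshold was reached)."""
    matched = [name for name, check in CHECKS if check(new, known)]
    return matched, len(matched) >= threshold


# Constructed sample records: every domain, IP address and hash below is made up.
PLACEHOLDER_SHA256 = "3f" * 32  # stands in for a real attachment hash

KNOWN_PHISH = make_record(
    "corp-support.test", "IT Support", "Password expires today",
    "Your password expires today. Reset it at the link below.",
    {"login.corp-support.test"}, {PLACEHOLDER_SHA256}, "203.0.113.45")

NEW_MESSAGE = make_record(   # same campaign, lightly reworded
    "corp-support.test", "IT Support", "Passw0rd expires today!!",
    "Your password expires TODAY. Click the link below to keep access.",
    {"login.corp-support.test", "cdn.corp-support.test"}, {PLACEHOLDER_SHA256}, "203.0.113.45")

NEWSLETTER = make_record(    # unrelated, legitimate mail
    "news.example", "Weekly Digest", "Your weekly digest",
    "Here is what happened this week.",
    {"news.example"}, set(), "198.51.100.9")

if __name__ == "__main__":
    for label, rec in (("new message", NEW_MESSAGE), ("newsletter", NEWSLETTER)):
        matched, similar = correlate(rec, KNOWN_PHISH)
        print(f"{label}: {len(matched)} matching data points {matched} -> similar={similar}")
```

The reworded message matches on six of seven points (only the body fingerprint differs, since a single changed character defeats an exact hash, which is exactly why the fuzzy subject comparison is there), so it clears the threshold; the newsletter matches on none. Raising or lowering `MATCH_THRESHOLD` trades false positives against missed variants, and the run-time cost is dominated by the Levenshtein step, which is quadratic in subject length.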

We need to automate key processes for greater accuracy and consistency. For example, if there’s a known phishing attack, the IT team should automatically open a ticket, remove similar messages from all mailboxes, and if applicable, quarantine any endpoints suspected of executing malicious attachments. If there’s an unknown threat, the system should check any attachments or URLs against threat intelligence and/or submit them to a sandbox for inspection. If the team finds that it’s malicious, they should likewise remove the message from any impacted mailbox and quarantine those systems to further protect their organizations.

Automation, specifically low-code security automation, can also address the increasing complexity seen across existing security controls. It’s not uncommon for organizations to integrate as many as 50 technologies to build an effective defense. With consistent automated processes, IOC analysis can be retrieved from the integrated third-party tools appropriate to each indicator type, enabling faster and more effective completion of one or more tasks, such as threat intelligence lookups, investigation, search, SIEM and log management.

Reduce mean-time-to-resolution

An effective automation solution lets security analysts monitor every relevant detail, providing a dashboard for specific users, roles and tasks while displaying all the data needed within a single, concise record.

The solution should also help determine and automate consistent responses. These can include submitting the payload to an internal or external sandbox, isolating a device, changing a firewall rule, notifying the analyst to send an alert email to requisite parties or collaborating with teams outside of the automation solution.

By automating investigation, response and collaboration, incident resolution can be reduced from 45 minutes to as little as five minutes, on average. This means that security analysts can spend more time investigating other critical events, improving prevention and detection capabilities, or gaining new skills — rather than spending time executing tedious, well-known processes.

Ultimately, cybercriminals thrive by creating chaos and uncertainty. But when security teams use low-code security automation to address these threats — by accelerating investigations, responses and resolutions — they can reduce the organizational impact of phishing.

Josh Rickard, security automation architect, Swimlane