By: Jane Wasson

The threat that most often breaches defenses is the phishing attack. One of the biggest challenges for security teams and SIEM security is to quickly and effectively detect these attacks, and then efficiently investigate and respond to prevent damage.

Advanced Threat Protection Demands Deep Insight and Visibility to Phishing Attacks

Security Information and Event Management (SIEM) solutions are an important tool in a modern day security operations center (SOC) team’s arsenal, providing visibility into suspicious activity and attack attempts. They help teams continually assess an organization’s security posture and identify areas of focus to fortify defenses.

SIEMs do this by aggregating event logs from across an organization to carry out monitoring, reporting, investigation, and incident response. SIEM monitoring and event correlation bubble up suspicious activity for investigation. Thus, when a breach is discovered, SIEMs provide the clues for security teams to investigate, report on, and respond to attacks.

Area 1 Horizon anti-phishing service detects and blocks phishing attacks and when integrated with a Security Information and Event Management (SIEM) solution, security teams can:

  • Get deep insight and visibility into phish detected and blocked by the Area 1 service
  • Quickly and effectively uncover related advanced threat activity organization-wide
  • More efficiently investigate and respond to incidents
  • Provide visibility into threat actor behavior and trends
  • Facilitate and customize threat reporting
Effective advanced threat detection

Security teams that integrate the Area 1 Horizon anti-phishing service into their SIEM platform can more effectively protect from advanced threats.

Area 1 Horizon proactively hunts for and discovers phishing campaigns and infrastructure in the wild, discovering malicious sites and payloads on average of 24 days ahead of industry benchmarks.

Area 1 Portal Dashboard

The service tracks threat actors and provides in-depth information about their activities, delivering real-time insight into attack campaigns and infrastructure: who the targets are, how and when they deliver their attacks, and then takes action to block attacks, including email, web-based, and network-based phishing attacks, before they impact end users.

By integrating the Area 1 Horizon anti-phishing service API with a SIEM platform, security teams gain deeper insight and visibility into phish detected and blocked by the Area 1 anti-phishing service. Security teams can monitor Area 1 phishing detections from their SIEM, and drill down for in-depth threat insight. Events can be correlated across the organization to help identify, visualize, and report on phishing activity and campaigns during the earliest phase of the attack cycle to more effectively protect from advanced threats across the organization.

SIEM Dashboard for Area 1 Phishing Detections

For example, in the above screen shot, the Area 1 Horizon service detected and blocked a phishing email with the subject “Job Opportunity”. Drilling into the detection details indicates the email was judged malicious because it has an attached document containing malicious VBA code that originated from a compromised sending server.

SIEM Drill Down for Area 1 Malicious Email Detection

Executing a SIEM query on the email’s attributes such as the sending server, file hash, and attachment file name can uncover whether the phishing attack has impacted other parts of the organization and help determine if an incident investigation and response is called for.

Improve SIEM incident response efficiency

When a phishing breach occurs, security teams investigate the incident to determine what happened: Which data and systems are impacted? Who perpetrated the attack, and what is their objective? What action is necessary to remediate damage and prevent similar attacks?

SIEM search queries uncover the history of an incident to speed response and remediation. With Area 1 providing its early insight into phishing campaigns and infrastructure, security teams can more efficiently detect and respond to attacks. Area 1 provides in-depth, historical information on malicious domains, IPs, URLs, file hashes, and email addresses, that are critical to investigating incidents. This includes:

  • Threat type and threat actor, if known
  • Domain WHOIS information
  • Timestamps of when an indicator was discovered
  • Items associated with the indicator, such as URLs and files
  • An infections map, displaying infection names and number of times seen

Area 1 Portal Threat Actor Profile

Using Area 1 Security threat insight and SIEM queries helps uncover the history of users or systems that interacted with malicious domains or IPs. The team can also: identify users who interacted with malicious links or downloaded malicious files, gather additional context should a phish go under audit at either the corporate or legal level, and even identify lateral breach activity. If the Area 1 service detects a malicious email, the content of the email can be accessed via the SIEM, as necessary, for further investigation or to retain for evidence. This information helps security teams more efficiently investigate and respond to a cyber breach.

Visibility into Threat Actor Behavior and Trends

An important task for security teams is to keep current in regard to the threat landscape and any active threats and vulnerabilities. The Area 1 service API, integrated with a SIEM platform, continuously updates threat actor information. This enables the security teams to visualize and drill down into threat actor activity, motivations, and techniques from their SIEM platform, helping them stay current and better understand and defend from attacks.

Facilitate and Customize Reporting

In addition to event monitoring, incident investigation, and response, SIEMs also perform security reporting: capabilities vary from real-time views of an organization’s security status to weekly or month roll-ups of significant events or weekly metrics.

By integrating Area 1 Horizon with your SIEM, security teams can report on real-time phishing attack activity. The team can use a common, familiar interface and easily include phishing attack detection and threat indicator data to reports, such as weekly or monthly roll-up reports of significant events or weekly metrics.

Splunk Dashboard Reporting Area 1 Detections

If your security team relies on a SIEM to monitor, investigate, and respond to cyber threats, deploying the Area 1 anti-phishing service and integrating with your SIEM can improve effectiveness and efficiency of advanced targeted phishing attack detection and incident response across your organization. To learn more, watch the webinar “Accelerate SIEM Phishing Detection and Incident Response”.