Top 5 Phishing Resources for SOC Teams

July 6, 2022

Phishing is a cyber-attack in which attackers defraud their victims through email, text messages, phone calls, or websites. Using social engineering techniques, they lure victims into opening malicious links or visiting well-crafted fake websites.

The attackers capture passwords, login credentials, financial information, and other sensitive personal data. This information is then used or sold on for account takeover, identity theft, or other malicious purposes that result in direct financial loss.

What are the 5 Categories of Phishing?

The five most common types of phishing are categorized as follows:

  • Email Phishing: A seemingly legitimate email, sent in bulk to anyone rather than to a chosen target, that tricks the recipient into clicking a link and handing over personal or identity information. It is the most widely used type of phishing.
  • Spear phishing: Personalized attacks that target a single person or a small group. The messages contain personal details gathered by researching the target, which makes them convincing, and the information the target gives up is often the foothold for a larger attack.
  • SMS phishing (Smishing): Phishing tactics delivered via text messages (SMS). Attackers impersonate a well-known person or service and hide malicious links behind URL shorteners, which are so common in messaging that they arouse little suspicion.
  • Voice phishing (Vishing): A phishing attack carried out over voice calls. The attacker poses as a customer service representative or a government official to extract sensitive information from the victim or to obtain money directly.
  • Whaling: A phishing attack that targets senior executives (the CEO, CFO, and other C-suite roles). Attackers favour these targets because of the sensitive information and high-privilege access they hold.

Top Phishing Resources for SOC Teams

Common indicators of a phishing email include sender addresses that closely resemble legitimate ones, suspicious display names, links whose visible text differs from the address they actually point to, domain names that are close to the real one but subtly wrong, and unexpected attachments. The message body typically adds threatening language and a sense of urgency, grammar and spelling errors, and requests for login credentials, payment details, or other sensitive data. Checking for these signs is how an analyst spots a phishing email.
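The indicators above can be checked mechanically before an analyst reads the message. The following script is an added example, not code from the original article or from any of the tools it lists: it parses a constructed sample .eml (the domains, sender addresses and keyword lists are hypothetical) and reports which indicators fire: a lookalike sender domain (digit-for-letter swaps or one edit away from a protected brand), a brand in the display name but not the address, a Reply-To pointing elsewhere, link text that shows one host while the href goes to another, a brand name buried in a subdomain, a risky attachment extension, and urgency or credential-request wording.

```python
"""Heuristic checks for common phishing-email indicators, run over a parsed .eml."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands this hypothetical organization protects; real deployments load these from config.
PROTECTED_DOMAINS = {"example.com", "examplebank.com"}
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".iso", ".lnk", ".htm", ".html")
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "will be suspended", "final notice")
CREDENTIAL_TERMS = ("password", "login details", "credentials", "payment details", "bank details")
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})  # digit-for-letter swaps
HREF_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample messages, not real mail.
SAMPLE_EML = b"""From: "Example Bank Support" <alerts@examp1ebank.com>
Reply-To: collect@mail-relay.invalid
To: victim@example.com
Subject: URGENT: verify your account within 24 hours
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your account will be suspended. Please <a href="http://login.examplebank.com.verify-now.invalid/">
https://www.examplebank.com/login</a> and confirm your password.</p>
--b1
Content-Type: application/octet-stream; name="Statement.pdf.exe"
Content-Disposition: attachment; filename="Statement.pdf.exe"

AAAA
--b1--
"""
BENIGN_EML = b"""From: "IT Helpdesk" <helpdesk@example.com>
To: staff@example.com
Subject: Maintenance window Saturday
Content-Type: text/plain

The file server will be rebooted on Saturday at 22:00.
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one edit away from a protected domain is a typosquat candidate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); use a Public Suffix List library for co.uk-style TLDs."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_of(domain: str):
    """Return the protected domain this one imitates, or None if it is exact or unrelated."""
    d = domain.lower()
    if d in PROTECTED_DOMAINS:
        return None
    for p in PROTECTED_DOMAINS:
        if d.translate(CONFUSABLES) == p or levenshtein(d, p) <= 1:
            return p
    return None


def analyze(raw: bytes) -> dict:
    """Return {indicator: detail} for every heuristic that fires on the message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {}
    display, sender = parseaddr(msg.get("From", ""))
    from_dom = sender.rsplit("@", 1)[-1].lower()
    target = lookalike_of(from_dom)
    if target:
        hits["lookalike_sender"] = f"{from_dom} imitates {target}"
    if from_dom not in PROTECTED_DOMAINS and any(p.split(".")[0] in display.lower() for p in PROTECTED_DOMAINS):
        hits["display_name_mismatch"] = f"'{display}' sent from @{from_dom}"
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != from_dom:
        hits["reply_to_mismatch"] = f"replies go to {reply}"
    text = str(msg.get("Subject", "")).lower()
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            name = (part.get_filename() or "").lower()
            if name.endswith(RISKY_EXTENSIONS):
                hits["risky_attachment"] = name
        elif part.get_content_type() in ("text/plain", "text/html"):
            body = part.get_content()
            text += " " + body.lower()
            for href, anchor in HREF_RE.findall(body):
                host = urlparse(href).hostname or ""
                shown = re.search(r"https?://([^/\s<]+)", anchor)  # URL-looking link text
                if shown and registered_domain(shown.group(1)) != registered_domain(host):
                    hits["link_text_mismatch"] = f"shows {shown.group(1)}, goes to {host}"
                if any(p in host and registered_domain(host) != p for p in PROTECTED_DOMAINS):
                    hits["brand_in_subdomain"] = host
    if any(t in text for t in URGENCY_TERMS):
        hits["urgency"] = "pressure language in subject or body"
    if any(t in text for t in CREDENTIAL_TERMS):
        hits["credential_request"] = "asks for secrets or payment data"
    return hits


if __name__ == "__main__":
    for label, eml in (("sample", SAMPLE_EML), ("benign", BENIGN_EML)):
        print(label, analyze(eml))
```

Each heuristic on its own is noisy (a legitimate newsletter may trip the urgency check), so treat the output as a score to prioritize triage rather than a verdict; the sample message fires all eight checks, the benign one none.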

The primary methods for detecting phishing attacks are automated (increasingly machine-learning based) analysis of incoming email content, comparison of that content against known threat intelligence, and reports from end users who receive suspicious emails or are directed to suspicious websites. Security professionals such as SOC teams and IT staff use a range of tools to run this process, which is summarized as phishing analysis.

Phishing analysis tools are cybersecurity instruments that detect threats and allow mitigation before an attack causes damage. They automatically recognize known phishing threats and automate the remediation steps that address them. This automation gives analysts more time to work through false positives and prioritize critical threats.

Here are five tools to help SOC teams with phishing investigations.

VirusTotal

VirusTotal is an online service that runs suspicious files and URLs through dozens of antivirus engines and website scanners to detect malware and malicious content.

It also gives visibility into ongoing phishing activity: its Phishing, Anti-Fraud, and Brand Monitoring use cases are built on detecting submissions that imitate an organization's assets, intellectual property, infrastructure, or brand. VirusTotal is free for non-commercial use. Note that anything submitted to the public service is shared with the security community, so look up a file's hash before uploading the file itself.

Urlscan.io

Urlscan.io is a free service that scans and analyzes URLs. Its mission is to make it simple and safe to analyze unknown and potentially malicious websites. It records the activity the page generates (requests, domains, scripts, a screenshot) and flags the page as potentially malicious if it targets one of the hundreds of brands it monitors. Scans are public by default, so choose the unlisted or private visibility level before scanning a URL that carries a user's token or other sensitive data.

Any.Run

Any.Run is an interactive malware sandbox: the analyst detonates a sample in a virtual machine and can click through dialogs and follow links while the analysis runs, so the flow of the investigation stays under the analyst's control. At the end it produces a detailed report of the processes, network connections, and indicators observed. Submissions on the free plan are public, so treat anything uploaded there as disclosed.

AbuseIPDB

AbuseIPDB is a project that aims to curb malicious activity on the internet. Its mission is to help secure the Web by maintaining a central blacklist of IP addresses associated with malicious online activity. The list is built from reports submitted by its users: an IP reported for illegal, abusive, or inappropriate activity is flagged, and the volume and recency of reports feed an abuse confidence score. Reported activities include DDoS attacks, various types of spam, fraudulent orders, hacking attempts, phishing, spoofing, and SQL injection. Because the data is crowd-sourced, read the reports behind a score before blocking: shared addresses such as cloud egress IPs, VPN exits, and carrier-grade NAT ranges accumulate reports that may not reflect the specific host you are investigating.

Cuckoo Sandbox

Cuckoo Sandbox is open-source software that automates the analysis of suspicious files, so attachments from suspected phishing emails can be detonated and studied in it. Thanks to its open-source code and modular design, every aspect of the analysis environment, the processing of results, and the reporting stage can be customized. The original Cuckoo 2.x code base is Python 2 based and no longer actively maintained, so a deployment today should plan on a community fork or successor project.
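The first four services above expose APIs, and a SOC usually strings them together into one enrichment step for the URL, attachment hash, and sender IP pulled from a reported message. The script below is an added example, not code from the article or from the vendors: endpoint paths, header names and response fields follow the public VirusTotal v3, urlscan.io v1 and AbuseIPDB v2 APIs, while the sample IOCs, the canned responses and the escalation thresholds are constructed for the demo. The transport is injected, so the same `enrich` function runs offline against the canned responses and, with API keys in the environment, against the live services.

```python
"""Enrich phishing IOCs against VirusTotal, urlscan.io and AbuseIPDB."""
import base64
import json
import os
import urllib.parse
import urllib.request

VT_API = "https://www.virustotal.com/api/v3"
URLSCAN_API = "https://urlscan.io/api/v1"
ABUSEIPDB_API = "https://api.abuseipdb.com/api/v2"

# Constructed sample IOCs: a .invalid domain, a documentation-range IP, the SHA-256 of an empty file.
SAMPLE_URL = "http://login.examplebank.com.verify-now.invalid/"
SAMPLE_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
SAMPLE_IP = "198.51.100.23"
DEMO_UUID = "00000000-0000-0000-0000-000000000000"


def vt_url_id(url: str) -> str:
    """VirusTotal v3 addresses a URL by its unpadded base64url encoding."""
    return base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")


def http_get(url: str, headers: dict) -> dict:
    """Real transport: GET and parse JSON. Used only when API keys are configured."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=20) as resp:
        return json.load(resp)


# Canned responses in the shape the three APIs return, so the demo runs offline (constructed data).
DEMO_RESPONSES = {
    f"{VT_API}/urls/{vt_url_id(SAMPLE_URL)}": {"data": {"attributes": {"last_analysis_stats": {
        "harmless": 60, "malicious": 9, "suspicious": 2, "undetected": 20, "timeout": 0}}}},
    f"{VT_API}/files/{SAMPLE_SHA256}": {"data": {"attributes": {"last_analysis_stats": {
        "harmless": 0, "malicious": 41, "suspicious": 0, "undetected": 30, "timeout": 1}}}},
    f"{URLSCAN_API}/search/?q=domain%3Alogin.examplebank.com.verify-now.invalid": {
        "total": 1, "results": [{"_id": DEMO_UUID, "result": f"{URLSCAN_API}/result/{DEMO_UUID}/"}]},
    f"{URLSCAN_API}/result/{DEMO_UUID}/": {"verdicts": {"overall": {"malicious": True, "score": 100}}},
    f"{ABUSEIPDB_API}/check?ipAddress={SAMPLE_IP}&maxAgeInDays=90": {
        "data": {"ipAddress": SAMPLE_IP, "abuseConfidenceScore": 87, "totalReports": 14}},
}


def demo_fetch(url: str, headers: dict) -> dict:
    """Offline transport: serve the canned response for a known request URL."""
    return DEMO_RESPONSES[url]


def vt_stats(obj: dict) -> dict:
    """Reduce a VT URL/file object to engine counts."""
    s = obj["data"]["attributes"]["last_analysis_stats"]
    return {"malicious": s.get("malicious", 0), "suspicious": s.get("suspicious", 0), "engines": sum(s.values())}


def enrich(url: str, sha256: str, ip: str, fetch, keys: dict) -> dict:
    """Query the three services through fetch(url, headers) and decide whether to escalate."""
    vt_h = {"x-apikey": keys.get("vt", "")}
    out = {"vt_url": vt_stats(fetch(f"{VT_API}/urls/{vt_url_id(url)}", vt_h)),
           "vt_file": vt_stats(fetch(f"{VT_API}/files/{sha256}", vt_h))}

    # urlscan: reuse an existing scan of the domain rather than submitting a new one,
    # which would fetch the attacker's page from urlscan's infrastructure and may tip them off.
    us_h = {"API-Key": keys.get("urlscan", "")}
    host = urllib.parse.urlparse(url).hostname or ""
    hits = fetch(f"{URLSCAN_API}/search/?q={urllib.parse.quote('domain:' + host)}", us_h)
    out["urlscan"] = None
    if hits.get("results"):
        overall = fetch(hits["results"][0]["result"], us_h).get("verdicts", {}).get("overall", {})
        out["urlscan"] = {"malicious": bool(overall.get("malicious")), "score": int(overall.get("score", 0))}

    ab_h = {"Key": keys.get("abuseipdb", ""), "Accept": "application/json"}
    d = fetch(f"{ABUSEIPDB_API}/check?ipAddress={ip}&maxAgeInDays=90", ab_h)["data"]
    out["abuseipdb"] = {"confidence": d["abuseConfidenceScore"], "reports": d.get("totalReports", 0)}

    # Hypothetical escalation thresholds; tune them to your own false-positive budget.
    out["escalate"] = (out["vt_url"]["malicious"] >= 3 or out["vt_file"]["malicious"] >= 5
                       or bool(out["urlscan"] and out["urlscan"]["malicious"])
                       or out["abuseipdb"]["confidence"] >= 50)
    return out


if __name__ == "__main__":
    keys = {"vt": os.getenv("VT_API_KEY"), "urlscan": os.getenv("URLSCAN_API_KEY"),
            "abuseipdb": os.getenv("ABUSEIPDB_API_KEY")}
    live = all(keys.values())
    result = enrich(SAMPLE_URL, SAMPLE_SHA256, SAMPLE_IP, http_get if live else demo_fetch, keys if live else {})
    print(json.dumps(result, indent=2))
```

Two practitioner notes: against the live services a 404 from VirusTotal simply means the URL or hash has never been seen, so wrap `http_get` with that case handled before relying on it in a pipeline; and the script deliberately looks up the file by hash and the domain by search instead of uploading the attachment or launching a new scan, which keeps internal documents and the fact of your investigation off public platforms unless you choose to submit.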

Phishing is a widespread security problem that affects everyone, from individual users to the largest organizations. A single campaign can hit many victims at once and cause massive damage, so defensive measures are essential. The phishing analysis resources above make those measures more effective at detecting and preventing phishing attacks.