A recent Verizon report shows that 43% of data breaches utilize phishing as a point of entry. With security attacks, phishing and others, on the rise, any organization using email as a means to communicate needs to be aware of how to best protect their environment and date. In this blog, I’ll highlight Phish Hunter, comprised of the newest strategy and insights from Microsoft, aimed to help you guard against the most sophisticated phishing attacks, like Spear Phishing and Whaling, and most importantly combat compromised accounts. Better understand the tools that are available to fight these attacks and leverage new auto-remediation mechanisms against unknown attacks and compromised accounts.
Phishing is on the Rise
One of the key takeaways from statistical data that I referenced in last week’s blog is that the majority of attacks happen because of stolen credentials.
Take a look at these devastating stats:
– It costs a company, on average, $4 million for each data breach incident.
– 300K new malware samples are created and spread every day.
– 87% of senior managers have admitted to accidentally leaking business data.
Phishing is on the rise as it pertains to cyber threats. The FBI reported that business email compromised related economic loss adds up to $5B over the last year alone. There were more than 255K unique phishing attacks in 2016 alone with more than 600 unique brands attacks. In the last nine months, Microsoft has detected about 800M phishing emails against their OWN systems. This type of attack is rampantly evolving making a differentiated and comprehensive approach imperative. This is where Microsoft is uniquely positioned to help organizations.
Looking at the Phishing Landscape
The most basic scams target end users and consumers with attackers asking for financial information or sending false IT support. Then there are Brand Phishing attacks. These typically go after consumer credential accounts, social peer-to-peer systems, and social media accounts. The goal is to get credentials and penetrate as many systems as possible. In these scenarios users typically utilize the same credentials across different social sites making it incredibly easy to penetrate multiple accounts. Then there are more sophisticated and customized SaaS-based phishing attacks. Typically, these use spoofing emails from and impersonate a popular SaaS application in order to get credentials and gain access to sources. Then, there are the most impactful Spear Phishing and Whaling attacks. Attackers target high-ranking individuals’ accounts resulting in a “Trusted User Phishing” attack from a compromised account. Some of the incidences resulted in W2 fraud, wire fraud, and compromised highly ranked accounts exposing highly sensitive corporate information. Whaling emails and websites are generally highly customized and contain personalized information such as the target’s name and job title.
The different threat vectors empowering these attacks span across domain spoof, malware attachments, redirects to malicious sites, fake SaaS Apps and User Impersonation. By applying the ‘Protect, Detect, Respond’ security framework Microsoft is addressing these threat vectors with intelligent mechanisms. Microsoft builds threat protection solutions on a rich set of signals that are seen across the entire Microsoft 365 stack. This empowers very diverse technology signals across the platform with intelligence and then shares that intelligence across various endpoints.
Introducing Phish Hunter
Phish Hunter is designed to provide Advanced Security Flows, Automatic Remediation with Identity Centric protection, Intelligence, and Risk Scoring mechanisms
- Organizations need a comprehensive approach to combat the most sophisticated phishing attacks
- Organizations need a comprehensive approach to combat compromised accounts
- The majority of anti-phishing solutions miss auto-remediation mechanisms
- Organizations are looking for insights into cloud intelligence and edge enforcement so that the intelligence can be used to prevent future attacks
Phish Hunter is not a product but rather a new comprehensive approach for combating compromised accounts leveraging different Microsoft technologies working in integrated and orchestrated manner: Advanced Security Management (ASM), Advanced Threat Protection (ATP), Flow, Azure Active Directory Premium (AADP), Azure Automation (Runbooks), and Power BI.
Phish Hunter will help with the following:
- Fighting against unknown attack scenarios
- Combating compromised accounts by providing automatic protection and automatic remediation
- Overcoming false positives and/or false negatives
- Providing automated and continuous remediation cycle
- Providing intelligent insights and visibility
- Profile and vector attack intelligence
- Providing tenant-specific insights for additional protection empowered by Advanced Threat Intelligence
The idea is to add local insights to cloud intelligence and provide edge enforcement when there is a compromised account. Watch the short video to see the kill chain lifecycle of a trusted user phishing attack.
Here is a break down of each component and how the solution works.
- ATP and AADP P2 provide automatic protection at the edge:
- Advanced Threat Protection helps protect against sophisticated threats hidden in email attachments and links, and ATP provides cutting-edge defenses against zero-day threats, ransomware, and other advanced malware attempts. Rich reporting lets you investigate why ATP flagged a threat, and it gives you details about the users who received malicious emails / malicious links and further clicked on malicious links.
- Azure Active Directory Premium – Provides different types of access controls:
- Grant access controls that govern whether or not a user can complete authentication and reach the resource that they’re attempting to sign-in to. If you have multiple controls selected, you can configure whether all of them are required when your policy is processed.
- Session controls – Session controls enable limiting experience within a cloud app. The session controls are enforced by cloud apps and rely on additional information provided by Azure AD to the app about the session.
- Session sign-in risk is an object that is used by Azure Active Directory to track the likelihood that a sign-in attempt was not performed by the legitimate owner of a user account. In this object, the likelihood (High, Medium, or Low) is stored in a form of an attribute called sign-in risk level. This object is generated during a sign-in of a user if sign-in risks have been detected by Azure Active Directory. Very powerful!
- ASM provides insights into the environment to find attacks:
- Advanced Security Management enables you to set up anomaly detection policies, so you can be alerted to potential breaches of your Office 365 environment. Anomaly detection works by scanning user activities and evaluating their risk against over 70 different indicators, including sign-in failures, administrator activity, and inactive accounts. For example, you can be alerted to impossible travel scenarios, such as if user signs into the service to check their mail from New York and then two minutes later is downloading a document from SharePoint Online in Tokyo.
- Flow and Azure:
- Will provide automatic remediation of compromised accounts based upon known attack profiles and their associated risk profile. Connecting the above-mentioned components with Azure Automation, Flow provides an assessment of incoming triggers from ASM and subsequently execute automation steps in Azure Runbooks. Additionally, you can fine-tune the Flow so that it assesses multiple conditions in combination, in order to provide a smarter response to those attacks.
- Power BI, ATP, and AADP:
- Can then be used to push tenant-specific insights to the edge for additional protection against current and future attacks via Conditional Access and SafeLinks.
Interested in learning more about Phish Hunter or implementing a Proof of Concept for your organization? Click on the button below or contact firstname.lastname@example.org to get the conversation started with an enterprise security expert today.