Phishing incident response
Orhan Sari
Incident response is an approach to addressing and managing the effects of a security breach or cyberattack. Its purpose is to control the consequences of an attack in a way that limits damage and disruption, and reduces recovery time and cost.
Incident response activities are mostly conducted by the organization’s computer security incident response team (CSIRT). Incident response is important because any event that is not handled correctly can pave the way for bigger issues such as system failure. Responding to an attack quickly helps an organization minimize its losses and address the vulnerabilities that were exploited.
Keepnet Labs Incident Responder
This service analyzes suspicious e-mails (in automatic or manual mode) reported from users’ mailboxes with integrated threat analysis modules. An active response feature can block the related traffic.
How Does It Work?
1. Through its plugin, Keepnet Phishing Reporter lets a user report a suspicious e-mail with a single click.
2. The Incident Responder service receives this e-mail and analyses it with the following steps:
- Spam control with integrated antispam services
- Anomaly detection
- URL reputation control
- Malicious content detection
- Detecting suspicious content with artificial intelligence
- Known malware control with Antivirus services
- Detection of unknown malware with Anti Malware Sandbox technology
- Detection of 0-day file format exploits with Anti Exploit technology
3. According to the analysis result, it creates attack signatures of the following kinds, for alarm generation or for blocking on active security devices:
- Snort Rule
- Yara Rule
- Antispam Rule
- ACL for Firewalls
- Logs for SIEM Solutions
Built-in Integrated Services
- VirusTotal: Analyze suspicious files and URLs to detect types of malware, including viruses, worms and trojans, with 56 different antivirus engines.
- Zemana Anti-Malware: Zemana is an effective detection service for malware, spyware, adware, ransomware, rootkits and bootkits.
- Trapmine: Trapmine is a combination of malware detection and exploit prevention against both known and unknown (0-day) threats.
- Roksit DNS Firewall: Roksit DNS Firewall provides active/passive botnet C&C, malware and phishing URL detection.
- 3rd Party Services: If you have a threat analysis service such as FireEye, Bluecoat or Palo Alto, we can integrate it to automate these analysis actions and save your time.
- You can search for and detect which users’ mailboxes hold the suspicious e-mail, and take preventive measures with one click. A SOC / IR team member can reach the malicious content and apply preventive measures by writing an advanced query over any field an e-mail can contain, on every mailbox where Phishing Reporter is installed in the e-mail client.
Phishing Reporter lets you destroy a malicious e-mail with one click. But to detect and prevent the harmful activity expected in your network, you also have to pass the necessary rules to your antivirus, antispam, IPS, SIEM, DLP and sandboxing products. This task, which requires serious expertise and consumes hours, is resolved with Phishing Reporter in seconds with one click, letting you orchestrate your security solutions.
To help you take precautions if the e-mail you analyse is suspicious:
- Snort Rule: Generates Snort rules that you can use with the best-known IPS (intrusion prevention system) products to block malicious activity.
- Yara Rules: Yara is a tool designed to help malware researchers identify and classify malware samples. It has been called the pattern-matching Swiss Army knife for security researchers (and everyone else). Many cyber threat prevention tools and services are compatible with Yara rules.
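As an added illustration of steps 2 and 3 above and the Snort/Yara outputs (example code written for this page, not Keepnet’s own), the following Python script parses a constructed reported e-mail, extracts URL hosts and attachment hashes, and turns them into a Snort 2 rule and a hash-based YARA rule. The message contents, rule names and sid numbering are assumptions.

```python
import email
import hashlib
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample of a user-reported phishing e-mail (not a real message).
REPORTED_EML = b"""From: "IT Helpdesk" <helpdesk@example.test>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Reset your password now: http://login-reset.example.test/auth?u=1
--b1
Content-Type: application/octet-stream; name="invoice.docm"
Content-Transfer-Encoding: base64

QUJDRA==
--b1--
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def extract_iocs(raw):
    """Return sender, URL hosts and SHA-256 of each attachment from a raw e-mail."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hosts, hashes = set(), {}
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_filename():  # attachment: hash the decoded payload
            hashes[part.get_filename()] = hashlib.sha256(part.get_payload(decode=True)).hexdigest()
        elif part.get_content_type() == "text/plain":
            hosts.update(urlparse(u).hostname for u in URL_RE.findall(part.get_content()))
    return {"sender": str(msg["From"]), "hosts": sorted(hosts), "hashes": hashes}

def snort_rules(hosts, base_sid=1000001):
    """One Snort 2 rule per phishing host; base_sid is a placeholder for your local sid range."""
    return [
        f'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Phishing host {h}"; '
        f'flow:to_server,established; content:"{h}"; http_header; nocase; sid:{base_sid + i}; rev:1;)'
        for i, h in enumerate(hosts)
    ]

def yara_rule(hashes, name="reported_phish_attachment"):
    """YARA rule matching any reported attachment by SHA-256 (needs YARA's hash module)."""
    conds = " or ".join(f'hash.sha256(0, filesize) == "{h}"' for h in hashes.values())
    return f'import "hash"\nrule {name} {{\n    condition:\n        {conds}\n}}'
```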
Reverse Engineering Support
We provide expert support from our professional phishing and malware analysis team, and from other SOC companies around the world with which we have agreements. Within various SLA times, you have the opportunity to get an in-depth analysis of phishing e-mails and malware from a specialized team.
We offer sophisticated malicious software analysis support with SOC teams based in the UK, USA, Estonia, Bosnia and Turkey.
Traditional protection methods are inadequate; this technology offers the most effective cyber attack detection and defense services, with multiple alternatives, to protect you against ransomware, spear phishing and 0-day exploitation attacks targeting your e-mail.
Benefits to the security operation center (SOC):
- Cost-Effective: With built-in integrated services, you do not need to invest in any other anti-malware sandbox or anti-exploitation solution.
- It reduces the hours of effort you spend analysing malicious e-mails.
- Unwanted e-mails can be deleted from users’ mailboxes with information received from the command center.
- It reports which users’ mailboxes contain a given e-mail message.
- If the existing security measures are inadequate for analysis, detection and prevention, it gives you the opportunity to benefit from Keepnet’s analysis service.
- It provides more effective security measures through integration with third-party systems (SIEM, firewall, DLP etc.).
Direct benefit to email user:
- Employees report aggressive attacks with a single click.
- Early “phishing” warnings are received from users, creating a “sensor” network.
- The user is notified that this was the correct action when he/she clicks the “Report Phishing” button in a simulated phishing security test.
- It allows the user to send a suspicious e-mail to the analysis services and get a risk score.
- The institution’s security culture is strengthened.
- Employees receive immediate feedback that enhances their training.
Features Comparison Chart
| Feature | | |
|---|---|---|
| Built-in Threat Analysis Engines | ✓ | x |
| Third-party Service Integration | ✓ | ✓ |
| Incident Investigation on Client | ✓ | x |
| Expert threat analyst | ✓ | ✓ |