Why would a DLP solution, which is primarily aimed at controlling internal threats, need the unusual capability of detecting external threats?
The first reason is client demand. We usually develop new functions for our software based on our clients' requests.
The second reason is that phishing remains the most popular technique among intruders: it is the cheapest and the most efficient way to compromise a user. The threat is real both for ordinary users and for the corporate segment, where intruders steal company data through employees' compromised accounts, infect the corporate infrastructure with malware and carry out disruptive actions.
The problem becomes even more critical as phishing techniques continue to evolve, and no email spam filter is perfect. So we decided to look at the cases in which suspicious emails were nevertheless delivered to employees' mailboxes. In such cases it is essential to notify information security officers so that they can intervene in time, and ideally to do so before users open the emails, follow the malicious links or download infected attachments.
So, the task was solved in two steps.
The first step was to find the emails in mailboxes that were potentially phishing. To do this, we compared two attributes, "mailMessage ID" and "From", in all of the employees' incoming emails. Both attributes can be seen by opening the properties of any email.
The point is that in a legitimate email the domain (everything after "@") should be the same in both attributes. If they differ, some technique such as address substitution or domain masking is in use, and all such techniques may potentially be used by intruders.
SearchInform DLP reveals all such mismatches and marks them as potential phishing attempts. Such an additional security measure is clearly justified.
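The comparison described above, written out as an added example that is not SearchInform's own code. It assumes that the "mailMessage ID" attribute is the standard Message-ID header, takes the domain as everything after the last "@" in each header, and flags a message for review when either header is missing. The strict equality check is the one the text describes; the optional `allow_subdomains` switch goes beyond the text and tolerates a mail host under the sender's domain (e.g. a Message-ID generated on mx1.corp.example for a sender at corp.example). The four messages are constructed samples.

```python
import email
from email.utils import parseaddr
from typing import Optional


def header_domain(value: Optional[str]) -> Optional[str]:
    """Lower-cased domain (everything after the last '@') of an address-like
    header such as 'Alice <alice@corp.example>' or '<id1@mail.corp.example>'.
    Returns None when no domain can be extracted."""
    if not value:
        return None
    _, addr = parseaddr(str(value))          # strips display names and <> brackets
    if "@" not in addr:
        addr = str(value).strip().strip("<>")  # fall back for odd Message-ID syntax
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].strip().lower()


def domains_match(from_domain: str, msgid_domain: str, allow_subdomains: bool = False) -> bool:
    """Strict equality as in the text; optionally accept a host under either domain."""
    if from_domain == msgid_domain:
        return True
    if allow_subdomains:
        return (msgid_domain.endswith("." + from_domain)
                or from_domain.endswith("." + msgid_domain))
    return False


def check_message(raw: bytes, allow_subdomains: bool = False) -> dict:
    """Parse one raw RFC 5322 message and compare the From and Message-ID domains.
    verdict: 'ok' (domains agree), 'mismatch' (potential phishing, create an incident),
             'review' (a header is missing, so the check cannot be applied)."""
    msg = email.message_from_bytes(raw)
    from_domain = header_domain(msg.get("From"))
    msgid_domain = header_domain(msg.get("Message-ID"))
    if from_domain is None or msgid_domain is None:
        verdict = "review"
    elif domains_match(from_domain, msgid_domain, allow_subdomains):
        verdict = "ok"
    else:
        verdict = "mismatch"
    return {
        "subject": msg.get("Subject", ""),
        "from_domain": from_domain,
        "msgid_domain": msgid_domain,
        "verdict": verdict,
    }


# Constructed sample messages (not real traffic).
LEGIT = b"""From: Alice Accounting <alice@corp.example>
To: bob@corp.example
Subject: Invoice Q3
Message-ID: <20240101.1234@corp.example>

Please find the invoice attached.
"""

SPOOFED = b"""From: "CEO" <ceo@corp.example>
To: bob@corp.example
Subject: Urgent payment
Message-ID: <a1b2c3@other-host.example.net>

Please process the attached payment today.
"""

NO_MSGID = b"""From: bob@corp.example
To: alice@corp.example
Subject: Lunch?

No Message-ID header at all.
"""

SUBDOMAIN = b"""From: Bob <bob@corp.example>
To: alice@corp.example
Subject: Minutes
Message-ID: <x9y8z7@mx1.corp.example>

Sent through the company's own mail host.
"""


if __name__ == "__main__":
    for raw in (LEGIT, SPOOFED, NO_MSGID, SUBDOMAIN):
        r = check_message(raw)
        print(f"{r['verdict']:8} from={r['from_domain']} msgid={r['msgid_domain']} subject={r['subject']}")
```

In practice the strict check produces a "mismatch" for any mail whose Message-ID is generated on a different host than the sender's domain, which is why the text treats a hit as a case for an information security officer to examine rather than as proof of phishing. Running with `allow_subdomains=True` removes the most common benign source of hits (the company's own mail hosts) while still flagging a Message-ID from an unrelated domain.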
The second step was to decide how to use this data properly. We chose to delegate that decision to the client's information security officers; in our opinion, the most important thing is to provide them with all the information they need. A special filter that triggers on "mismatch of email attributes" was configured in AnalyticConsole, so all such cases can be examined in detail manually. The same security policy was also added to AlertCenter: it automatically detects such emails, creates an incident, notifies the information security officer by email or Telegram (another feature we added recently) and lets the officer quickly look through the letter and view its attachments and background.
You can go even further and create external scripts that, for instance, automatically delete such emails from employees' mailboxes. However, this should not be considered a panacea, and it is not suitable for every company: if every suspected email is discarded, business processes may be interrupted.
As a result, cases in SearchInform DLP that allegedly involve phishing have to be handled manually. Is this additional work for the information security department? Probably yes. However, it significantly improves the chance that an employee will not download a malicious attachment and that the corporate infrastructure will not be compromised. One more option for threat detection is certainly not superfluous.