SearchInform DLP detects phishing: why would you need this functionality in a DLP-class tool?
13.02.2023
Why a DLP solution, which is primarily aimed at controlling internal threats, needs the atypical capability of detecting external threats.
The first reason is client demand: we usually develop new functions for our software based on our clients' requests.
The second reason is that phishing remains the most popular technique among intruders: the cheapest and most efficient method of compromising a user. The threat is real both for ordinary users and for the corporate segment: intruders steal company data via compromised employee accounts, infect corporate infrastructure with malware and carry out disruptive actions.
The problem becomes even more critical as phishing techniques continue to evolve, and at the same time there is no perfect email spam filter. So we decided to address the cases in which suspicious emails are nevertheless delivered to employees' mailboxes. In such an incident, information security officers must be notified so that they can intervene in time, and it is crucial that they manage to do so before users open the emails, follow the malicious links or download infected attachments.
So, the task was solved in two steps.
The first step was to identify potentially phishing emails in the mailboxes. To do this, we compared two attributes in all incoming employee emails: “mailMessage ID” and “From”.
In other words:
- The email identifier is unique to each message and usually consists of a unique part and a domain. The domain is exactly what we need.
- The sender attribute contains the sender's name in the form in which it is displayed to the user in the mailbox.
Both attributes can be viewed by opening the properties of any email.
The point is that in a legitimate email the domains (everything after “@”) in both attributes should match. If they differ, a substitution, domain masking or similar technique has been applied, and all such methods may be used by intruders.
SearchInform DLP reveals all such mismatches and marks them as potential phishing attempts. Such an additional security measure is certainly justified.
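The domain comparison described above, as an added example that is not SearchInform's own code: it parses the “From” and “Message-ID” headers of a raw message with Python's standard email library, extracts the part after “@” from each, and marks the message for review when they differ. The sample messages and the `corp.example` / `other.example` domains are constructed placeholders, and treating a missing header as a mismatch is this example's own assumption.

```python
from email import message_from_string
from email.policy import default
from email.utils import parseaddr


def header_domain(value):
    """Return the part after '@' of an address-like header, lowercased, or None."""
    # parseaddr handles both 'Name <user@host>' (From) and '<unique@host>' (Message-ID)
    _, addr = parseaddr(str(value) if value is not None else "")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].strip().lower()


def check_message(raw):
    """Compare the From and Message-ID domains; a mismatch marks the mail for manual review."""
    msg = message_from_string(raw, policy=default)
    from_dom = header_domain(msg["From"])
    id_dom = header_domain(msg["Message-ID"])
    # Assumption: a header that is missing cannot be verified, so it counts as a mismatch.
    # A mismatch is a signal for the security officer, not proof of phishing.
    return {
        "from": from_dom,
        "message_id": id_dom,
        "suspicious": from_dom is None or id_dom is None or from_dom != id_dom,
    }


# Constructed sample messages (not real mail); placeholder domains only.
LEGIT = """From: HR Department <hr@corp.example>
To: employee@corp.example
Message-ID: <20230213.0001@corp.example>
Subject: Timesheets

Please submit timesheets by Friday.
"""

MISMATCH = """From: IT Support <support@corp.example>
To: employee@corp.example
Message-ID: <a1b2c3d4@relay.other.example>
Subject: Password reset required

Follow the link to keep your account.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("mismatch", MISMATCH)):
        print(name, check_message(raw))
```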
The second step was to work out how to use this data properly. We decided to delegate this task to the client's information security officers; in our opinion, the most important thing is to provide them with all the information required. A special filter that triggers on a “mismatch of email attributes” was configured in AnalyticConsole, so the details of every such case can be examined manually. A security policy was also added to AlertCenter: it automatically detects such emails, creates an incident, notifies the information security officer via email or Telegram (another recently added feature) and lets them quickly look through the email and view its attachments and context.
You can go even further and create external scripts which, for instance, automatically delete such emails from employees' mailboxes. However, this should not be considered a panacea and is not applicable to all companies: if every email that merely looks suspicious is discarded, business processes may be interrupted.
As a result, cases in SearchInform DLP that allegedly involve phishing must be dealt with manually. Should this be considered additional work for the information security department? It depends, but probably yes. However, it significantly increases the chance that an employee will not download a malicious attachment and that the corporate infrastructure will not be brought down. One more option for threat detection is certainly not superfluous.