Today, I speak with Sibe, analyst of the SOC of Tesorion. One of Sibe’s specialities is the detection and mitigation of phishing attacks. Phishing is a form of internet fraud where people are lured to a malicious website in order to leave sensitive information behind, e.g. credit card details or login details of their bank or their work. A login environment was created on the malicious website that often cannot be distinguished from real.
Strong security at the gate and beyond
Phishing often happens via email, however nowadays also ever more often via text messaging (Smishing) or WhatsApp. The customers of Tesorion are also frequently dealing with phishing emails. It can always happen that an employee of a customer clicks on this kind of link and is forwarded to a malicious website.
“How do you actually recognise a phishing attack?”, I ask Sibe.
“With sensors we monitor the network traffic of our customers. If an employee clicks on a link in a phishing email, then the sensor detects traffic to a website that has been qualified by us as a phishing website. Our monitoring system automatically creates a ticket of this’, explains Sibe. ‘One of my colleagues or myself will then examine the ticket. We first check if it really is a phishing website. If that is the case, then we analyse the data traffic to this site in order to determine if login details were left behind.”
“This is not always easy”, continues Sibe. “In case of an http site, we can see it immediately. However, if the traffic is encrypted, as in case of https, then we need to deduce it from the nature of the traffic. Multiple connections and connections that last longer can point to an exchange of login details. With the help of an IP address, MAC address, and potentially also the host name, we identify the device from which the phishing site was visited. In association with the customer, we establish the required measures, e.g. the isolation of an end-point and measures to prevent further steps in the kill chain.”
“So, it starts by establishing if a visited website is malicious. How do you do that?’, I ask Sibe. He answers: ‘We have a database with tens of thousands of websites of which we determined that they are phishing sites. Hundreds of mutations are added daily. At the start of the Covid-19 period, it were even thousands.”
“But this is not done automatically, I assume?’ ‘No’, says Sibe enthusiastically, ‘I developed a tool for this. I will roughly explain to you how it works. Phishing kits are available on the internet. This is software with which the landing page for a phishing campaign can be created. The software contains all sorts of standard components that are being reused on this kind of phishing site. You can recognise a website made with this kind of kit by these components. I use that input to perfect the tooling further.”
Sibe continues: “On sandbox sites, like urlscan.io, you can analyse websites in a secure manner and that is therefore done frequently. Thousands of sites are being scanned daily and the results of these scans, including certain components of the site, are freely accessible and consultable’, explains Sibe. ‘My tool continuously searches the scan results for specific values that I retrieved from the phishing kits. This way, this tool can find the websites that were made with the help of a phishing kit. That is basically how it works”
To my question how this kind of tool is developed, Sibe answers: “Every two weeks, the Detection Improvement Group meets. All SOC-analisten participate in it. We brainstorm about new methods of detection and we review each other’s ideas. Together we coordinate what we elaborate further and what new tooling we will be using. I find these sessions very inspiring and informative, and the amount of ideas we have always surprises me. But that is also necessary: technology does not stand still, and the methods of attack also change constantly.”
“If you could make one wish then what would it be?’, I ask Sibe. He does not need to think long: ‘I could fill the entire day with the development and improvement of tooling. So, if more time would be available for that …”