With phishing at an all-time high, organizations need faster, more automated ways to detect and protect against phishing attacks. SlashNext’s new threat intelligence service aims to meet those needs. Focusing specifically on phishing threat intelligence, the service provides real-time information on credential stealing, scareware, rogue software, phishing exploits, social engineering scams and phishing callbacks.
As CEO Atif Mushtaq explains, the service’s threat intelligence is developed in real time via global dynamic URL sourcing, along with the company’s proprietary cloud-based threat detection technology. Most anti-phishing technologies use URL inspection and domain reputation analysis. SlashNext’s technology, in contrast, uses Session Emulation and Environment Reconnaissance (SEER), which leverages virtual browsers in the cloud to inspect sites in real time using advanced techniques like computer vision, optical character recognition, natural language processing, lexical analysis and active site behavioral analysis.
To make it work, organizations get an API authentication key, which allows them to access SlashNext phishing threat intelligence via a web API. Users can select any combination of URLs, domains and IPs. The API also allows them to select the data format (JSON, CSV, plaintext). So when a user clicks a phishing hook or link advertisement, the system checks its database. If the threat is there, it’s blocked. If it isn’t, the system analyzes the site in its cloud analytics engine, looking at hundreds of indicators to determine whether the content diverges from what it sees on the known-good site pages.
According to Mushtaq, security teams can use SlashNext Real-Time Phishing Threat Intelligence for many purposes. For example, they can integrate the intelligence with other information to compare and identify gaps in coverage. They can also ingest it into their SIEM or SOAR and use it to compare incident URLs against live phishing threat intelligence to determine if they are malicious. Other potential uses include:
- Testing URLs, domains and IPs to determine if current defenses block them (vulnerability testing, pen testing, gap testing, etc.)
- Integration with blocking infrastructure like firewalls or DNS to protect employees from malicious sites
- Integration with secure email gateways to check if URLs in suspicious emails are malicious
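As an added illustration (not SlashNext's code or API schema), here is how a SIEM or SOAR playbook could compare incident URLs against a JSON indicator feed of the kind described above, matching on exact URL, IP literal, or domain (including subdomains) and returning the threat category; the feed entries and incident URLs are constructed samples.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample feed (illustrative schema, not SlashNext's): type url/domain/ip plus threat category.
FEED_JSON = json.dumps([
    {"type": "url", "value": "http://login-example.test/secure/verify.php", "verdict": "credential_stealing"},
    {"type": "domain", "value": "bad-updates.test", "verdict": "rogue_software"},
    {"type": "ip", "value": "203.0.113.45", "verdict": "phishing_callback"},
])

# Constructed incident URLs, as a SIEM might export them from proxy or mail logs.
INCIDENT_URLS = [
    "http://login-example.test/secure/verify.php",
    "https://cdn.bad-updates.test/installer.exe",
    "http://203.0.113.45:8080/c2/beacon",
    "https://example.org/newsletter",
    "https://notbad-updates.test/",  # must NOT match the bad-updates.test indicator
]

def load_feed(feed_json):
    """Index the feed by indicator type so each lookup is a dict hit."""
    index = {"url": {}, "domain": {}, "ip": {}}
    for entry in json.loads(feed_json):
        index[entry["type"]][entry["value"].lower()] = entry["verdict"]
    return index

def classify_url(url, index):
    """Return (indicator_type, verdict) for a matching URL, else None.
    Order: exact URL, then host as an IP literal, then host or any parent domain."""
    if url.lower() in index["url"]:
        return ("url", index["url"][url.lower()])
    host = (urlsplit(url).hostname or "").lower()
    try:
        ipaddress.ip_address(host)          # raises ValueError for a hostname
        verdict = index["ip"].get(host)
        return ("ip", verdict) if verdict else None
    except ValueError:
        pass
    labels = host.split(".")
    for i in range(len(labels) - 1):        # walk up: a.b.c.test -> b.c.test -> c.test
        candidate = ".".join(labels[i:])
        if candidate in index["domain"]:    # label-boundary match, so notbad-updates.test is not hit
            return ("domain", index["domain"][candidate])
    return None

def match_incidents(urls, feed_json):
    # Map each incident URL to its feed verdict (or None) for SIEM/SOAR enrichment.
    index = load_feed(feed_json)
    return {u: classify_url(u, index) for u in urls}
```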
The results are accurate and fast; SlashNext SEER technology can tell if a site is malicious within about 15 seconds, Mushtaq said. That small amount of latency is due to the use of virtual browsers to dynamically inspect page contents and server behavior. But since SlashNext does proactive threat hunting, it often finds phishing sites pre-emptively, before the attack has threatened a particular organization, he added.
The method SlashNext uses differs from those of other systems.
“The traditional reputational-based approach with blacklists relies on time to build a reputation, and no reputation is often perceived as OK,” explained David Monahan, managing research director for security and risk management at Enterprise Management Associates. “The problem is that when the domain pops up and shuts down in bursts, there is no reputation, even though it is bad. By using the approach of machine learning/artificial intelligence, OCR, advanced computer vision and natural language processing, it can identify phishing sites in real time and push the updates out to their clients as they are discovered.”
The speed at which something like this delivers results is important. According to a recent report from Aberdeen Group, the median time to “first click” on malicious email is 134 seconds. The report also found traditional browser blocking and manual remediation to be too slow to be effective. The report concludes that the only solution is more automation, continuous automated analysis, and correlation of data across billions of emails and web transactions per day, “at speeds that are fast enough to turn detection of phishing emails and malicious phishing sites into more effective protection.”
“The superiority that comes from this emerging blend of real-time analytics, automation and integration across a broad observation space reflects the agile, technology-based approach to security that defenders need to have going forward to successfully manage the highly dynamic risk of phishing attacks,” concluded Derek Brink, author of the Aberdeen report.