
Gone Phishin' – Q&A with Tim Helming, Director Of Product Management, DomainTools

What sparked the need for a solution specific to hunting for phishing activity, a once very manual/time intensive process?

All too often, the first alert that organizations get about a phishing attempt or campaign is the phishing email itself. That’s definitely not the alerting system you want! PhishEye is designed to help the organization get ahead of phishing attempts, moving from a reactive posture to a preventive one. By identifying domains that are crafted to imitate legitimate domains as soon as they come into existence, PhishEye helps the security team create custom blacklists based specifically on the keywords that matter the most to them–typically their company name or brand names.

How does PhishEye work and who within an enterprise will be using the technology?

Phishing depends on domains, so if you can identify and block the domains in question, you disrupt the attack. PhishEye takes keywords that the user inputs, such as a company domain name or brand name, and generates a list of possible variants of that keyword. The variants include typos (such as domaint00ls, and many other ‘species’ of morphed spelling) and substring inclusions (such as domaintoolsaccount). Then PhishEye searches our database of around 315 million current domains to identify offending domains that exist. Finally, and perhaps most importantly, the user can set up alerts so that they get notified when PhishEye discovers new matching domains. They can take these names and create custom blacklists to deny the phishing traffic, whether that comes in the form of the “from” domain in the phish, or a malicious link, or both. PhishEye users are typically SOC analysts, or security team members who perform “SOC-like functions” in organizations that don’t have a formal SOC.
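The variant-matching idea from this answer, sketched as an added example: it is not DomainTools code and does not describe how PhishEye is implemented. The function names, the substitution table and the sample feed are constructed assumptions; it folds look-alike characters and separators, then checks for substring inclusion and single-edit typos.

```python
# Added illustration only; all names here are hypothetical.
import re

# Look-alike characters folded back to the letter they imitate (assumed table).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

def registrable_label(domain):
    """Label left of the TLD, lowercased (naive: assumes a single-label TLD)."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, keyword, own_domains=()):
    """Return 'substring', 'folded', 'typo' or None for one observed domain."""
    if domain.lower() in own_domains:
        return None                      # never flag the organization's own names
    label = registrable_label(domain)
    folded = re.sub(r"[-_]", "", label.translate(LOOKALIKES))
    if keyword in label:
        return "substring"               # e.g. keyword + "account"
    if keyword in folded:
        return "folded"                  # keyword hidden by digits or hyphens
    if edit_distance(folded, keyword) <= 1:
        return "typo"                    # one inserted, dropped or swapped letter
    return None

def blocklist(observed, keyword, own_domains=()):
    """Map each suspicious domain in a feed to the reason it matched."""
    return {d: c for d in observed if (c := classify(d, keyword, own_domains))}

# Constructed sample feed of newly observed domains.
FEED = ["domaintools.com", "domaint00ls.com", "domaintoolsaccount.net",
        "domaintols.org", "domain-tools-login.info", "example.org"]

if __name__ == "__main__":
    for name, reason in blocklist(FEED, "domaintools", {"domaintools.com"}).items():
        print(f"{reason:9} {name}")
```

Short keywords and a looser edit-distance threshold both raise the false-positive rate, so matches are best reviewed before they go onto a blocklist.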

As cyber criminals become increasingly sophisticated, it seems almost daily that you hear about a “successful” phishing incident. What can and should companies do to mitigate risk (educate staff, leverage solutions, etc.)?

It has to be a blend of tools and processes. Education is definitely a key part of this. Organizations should weave security awareness into the very fabric of their culture. It shouldn’t be an add-on. Poorly trained employees can be a real liability, but well-trained ones can be a sensor network that helps the security team discover badness early in its progress. As far as tools go, email and web filters can certainly cut down on the noise, but one of the reasons we think predictive domain-based prevention like PhishEye is so valuable is because many spear phishes/BEC emails are custom-crafted–so they may not be picked up by reputation/blacklist services that rely on observing the emails in the wild, or on heuristics that could miss a one-off, unique email.

What do you believe makes phishing scams so successful and how will this impact business in the next year?

Phishing attacks are a form of social engineering, and they prey on human traits and habits such as pattern recognition (our brains turn close typos into the real thing sometimes), trust (some spearphishers do a lot of homework to create a very convincing impersonation of a colleague or boss), and distraction. That adds up to people clicking things they shouldn’t. And the phishes with the highest potential for single-event harm–BEC or similar targeted spear phishes–are often done very skillfully. Phishers are skilled at evading technological as well as human filtering mechanisms. APWG finds huge increases in the numbers of phishing domains, so it’s clear that attack rates are going to climb. If enterprises’ catch rates don’t increase at a higher rate than the attacks, then the successes will mount. The good news is that I think enterprises have a chance to drive their successful catch rates up through a combination of training, filtering tools, and alerting tools such as PhishEye.

What other types of malicious cyber activity will enterprises be faced with in 2017?

Certainly the familiar strains of malware and non-malware-based attacks will continue. It’s easy (and interesting) to get caught up in extreme hacking techniques like extracting data based on listening to CPU fan speed fluctuations, but it’s the basics, such as phishing, ransomware, botnet-based DDoS, etc., that are likely to cause the most harm. Personally, I’m intrigued by the idea of attacks that are designed to destabilize systems and undermine trust–not by making one big catastrophic strike, but by making a series of small disruptions or anomalies that cause an enterprise to lose trust in the integrity of their systems overall. This could potentially create various kinds of openings for other exploits.

About

Tim Helming, Director of Product Management, DomainTools

Tim Helming has over 15 years of experience in cybersecurity, from network to cloud to application attacks and defenses. As the director of product management at DomainTools, he applies this background to helping define and evangelize the company’s growing portfolio of investigative and proactive defense offerings. At WatchGuard, he helped define and launch some of the best-selling SMB security appliances in the market. At Symform, he led definition and messaging efforts for that company’s unique peer-to-peer cloud storage solution. Tim has spoken at security conferences such as BSides Las Vegas, FireEye/MIRcon, and AusCERT, as well as media events and technology partner conferences worldwide.
