Time
24 minutes
Difficulty
Beginner

Video Description

Attackers who send spear phishing emails often register and use "lookalike" domains (e.g. rapld7.com in place of rapid7.com) to appear more credible to their targets. In this 3-minute video, learn how InsightIDR relentlessly hunts threats, including detection for phishing attacks.

Video Transcription

00:05
In this video, let's take a look at one of the spear phishing detections available in InsightIDR.
00:11
Let's start with what the alert looks like.
00:14
Here, you look at alerts by attack chain.
00:17
Every alert you receive is prioritized based on where that behavior falls in the attack. So let's start with infiltration and persistence.
00:28
Here we can see all of the alerts of an attacker potentially trying to get ingress onto the network. So by scrolling down, we'll see "Account Received Suspicious Link". And something to note is that for every alert,
00:42
whenever possible we'll show you the users and the assets involved with this alert.
00:49
Clicking in to get more information, we can see that the alert fired on September 27th at 5:54,
00:56
where an account associated with Debra Walker received this email. And then a minute later, that account visited the link. But we're also presented with notable behavior, and so that's the new asset logon events that we can see on the bottom, so we can see that on the day before,
01:15
Debra Walker logged on to a new asset
01:17
for the first time,
01:19
And so InsightIDR, when it ingests and correlates all of your user activity, identifies notable behavior, saves it, and presents it to you automatically for every investigation. That gives you the context to quickly validate and learn more about the users and assets involved.
01:38
So from here we have a couple of options. We can go ahead and bring in endpoint data when possible, network data, or search across raw logs. Or we can go ahead and click on Debra's user page to learn more about her recent activity, and so this combines information from Active Directory, her cloud service usage,
01:57
endpoint data
01:59
and that's all correlated together to paint this complete picture.
02:05
And so from here, for alerts, we can see "Account Received Suspicious Link", "Account Visits Link", and then also we can see that "Malicious Process on Asset" was detected, so we know that this is an incident that we're going to want to follow up on.
02:22
So tying this back to the spear phishing detection: the reason that this alert fired was because this was marked as a tagged and owned domain. And so let's take a look at the Settings page to see how you can configure that.
02:37
What we're looking at here is the ability to modify alert types, whether or not they show up as notable behaviors or alerts. So you can customize what you receive as information to tailor it to your organization.
02:51
Heading down to tagged domains, these are all of the domains that you own and control, and so you can put them all down here,
02:58
and using a machine learning algorithm.
03:01
if there are any lookalike domains that are seen or visited by your users, InsightIDR will fire an alert. So, for example, if an email comes from rapld7
03:13
with an L instead of an I, InsightIDR will generate that alert automatically. And then from there, it's easy to click in, see the users affected, and run an investigation from there.
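To make the lookalike-domain idea from the video concrete, here is a small added example written for this page. It is not InsightIDR's code or its machine-learning model. It folds visually confusable characters (so rapld7.com compares equal to rapid7.com) and also measures edit distance, so it goes a little beyond the single substitution shown in the video and catches typosquats such as a dropped letter in the TLD. The tagged domain, the mail log lines, the confusable table and the edit-distance threshold are all constructed assumptions.

```python
"""Lookalike-domain check against a list of tagged (owned) domains.

Added example for this page: not InsightIDR's algorithm. Every domain,
address and threshold below is constructed for illustration.
"""
from __future__ import annotations

import re

# Visually confusable sequences folded to one canonical form.
# Assumption: an illustrative subset, not a complete confusables table.
CONFUSABLES = [
    ("rn", "m"),
    ("vv", "w"),
    ("0", "o"),
    ("1", "l"),
    ("|", "l"),
    ("i", "l"),  # the rapld7 / rapid7 case from the video
]

# Edits allowed before a domain is "too different" to be a lookalike (assumption).
TYPO_THRESHOLD = 1

# Constructed mail log lines; the format is invented for this example.
SAMPLE_MAIL_LOG = [
    "2019-09-27T05:54:02Z from=<helpdesk@rapld7.com> to=<user1@rapid7.com> subject=Password expiry",
    "2019-09-27T06:10:41Z from=<billing@rapid7.co> to=<user2@rapid7.com> subject=Invoice 4471",
    "2019-09-27T06:12:09Z from=<news@mail.rapid7.com> to=<user1@rapid7.com> subject=Weekly digest",
    "2019-09-27T06:30:17Z from=<alice@example.org> to=<user3@rapid7.com> subject=Lunch?",
    "2019-09-27T07:02:55Z from=<notice@rapid7.corn> to=<user2@rapid7.com> subject=Account locked",
    "2019-09-27T07:15:30Z from=<info@rapidseven.com> to=<user3@rapid7.com> subject=Offer",
]


def registrable(domain: str) -> str:
    """Return the last two labels (mail.rapid7.com -> rapid7.com).
    Assumption: multi-label public suffixes such as co.uk are not handled."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def fold(domain: str) -> str:
    """Collapse confusable characters so visual lookalikes compare equal."""
    s = domain.lower()
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution
    and adjacent transposition each cost 1."""
    prev2, prev1 = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev1[j] + 1, cur[j - 1] + 1, prev1[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # transposition
        prev2, prev1 = prev1, cur
    return prev1[len(b)]


def classify(sender_domain: str, owned: set[str]) -> tuple[str, str] | None:
    """Return (kind, owned_domain) for a lookalike, or None for an owned
    domain, one of its subdomains, or an unrelated domain."""
    reg = registrable(sender_domain)
    if reg in owned:
        return None
    for own in owned:
        if fold(reg) == fold(own):
            return ("homoglyph", own)
    for own in owned:
        if edit_distance(reg, own) <= TYPO_THRESHOLD:
            return ("typosquat", own)
    return None


def check_senders(log_lines: list[str], tagged_domains: list[str]) -> list[dict]:
    """Scan the from= field of each log line and return one alert per lookalike sender."""
    owned = {registrable(d) for d in tagged_domains}
    alerts = []
    for line in log_lines:
        m = re.search(r"from=<?([^\s>@]+)@([^\s>]+)>?", line)
        if not m:
            continue
        verdict = classify(m.group(2), owned)
        if verdict:
            kind, own = verdict
            alerts.append({"sender": f"{m.group(1)}@{m.group(2)}",
                           "kind": kind, "lookalike_of": own, "line": line})
    return alerts


if __name__ == "__main__":
    for alert in check_senders(SAMPLE_MAIL_LOG, ["rapid7.com"]):
        print(f"{alert['kind']:10} {alert['sender']:25} looks like {alert['lookalike_of']}")
```

Running it over the constructed log flags rapld7.com and rapid7.corn as homoglyph lookalikes and rapid7.co as a one-edit typosquat, while mail.rapid7.com (a subdomain you own) and unrelated domains produce nothing. Both checks run on the registrable domain only; on a real mail feed you would also want to look at display names and reply-to headers, which the video does not cover.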
