Spear Phishing

Video Activity

Attackers that send spear phishing emails often register and use "lookalike" domains (e.g. rapld7.com) to appear more credible to their targets. In this 3-minute video, learn how InsightIDR relentlessly hunts threats, including detection for phishing attacks.


Time: 24 minutes
Difficulty: Beginner

Video Transcription
00:00

[MUSIC] In this video, let's take a look at one of the spear phishing detections available in InsightIDR. Let's start with what the alert looks like. Here, if we look at alerts by attack chain, every alert you receive is prioritized based on where that behavior falls in the attack chain. Let's start with infiltration and persistence. Here, we can see all of the alerts of an attacker potentially trying to get ingress onto the network. By scrolling down, we'll see Account Received Suspicious Link. Something to note is that for every alert, whenever possible, we'll show you the users and the assets involved with this alert.

Clicking in to get more information, we can see that the alert fired on September 27th at 5:54, where account dwalker, associated with Deborah Walker, received this email, and then a minute later, that account revisited the link. But we're also presented with notable behavior. That's the new asset logon events that we can see on the bottom. We can see that on the day before, Deborah Walker logs onto a new asset for the first time. InsightIDR, when it ingests and correlates all of your user activity, identifies notable behavior, saves it, and will present it to you automatically for every investigation. That gives you the context to quickly validate and learn more about the users and assets involved.

From here, we have a couple of options. We can go ahead and bring in endpoint data when possible, network data, search across raw logs, or we can go ahead and click on Deborah's user page to learn more about her recent activity. This combines information from Active Directory, her cloud service usage, and endpoint data, and that's all correlated together to paint this complete picture. Here, for alerts, we can see that account receives suspicious link, account revisits link, and then also, we can see malicious process on asset was detected. We know that this is an incident that we're going to want to follow up with.

Tying this back to the spear phishing detection, the reason that this alert fired was because this was marked as a tagged and owned domain. Let's take a look at the Settings page to see how you can configure that. What we're looking at here is the ability to modify alert types, whether or not they show up as notable behaviors or alerts. You can customize what you receive as information to tailor it to your organization. Heading down to Tagged Domains, these are all of the domains that you own and control. You can put them all down here. Using a machine learning algorithm, if there are any look-alike domains that are seen or visited by your users, InsightIDR will fire an alert. For example, if an email comes from rapld7, with an L instead of an I, InsightIDR will generate that automatic alert. Then from there, it's easy to click in, see the users affected, and run an investigation from there.