Phishing Risks

In cybersecurity, a phishing risk refers to the vulnerability of an individual or an organization to a phishing attack. These attacks use deceptive communication, often via email, text message, or other electronic means, to trick a user into revealing sensitive information or deploying malicious software.

A potential phishing risk exists when an organization or individual's information or behavior makes them a target. This can include:

  • Human Vulnerability: Employees or individuals who have not received adequate training on how to spot phishing attempts. They may be more likely to click on a malicious link, open a suspicious attachment, or enter credentials on a fake website.

  • Technical Vulnerability: This includes systems that are not configured to block known phishing indicators. For example, a lack of email security protocols like DMARC, SPF, and DKIM can make it easier for attackers to spoof a company's domain.

  • Information Exposure: Publicly available information, such as employee names, job titles, or company details, can be used by attackers to craft compelling and personalized "spear phishing" emails.

  • Brand Impersonation: A risk exists when a company's brand is easy to imitate. Attackers can create fake websites or subdomains that closely resemble the real ones to steal user credentials.

Mitigating phishing risks involves a combination of technical controls, such as email filters and multi-factor authentication, and user education to build a "human firewall" against these deceptive attacks.

ThreatNG helps manage phishing risks by providing a comprehensive, external view of an organization's digital footprint, identifying potential entry points and weak spots that attackers could use for phishing campaigns.

How ThreatNG Helps with Phishing Risks

ThreatNG's External Discovery capability performs unauthenticated discovery to find an organization's assets. This is crucial for uncovering assets that could be used for phishing, such as forgotten subdomains or domains with similar names to the company's brand.

The External Assessment feature includes several modules that are directly relevant to identifying and mitigating phishing risks.

  • BEC & Phishing Susceptibility: This assessment is specifically designed to determine an organization's susceptibility to phishing. It uses Domain Intelligence, which includes DNS Intelligence capabilities like Domain Name Permutations, to detect malicious look-alike domains. For example, if an attacker registers "exampleccorp.com" to impersonate "examplecorp.com," ThreatNG would detect this permutation and flag it as a risk. The assessment also includes Email Intelligence to check for email security presence and format prediction, which helps identify whether an organization's email system is vulnerable to spoofing.

  • Subdomain Takeover Susceptibility: By evaluating the susceptibility of a website to subdomain takeover, ThreatNG can prevent attackers from using an organization's legitimate subdomains to host phishing pages. For instance, if a subdomain for an old marketing campaign is no longer in use, ThreatNG can detect if its DNS record is pointing to a vulnerable third-party service, allowing an attacker to take it over and host a phishing site.

  • Brand Damage Susceptibility: This assessment considers domain intelligence, including domain name permutations, to assess how susceptible an organization is to brand damage. For example, if an attacker registers a domain like "examplecorp-support.com" to run a scam, ThreatNG would detect it and flag the potential for brand damage and the associated phishing risk.
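To make the domain-permutation idea concrete, here is an added illustration (constructed for this page, not ThreatNG's own code) that generates the kinds of look-alike candidates named above (character repetition, omission, transposition, keyword additions such as "-support" or "secure-", and TLD swaps) for a brand domain and groups observed registrations by the manipulation that produced them. The keyword and TLD watch-lists are assumptions.

```python
"""Generate look-alike permutations of a brand domain and group observed
domains by the manipulation that produced them (constructed illustration,
not ThreatNG's own code)."""

# Assumed watch-lists; a real deployment would tune these per brand.
KEYWORDS = ("login", "secure", "support", "account")
TLDS = ("com", "net", "org", "co")


def permutations(domain):
    """Map each candidate look-alike of `domain` to its permutation type."""
    domain = domain.lower().rstrip(".")
    label, _, tld = domain.partition(".")
    found = {}

    def add(name, kind, new_tld=tld):
        candidate = f"{name}.{new_tld}"
        if candidate != domain:          # never flag the brand itself
            found.setdefault(candidate, kind)

    for i, ch in enumerate(label):
        add(label[:i] + ch + label[i:], "repetition")      # exampleccorp
        add(label[:i] + label[i + 1:], "omission")         # examplcorp
        if i + 1 < len(label):                             # exmaplecorp
            add(label[:i] + label[i + 1] + ch + label[i + 2:], "transposition")
    for kw in KEYWORDS:
        add(f"{label}-{kw}", "keyword-addition")           # examplecorp-login
        add(f"{kw}-{label}", "keyword-addition")           # secure-examplecorp
    for other in TLDS:
        if other != tld:
            add(label, "tld-swap", other)                  # examplecorp.net
    return found


def classify(observed, brand_domain):
    """Group observed domains (e.g. from a registration feed) by permutation type."""
    table = permutations(brand_domain)
    groups = {}
    for name in observed:
        kind = table.get(name.lower().rstrip("."))
        if kind:
            groups.setdefault(kind, []).append(name)
    return groups
```

Feeding a daily list of newly registered domains into `classify` is the simplest way to turn this into a monitoring check.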

Investigating Phishing-Related Risks with ThreatNG

ThreatNG's Investigation Modules provide detailed analysis to combat phishing threats.

  • DNS Intelligence: This module includes Domain Name Permutations, which detects and groups manipulations and additions of a domain. This is a critical tool for identifying domains created for phishing, such as "secure-example-corp.com" or "examplecorp-login.com". It can find these permutations across different Top-Level Domains (TLDs) and targeted keywords.

  • Email Intelligence: This capability provides insight into an organization's email security by checking for DMARC, SPF, and DKIM records. A weak or missing SPF record, for example, could be a sign that the organization is more susceptible to email spoofing, a common tactic in phishing.

  • Archived Web Pages: This module can find archived versions of an organization's online presence, including login pages and other assets. This can help identify and shut down old login pages or other content that attackers could repurpose for phishing campaigns.
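The Email Intelligence checks above boil down to reading a domain's SPF and DMARC TXT records and judging how much they actually constrain spoofing. The following added illustration (constructed for this page, not ThreatNG's own code) does that evaluation on records supplied as strings, so it runs offline; the wording of the findings is an assumption.

```python
"""Flag spoofing weaknesses in SPF and DMARC TXT records (constructed
illustration, not ThreatNG's own code). Records are passed in as strings so
the check runs offline; in production they would come from DNS TXT lookups
of the domain and of _dmarc.<domain>."""


def assess_spf(record):
    """Return weakness findings for an SPF TXT record; None means no record."""
    if record is None:
        return ["spf: no record, any host can claim to send for the domain"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["spf: record does not start with v=spf1"]
    # Mechanisms are the terms without '=' (modifiers such as redirect= have one).
    mechanisms = [t.lower() for t in terms[1:] if "=" not in t]
    findings = []
    last = mechanisms[-1] if mechanisms else ""
    if last in ("all", "+all"):
        findings.append("spf: +all authorizes every host on the internet")
    elif last == "~all":
        findings.append("spf: ~all softfail, spoofed mail is marked but still accepted")
    elif last != "-all":
        findings.append("spf: no -all terminator, unlisted senders are not rejected")
    return findings


def assess_dmarc(record):
    """Return weakness findings for a DMARC TXT record; None means no record."""
    if record is None:
        return ["dmarc: no record, receivers cannot enforce alignment"]
    if not record.strip().lower().startswith("v=dmarc1"):
        return ["dmarc: record does not start with v=DMARC1"]
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("dmarc: missing or invalid p= policy tag")
    elif policy == "none":
        findings.append("dmarc: p=none only monitors, spoofed mail is still delivered")
    pct = tags.get("pct", "100")
    if policy in ("quarantine", "reject") and pct.isdigit() and int(pct) < 100:
        findings.append(f"dmarc: pct={pct}, policy is applied to only part of the mail")
    if "rua" not in tags:
        findings.append("dmarc: no rua= address, no aggregate reports of spoofing attempts")
    return findings
```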

Monitoring, Reporting, and Intelligence Repositories

Continuous Monitoring ensures that ThreatNG consistently tracks the external attack surface for new phishing-related threats.

Reporting provides a clear, prioritized overview of findings, allowing security teams to focus on the most critical phishing risks. For instance, a report could highlight that a domain permutation targeting a key brand is a high-risk finding.

ThreatNG's Intelligence Repositories (DarCache) provide valuable context.

  • Compromised Credentials (DarCache Rupture): This repository contains information on compromised credentials. ThreatNG can use this data to determine if credentials for a specific subdomain have been exposed on the dark web, indicating a potential risk that could be used in a phishing attack.

  • Dark Web (DarCache Dark Web): This repository provides organizational mentions on the dark web, which can include discussions about potential phishing campaigns or the sale of compromised data that could be used in such attacks.

Synergies with Complementary Solutions

ThreatNG's capabilities can work with complementary solutions to enhance an organization's phishing defense.

  • Email Security Gateways: ThreatNG's discovery of malicious domain permutations and email intelligence findings can be used to enrich an email security gateway's threat intelligence. For example, if ThreatNG identifies a new phishing domain, this information can be automatically shared with the email gateway to block all incoming emails originating from that domain.

  • Security Orchestration, Automation, and Response (SOAR) Platforms: When ThreatNG identifies a high-risk phishing-related finding, such as a look-alike domain, a SOAR platform can automatically trigger a playbook. This playbook could include steps like sending a notification to the security team, opening a ticket in a help desk system, and automatically generating a takedown request for the malicious domain.

  • Endpoint Detection and Response (EDR) Solutions: If ThreatNG detects a user visiting a known phishing site, it could communicate with an EDR solution to quarantine the user's endpoint. This prevents the spread of any malware or the theft of credentials.
