
How to Investigate a Phishing Incident

  • Jul 08, 2019
  • Pramod Borkar
  • 1 minute to read


    In early 2018, Legacy Health, a Portland, Oregon-based hospital group, announced it had suffered a data breach. The medical records of 38,000 patients were taken after a successful phishing attack against one of its employees. Phishing attacks typically involve social engineering, which is the use of deception to manipulate individuals into divulging their credentials, clicking a weaponized link, or opening a malicious attachment. A common technique, for example, is a bogus call from the IT helpdesk in which the attacker asks the user to confirm their username and password. Triaging phishing emails can be a major drain on SOC resources due to the volume of alerts that teams receive.

    In this video, we simulate a phishing incident investigation with legacy SIEM tools using logs collected in Exabeam Data Lake and then compare it with a modern SIEM’s approach by using Exabeam Advanced Analytics to perform the same investigation. The key advantages of conducting a phishing investigation with Exabeam Advanced Analytics include:

    • Improved phishing threat detection via behavior analysis (UEBA) of email data and email security alerts alongside data from other security solutions
    • Reduced time required to investigate phishing incidents using Exabeam Smart Timelines, which automatically stitch together both normal and abnormal behavior into machine-built incident timelines
    • Improved mean time to detection and response resulting from automated investigation, containment, and mitigation playbooks powered by security orchestration, automation, and response (SOAR)

    This is part of a series of articles about What is Phishing.

    Watch the video

    Watch the video below for a step-by-step walkthrough of a phishing incident investigation using a modern SIEM.
