Researching URLs in suspected phishing incidents is a costly and time-intensive process, according to a survey* of 300-plus security decision-makers. Nearly half of all survey respondents (47%) reported spending up to 10 minutes per incident researching URLs.
This approach is costly and dangerous for large organizations because social engineering attacks are on the rise, and organizations face a chronic shortage of trained cybersecurity staff. With several hundred incidents to research per day, each incident taking more than 10 minutes to resolve, this task can easily consume multiple full-time resources.
Protecting employees from zero-hour phishing threats is especially crucial in data-intensive fields such as financial services, government, defense, and healthcare. Yet only 19% of security decision-makers reported fully automated incident response and threat hunting with real-time threat intelligence. The top concerns of security decision-makers were better detection of previously unknown phishing URLs and definitive, accurate verdicts from their security systems and URL look-up resources.
These results underscore the critical difference between URL scanning and URL analysis. While it may seem like a simple difference in semantics, the gaps in benefits can be vital in helping security teams protect their organization against today’s advanced threats.
More accurate URL analysis gives service providers many ways to offer more automated services to their customers, including:
- Fully automated phishing URL analysis and enrichment with real-time, on-demand threat detection technology
- Extracting links or domains automatically from suspicious emails and analyzing them on demand and at scale
- Proactive searches of network, host, and endpoint log data to uncover traffic to phishing sites or communications with malicious C2s from compromised machines
- Automating IR playbook responses to genuine threats, including blocking of malicious domains in existing defenses
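A minimal sketch of the link-extraction and log-search use cases in the list above, added here as an illustration and not taken from SlashNext's product or API. The sample email, the proxy log format, and the names `extract_hosts` and `hunt` are constructed for the example.

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Constructed sample email: the link text shows one site, the href another.
RAW_EMAIL = """\
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Reset here: http://login.example.org/reset?id=42.
--b1
Content-Type: text/html; charset="utf-8"

<p><a href="HTTP://Portal.Example.TEST/r">https://intranet.example.com</a></p>
--b1--
"""
# Constructed proxy log lines: timestamp, client IP, method, URL.
PROXY_LOG = [
    "2024-01-01T09:00:01Z 10.0.0.5 GET http://portal.example.test/r",
    "2024-01-01T09:00:07Z 10.0.0.9 GET https://www.example.com/",
    "2024-01-01T09:02:13Z 10.0.0.7 GET http://login.example.org/reset?id=42",
]

class HrefParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []  # href targets: where a click actually goes
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]

def extract_hosts(raw_email):
    """Sorted, lower-cased hostnames linked from the text and HTML parts."""
    urls = []
    for part in message_from_string(raw_email, policy=default).walk():
        if part.get_content_type() == "text/html":
            parser = HrefParser()
            parser.feed(part.get_content())
            urls += parser.links
        elif part.get_content_type() == "text/plain":
            urls += re.findall(r"https?://[^\s<>\"']+", part.get_content(), re.I)
    return sorted({h for h in (urlsplit(u).hostname for u in urls) if h})

def hunt(log_lines, hosts):  # (timestamp, client) per request to a suspect host
    rows = (line.split(maxsplit=3) for line in log_lines)
    return [(ts, ip) for ts, ip, _, url in rows if urlsplit(url).hostname in hosts]
```

Only the `href` target is collected from HTML parts, so the host the user would actually reach is what gets queued for analysis, not the host displayed in the link text.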
Detecting sophisticated, elusive, and short-lived threats requires a more robust URL analysis and enrichment method. To address this need, SlashNext has pioneered and patented behavioral phishing detection technology that uses millions of virtual browsers to detect previously unknown threats with unmatched accuracy. These virtual browsers click on links (like a threat researcher) to follow through on re-directs and do a more thorough run-time analysis of final page contents. Instead of relying on domain reputation or scans of blocklists, it performs a more in-depth analysis of the page using computer vision, NLP, site behavior analysis, and machine learning. This type of URL Analysis offers many advantages over lightweight URL scanning methods, including overcoming evasion tactics to produce more accurate, definitive verdicts on a wider variety of phishing threats. It also provides a wealth of artifacts, enriching URLs with forensics data, which can be used for further analysis and reporting.
The benefits of this URL analysis and enrichment address the deficits the survey revealed:
- Broader, high-fidelity, real-time intelligence on the latest phishing threats
- Highly accurate, definitive, binary verdicts (not simply threat scores), enabling better automation and block-ready threat feed (blocklist) for phishing protection solutions and network controls
- Overcoming numerous evasion tactics such as shortened URLs, multiple redirects, and multi-stage attacks that require user interaction, such as CAPTCHAs
- Detection of phishing pages hosted on both compromised websites and legitimate hosting infrastructure
- Rich forensics data for further analysis and reporting. In addition to verdicts and threat status, users can access threat type, first seen/last seen data, Geo IP, screenshots, HTML, and text
*The independent research company, Survata, surveyed 300 cybersecurity professionals. The respondents were certified security decision-makers in large enterprises with a SOC, worked on the organization’s cybersecurity team, and used at least one threat intelligence feed.