Overview: Phishing Triage

Updated 11 months ago by TruSTAR

TruSTAR’s Phishing Triage Intel Workflow is designed to remove the manual, time-consuming tasks associated with the traditional triage process of user-reported suspicious emails. 

TruSTAR automatically ingests suspicious emails, then extracts observables and enriches them from your choice of 15+ intelligence sources to create a single Normalized Indicator Score for each Indicator. TruSTAR then uses those individual scores to assign a Priority Event Score to the email itself, helping analysts surface the most relevant events for automated or human-in-the-loop investigation workflows.

Activating This Feature

To activate the Phishing Triage Intel Workflow, contact your TruSTAR account representative or email support@trustar.co and request activation. The feature activation includes creating two new enclaves:

  • A Phishing Emails Enclave where submitted events (emails) are processed.
  • A Phishing Indicators Enclave (also referred to as the Phishing Vetted Indicators Enclave) where the Indicators selected from scored emails are stored.

Activation Options

Two different methods are available for moving Indicators from the Phishing Emails Enclave to the Phishing Indicators Enclave:

  • Automated workflow: TruSTAR automatically moves all malicious Indicators (Normalized Indicator Score = 1, 2, or 3) from scored emails (Priority Event Score = 1, 2, or 3) to the Phishing Indicators Enclave, with no analyst action required.
  • Manual workflow: TruSTAR moves the malicious Indicators (Normalized Indicator Score = 1, 2, or 3) only from emails an analyst has confirmed as phishing (triage status = confirmed) to the Phishing Indicators Enclave.

By default, TruSTAR activates the automated workflow when you request the Phishing Triage feature set. If you want the manual workflow instead, specify this when requesting activation.
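The following is an added illustration of the difference between the two workflows, not TruSTAR code. The data model, the assumed scoring scale (only membership in the set {1, 2, 3} matters for the rule) and the sample events are constructed for the example.

```python
"""Which Indicators move from the Phishing Emails Enclave to the
Phishing Indicators Enclave under each activation option.

Added illustration, not TruSTAR code. The dataclasses, the score scale
and the sample events below are assumptions made for the example."""
from dataclasses import dataclass, field

# Normalized Indicator Scores / Priority Event Scores the page calls scored.
MALICIOUS_SCORES = {1, 2, 3}


@dataclass
class Indicator:
    value: str
    normalized_score: int          # Normalized Indicator Score (assumed scale)


@dataclass
class PhishingEvent:
    report_id: str
    priority_event_score: int      # Priority Event Score (assumed scale)
    triage_status: str             # e.g. "confirmed" or "unconfirmed"
    indicators: list = field(default_factory=list)


def event_qualifies(event: PhishingEvent, workflow: str) -> bool:
    """Automated: the email itself must be scored 1, 2 or 3.
    Manual: an analyst must have marked the email confirmed."""
    if workflow == "automated":
        return event.priority_event_score in MALICIOUS_SCORES
    if workflow == "manual":
        return event.triage_status == "confirmed"
    raise ValueError(f"unknown workflow: {workflow}")


def select_for_indicators_enclave(events, workflow):
    """Return the Indicator values that would be copied to the
    Phishing Indicators Enclave under the given workflow."""
    selected = []
    for ev in events:
        if not event_qualifies(ev, workflow):
            continue
        for ind in ev.indicators:
            if ind.normalized_score in MALICIOUS_SCORES:
                selected.append(ind.value)
    return selected


def sample_events():
    """Constructed events: A is scored but not yet confirmed, B is confirmed
    but the scorer rated the email 0, C is both scored and confirmed."""
    return [
        PhishingEvent("rpt-A", 2, "unconfirmed",
                      [Indicator("http://bad.example/x", 1),
                       Indicator("benign.example", 0)]),
        PhishingEvent("rpt-B", 0, "confirmed",
                      [Indicator("198.51.100.7", 3)]),
        PhishingEvent("rpt-C", 1, "confirmed",
                      [Indicator("collector@mail.attacker.example", 2),
                       Indicator("noise.example", 0)]),
    ]


if __name__ == "__main__":
    for mode in ("automated", "manual"):
        print(mode, select_for_indicators_enclave(sample_events(), mode))
```

The two modes disagree on events A and B: the automated workflow trusts the Priority Event Score and moves A's Indicator before anyone has looked at it, while the manual workflow waits for the analyst and therefore picks up B, which the scorer did not rate. That is the trade-off to weigh when choosing an activation option.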


Best Practices

After your TruSTAR account representative has set up the two Phishing Triage Enclaves, you can use the Enclave Inbox feature to set up a dedicated email inbox. You can then use and distribute this email address within your organization as a quick and easy way to submit suspected phishing events.

TruSTAR does not decode URLs that a third-party tool has encoded (for example, a mail gateway that rewrites links) before the email reaches the TruSTAR platform. To get full value from TruSTAR's phishing triage and indicator correlation, decode such URLs before submitting them to TruSTAR; otherwise the extracted Indicator is the wrapper URL rather than the real destination and will not correlate with your intelligence sources. Contact the rewriting tool's vendor support team for help with decoding its URLs so they are useful in TruSTAR.

How It Works     

The Phishing Triage Intel Workflow provides an automated process that extracts the data you need to fight phishing in your organization.

  1. Submit: Use TruSTAR's Enclave Inbox feature to auto-submit suspected phishing emails to a dedicated private enclave.
    It can take up to 4 hours for a submitted phishing email to be fully processed, enriched, and scored. Once processing has finished, the report appears in the Phishing Triage Dashboard.
  2. Extract: TruSTAR automatically parses the submitted emails and extracts these observables:
  • URL
  • IP address
  • Hashes: MD5, SHA1, SHA256
  • Email address
    The Phishing dashboard uses a lightweight extraction library to provide a quick preview of the extracted observables; open the Phishing report to see the full, accurate extraction.
  3. Enrich: TruSTAR takes these observables and automatically queries the external intelligence sources you subscribe to, looking for correlations with historical Indicators.
    The Phishing dashboard displays enrichment results for only 30 days after submission.
  4. Normalize: Each correlation provides a score, but each source uses a different scoring system, so TruSTAR uses Normalized Indicator Scoring to calculate a single comprehensive score for each Indicator.
  5. Prioritize: TruSTAR indicates the priority of each email by assigning it a Priority Event Score.
  6. Store: Finally, TruSTAR moves the Indicators that meet the criteria of the activated workflow (automated or manual) to the Phishing Indicators Enclave.
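As an added example of the Extract step (this is not TruSTAR's extraction library), the script below pulls the four observable types from a raw email using only the Python standard library. Because encoded URLs from third-party tools must be decoded before submission, it also flags URLs that appear to wrap another URL; that check is a vendor-agnostic heuristic of the author's, and the message, names and addresses are constructed.

```python
"""Extract the observables the Extract step looks for (URLs, IPv4
addresses, MD5/SHA1/SHA256 hashes, email addresses) from a raw email.

Added example, not TruSTAR's own extraction library. The sample message
is constructed; looks_rewritten() is an assumed heuristic, not a
vendor-specific decoder."""
import email
import re
from email import policy
from urllib.parse import unquote

URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Hex runs of exactly 32/40/64 chars; \b stops a SHA256 matching as an MD5.
HASH_RES = {
    "MD5": re.compile(r"\b[a-fA-F0-9]{32}\b"),
    "SHA1": re.compile(r"\b[a-fA-F0-9]{40}\b"),
    "SHA256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
}


def _dedupe(values):
    """Keep first occurrence of each value, preserving order."""
    seen, out = set(), []
    for v in values:
        if v not in seen:
            seen.add(v)
            out.append(v)
    return out


def _searchable_text(raw):
    """Headers plus every text part of the message, joined for scanning."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    chunks = [f"{name}: {value}" for name, value in msg.items()]
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            chunks.append(part.get_content())
    return "\n".join(chunks)


def looks_rewritten(url):
    """Assumed heuristic: a URL carrying a second http(s) URL inside it,
    possibly percent-encoded, is probably a link-rewriting wrapper and
    should be decoded (by the rewriting tool's vendor) before submission."""
    return len(re.findall(r"https?://", unquote(url), re.IGNORECASE)) > 1


def extract_observables(raw):
    """Return observables by type, plus the URLs that still need decoding."""
    text = _searchable_text(raw)
    urls = _dedupe(u.rstrip(".,;") for u in URL_RE.findall(text))
    result = {
        "URL": urls,
        "IP": _dedupe(IPV4_RE.findall(text)),
        "EMAIL": _dedupe(m.lower() for m in EMAIL_RE.findall(text)),
        "NEEDS_DECODING": [u for u in urls if looks_rewritten(u)],
    }
    for name, rx in HASH_RES.items():
        result[name] = _dedupe(h.lower() for h in rx.findall(text))
    return result


# Constructed user-reported message; every name and address is illustrative.
SAMPLE_EMAIL = b"\r\n".join([
    b'From: "IT Helpdesk" <helpdesk@notcorp.example>',
    b"Reply-To: collector@mail.attacker.example",
    b"To: alice@corp.example",
    b"Received: from [203.0.113.45] by mx.corp.example",
    b"Subject: Password expiry notice",
    b"Content-Type: text/plain; charset=utf-8",
    b"",
    b"Your password expires today. Reset it at",
    b"http://corp-login.example/reset?u=alice.",
    b"Mirror (link already wrapped by a mail gateway):",
    b"https://scanner.example/?url=http%3A%2F%2Fcorp-login.example%2Freset",
    b"Attachment checksums: d41d8cd98f00b204e9800998ecf8427e",
    b"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
])

if __name__ == "__main__":
    for kind, values in extract_observables(SAMPLE_EMAIL).items():
        print(kind, values)
```

Headers are scanned as well as the body so that the Reply-To address and the relay IP in the Received header become Indicators; only the entries under NEEDS_DECODING should be sent back through the rewriting tool's decoder before the email is submitted.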

You can use the information in the Phishing Indicators Enclave in any number of ways:

  • Detect: Integrate with SIEMs such as IBM QRadar for automated hunting.
  • Orchestrate: Create playbooks for advanced response and remediation. Demisto and ServiceNow are two TruSTAR integrations that support the fast creation of phishing playbooks.
  • Disseminate: Automate data sharing with other tools, teams, and groups using TruSTAR's REST API or TAXII server.
