Phish.AI + Demisto Integration
Phishing links are among the most frequent attacks that organizations face. They can arrive through email, Slack, or any other channel.
A zero-day phishing link is usually reported by a savvy user, hopefully before someone has clicked on it and caused damage. The link is then sent to a SOC team, which has to respond. SOC teams today are bombarded with phishing links to check. Checking a link usually requires analysts to visit the website from several environments and identify the phishing page, which may already be down.
To help address these challenges in an accurate and timely manner, we integrated the Phish.AI API with Demisto. Users can now combine the zero-day phishing detection capabilities of Phish.AI with the security orchestration and automation features of Demisto for a faster, more accurate incident response process.
You can read more about our API in our previous blog: https://www.phish.ai/2018/04/16/phishai-api/.
To recap how our engine works:
Essentially, we maintain a very large computer vision database of known websites and their legitimate domains. The API visits a given website, takes screenshots of it, and compares them against that database; if the site looks similar to a known website but is hosted on a different domain, we classify it as malicious and identify the targeted brand (the website this site tries to mimic).
Demisto is a leading security orchestration and incident management platform. The Phish.AI integration enables the following:
- Automated enrichment of suspicious URLs: each URL is classified as clean or malicious, tagged with the targeted brand (for example Yahoo or Office365), or marked as an offline website (if the site is dead or the hosting provider took it down).
You can add an instance of Phish.AI from Demisto->Settings (if you have up-to-date content) or upload the YML integration straight from Demisto’s GitHub:
Here is an example command: !url url=facebook.com
As you can see, the URL is clean (as expected) and is classified as Facebook.
Here is an example of what a malicious result looks like, using the following command: ‘!url url=https://diputadosprisinaloa.org.mx/4/OneDK’ (the website may already be down).
As you can see, the URL is malicious and is classified as a Microsoft OneDrive phishing attack.
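To make the classification rule described above concrete (a page that looks like a known brand but is served from a domain that is not one of that brand's legitimate domains is malicious; an unreachable page is reported as offline), here is an added illustration in Python. It is not Phish.AI's code or database: the brand table is a constructed sample, the vision match is taken as an input rather than computed, and the DBotScore field names are assumed to follow the Demisto convention.

```python
from urllib.parse import urlsplit

# Constructed sample of "known websites and their legitimate domains".
# Illustration only: the real service matches screenshots with a computer
# vision model; here the matched brand is simply passed in.
KNOWN_BRANDS = {
    "Facebook": ("facebook.com", "fb.com"),
    "Microsoft OneDrive": ("onedrive.live.com", "microsoft.com"),
    "Yahoo": ("yahoo.com",),
}

# Demisto DBotScore convention (assumed): 1 = good, 2 = suspicious, 3 = bad.
DBOT_SCORE = {"clean": 1, "offline": 2, "malicious": 3}

def hostname(url):
    """Lowercased host of a URL; a bare 'facebook.com' is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def is_legitimate_host(host, brand):
    """True only if host IS a brand domain or a subdomain of one.
    A plain substring check would wrongly accept 'facebook.com.evil-example.net'."""
    return any(host == h or host.endswith("." + h)
               for h in KNOWN_BRANDS.get(brand, ()))

def classify(url, reachable, matched_brand):
    """Apply the rule from the post. `matched_brand` is the brand the screenshot
    comparison matched (None if it resembled nothing known); `reachable` says
    whether the page could be fetched at all (False -> offline website)."""
    if not reachable:
        verdict = "offline"
    elif matched_brand is None or is_legitimate_host(hostname(url), matched_brand):
        verdict = "clean"
    else:
        verdict = "malicious"
    return {"url": url, "verdict": verdict, "brand": matched_brand}

def to_dbot_score(result):
    """Shape a verdict like a Demisto DBotScore entry (field names assumed)."""
    return {"Indicator": result["url"], "Type": "url", "Vendor": "Phish.AI",
            "Score": DBOT_SCORE[result["verdict"]]}

if __name__ == "__main__":
    print(classify("facebook.com", True, "Facebook"))
    print(classify("https://login.facebook.com.evil-example.net/", True, "Facebook"))
```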
We are excited and look forward to working with the Demisto community to fight phishing and improve the Phish.AI API.