This article explains how the IPS security service and Internet firewall in the Cato Cloud security stack protects your network from phishing attacks.

How the Cato Security Stack Identifies Phishing Attacks

Phishing continues to be one of the most dangerous threats to organizations, and phishing attacks can be an initial vector to infiltrate the corporate network or to steal credentials and other private data. The Cato IPS service and Internet firewall in the security stack has different techniques to identify traffic as a phishing attack and block the attack before it enters your network.

IOCs Based on Threat Intelligence Feeds

Cato's Security team creates IPS and firewall protections for phishing attacks based on Indicators of Compromise (IOCs). The IOCs are accumulated from a variety of private and open source threat intelligence feeds that contain domains, URLs, and other data about known phishing campaigns. Any traffic that matches the IOC of a known phishing campaign is automatically blocked by the IPS engine.

Heuristics and Algorithms Based on Traffic Analysis

Another level of protections in the security stack utilizes heuristics and algorithms that are based on the characteristics of phishing websites. The Security team analyzes all this network data and then creates protections that can identify websites which are sources of phishing attacks. For example, a phishing campaign can use a fake Office365 URL to trick users into believing that this link is legitimate. If a user accidently clicks the malicious Office365 link, IPS or the firewall can block the traffic and prevent the phishing attack.

The Security team is constantly analyzing network traffic in the Cato Cloud to improve the heuristics and algorithms and improve the ability to detect new phishing attacks.

Reviewing Events for Blocked Phishing Attacks

You can review Security events in Analytics > Event Discovery and find any phishing attacks in your account that were blocked. There are different event sub types for phishing attacks blocked by IPS and by the firewall. For IPS events, the threat type can be classified as Reputation, or as Phishing.

This is an example of an event for a phishing attack blocked by IPS:

• IPS event fields for a phishing attack:
  • Event type - Security
  • Event sub type - IPS
  • Threat type - Reputation
    • Threat name - Domain reputation based signature – Phishing
  • Threat type - Phishing
    • Threat name - Name that the Security team gives for this phishing attack
  • Internet firewall event fields for a phishing attack:
    • Event type - Security
    • Event sub type – Internet Firewall
    • Categories - Phishing

For more information, see Analyzing Security Events According to Threat Reputation.

Cato Blocked a Phishing Attack - Now What?

This section contains suggested next steps if you discover that IPS or the Internet firewall blocked phishing attacks for your account.

1. Identify which endusers in your organization were the target of the phishing attack.
2. Talk to the endusers, and identify what type of information they were sharing with this website.
3. Tell the endusers to take the following actions:
   • Change their passwords for the website
   • Initiate a hard log off from all services that are related to the website
4. Check if any data that was shared (or potentially shared) represents any risk.