Review: SlashNext is like shooting phish in a barrel

SlashNext is a dedicated platform for combating modern phishing attacks. It does that one thing and it does it very well.

Using social engineering in conjunction with malicious program delivery, a technique known as phishing, remains one of the biggest threats to the cybersecurity landscape. If human users can be tricked into taking an action such as downloading malware, connecting with a compromised website, or even providing their credentials directly to criminals, it often overrides many of the automatic protections that cyber defenses offer. It’s become so popular and so successful that the most recent Verizon Data Breach Investigations Report puts phishing and social engineering attacks at the center of 93 percent of breaches in 2018.

Because of this, most comprehensive cybersecurity defenses try and include at least some from of phishing protection as part of their overall offering. Traditionally this is done mostly with e-mail clients, looking for telltale signs such as outbound links not matching the headers in a message. It is also sometimes done through blacklisting known phishing sites as they are discovered.

The problem with this kind of add-on approach is that the criminals participating in phishing scams tend to specialize in their trade, while the defense programs do not. This often puts the bad guys a couple steps ahead of phishing protection. In fact, a recent Webroot Quarterly Trends report puts the number of new phishing sites created every day at about 46,000, with many of them only existing for a few hours before fading back into the ether to avoid blacklisting.

Phishing scams now also make use of cloud services to give themselves valid top-level URLs. Another technique used by scammers is to first compromise a valid website and then use that to launch attacks. And e-mail, while still a primary phishing delivery method, now shares time with other communication channels such as instant messaging, social media platforms and even web-based advertisements.

SlashNext is a dedicated platform to combat modern phishing attacks. It can work by itself or in conjunction with other cybersecurity tools. There are two products available to organizations. The first is a detailed and dedicated phishing threat feed that can be used to block phishing sites as they pop up. The second is an appliance that provides even more protection and is able to halt even targeted attacks aimed at a single organization that wouldn’t trigger any other kind of alert. The appliance can even stop attacks aimed at a single person at a single organization.

Testing SlashNext

Both offerings have the Session Emulation and Environment Reconnaissance (SEER) engine at their core. SEER exists in a dedicated cloud and proactively scans the internet for phishing-related sites and activity. SEER taps into multiple sources and scans through billions of internet transactions and URLs every day. It then visits webpages using a virtual browser and inspects them using behavioral analysis, optical character recognition, computer forensics, natural language processing, image recognition and other technologies. The engine also uses machine learning to tap into its experience of outing millions of other phishing sites for over four years. It then makes a binary determination as to whether the site is a phishing platform. There are no percentages or gray areas involved. A site is either malicious or benign, and the company says it does not experience any false positives.

SlashNext Warning screen John Breeden II

Although users might be tricked by realistic-looking login pages, SlashNext is almost never fooled. In fact, there are very few controls and no ability to whitelist sites, because the company says that it’s unnecessary.

The threat feed
The threat feed part of the SlashNext offering is available for a flat rate but is divided up into six areas to help organizations control their costs, and so that they can zero in on the specific kinds of phishing attacks that most plague their industry or sector. It’s divided up into credential stealing attacks, scareware (e.g., tech support scams), rogue software (e.g., fake antivirus programs, exploits and malware), social engineering scams (e.g., fake prize giveaways), fake login scams and command and control callbacks from compromised machines.

SlashNext Raw Threat Feed John Breeden II

SlashNext offers two products, a six-part threat feed dedicated to phishing scams, and an appliance that can stop even highly targeted attacks. This is a look at the raw threat feed.

The threat feed can be sent directly into an SIEM or used in conjunction with a next generation firewall to automatically block phishing sites. SlashNext also expires inactive threat sites, since they sometimes only last for a few hours. Doing that prevents firewalls and other security appliances that rely on the feed from becoming overloaded with millions and millions of block definitions.

While the feed can be used with security appliances automatically, there is also a lot of great information in there if an IT team wants to dive into a specific threat. This includes when the threat was first discovered, how long it has been active and the type of threat the phishing site contains.

SlashNext Configure Help John Breeden II

Because users may not know or agree with a blocking action, SlashNext makes it easy for them to contact their local administrator, start a trouble ticket or take any other pre-approved action.

The threat feed is extremely detailed and powerful, but probably won’t help an organization if an attacker is specifically targeting them. In that case, because the attack is only going after one organization or even a single person working there, the attack won’t get picked up by the SlashNext feed or any other protection since it won't be out in the wild at all. For that, SlashNext offers a dedicated appliance to compliment the threat feed.

The TSMappliance
The SlashNext TSM network traffic monitoring appliance is priced by tier, depending on the number of users the device is protecting. While the appliance can access the SlashNext threat feed to automatically block known threats, when a user visits a new site, the TSM appliance will capture that information and send it to the SEER cloud for inspection. SEER will then create a virtual browser and begin the inspection process. In testing, it took about ten seconds for the verdict to come back. If the site is fine, nothing happens. If it’s a phishing site, it is immediately blocked with a report optionally sent to the local administrator. Information about the new phishing site is also shared with the threat feed so that it can be blocked by users around the world.

SlashNext New Phish John Breeden II

Some of the most advanced phishing scams involve legitimate-seeming program downloads that have been corrupted. Here, an active phishing scam at the time of our testing offers to update a user’s video player.

The appliance doesn't require any special installation process and can be up and running in about half an hour. There is also no traffic learning process or other delay. In fact, the appliance was able to detect systems that had already been infected by phishing scams before it was installed. It did this by picking up on the command and control callback processes and examining the site where that traffic was going.

SlashNext Console Dashboard John Breeden II

Although it could almost be considered optional given the fire and forget nature of the service, a detailed appliance console shows what kinds of phishing attacks are hitting a protected network.

In addition to targeted phishing protection, the appliance has a highly detailed management console that can show what kinds of phishing attacks are assaulting a network. It even breaks down individual attacks, going so far as to show a captured screenshot of the phishing site and detailing the probable goals of attacks.

SlashNext Console Report John Breeden II

Every attack halted by the TSM appliance generates a log entry showing details about the threat that was stopped. This includes comprehensive information about the danger posed by the attack, the overall goals of the phishing effort, and how it was configured and deployed.

It’s worth noting however, that while the management interface is very detailed, that it’s technically also optional. Administrators are never required to take any actions. Like with the threat feed, sites are either malicious or benign with nothing in between. There is not even a whitelisting process available, as SlashNext is confident that they will never identify a legitimate site as a phishing scam. As such, the TSM appliance is completely fire and forget. Once installed, it will protect a network and its users from phishing scams with no further human intervention needed.

The bottom line

SlashNext has taken the old adage of doing one thing very well to heart. Its phishing threat feed is incredibly accurate and detailed, proactively uncovering millions of phishing scam sites almost as quickly as they are created, and sharing that information with its subscribers. For organizations that find themselves directly attacked by phishers, adding the TSM appliance adds an extra layer of protection. The fact that the whole system operates independently and accurately without human intervention is just icing on the cake.

SlashNext has found a way to counter and defeat phishing attacks. And given that phishing is so prolific, and also often successful, it’s a technology that is sorely needed in today’s dangerous threat landscape.

Get the best of CSO ... delivered. Sign up for our FREE email newsletters!