Email, as we know, is a very efficient way to communicate without physically visiting the intended recipient. Email has been with us for many years, and its original purpose was to reduce the time and effort spent on communication.
But these days email is heavily used for social engineering and phishing. Forget the good old days when you only received mail from people you knew. Now even a prince of Nigeria has your address and wants to give you money.
As a security researcher and SOC analyst, I have noticed that email is the top and one of the most used channels for delivering these malicious files. It's like yelling the name John in a crowd: somebody will eventually respond.
Detecting suspicious emails?
Language – typos and grammar mistakes are usually there, but sometimes they are not.
Sender domain – may contain a typo (a look-alike of a legitimate domain), or may be a perfectly legitimate domain that is spoofed or compromised, so do not rely on the domain alone.
Hover your mouse over the embedded links in the email and you will see they lead to some random site that has nothing to do with the text being displayed.
Attachment – names are suspiciously close to something you expect, or plainly suspicious (a double extension such as invoice.pdf.exe is a classic).
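The four checks above can be scripted so they run over every message hitting the mailbox or the gateway. The following is an added example written for this page, not the author's tooling: it parses a constructed phishing message and a constructed clean message, compares the sender domain against an assumed allow-list of known domains (edit distance catches look-alikes such as paypa1.com), compares the visible text of each link with where the href really goes, and flags executable or double-extension attachments. The allow-list, the extension sets and both sample messages are assumptions made for the demo.

```python
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list of domains the organisation and its users normally deal with.
KNOWN_DOMAINS = {"paypal.com", "microsoft.com", "corp.example"}
EXEC_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".bat"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png"}
IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Constructed sample messages for this example; not real mail.
PHISH_EML = """\
From: "PayPal Support" <security@paypa1.com>
To: john@corp.example
Subject: Suspicious transaction detected on your account
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>We have noticed a suspicious transaction. Please visit
<a href="http://203.0.113.45/login">https://www.paypal.com/signin</a> to change your password.</p>
</body></html>
--b1
Content-Type: application/octet-stream; name="Invoice_0031.pdf.exe"
Content-Disposition: attachment; filename="Invoice_0031.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAA
--b1--
"""
CLEAN_EML = """\
From: "IT Helpdesk" <helpdesk@corp.example>
Subject: Patch window on Saturday
Content-Type: text/plain; charset="utf-8"

Servers will reboot at 22:00 UTC on Saturday. No action needed.
"""


def levenshtein(a, b):
    """Edit distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def reg_domain(host):
    """Naive registrable domain: last two labels (good enough for the example)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


class _LinkParser(HTMLParser):
    """Collects (href, visible text) for every <a> in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    # 1. Sender domain: look-alike of a known domain, or a display name borrowing a brand.
    name, addr = email.utils.parseaddr(str(msg["From"]))
    sender = reg_domain(addr.rpartition("@")[2])
    if sender not in KNOWN_DOMAINS:
        for known in KNOWN_DOMAINS:
            if 0 < levenshtein(sender, known) <= 2:
                findings.append(f"sender domain {sender} resembles {known}")
            if known.split(".")[0] in name.lower():
                findings.append(f"display name '{name}' mentions {known} but mail came from {sender}")
    # 2. Links: what the text shows versus where the href really goes (the mouse-over check).
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser = _LinkParser()
            parser.feed(part.get_content())
            for href, text in parser.links:
                host = (urlparse(href).hostname or "").lower()
                if IP_RE.match(host):
                    findings.append(f"link points at bare IP {host}")
                shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
                if shown and shown.lower() != host:
                    findings.append(f"link text shows {shown} but href goes to {host}")
    # 3. Attachments: executable extensions, or a document name hiding a second extension.
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        stem, _, ext = fname.lower().rpartition(".")
        if "." + ext in EXEC_EXT:
            findings.append(f"attachment {fname} has executable extension .{ext}")
        if "." + stem.rpartition(".")[2] in DOC_EXT:
            findings.append(f"attachment {fname} uses a double extension")
    return findings


if __name__ == "__main__":
    for label, eml in (("phish", PHISH_EML), ("clean", CLEAN_EML)):
        print(label, analyse(eml))
```

None of these checks is proof on its own (a legitimate newsletter also tracks clicks through a third-party host), so treat the output as a score to triage, not a verdict.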
The best way to fight this is user awareness. Emails exploit the most vulnerable entity: the HUMAN, a mind where curiosity inevitably kills the cat.
Attackers thrive on two human characteristics: FEAR and CURIOSITY.
FEAR – "We have noticed a suspicious transaction on your account. Please click on this link to change your password."
CURIOSITY – "Sorry we missed you; we have a package waiting for you. Please open the attached file for more information." There is a package indeed, but it is for your PC – malware, I mean 🙂
Other ways to detect:
Mail gateways with proper monitoring.
DLP – can be used to monitor the content of the email.
I have been a security analyst in a SOC for more than 3 years. Besides waiting for alerts triggered by devices such as IPS or endpoint protection, one can write rules in the SIEM to analyse logs. The SIEM needs to be constantly updated with new intel. Below are a few things I look for when hunting for a customer, remotely or on-site. Understand that incident response and threat hunting can be integrated.
A central logging place, such as a SIEM, collecting logs from the various network devices.
Traffic violating the customer's security policies and standards.
Traffic going to or coming from countries the customer does not do business with.
Access to, or execution of, executables and confidential files on hosts/servers – this can be done through acceptable-use monitoring.
Threat intelligence and/or threat feeds – open source and subscribed – matched against the logs.
Endpoint protection logs – especially the entries that were cleaned or quarantined; a cleaned detection still tells you the file reached the host. We need to understand how the endpoint/AV vendor identifies and logs these entries to get the broader picture of what tools or malware are being used against you.
Publicly available information about the customer – analyse how that information could be used to target them, and monitor those open doors.
Windows logs – privilege escalation, failed logon attempts, user accounts on the system, which user logged into which system, what services/processes are running; one can also keep a list of folders that should never contain executables or have services starting from them.
Proxy and/or DNS logs – suspicious packets and HTTP requests, large or repeatedly similar byte counts in and out (a hint of beaconing), and any traffic over clear-text protocols such as Telnet (port 23) or FTP (port 21). Look for specific keywords in the DNS logs, and check which DNS servers the requests are going to – you may find hosts talking to foreign resolvers instead of your own.
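The proxy and DNS items above are the ones that translate most directly into SIEM-style rules, so here is an added example (written for this page, not the author's SIEM content) that runs them over constructed log lines: it groups proxy connections per source/destination pair and flags flows whose bytes-out and inter-connection timing barely vary (the "similar number of bytes in and out" beaconing pattern), lists connections on clear-text ports, and scans DNS queries for an unapproved resolver, a keyword hit, or an over-long label that suggests tunnelling. The log formats, the approved resolver, the keyword list and the thresholds are assumptions; real SIEM fields will differ.

```python
import statistics
from collections import defaultdict
from datetime import datetime

APPROVED_RESOLVERS = {"10.0.0.53"}               # assumed: the customer's internal resolver
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet"}       # clear-text protocols that deserve a look
DNS_KEYWORDS = ("ngrok", "pastebin", "dyndns")    # assumed keyword list; tune per customer

# Constructed logs for this example, not from a real customer.
# Proxy/firewall fields: time src dst dport bytes_out bytes_in
PROXY_LOG = """\
2024-03-01T09:00:00 10.1.1.20 198.51.100.7 443 1024 512
2024-03-01T09:05:00 10.1.1.20 198.51.100.7 443 1026 510
2024-03-01T09:10:00 10.1.1.20 198.51.100.7 443 1024 515
2024-03-01T09:15:00 10.1.1.20 198.51.100.7 443 1025 509
2024-03-01T09:20:00 10.1.1.20 198.51.100.7 443 1024 511
2024-03-01T09:25:00 10.1.1.20 198.51.100.7 443 1024 513
2024-03-01T09:01:13 10.1.1.31 203.0.113.9 23 88 4410
2024-03-01T09:02:40 10.1.1.31 93.184.216.34 443 3200 91000
2024-03-01T09:03:02 10.1.1.31 93.184.216.34 443 740 12000
2024-03-01T09:07:55 10.1.1.31 93.184.216.34 443 15000 2200
2024-03-01T09:30:10 10.1.1.31 93.184.216.34 443 480 63000
2024-03-01T09:44:21 10.1.1.31 93.184.216.34 443 2100 7400
"""
# DNS fields: time src resolver qname
DNS_LOG = """\
2024-03-01T09:00:01 10.1.1.20 10.0.0.53 update.example.com
2024-03-01T09:00:05 10.1.1.45 8.8.8.8 www.example.org
2024-03-01T09:00:09 10.1.1.20 10.0.0.53 abc123.ngrok.io
2024-03-01T09:00:12 10.1.1.50 10.0.0.53 aGVsbG8gd29ybGQgdGhpcyBpcyBhIGxvbmcgbGFiZWw.tunnel.example.net
"""


def _cv(values):
    """Coefficient of variation; inf when the mean is zero so such a flow is never flagged."""
    mean = statistics.mean(values)
    return float("inf") if mean == 0 else statistics.pstdev(values) / mean


def find_beacons(log, min_hits=5, max_cv=0.1):
    """Flows with many connections whose bytes_out and timing barely vary."""
    flows = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst, dport, bytes_out, _ = line.split()
        flows[(src, dst, int(dport))].append((datetime.fromisoformat(ts), int(bytes_out)))
    hits = []
    for key, events in flows.items():
        if len(events) < min_hits:
            continue
        events.sort()
        sizes = [size for _, size in events]
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        if _cv(sizes) < max_cv and _cv(gaps) < max_cv:
            hits.append((key, len(events), round(statistics.mean(gaps))))
    return hits


def find_cleartext(log):
    """Connections to ports of protocols that carry credentials in the clear."""
    hits = []
    for line in log.splitlines():
        _, src, dst, dport, _, _ = line.split()
        if int(dport) in CLEARTEXT_PORTS:
            hits.append((src, dst, CLEARTEXT_PORTS[int(dport)]))
    return hits


def find_dns_anomalies(log, max_label=40):
    """Queries bypassing the internal resolver, hitting a keyword, or carrying very long labels."""
    hits = []
    for line in log.splitlines():
        _, src, resolver, qname = line.split()
        if resolver not in APPROVED_RESOLVERS:
            hits.append((src, "unapproved resolver", resolver))
        if any(k in qname.lower() for k in DNS_KEYWORDS):
            hits.append((src, "keyword", qname))
        if max(len(label) for label in qname.split(".")) > max_label:
            hits.append((src, "long label", qname))
    return hits


if __name__ == "__main__":
    for hit in find_beacons(PROXY_LOG) + find_cleartext(PROXY_LOG) + find_dns_anomalies(DNS_LOG):
        print(hit)
```

In the sample data only 10.1.1.20 is flagged as beaconing: six connections, five minutes apart, with payloads within a couple of bytes of each other. 10.1.1.31 talks to the same destination just as often, but with wildly varying sizes and timing, which is what normal browsing looks like and why a plain "most contacted destination" query would mislead you.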
To identify IOCs and/or malicious entities independently of any customer logs:
Randomly browsing websites across various top-level domains to identify suspicious/malicious redirections – the traffic is passed through an interface monitored by Snort. The Windows machine also runs Procmon with VirusTotal integration and, of course, Wireshark.
Analysing spam emails and running them through Security Onion to see if any alerts trigger. Extract the domains and IP addresses and use them in the SIEM.
Checking specific parameters in URLs/HTTP requests that can be used to exploit web applications – the IDPS may well trigger a rule for it, but there are instances where we do not get IDPS logs at all.
A honeypot to identify bad actors.
Lastly, lurking on private forums, IRC and the dark web – hell yeah.
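When the IDPS logs are missing, the web server's own access log is usually still there, and the parameter inspection mentioned above can be done against it directly. The following is an added example for this page, not the author's tooling: it parses constructed combined-format access-log lines, URL-decodes each query parameter (twice, so double-encoded payloads are not missed) and matches the values against coarse signatures for SQL injection, path traversal, cross-site scripting and command injection. The log lines and the signature set are assumptions for the demo; a real rule set needs tuning to the application in front of it.

```python
import re
from urllib.parse import parse_qsl, unquote, urlparse

# Constructed access-log lines (combined log format, not from a real server).
ACCESS_LOG = """\
203.0.113.10 - - [01/Mar/2024:09:00:01 +0000] "GET /products?id=42 HTTP/1.1" 200 5120
203.0.113.11 - - [01/Mar/2024:09:00:07 +0000] "GET /products?id=42%27%20OR%201%3D1-- HTTP/1.1" 200 88120
203.0.113.12 - - [01/Mar/2024:09:00:09 +0000] "GET /download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2100
203.0.113.13 - - [01/Mar/2024:09:00:15 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 3300
203.0.113.14 - - [01/Mar/2024:09:00:20 +0000] "GET /ping?host=127.0.0.1%3Bcat%20%2Fetc%2Fpasswd HTTP/1.1" 500 0
203.0.113.15 - - [01/Mar/2024:09:00:25 +0000] "GET /report?id=7&format=pdf HTTP/1.1" 200 9100
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Coarse signatures for the usual web-app attack classes; assumed for the demo, extend per application.
PATTERNS = {
    "sqli": re.compile(r"('\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select|;\s*drop\s)", re.I),
    "traversal": re.compile(r"(\.\./|\.\.\\|/etc/passwd|boot\.ini)", re.I),
    "xss": re.compile(r"(<script|javascript:|onerror\s*=)", re.I),
    "cmdi": re.compile(r"(;|\||`|\$\()\s*(cat|ls|id|whoami|wget|curl|nc|bash|sh)\b", re.I),
}


def decode(value, rounds=2):
    """Undo up to two layers of percent-encoding so double-encoded payloads are seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect(log):
    """Return (src, path, parameter, attack class) for every parameter value matching a signature."""
    findings = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, _ts, _method, target, _status, _size = m.groups()
        url = urlparse(target)
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            value = decode(value)
            for attack, rx in PATTERNS.items():
                if rx.search(value):
                    findings.append((src, url.path, name, attack))
    return findings


if __name__ == "__main__":
    for finding in inspect(ACCESS_LOG):
        print(finding)
```

Note the 200 response and the unusually large response size on the SQL injection line: a signature match plus a success status and a body far bigger than the normal page is the combination worth escalating, while the same payload answered with a 403 from a WAF is merely noise about who is scanning you.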