29,99 €
Mehr erfahren.
- Herausgeber: Packt Publishing
- Kategorie: Fachliteratur
- Sprache: Englisch
Effective threat investigation requires strong technical expertise, analytical skills, and a deep understanding of cyber threats and attacker techniques. It's a crucial skill for SOC analysts, enabling them to analyze different threats and identify security incident origins. This book provides insights into the most common cyber threats and various attacker techniques to help you hone your incident investigation skills.
The book begins by explaining phishing and email attack types and how to detect and investigate them, along with Microsoft log types such as Security, System, PowerShell, and their events. Next, you’ll learn how to detect and investigate attackers' techniques and malicious activities within Windows environments. As you make progress, you’ll find out how to analyze the firewalls, flows, and proxy logs, as well as detect and investigate cyber threats using various security solution alerts, including EDR, IPS, and IDS. You’ll also explore popular threat intelligence platforms such as VirusTotal, AbuseIPDB, and X-Force for investigating cyber threats and successfully build your own sandbox environment for effective malware analysis.
By the end of this book, you’ll have learned how to analyze popular systems and security appliance logs that exist in any environment and explore various attackers' techniques to detect and investigate them with ease.
Das E-Book können Sie in Legimi-Apps oder einer beliebigen App lesen, die das folgende Format unterstützen:
Seitenzahl: 392
Veröffentlichungsjahr: 2023
Ähnliche
Effective Threat Investigation for SOC Analysts
The ultimate guide to examining various threats and attacker techniques using security logs
Mostafa Yahia
BIRMINGHAM—MUMBAI
Effective Threat Investigation for SOC Analysts
Copyright © 2023 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Group Product Manager: Pavan Ramchandani
Publishing Product Manager: Prachi Sawant
Senior Editor: Divya Vijayan
Technical Editor: Rajat Sharma
Copy Editor: Safis Editing
Project Coordinator: Ashwin Kharwa
Proofreader: Safis Editing
Indexer: Tejal Daruwale Soni
Production Designer: Nilesh Mohite
Marketing Coordinator: Marylou De Mello
First published: August 2023
Production reference: 1270723
Published by Packt Publishing Ltd.
Grosvenor House
11 St Paul’s Square
Birmingham
B3 1RB, UK.
ISBN 978-1-83763-478-1
www.packtpub.com
To my beloved wife, Menna, I am deeply grateful for her unwavering support, her infinite patience and understanding, and her selfless sacrifices in cutting from her precious time to allow me to pursue this endeavor. And to my wonderful sons, Omar and Oday, I am forever thankful for the positive energy and boundless love they bring into my life, which has been a constant source of inspiration and motivation throughout this journey.
– Mostafa Yahia
Contributors
About the author
Mostafa Yahia is a skilled and motivated threat investigator and hunter with a wealth of experience investigating and hunting down various cyber threats. He is a proven leader in building and leading cybersecurity-managed services such as SOC and threat-hunting services. Mostafa holds a bachelor’s degree in computer science, which he earned in 2016, and has furthered his education by earning multiple industry-recognized certifications, including GCFA, GCIH, CCNA, and IBM QRadar. In addition to his professional work, Mostafa also shares his knowledge through free courses and lessons on his YouTube channel. Currently, he serves as the senior lead for cyber defence services in an MSSP company, overseeing SOC, TH, DFIR, and CA services.
I want to express my deepest gratitude to my mentors and to the remarkable people who have been by my side and provided unwavering support throughout my journey, with a special mention to my father, mother, and my beloved wife, Menna. Her encouragement, support and unwavering dedication have been a constant source of inspiration and motivation to me, and for that, I am forever grateful.
About the reviewers
Mohammed El-Haddad is a seasoned cybersecurity professional with over a decade of experience in both cybersecurity and information technology. He possesses more than seven years of pure experience in cybersecurity operations center operations, management, incident response, and threat intelligence. He is a results-driven leader who has successfully led and managed cross-functional teams of security professionals, ensuring the protection of critical assets and continuous improvement of security postures. Currently, he’s employed by Export Development Bank of Egypt (EBank) as a full-time CSOC manager.
I’d like to thank my family, mentors, managers, and colleagues for their support, guidance, and belief in me. I would also like to extend a special thanks to my father, mother, and beloved wife for their boundless love, unwavering support, and selfless sacrifices that have shaped my path in immeasurable ways, and I am forever thankful.
Muhibullah Mohammed is a seasoned digital forensics and incident response consultant specializing in cybercrime investigations, data breaches, and network intrusions. With a BSc in information technology and communication, he initially worked as a SOC analyst before advancing his skills through additional training and certifications in evidence collection, data analysis, and malware analysis. As a highly proficient DFIR consultant, Muhibullah excels in uncovering digital evidence and providing expert testimony, reflecting his commitment to excellence and continuous learning in the cybersecurity field.
I would like to express my heartfelt appreciation to my family and friends for their understanding of the dedication and effort required to research and test ever-changing data in my field of work. Their unwavering support is invaluable in my journey as a professional in the cybersecurity field.
Bhuvanesh Prabhakaran has over 11 years of experience in cybersecurity, including 8 years specifically in enterprise-level threat hunting. He has conducted various incident response investigations and enterprise-level IR war calls and served as a principal consultant for brand monitoring. He has completed the SANS 599 Purple Team certification and has been more active in his role as Blue Team lead. He specializes in SIEM content engineering and has a track record of creating thousands of real-time use cases. He also provides technical security training to corporate employees. He was the primary advisor in developing a network defense strategy against advanced persistent threats and plans for defeating advanced adversaries.
I’d like to thank my family and friends for understanding how much time and effort goes into research. Thank you to all of the trailblazers who make this industry a fun place to work every day. We appreciate everything you do!
Table of Contents
Preface
Part 1: Email Investigation Techniques
1
Investigating Email Threats
Top infection vectors
Why do attackers prefer phishing emails to gain initial access?
Email threat types
Spearphishing attachments
Spearphishing Link
Blackmail email
Business Email Compromise (BEC)
Attacker techniques to evade email security detection
Social engineering techniques to trick the victim
The anatomy of secure email gateway logs
Investigating suspicious emails
Investigating the email sender domain and SMTP server reputation
Spoofing validation
Email sender behavior
Email subject and attached filename
Investigating suspicious email content
Summary
2
Email Flow and Header Analysis
Email flow
Email header analysis
Email message content and metadata
Email X-headers
The header that was added by the hop servers
Email authentication
Investigating the email header of a spoofed message
Summary
Part 2: Investigating Windows Threats by Using Event Logs
3
Introduction to Windows Event Logs
Windows event types
Security event log types
System event log types
Application event log types
Other event log types
Windows event log analysis tools
The investigative approach for this part of the book
HELK installation
Summary
4
Tracking Accounts Login and Management
Account login tracking
Windows accounts
Tracking successful logins
Tracking successful administrator logins
Tracking logon sessions
Tracking failed logins
Login validation events
Login validation Event IDs (NTLM protocol)
Login validation Event IDs (Kerberos protocol)
Account and group management tracking
Tracking account creation, deletion, and change activities
Tracking creation and account adding to security groups
Summary
5
Investigating Suspicious Process Execution Using Windows Event Logs
Introduction to Windows processes
Windows process types
Common standard Windows processes
Windows Process Tracking events
Creator Subject
Target Subject
Process Information
Investigating suspicious process executions
Hiding in plain sight
Living Off The Land (LOTL)
Suspicious parent-child process relationships
Suspicious process paths
Summary
6
Investigating PowerShell Event Logs
Introducing PowerShell
Why do attackers prefer PowerShell?
PowerShell usage in different attack phases
PowerShell execution tracking events
Investigating PowerShell attacks
Fileless PowerShell malware
Suspicious PowerShell commands and cmdlets
Summary
7
Investigating Persistence and Lateral Movement Using Windows Event Logs
Understanding and investigating persistence techniques
Registry run keys
Windows scheduled tasks
Windows services
WMI event subscription
Understanding and investigating lateral movement techniques
Remote Desktop connection
Windows admin shares
PsExec – a Sysinternals tool
PowerShell remoting
Summary
Part 3: Investigating Network Threats by Using Firewall and Proxy Logs
8
Network Firewall Logs Analysis
Firewall logs value
Firewall logs anatomy
Log Timestamp
Source IP
Source Port
Destination IP
Destination Port
Source Interface Zone
Destination Interface Zone
Device Action
Sent Bytes
Received Bytes
Sent Packets
Received Packets
Source Geolocation country
Destination Geolocation country
Summary
9
Investigating Cyber Threats by Using the Firewall Logs
Investigating reconnaissance attacks
Public-facing IPs and port scanning
Internal network service discovery
Investigating lateral movement attacks
Remote desktop application (RDP)
Windows admin shares
PowerShell Remoting
Investigating C&C and exfiltration attacks
Investigating suspicious traffic to external IPs
Investigating DNS tunneling
Investigating data exfiltration
Investigating DoS attacks
Summary
10
Web Proxy Logs Analysis
Understanding the value of proxy logs
The significance of proxy log investigation
The anatomy of proxy logs
The source IP (src)
The source port (srcport)
The destination IP (dst)
The destination port (dstport)
The username (username)
The log timestamp (devicetime)
The device action (s-action)
The response status code (sc-status)
The HTTP method (cs-method)
The received bytes from the server by the client (sc-bytes)
The sent bytes from the client to the server (cs-bytes)
The web domain (cs-host)
The MIME type (Content-Type)
The user agent (cs(User-Agent))
The referrer URL (cs(Referer))
The website category (filter-category)
The accessed URL (cs-uri)
Summary
11
Investigating Suspicious Outbound Communications (C&C Communications) by Using Proxy Logs
Suspicious outbound communications alerts
Investigating suspicious outbound communications (C&C communications)
Investigating the web domain reputation
Investigating suspicious target web domain names
Investigating the requested web resources
Investigating the referrer URL
Investigating the communications user agent
Investigating the communications' destination port
Investigating the received and sent bytes, the HTTP method, and the Content-Type
Investigating command and control techniques
Summary
Part 4: Investigating Other Threats and Leveraging External Sources to Investigate Cyber Threats
12
Investigating External Threats
Investigating web attacks
The command injection vulnerability
The SQL injection vulnerability
Path traversal vulnerability
XSS vulnerability
Investigating WAF logs
Investigating suspicious external access to the remote services
Investigating unauthorized VPN and RDP access
Investigating compromised mailboxes
Investigating suspicious authentications to web services
Summary
13
Investigating Network Flows and Security Solutions Alerts
Investigating network flows
Investigating IPS/IDS alerts
Investigating endpoint security solutions alerts
Investigating AV alerts
Investigating EDR alerts
Investigating network sandbox and AV alerts
Summary
14
Threat Intelligence in a SOC Analyst’s Day
Introduction to threat intelligence
Strategic level
Operational level
Tactical level
The role of threat intelligence in SOCs
Investigating threats using VirusTotal
Investigating suspicious files
Investigating suspicious domains and URLs
Investigating suspicious outbound IPs
Investigating threats using IBM X-Force Exchange
Investigating suspicious domains
Investigating suspicious IPs
Investigating the file hash
Investigating suspicious inbound IPs using AbuseIPDB
Investigating threats using Google
Summary
15
Malware Sandboxing – Building a Malware Sandbox
Introducing the sandbox technology
Sandbox types
Sandbox installation requirements
Required tools for analysis
Static analysis tools
Dynamic analysis tools
Preparing the guest VM
Guest preparation steps
Tips to evade the sandbox’s detection
Analysis tools in action
Static analysis phase
Dynamic analysis phase
Hands-on demo lab
Scanning the file using YARA
Conducting static analysis
Conducting dynamic analysis
Analyzing the outputs
Summary
Index
Other Books You May Enjoy
Preface
As we continue to rely more on technology, we are exposed to cyber threats that pose a significant risk to our security and privacy. In recent years, cyber-attacks have become increasingly sophisticated, making it more difficult for security professionals to identify and investigate them. This is particularly true for Security Operations Center (SOC) analysts who are responsible for detecting and responding to cyber threats.
Effective Threat Investigation for SOC Analysts is a comprehensive guide to help SOC analysts understand the techniques used by threat actors to achieve their objectives, including initial access, execution, persistence, lateral movement, Command and Control (C&C), and exfiltration. This book also explains how to detect and investigate cyber threats by analyzing most of the possible solutions and system logs that you may receive in your organization’s Security Information and Event Management (SIEM) solution, including email security logs, Windows event logs, proxy logs, firewall logs, security solution alerts, Web Application Firewall (WAF) logs, and more. By using this book, SOC analysts can gain the knowledge and skills they need to be better prepared to detect and investigate cyber threats in their organizations.
The book covers a range of topics, starting with an in-depth analysis of email-based cyber threats and the importance of email header analysis. It also delves into the specifics of Windows account login and management tracking, the investigation of suspicious Windows process executions, PowerShell attacks, and persistence and lateral movement techniques in the Windows environment by analyzing the various Windows logs.
The book provides valuable insights into how to detect and investigate security incidents using firewall logs, proxy logs, and analyzing suspicious outbound communications, including C&C communications. It also covers the importance of WAF and application logs in detecting and investigating external threats, including various types of web attacks and suspicious external access to remote services.
In addition, the book guides SOC analysts in detecting and investigating cyber threats using network flows, Intrusion Prevention Systems (IPS)/Intrusion Detection Systems (IDS) alerts, network antivirus, and sandbox alerts; also, it teaches the SOC analyst how to investigate Endpoint Detection and Response (EDR) and antivirus alerts. The book provides an overview of threat intelligence and its importance in investigating cyber threats. It covers several tools and platforms for investigating threats, including VirusTotal, IBM-XForce, AbuseIPDB, and Google.
Finally, the book provides a comprehensive practical guide for SOC analysts on building a malware sandbox environment to investigate suspicious files using static and dynamic malware analysis techniques.
We hope this book will be a valuable resource for SOC analysts and security professionals who are committed to protecting our digital world.
Who this book is for
This book is written for SOC analysts, incident responders, incident handlers, cybersecurity analysts, cybersecurity professionals, and anyone interested in investigating cyber threats. You should have a basic understanding of cybersecurity concepts, IT infrastructure, and network protocols.
What this book covers
Chapter 1, Investigating Email Threats, provides an in-depth analysis of email-based cyber threats and the techniques used by threat actors to gain initial access. This chapter provides a comprehensive overview of the anatomy of secure email gateway logs and how to use them to investigate suspicious emails.
Chapter 2, Email Flow and Header Analysis, provides an in-depth analysis of email flow and the importance of email header analysis for investigating email-based cyber threats. It then explores the different email authentication techniques, such as SPF, DKIM, and DMARC, and the investigation of email headers of spoofed messages.
Chapter 3, Introduction to Windows Event Logs, discusses the different types of Windows event logs. It then provides an overview of the various tools and techniques that SOC analysts can use to analyze Windows event logs effectively.
Chapter 4, Tracking Accounts Login and Management, explores the critical role of account and login event tracking in detecting and investigating security incidents. It then delves into the specifics of account and group management tracking and the types of events that should be monitored for security purposes.
Chapter 5, Investigating Suspicious Process Execution Using Windows Event Logs, provides a comprehensive overview of Windows processes and different types of processes, and a solid understanding of how to investigate suspicious process executions by using the Windows event logs.
Chapter 6, Investigating PowerShell Event Logs, provides an overview of PowerShell, and how it could be used by attackers to carry out malicious activity on a system. It then delves into the specifics of PowerShell execution tracking events and how they can be used to identify suspicious activity.
Chapter 7, Investigating Persistence and Lateral Movement Using Windows Event Logs, explores attackers’ persistence and lateral movement techniques to maintain access to a compromised system and move laterally across a network and explains how these techniques can be detected and investigated using Windows event logs.
Chapter 8, Network Firewall Logs Analysis, delves into the anatomy of firewall logs and provides a solid understanding of their structure and how to effectively use them to detect and investigate security incidents.
Chapter 9, Investigating Cyber Threats by Using Firewall Logs, covers how to use firewall logs for detecting and investigating security incidents, including four major types of attacks: reconnaissance, lateral movement, C&C, and Denial of Service (DoS).
Chapter 10, Web Proxy Log Analysis, delves into the value of proxy logs in detecting and investigating security incidents. It provides an overview of the anatomy of proxy logs and the various types of information provided in them.
Chapter 11, Investigating Suspicious Outbound Communications (C&C Communications) by Using Proxy Logs, focuses on the key attributes and techniques of suspicious outbound communications, including C&C communications, and provides valuable insights into investigating such activities by analyzing web proxy logs.
Chapter 12, Investigating External Threats, provides insights into various types of web attacks and suspicious external access to remote services. It also covers WAF and application logs and their value in detecting and investigating such attacks.
Chapter 13, Investigating Network Flows and Security Solutions Alerts, guides SOC analysts in investigating cyber threats using network flows, IPS/IDS alerts, network antivirus, and sandbox alerts. Furthermore, the chapter explores the techniques to investigate alerts generated by EDR and antivirus solutions.
Chapter 14, Threat Intelligence in an SOC Analyst’s Day, provides an overview of threat intelligence and its importance in investigating cyber threats. It also covers several tools and platforms for investigating threats, including VirusTotal, IBM-XForce, AbuseIPDB, and Google.
Chapter 15, Malware Sandboxing – Building a Malware Sandbox, provides a comprehensive practical guide for SOC analysts on developing an on-premises sandbox environment to investigate suspicious files using static and dynamic malware analysis techniques. It covers the required tools for analysis, the preparation of guest VMs, various analysis tools in action, and a demo lab for better understanding.
To get the most out of this book
It is essential to have an operating system installed with VMware, which should include both Windows and Ubuntu 18.04 VMs, as well as a reliable internet connection to test external sources and download the necessary tools for each chapter.
Software/hardware covered in the book
Operating system requirements
VMware
Windows, macOS, or Linux
Microsoft Event Viewer
Ubuntu 18.04
Event Log Explorer
PSLoglist
SIEM
HELK
Tasklist
Task Manager
Process Hacker
PowerShell
PsExec
Registry Editor
Reg.exe
schtasks.exe
sc.exe
NET Utility
YARA
PEStudio
EXEinfo
FakeNet
Process Monitor (ProcMon)
ProcDot
RegShot
Autoruns
Conventions used
There are a number of text conventions used throughout this book.
Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: “In this case, the user executed a malicious Microsoft Word document named RS4_WinATP-Intro-Invoice(9).dotm, which spawned the PowerShell.exe process to download the stage two malware file named Win-ATP-Intro-Backdoor.exe.”
A block of code is set as follows:
A new process has been created.Creator Subject: Security ID: S-1-5-21-2431329721-3629005211-3263396425-1105 Account Name: mostafa.yahia Account Domain: soc Logon ID: 0x89553DWhen we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:
SELECT username,password FROM users WHERE username='' or 1=1; --' and password='';Any command-line input or output is written as follows:
SELECT username,password FROM users WHERE username='Mostafa' and password='123456';
Bold: Indicates a new term, an important word, or words that you see onscreen. For instance, words in menus or dialog boxes appear in bold. Here is an example: “The second section is the Object section, which consists of the Object Server field and is always Security.”
Tips or important notes
Appear like this.
Disclaimer
The information within this book is intended to be used only in an ethical manner. Do not use any information from the book if you do not have written permission from the owner of the equipment. If you perform illegal actions, you are likely to be arrested and prosecuted to the full extent of the law. Packt Publishing does not take any responsibility if you misuse any of the information contained within the book. The information herein must only be used while testing environments with properly written authorizations from the appropriate persons responsible.
Get in touch
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.
Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Share Your Thoughts
Once you’ve read Effective Threat Investigation for SOC Analysts, we’d love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.
Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.
Download a free PDF copy of this book
Thanks for purchasing this book!
Do you like to read on the go but are unable to carry your print books everywhere? Is your eBook purchase not compatible with the device of your choice?
Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.
Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application.
The perks don’t stop there, you can get exclusive access to discounts, newsletters, and great free content in your inbox daily
Follow these simple steps to get the benefits:
Scan the QR code or visit the link belowhttps://packt.link/free-ebook/9781837634781
Submit your proof of purchaseThat’s it! We’ll send your free PDF and other benefits to your email directlyPart 1: Email Investigation Techniques
Email has become one of the most critical communication channels in today's digital world, enabling individuals and organizations to exchange information quickly and easily. However, this convenience has also made email a prime target for cybercriminals seeking to steal sensitive data or gain unauthorized access to corporate networks. In this part of the book, we will explore the various email-based cyber threats that Security Operations Center (SOC) analysts may encounter, such as phishing and spoofing. We will also cover the essential skills and techniques that SOC analysts must have to investigate and analyze email-based cyber threats effectively. The chapters in this part will provide a comprehensive overview of email threat types, attackers’ techniques to evade email security detection, attackers’ social engineering techniques to trick a victim, the anatomy of secure email gateway logs, email flow, email header analysis, email authentication, and techniques to investigate suspicious emails. By the end of this part, you will have the knowledge and skills you need to investigate and respond to email-based cyber threats effectively.
This part has the following chapters:
Chapter 1, Investigating Email ThreatsChapter 2, Email Flow and Header Analysis1
Investigating Email Threats
Email threats are among the most common types of attacks encountered by Security Operations Center (SOC) analysts, and they often occur multiple times during a working shift. Moreover, malicious emails are often the first step in an attacker’s attempt to gain access to a target environment. Given the increase in these types of threats, SOC analysts and cyber investigators must understand attackers’ techniques to initiate attacks via email and how to investigate and respond to email threats.
The objective of this chapter is to learn why attackers prefer phishing emails to gain initial access, the most common email threats, the most common techniques by attackers to evade detection and trick the victim, how to analyze email secure gateway logs, and how to investigate suspicious emails.
In this chapter, we will cover the following main topics:
Top infection vectorsWhy attackers prefer phishing emails to gain initial accessEmail threat typesAttackers’ techniques to evade email security detectionSocial engineering techniques to trick the victimThe anatomy of secure email gateway logsInvestigating suspicious emailsLet’s get started!
Top infection vectors
In the cyberattack chain, once an attacker has conducted reconnaissance against the target victim’s environment and infrastructure, and prepared the necessary weapons and equipment, the next step is to determine their preferred method and technique to gain initial access to the victim’s environment. Attackers have several techniques at their disposal to gain initial access, including sending phishing emails, exploiting public-facing applications, luring users to visit a compromised website through drive-by compromise, and stealing valid remote credentials such as a VPN or RDP. Understanding the various techniques attackers use to gain initial access is crucial for security professionals to identify and prevent attacks before they can cause damage.
As per the IBM Security X-Force report, 41% of the attackers prefer phishing techniques to gain initial access to the victim’s environment, either by sending a weaponized document or a malicious link to the target victims (see Figure 1.1).
Figure 1.1 – The top infection vectors from the IBM Security X-Force Threat Intelligence Index 2022
Let us explain why most attackers prefer to gain initial access by using phishing mechanisms.
Why do attackers prefer phishing emails to gain initial access?
A phishing email is a type of social engineering attack where an attacker tricks target victims into opening a malicious file or link or providing personal or confidential information, such as passwords and credit card numbers, through fraudulent emails. The reason why phishing is a preferred and successful way for attackers to gain initial access to the victim’s environment is due to several factors, including the following:
It is easy during the reconnaissance phase to acquire a list of target victim users’ email addresses.The reconnaissance phase is the first step taken by intruders to breach a target environment. This phase can last for hours, days, weeks, or even months. During this phase, attackers collect information about the target victim, including their email addresses, which can be used to deliver a weaponized document or link. Attackers can collect email addresses in several ways, such as through job postings, social media platforms such as LinkedIn, third-party subscriptions, data leaks on the dark web, Wayback Machine archives such as Archive.org, or data collection from marketing platforms such as ZoomInfo.com.
It is not hard to prepare a weaponized attachment or link.It is relatively easy for an attacker to upload malware to legitimate cloud platforms and then share the download link with the victim through email. They can also weaponize a document through Visual Basic for Applications (VBA) macros or send the malware executable itself in a compressed format, all of which can be sent to the victim via email.
Many users lack security awareness.Attackers exploit the fact that many users may be vulnerable to social engineering attacks, and a majority of them may not have received proper security awareness training to recognize and respond to these threats.
Now that you understand why most attackers choose phishing emails as a way to achieve their goals, such as gaining initial access to the victim’s environment, let us discuss the various email threat types.
Email threat types
Email threats are every threat your environment faces when deciding to use an email service. They are not limited to phishing emails only; some attackers also use email for blackmailing, information leakage, data exfiltration, and lateral movement. In this section, we will focus on email threats that originate from external sources and discuss in detail four common types of email threats that organizations face:
Spearphishing attachmentsSpearphishing linksBlackmail emailsBusiness Email CompromiseSpearphishing attachments
A spearphishing attachment involves adversaries sending phishing emails to target victims with malicious attachments, either to gain initial access to their systems or harvest their credentials. After defining a list of the victims’ email addresses and preparing the weaponized attachment, the attacker become ready to send the email to the victim with one click. However, the question remains, which weaponized attachment will an attacker choose? Let us discuss the most common weaponized attachment types used by threat actors.
Note
Phishing and spearphishing are both types of email attacks that aim to steal sensitive information or compromise a target’s computer system. While both methods have the same ultimate goal, the primary difference between the two is the level of targeting involved. Phishing emails are mass email attacks that are sent to a randomly large number of people. In contrast, spearphishing emails are much more targeted and personalized. They are specifically crafted to target a particular individual or group of individuals, such as employees of a particular company or members of a specific organization.
Phishing attachment types
When you hear the term phishing attachment, you may think about just one or two types of attachments, but due to the different preferred attacker methods, target victims’ infrastructure and business, and attacker goals, there are variants of the malicious attachment types that attackers email to their target victims. The following are the five most common examples of phishing attachment types:
Malicious Microsoft Office documents: Attackers often use a weaponized Microsoft document with VBA macros, such as Excel, Word, or PowerPoint documents, and send it to the target victim to trick them into opening it, thereby gaining initial access to their machine. This type of attachment is the most commonly used in spearphishing attacks because almost all enterprises use Microsoft documents in their day-to-day work. Additionally, it is easy for attackers to develop a weaponized Microsoft document. Weaponized Microsoft documents provide unlimited features to attackers, and also, they can exploit known vulnerabilities that affect Office apps.Malicious PDF files: Attackers can also use a decoy PDF file that contains malicious code to exploit PDF reader vulnerabilities and gain initial access to the victim’s system, or harvest their credentials. PDF files are a popular choice for attackers because it allows them to easily embed malicious JavaScript code, and the inclusion of links, images, and fonts can make a file appear legitimate and increase the likelihood that the victim will interact with it. This type of attack is often used in spearphishing campaigns, where the attacker targets a specific individual within an organization with a highly personalized email that contains a malicious PDF attachment.Compressed files (.rar, .7z, zip, etc.): An attacker may send a compressed file containing executable malware to the victim, tricking them into extracting it and executing the executable file.ISO images: Recently, we observed a notable increase in the use of .iso files to deliver malware to target recipients. Attackers depend on ISO image files because they are like disc images; hence, they can be used to bypass file filters and evade antivirus detection.HTML files: An attacker may send an HTML phishing attachment that impersonates familiar login pages, such as the Microsoft login page, the DHL login page, or a bank login page, to harvest the victim’s credentials (see Figure 1.2).Figure 1.2 – An HTML phishing attachment impersonating a Microsoft login page
As you can see, an attacker developed an HTML phishing file impersonating the Microsoft login page to trick the victim into entering their credentials.
Spearphishing Link
A spearphishing link involves adversaries sending spearphishing emails to target victims with a malicious link, to either harvest their credentials or trick them into downloading malware and executing it on their machine, thus gaining initial access to their systems. As with all email threats, after defining a list of the victim’s email addresses and preparing the phishing link, the attacker is ready to send an email to the victim. But what is the attacker’s purpose in sending the spearphishing link to the victims? Let us discuss the two most common types of phishing links used by attackers.
Phishing link types
As we mentioned before, every adversary has different intentions. Some of them just want to harvest a victim’s credentials, while others want to gain an initial foothold in the victim’s system. As with spearphishing attachments, there are variants of malicious link types that attackers use to mail to target victims. The following are two common examples of phishing link types:
A phishing link to harvest credentials: One of the forms of a credential harvesting attack is when the attackers send a phishing email armed with links to bogus websites to trick a user into entering their credentials. To host their phishing page, an attacker may use their own domains or abuse legitimate web applications hosting domains, such as appspot.com and web.app domains, as we will see later in the Attacker techniques to evade email security detection section. In 2014, an American multinational financial services company fell victim to a cyberattack. The attack started when attackers sent phishing emails to employees that contained a link to a fake website resembling the company’s VPN login page. The employees were tricked into entering their login credentials, which were then harvested by the attackers. With access to the company’s network, the attackers were able to steal data on more than 76 million households and 7 million small businesses.A phishing link to download malware: An attacker may host the malware on their web server or well-known legitimate cloud file hosting services, such as MEGA, OneDrive, or Dropbox, and then share the file sharing link with their victim over email and try to trick them into downloading and executing the malicious executable. In 2017, a global law firm fell victim to a massive cyberattack that used a phishing email to deliver malware. The attack started when an employee received an email that appeared to be from a client, with a subject line referencing a real estate matter. The email contained a link that the employee clicked on, which then downloaded malware onto the firm’s network. The malware quickly spread throughout the firm’s global network, infecting systems and encrypting files. The attackers demanded a ransom payment in exchange for the decryption key. The attack caused significant disruption to the firm’s operations, and it took several weeks to fully recover.Blackmail email
A blackmail email, also known as a “sextortion” email, is a term used to describe an email scam where an attacker claims to have compromised the victim’s machine and exfiltrated sensitive data, including sexual content and pictures to the attacker’s server. The attacker then demands payment in bitcoin and threatens to publish the data on the internet if the victim does not comply. In order to convince the victim that they have indeed been compromised, attackers typically employ one of two methods, which we will discuss in the next section. This type of email scam is particularly effective as it preys on people’s fear of having their private information exposed, and the use of cryptocurrency makes it difficult to trace the attacker.
Methods to prove infections
Proving a data breach to the victim may seem simple if the attacker has acquired actual sensitive data, such as sexual content, pictures, or confidential files. However, in many cases, attackers may not have accessed valuable data or compromised the victim’s machine at all and simply attempt to scam the victim. There are two common methods that attackers use to convince victims that a data breach has occurred:
Screenshots of the breached data or from the victim’s machine: The blackmailer may compromise the victim’s data by either deploying malware on their machine, such as Infostealer malware, or by purchasing the victim’s data from data leakage stores on the dark web. In both cases, the attacker usually obtains screenshots of the breached data or the victim’s machine desktop and folders to prove the breach to the victim.Spoofing the target victim’s email address: In many cases, the blackmailer is simply a scammer and never had access to either the victim’s machine or data. In such situations, the blackmailer uses the email spoofing technique to trick the victim into thinking that his machine has been compromised by the blackmailer. The email spoofing technique is a technique used in email attacks to trick recipients into thinking that a message came from a mail sender other than the actual sender. In the case of blackmail, the attacker usually spoofs the victim’s email address itself to send the blackmail email to the victim to trick them into thinking that they are compromised, and the attacker used their email address to send him this blackmail email to prove the breach (see Figure 1.3).The email spoofing technique will be covered in detail in the next chapter, Email Flow and Header Analysis.
Figure 1.3 – A spoofed blackmail email (Malwarebytes)
As you see in the preceding screenshot from the Malwarebytes website, the attacker in this scenario used the email spoofing technique to spoof the victim’s email address to send a blackmail message to the victim, claiming that the victim’s data has been compromised and that the attacker possesses sexual content, which they will release to the victim’s contacts if the victim does not transfer 1,000 USD to the attacker’s bitcoin wallet.
Business Email Compromise (BEC)
Business Email Compromise (BEC) is a type of email scam where the attacker targets a specific individual within a company who has access to financial information, such as an executive or a finance employee, and tricks them into making a fraudulent financial transaction or wire transfer. BEC attacks often involve the email thread hijacking technique, which we will discuss in the Social engineering techniques to trick the victim section, or spoofing the email address of a trusted partner or company executive to convince the victim to transfer money or sensitive information to the attacker’s account.
BEC attacks are one of the most trending and result in significant financial losses for organizations, making them a growing concern in the cybersecurity community.
In 2018, the US Department of Justice reported that a Nigerian cybercriminal group called Gold Galleon had used the email thread hijacking technique in BEC attacks against maritime shipping companies. The group would first gain access to an employee’s email account through spearphishing or other means. Once they had access, they would search the employee’s emails for ongoing conversations related to cargo shipments and then use the email thread hijacking technique to intercept and take over the thread. Using this technique, the attackers could impersonate the legitimate email sender and request that payment for the cargo shipment be redirected to a new bank account. Since the email appeared to be part of an ongoing conversation, the victim would often not suspect anything was wrong and would comply with the request, resulting in significant financial losses for the targeted companies.
In one case, the Gold Galleon group was able to steal over $1 million from a shipping company using this technique. The group is believed to have targeted over 100 maritime shipping companies in the United States, Europe, and Asia, with losses totaling tens of millions of dollars.
Now that you are familiar with the most four common email threat types, let us see the attacker techniques to bypass email security solutions deployed in the victim’s environment, as well as the attacker techniques to evade email security detection.
Attacker techniques to evade email security detection
As cyber defense and security controls have become increasingly advanced, attackers have become more creative in their techniques to evade detection by email security solutions. Many critical organizations have now deployed such solutions to check every email sent from external senders to internal recipients, and they have skilled SOCs and threat-hunting teams to detect and respond to threats. In this section, we will explore some of the techniques that attackers use to bypass email security solutions and carry out successful attacks:
Using newly created domains to send a malicious email: Modern email security solutions are fortified with threat intelligence feeds, which include an updated list of sender domains with a bad reputation resulting from their malicious use in previous phishing campaigns. To evade detection by email security solutions that block malicious emails due to sender domain reputation, attackers often create new domains that have not been used previously in any malicious activities.Using non-blacklisted SMTP servers: Like malicious sender domain feeds, a secure email gateway can be enriched with threat intelligence feeds of the known malicious Simple Mail Transfer Protocol (SMTP) server IPs that are usually used during phishing campaigns, which are blocked. To avoid their malicious emails being blocked by email security solutions due to the bad reputation of the SMTP server IPs, attackers tend to use non-blacklisted IP addresses.Sandbox analysis evasion: Email gateway security appliances have significantly improved over time and now include sandbox technology that can analyze every attachment sent from external email senders to internal employees. We will deep dive into sandboxing later in the book, but for now, it is worth knowing that sandbox technology is a vital tool, used by cybersecurity analysts and solutions to analyze the behavior of files and executables before running them in a real environment, ensuring that they are not harmful. However, attackers are well aware of this technology and use various techniques to evade sandbox detection efforts, such as the following:Malware sleep: To evade detection from sandbox analysis, an attacker can take precautions by, for example, incorporating a sleep time of up to three minutes in their malware code after execution, thereby delaying the start of any malicious activity until after the sandbox analysis has been completed and avoiding detection by the sandbox’s real-time monitoring.Encrypted file: An attacker can employ a technique of sending a malware file to the victim in the form of a compressed folder or document file, encrypted with a password, which is then shared with the victim via the email body for decryption. Since submitting an attachment file to a sandbox by an email gateway is not an interactive submission process, the password cannot be provided to the sandbox during file analysis to decrypt and analyze the file. Therefore, the sandbox fails to analyze the attachment, allowing it to pass through to the victim’s mailbox undetected.Sandbox discovery: After the malware is executed, it may check for the presence of a virtual machine environment, search for any malware analysis tools, and detect abnormal user activity to determine whether it is running in a sandbox environment. If the malware detects any signs of sandbox technology, it may alter its intended actions, stop running, go into sleep mode, or take other evasive actions to avoid detection by the sandbox.Responding to specific requests: Another technique used by sophisticated attackers in targeted attacks to evade analysis is to respond only to requests sent from the victim environment’s IP addresses, collected during the reconnaissance phase.Trusted domains hosting phishing pages: In 2019, cybersecurity researchers detected phishing subdomains and pages hosted on trusted cloud application hosting domains, including appspot.com and web.app domains. Attackers were able to abuse these domains by hosting malicious subdomains that contained phishing login pages targeting well-known brands, such as Microsoft Outlook and Dropbox. Due to being hosted on legitimate web servers, these phishing URLs were not categorized as malicious domains in threat intelligence platforms, which made them difficult to block with email gateway security solutions. However, email gateway security solutions that received threat intelligence feeds that included specific phishing subdomains/hostnames could block the phishing attempts (see Figure 1.4).Figure 1.4 – A phishing subdomain targeting Outlook hosted in a web.app domain
As you can see, an attacker developed an HTML phishing file impersonating the Microsoft Outlook login page and hosted it on a subdomain of the web.app domain.
Now that you are familiar with most attackers’ techniques to bypass the email security solutions deployed on a victim environment, let us see some attacker techniques to trick the victim into listing their email as a trusted email and interacting with its contents.
Social engineering techniques to trick the victim
Now, after bypassing the email security controls, an attacker will trick the victim into listing their email as a trusted email and interacting with its content, such as executing attachments or browsing URLs. To trick the victim into interacting with the attacker’s email as a trusted mail, the attacker conducts some social engineering techniques. Social engineering is when an attacker accomplishes malicious activities by tricking the victim into performing human interactions – for example, executing malware, entering credentials into phishing URLs, spreading malware by sending it to their colleagues, and providing sensitive information. There are several techniques used by attackers to conduct successful social engineering attacks, as listed here in detail:
Email spoofing: As discussed previously, email spoofing is a technique used in email attacks to trick recipients into thinking a message came from an email sender other than the attacker. For example, think about an attacker targeting a victim who is an employee at ABC Bank; during the reconnaissance phase, the attacker knew that there was business between ABC Bank and another local bank called XYZ Bank. When sending a phishing email to the victim, the attacker spoofs the XYZ Bank email domain address to trick the victim into thinking that the email is trustworthy and related to the business. Hence, they will comfortably interact with the email contents (see Figure 1.5).Figure 1.5 – Spoofing an IRS domain to send a phishing email (ABC7 Chicago)
As you see in the preceding screenshot, the attacker spoofed the US government Internal Revenue Service (IRS) domain to send a phishing email to their victims.
Email thread hijacking: Email thread hijacking occurs when an attacker takes control of an existing email conversation between a compromised user and another target victim by replying to the email thread using a newly created email domain that looks similar to the compromised company’s domain. This makes it difficult for the new target victim to spot the difference between the two domains, and they continue the thread without suspicion. For example, an attacker may gain access to organization.com by compromising the [email protected] mailbox. The attacker then spots an email thread between the compromised email address and the target company’s email address, [email protected]. Using their access to the compromised victim mailbox, the attacker copies the email thread to his external server and replies to the thread, using a newly created domain email address similar to the compromised organization, such as [email protected]. The attacker then asks the targeted user to perform some actions, such as changing bank account information, transferring money, providing sensitive information, or executing attachments. This way, the attacker hijacks the email thread between [email protected] and [email protected] for their newly created domain email address, [email protected] (see Figure 1.6).Figure 1.6 – The steps of email thread hijacking
Attackers usually utilize the email thread hijacking technique in a BEC attack, a type of social engineering attack where the attacker targets a specific individual within another company with whom the victim has an established business relationship, often someone who has access to financial information. The attacker then poses as the legitimate business entity, using similar email domains, and sends a convincing email requesting a change in payment instructions, such as instructing the victim to transfer funds to a new bank account number.
Hosting phishing pages on trusted websites that issue an SSL certificate
