Email Proxy – Phishing Email detected



Alert Analysis & Remediation Runbook


Use Case: Email Proxy – Phishing Email detected – Incident Analysis

Document History

Version | Date of Submission | Primary Author(s) | Reviewed By | Purpose of Revision | Status (Draft/Review/Approved)

Table of Contents

Objective
Incident Analysis Steps
  1. Identify the context
  2. Identify Domain\IP and attachment details
  3. Identify overall endpoint security status
  4. Identify possible source of this behaviour
  5. Identify infection radius

Objective of Response
Incident Response Steps
  1. Block identified blacklisted URLs and IPs at the firewall; block the suspicious email domain at the email gateway
  2. Isolate the system
  3. Identify the location of attachments and the processes generated, and terminate them
  4. Initiate a full review and remediation of the endpoint security
  5. Identify other impacted systems and perform remediation
  6. Implement plan to mitigate similar incidents in future


Objective:

Below are the steps to be performed in order to analyse triggered alerts.

  1. ANALYSIS

  1. Identify the context

  1. Identify the email IDs of the sender and recipient(s), the subject of the email and any attachments.

  2. Check whether the mail was allowed or blocked.

  3. Identify the domain and IP address of the sender.

  4. Identify the AD user name/IP associated with the recipient(s).

  5. Identify whether any other mails were received from the same domain in the last 48 hours.

Sample observations from these checks:

  • As per the alert information, the source user ab@cd.com has sent an email to lmn@org.com and jkl@org.com with subject "Sale 123".

  • As per the alert information, two other users also received mail from the same domain, cd.com.


  2. Identify Domain\IP and attachment details

  1. Check domain and IP reputation using https://www.talosintelligence.com

    1. Check whether the reputation of the domain, links and IP is bad or good.

    2. Check the domain name using https://threatcrowd.com, which might reveal the intentions of the domain owner.

    3. Check whether this IP/domain is actively involved in spreading malware using https://threatcrowd.com. Identify the IOCs related to that malware and check AV logs for whether those were detected on the local machine in the last 8 hours.

  2. Check the hash values of attachments

    1. Check the hash values in https://virustotal.com

    2. Understand the behaviour of the malware.

    3. Check AV logs for detection of these malicious files.


Sample observations from these checks:

  1. As per information from https://www.talosintelligence.com/, the IP's reputation is bad.

  2. As per information from https://virustotal.com and https://threatcrowd.com, the IP involved has a bad reputation and is actively involved in spreading malware.

  3. As per information from https://virustotal.com, the attachments contain malware abc, which tries to exploit a vulnerability in IE version 6.0.
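As an added example (not part of this runbook), the Python script below pulls the context fields that steps 1 and 2 ask for out of a raw email and hashes its attachments, so the sender IP and hash values can be checked against the reputation services named above. The message, its addresses, the relay IP (203.0.113.7, a documentation-range address) and the attachment bytes are constructed for the example; the KNOWN_BAD_SHA256 set is a placeholder standing in for a VirusTotal lookup, not a real indicator list.

```python
import email
import hashlib
import re
from email import policy

# Constructed sample message for this example: addresses, subject, relay IP
# (203.0.113.7 is from the documentation range) and attachment bytes are all
# made up and are not indicators from any real incident.
SAMPLE_EML = b"""Received: from mail.org.com (mail.org.com [10.1.1.5])
  by mx.org.com with ESMTP; Mon, 01 Jan 2024 09:00:00 +0000
Received: from cd.com (unknown [203.0.113.7])
  by mail.org.com with SMTP; Mon, 01 Jan 2024 08:59:58 +0000
From: ab@cd.com
To: lmn@org.com, jkl@org.com
Subject: Sale 123
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached offer.
--b1
Content-Type: application/octet-stream; name="offer.exe"
Content-Disposition: attachment; filename="offer.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

# Placeholder for hashes a reputation service reported as malicious
# (constructed and empty here; populate it from your own lookups).
KNOWN_BAD_SHA256 = set()

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage_email(raw: bytes) -> dict:
    """Return the context fields from analysis step 1 plus attachment hashes (step 2)."""
    msg = email.message_from_bytes(raw, policy=policy.default)

    sender = msg["From"].addresses[0].addr_spec
    recipients = [a.addr_spec for a in msg["To"].addresses]
    if msg["Cc"]:
        recipients += [a.addr_spec for a in msg["Cc"].addresses]

    # Each relay prepends its own Received header, so the last one is the
    # earliest hop we can see; the IP there is the sender IP to check.
    hops = [str(h) for h in (msg.get_all("Received") or [])]
    originating_ip = None
    if hops:
        m = IPV4_IN_BRACKETS.search(hops[-1])
        originating_ip = m.group(1) if m else None

    attachments = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        attachments.append({
            "filename": part.get_filename(),
            "size": len(payload),
            "sha256": sha256_hex(payload),
        })

    return {
        "sender": sender,
        "sender_domain": sender.rsplit("@", 1)[-1].lower(),
        "recipients": recipients,
        "subject": str(msg["Subject"]),
        "originating_ip": originating_ip,
        "attachments": attachments,
    }


def flag_known_bad(triage: dict, known_bad: set) -> list:
    """Filenames whose SHA-256 is in the known-bad set (stand-in for a VT lookup)."""
    return [a["filename"] for a in triage["attachments"] if a["sha256"] in known_bad]


if __name__ == "__main__":
    result = triage_email(SAMPLE_EML)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("known-bad attachments:", flag_known_bad(result, KNOWN_BAD_SHA256))
```

The top Received header only shows the internal relay (10.1.1.5); it is the last one that carries the IP to submit to Talos. The hash check is deliberately offline: submit the hash rather than the file to a public service when the attachment may contain the organisation's data.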

  3. Identify overall endpoint security status

  1. Check for any redirections, and for proxy denies and allows to suspicious IPs/domains, from the user/IP.

  2. Identify whether the system has AV installed with the latest signatures.

    1. If the latest signatures are not updated, highlight this immediately.

  3. Identify whether the same system was infected with malware in the last 48 hours and what action was taken by AV.

  4. Check whether any new processes were created or registry changes made. The process name will reveal whether it is malicious or genuine.

  5. Identify any alerts triggered from the same system in the last 8 hours indicating some kind of compromise or infection:

    1. High number of login failures from the same source IP or source user

    2. Proxy denies and allows to suspicious IPs/domains

    3. IPS alerts triggered from the same source IP/domain

    4. High number of firewall denies from the same source IP towards Internet/internal IPs (lateral movement)

    5. Privilege elevation of a user account


Sample observations from these checks:

  1. Per the logs, we observed a high number of proxy denies from the same user towards IPs 12.x.x.x and 54.xx.xx.xx. The same IPs are also reported on https://threatcrowd.com.

  2. ETDR logs show that this connection was initiated by abc.exe.

  3. As per the logs, this malware was detected in the following directory:

    1. /temp: this could have been created by other programmes running on this system.

    2. /downloads: it is very likely that the user downloaded this file from the browser.

    3. /system32: it is very rare for malware to be detected here, and hence this has the potential to cause damage.


  4. Identify possible source of this behaviour

  1. Identify any allowed proxy connections in the last 2 hours from this source IP towards uncategorised domains, and verify the reputation of the other allowed URLs accessed by the same IP/user.

  2. Identify any previous mail communications with the domain.

Sample observations from these checks:

  1. Over the past 8 hours we observed the user accessing URLs categorised under Entertainment, Games and Social Networking.

  2. We did not observe any previous communication with the domain.

  5. Identify infection radius

  1. Identify all users who received email with the same subject or from the same domain.

  2. Identify all users who received files with the same hashes or names.

  3. Identify all users trying to communicate with the redirected URLs.

Sample observations from these checks:

  1. We also saw 2 other users who received mails from the same domain: 123@org.com and 234@org.com.

  2. We did not see any other users receiving the same files, or any systems making connections towards the redirected URLs, in the last 8 hours.
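Steps 1.5, 3, 4 and 5 all come down to correlating mail-gateway and proxy logs by sender domain, recipient and destination. As an added example that is not part of the runbook, the Python below does that over constructed log lines in a simple pipe-delimited format (a real SIEM or gateway would supply these fields in its own format; every address, user and timestamp here is made up). It returns the recipients from the suspect domain within the 48-hour window, the users whose proxy traffic reached the suspect host, and the per-destination deny counts for one user.

```python
from collections import Counter
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed reference time for the "last N hours" windows.
NOW = datetime(2024, 1, 1, 9, 30)

# Constructed mail-gateway log lines: timestamp|sender|recipient|subject|action.
MAIL_LOG = """\
2024-01-01T08:59:58|ab@cd.com|lmn@org.com|Sale 123|ALLOWED
2024-01-01T08:59:58|ab@cd.com|jkl@org.com|Sale 123|ALLOWED
2024-01-01T07:30:12|xy@cd.com|123@org.com|Invoice|ALLOWED
2023-12-31T16:05:40|xy@cd.com|234@org.com|Invoice|ALLOWED
2023-12-20T10:00:00|old@cd.com|zzz@org.com|Newsletter|ALLOWED
2024-01-01T09:10:00|news@example.net|lmn@org.com|Weekly digest|ALLOWED
"""

# Constructed proxy log lines: timestamp|user|src_ip|action|dst_ip|url.
PROXY_LOG = """\
2024-01-01T09:02:11|lmn|10.2.3.4|DENIED|203.0.113.7|http://cd.com/offer
2024-01-01T09:02:12|lmn|10.2.3.4|DENIED|203.0.113.7|http://cd.com/offer
2024-01-01T09:02:13|lmn|10.2.3.4|DENIED|203.0.113.7|http://cd.com/offer
2024-01-01T09:03:00|lmn|10.2.3.4|ALLOWED|198.51.100.9|http://games.example/play
2024-01-01T09:04:30|jkl|10.2.3.5|ALLOWED|203.0.113.7|http://cd.com/offer
2024-01-01T09:05:00|zzz|10.2.3.6|ALLOWED|192.0.2.10|http://social.example/feed
"""


def parse_mail_log(text):
    events = []
    for line in text.splitlines():
        ts, sender, recipient, subject, action = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "sender": sender.lower(),
                       "recipient": recipient.lower(), "subject": subject, "action": action})
    return events


def parse_proxy_log(text):
    events = []
    for line in text.splitlines():
        ts, user, src_ip, action, dst_ip, url = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "src_ip": src_ip,
                       "action": action, "dst_ip": dst_ip, "host": urlparse(url).hostname})
    return events


def recipients_from_domain(mail_events, domain, now, window_hours=48):
    """Steps 1.5 and 5.1: everyone who received mail from the suspect domain in the window."""
    cutoff = now - timedelta(hours=window_hours)
    return {e["recipient"] for e in mail_events
            if e["sender"].endswith("@" + domain.lower()) and cutoff <= e["ts"] <= now}


def users_contacting(proxy_events, suspect_hosts):
    """Step 5.3: users with any proxy activity (allowed or denied) towards the suspect hosts."""
    return {e["user"] for e in proxy_events
            if e["dst_ip"] in suspect_hosts or e["host"] in suspect_hosts}


def deny_counts_for_user(proxy_events, user):
    """Steps 3.1 and 3.5.2: proxy denies per destination IP for one user."""
    return Counter(e["dst_ip"] for e in proxy_events
                   if e["user"] == user and e["action"] == "DENIED")


if __name__ == "__main__":
    mail = parse_mail_log(MAIL_LOG)
    proxy = parse_proxy_log(PROXY_LOG)
    print("recipients from cd.com (48h):", sorted(recipients_from_domain(mail, "cd.com", NOW)))
    print("users reaching suspect host:", sorted(users_contacting(proxy, {"203.0.113.7", "cd.com"})))
    print("proxy denies for lmn:", dict(deny_counts_for_user(proxy, "lmn")))
```

Allowed connections count as contact in users_contacting: a user whose request was allowed through (jkl here) is the one most likely to have fetched the payload, so the allow/deny split matters for prioritising which endpoints to look at first.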

Note: The steps below, related to incident response, could not be performed due to lack of availability of information and access to the required log sources. It is recommended that the customer performs these checks.

  2. INCIDENT RESPONSE

Objective of Response:

This section applies if the above analysis revealed a true positive incident. These steps will enable the customer to identify, contain, eradicate and recover from the incident.

Incident Response Steps

  1. Block identified blacklisted URLs and IPs at the firewall; block the suspicious email domain at the email gateway

  1. Block the identified malicious URLs on the proxy.

  2. Confirm that no genuine traffic will be impacted by blocking this IP.

  3. Block the IP temporarily or permanently. It is recommended to block the IP for 45 days and remove the block if there are no further connections towards this IP.

  4. Block the malicious email domain at the email gateway.

  2. Isolate the system

Confirm that no business will be impacted, then disconnect all affected systems from the network or isolate them in a restricted VLAN.

  3. Identify the location of attachments and the processes generated, and terminate them

  1. Identify the location of the downloaded attachments and remove them.

  2. Identify the process which initiated the connection to the malicious IP:

    1. Using ETDR.

    2. Use netstat -b to see whether the connection is still active and identify which process is initiating it.

    3. If netstat -b does not reveal this connection as live, then identify all processes running on the system, check their hash values and check their reputation using https://virustotal.com for any malicious process.

    4. Terminate the identified suspicious process.

    5. Identify the entire footprint and artefacts related to that process using:

      1. File paths

      2. File names

      3. Registry keys

      4. Scheduled tasks

      5. Autoruns
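As an added example, not part of the runbook, here is a parser for netstat -b output that maps each connection to its owning process and flags connections to the IPs blacklisted during the analysis. The sample output is constructed to mimic the Windows format, including the "Can not obtain ownership information" line netstat prints when it cannot tie a socket to a process (netstat -b needs an elevated prompt), which is the case the runbook's "does not reveal this connection as live" fallback in step 3.2.3 has to cover. All addresses and process names are made up.

```python
import re

# Constructed `netstat -b` output in the Windows format. All addresses and
# process names are made up for this example.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.2.3.4:49812         203.0.113.7:443        ESTABLISHED
 [abc.exe]
  TCP    10.2.3.4:49813         10.1.1.5:445           ESTABLISHED
  Can not obtain ownership information
  TCP    10.2.3.4:49814         198.51.100.9:80        TIME_WAIT
 [chrome.exe]
  UDP    10.2.3.4:137           *:*
 [svchost.exe]
"""

CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
PROC_RE = re.compile(r"^\s*\[(.+?)\]\s*$")
UNKNOWN_OWNER = "<unknown: rerun netstat -b elevated>"


def parse_netstat_b(text):
    """Map each connection line to the process name netstat prints on the following line."""
    entries = []
    current = None
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            current = {"proto": m.group(1), "local": m.group(2), "remote": m.group(3),
                       "state": m.group(4) or "", "process": None}
            entries.append(current)
            continue
        p = PROC_RE.match(line)
        if p and current is not None:
            current["process"] = p.group(1)
        elif "Can not obtain ownership information" in line and current is not None:
            current["process"] = UNKNOWN_OWNER
        # Banner, column headers and service-name lines are ignored.
    return entries


def remote_ip(endpoint):
    """'203.0.113.7:443' -> '203.0.113.7'; '*:*' -> '*' (IPv6 keeps its brackets)."""
    return endpoint.rsplit(":", 1)[0]


def connections_to(entries, blocklisted_ips):
    """Entries whose remote IP is on the analysis blocklist (response step 3.2)."""
    return [e for e in entries if remote_ip(e["remote"]) in blocklisted_ips]


def unattributed(entries):
    """Connections netstat could not tie to a process: these are the ones that
    fall through to hashing every running process (step 3.2.3)."""
    return [e for e in entries if e["process"] in (None, UNKNOWN_OWNER)]


if __name__ == "__main__":
    conns = parse_netstat_b(SAMPLE_NETSTAT)
    for hit in connections_to(conns, {"203.0.113.7"}):
        print(f"{hit['process']} -> {hit['remote']} ({hit['state']})")
    for e in unattributed(conns):
        print(f"no owner for {e['local']} -> {e['remote']}")
```

Run netstat -b from an elevated prompt and feed the captured text to parse_netstat_b; a TIME_WAIT entry still names the process that recently talked to the destination, which is useful when the live connection has already closed.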

  4. Initiate a full review and remediation of the endpoint security

  1. Delete the email from the mail server.

  2. Check whether the system has AV installed with the latest signatures.

  3. Check whether the system is up to date with patches.

  4. Check whether the system has public share folders.

  5. Check whether the logged-in user has admin rights.

  5. Identify other impacted systems and perform remediation

  1. Identify whether the malicious process/files/registry keys are present on any other systems which made connections towards the identified blacklisted IP/URL.

  2. If found, perform the same remediation steps on these systems.

  3. If the identified suspicious email was delivered to multiple users, remove it from all intended recipients' mailboxes.

  6. Implement plan to mitigate similar incidents in future

  1. Enable attachment and URL reputation checks in the email gateway.

  2. All well-known malspam generators should be blocked at the email gateway.

  3. All well-known blacklisted IPs should be blocked at the firewall.

  4. It is recommended to deploy an ETDR solution on critical assets.