In the last post (To be a Cyber Security Analyst – Emails) I looked at the steps I go through when determining if a reported email is malicious or not. In this post I will go through the steps I take to make sure the network is protected in the case of a malicious email being received, or in tech speak, making sure the threat is mitigated.
Often in my day to day role, there can be so many events and suspicious emails being reported that it can become quite overwhelming. There just isn’t enough time to look at everything and so when it comes to mitigating a potential threat, I am looking for the shortest possible path. I will explain in more detail what I mean shortly.
So here are the basic steps I'm taking after deciding an email is malicious, and I will go into more detail for each one after…
- How many emails have been received as part of this attack?
- If malicious links are included, how many different links are there?
- Of these links, which are we susceptible to and which are protected against?
- If we are, or were, susceptible to any of the links, have we been compromised by it?
- If there is malware included as attachments, how many different versions are there?
- Of these versions, which are we protected against and which are we vulnerable to?
1: How many emails?
So if someone reports an email that turns out to be malicious, my first question is, is this the only one or is this email a part of a larger campaign that I am just about to discover? In order to find this out I will use my email security tool and typically search the following over a 7 day period (extending further if needed)…
- Are there any other emails sent from this exact sender or from the sending domain? Sometimes attackers get lazy and just send all the malicious emails from one address and this makes identifying the emails easy.
- Are there any other emails sent with either this exact subject line, or subject lines following the same pattern? For example, if the subject line was “your brand new invoice 22334” I wouldn’t necessarily restrict my search to only emails with that exact subject, but rather look for emails with subject lines containing “your brand new invoice”, as the number at the end is likely to vary.
- If there is an attachment, this gives another angle to search on, as most email security tools allow you to search by attachment name or by the attachment's SHA-256 hash (its unique fingerprint).
Knowing how many emails we have received gives me a list of potentially infected users, a list of URL links that may have been clicked, and a list of attachments that may have been opened and executed.
2: How many links?
In my last post I mentioned my mental image of all the network users frantically opening emails and clicking as many links as they can. Well, in this stage of mitigation I am checking for exactly that. Let's assume from our searches in step 1 we had 3 separate links, to siteA.com, siteB.com and siteC.com, included in a variety of emails. Remember above I mentioned I am looking for the shortest path to closing this incident. So I have to ask the following questions…
- Is it possible for our users to go to this site? Most secure networks will have a forward proxy. For those who don’t know what this is, it’s kind of a middle man for when you want to access the internet: instead of going straight to the internet you go to the middle man, and he tells you (hopefully) if a page is malicious, or also if a page is just not allowed by your business (e.g. gambling sites). So I will check if these 3 pages are accessible through our forward proxy. For our scenario let's assume 3 things. First, siteA has been blocked since a few weeks before the emails were received (note the time of the block is important here), and so nobody could have gone to this site (shortest path to case closed right there). Second, siteB was blocked 3 hours after the emails were received. And third, siteC is not blocked. So our first question is answered: yes, it is possible that users may have gone to siteB and siteC, and our first mitigating action is to block access to siteB and siteC (usually by blocking access on the forward proxy, telling the middle man not to let anyone go there).
- Now we have blocked access to siteB and siteC, have any of the users gone to the site prior to this? This question can be answered in a variety of ways depending on the tools you have available, but I use a mix of logs generated from the forward proxy (ask the middle man if he sent anyone to this page) and the email security tool (did anyone click that link? – some will tell you and some won’t). Let's assume for our scenario that nobody has gone to siteB (shortest path, siteB is now mitigated!) but some damn fool clicked the link and has successfully visited siteC.
- Had nobody clicked the links, this would be the end of the incident (assuming no attachments were included). However, given the fact that someone clicked a link, the final question now is: what damage has been done? This question itself can spiral into a never ending cascade of possibilities, infections, spreading malware, the shutdown of the internet, cats and dogs living together… but for our purposes let's keep it nice and simple, as we are focusing on emails, and leave long winded malware investigations for another post. If someone has clicked a link I will generally do some analysis on the site. Can I identify any malware that is downloaded from this site? Does it just redirect the user to yet another malicious site in a chain of redirects? If so, does that site distribute malware? Let’s say, to keep things simple, that nothing is downloaded and when scanning the site in urlscan.io I can see a fake Gmail login page is displayed. Ok, good, now I know the purpose of the attack is to try and steal usernames and passwords. A quick mitigation here would be to force password resets for the users that visited the site, and I also send them a courtesy email informing them that if they entered their details on that particular page, then their personal passwords may have been compromised (as lots of people use the same passwords for different things).
So before, I talked about the shortest path to mitigation, in the case of links in emails this means to me, can users go there? Have users gone there? What happened to users that went there? I know some analysts will begin researching what happens if a user clicks a link before they even look at whether or not it is possible for a user to navigate to that website, that is what I mean by the shortest path.
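The shortest-path check for links, written out as an added example (not code from the post or from any particular email security or proxy product). The email records, proxy block times and proxy access log are constructed sample data matching the siteA/siteB/siteC scenario above; the order of the questions is the one the post describes: could users reach the site, and if so, did anyone go there before it was blocked?

```python
from datetime import datetime
# Constructed sample data (not from the post): the emails found in step 1,
# with the link each carried and the time it was delivered.
EMAILS = [
    {"user": "alice", "link": "siteA.com", "received": datetime(2024, 5, 6, 9, 0)},
    {"user": "bob",   "link": "siteB.com", "received": datetime(2024, 5, 6, 9, 5)},
    {"user": "carol", "link": "siteC.com", "received": datetime(2024, 5, 6, 9, 7)},
    {"user": "dave",  "link": "siteC.com", "received": datetime(2024, 5, 6, 9, 9)},
]
# Forward-proxy block list: domain -> time the block took effect (None = not blocked).
PROXY_BLOCKS = {
    "siteA.com": datetime(2024, 4, 20, 0, 0),  # blocked weeks before delivery
    "siteB.com": datetime(2024, 5, 6, 12, 5),  # blocked 3 hours after delivery
    "siteC.com": None,                         # never blocked
}
# Constructed forward-proxy access log: "<ISO timestamp> <user> <domain>" per line.
PROXY_LOG = """\
2024-05-06T09:10:00 carol siteC.com
2024-05-06T10:30:00 erin intranet.example
2024-05-06T13:00:00 bob siteB.com
"""

def parse_proxy_log(text):
    visits = []
    for line in text.splitlines():
        ts, user, domain = line.split()
        visits.append((datetime.fromisoformat(ts), user, domain))
    return visits

def triage_links(emails, blocks, visits):
    """Map each linked domain to (verdict, exposed users), in shortest-path order."""
    results = {}
    for domain in sorted({e["link"] for e in emails}):
        delivered = min(e["received"] for e in emails if e["link"] == domain)
        blocked_at = blocks.get(domain)
        if blocked_at is not None and blocked_at <= delivered:
            results[domain] = ("blocked before delivery; case closed", [])
            continue
        # The site was reachable from delivery until the block (or still is):
        # only visits inside that window count, later attempts were denied.
        window_end = blocked_at or datetime.max
        exposed = sorted({u for t, u, d in visits
                          if d == domain and delivered <= t < window_end})
        action = "block on proxy" if blocked_at is None else "already blocked"
        if exposed:
            results[domain] = (f"visited before block; {action}; reset passwords", exposed)
        else:
            results[domain] = (f"no visits; {action}; mitigated", [])
    return results
```

Running `triage_links(EMAILS, PROXY_BLOCKS, parse_proxy_log(PROXY_LOG))` closes siteA immediately, marks siteB mitigated (bob's attempt came after the block), and lists carol as the siteC user needing a password reset.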
If, in our example above, there were no attachments included on these links, the incident would now be over (assuming all the mitigating actions were carried out). However, if attachments were included, this would take us to the next step which I will cover in the next post.