In my introduction to this series I mentioned that the job of a cyber security analyst is essentially to use the tools at their disposal. Following my previous few posts around dealing with malicious email campaigns, this post focuses on using your email security tool to identify these emails. Obviously the exact tool you have when you start working in a SOC (Security Operations Center) will vary, but they all do essentially the same thing, with some variation in interface and a few features unique to each. The point is, if you learn how to use one security tool, learning another is usually just a case of learning the different user interface and a couple of unique features.
I will focus on Cisco’s email security tool in this post as that is the tool I have the most experience with. When opening IronPort you’ll be taken to this screen. In this post we are going to concentrate on message tracking, to identify the malicious emails in a campaign using the techniques I set out in the previous few posts.
Message tracking will take you to the main search screen. Let’s focus on the basic search options first; we will delve into the advanced search options later. As always, I’d like to approach this using a hypothetical or real situation. In this case let’s use a real attack that happened recently (some details will be changed or hidden to protect personal information).
A user reported they have received an email that they believed looked suspicious. The email is set out to look like the user has received a voice mail and they are required to click a link within the email to listen to the message. Hovering over the link shows me the URL that it redirects to. I’m not going to share the actual link because I don’t want my site getting flagged up as containing malicious links, but I could tell from the name it wasn’t anything to do with voicemails.
The subject of the email was “Voice mail from (661)374-0699”. So at this point I have 3 pieces of information I can use to search for further activity: the subject line, the sender address and the URL within the email. Using the URL will be the subject of a later post, so let’s concentrate on the sender address and the subject line for now.
So the way I look at it is like this: I can use the sender address to find out whether there are multiple emails from it, potentially with different subject lines. I can use the subject line to see if there are senders other than this one. And failing that, I can use a subsection of the subject line to see if there are other emails in the campaign with different but similar subject lines, from different senders. If you’re re-reading that thinking “what the hell did he just say?” don’t worry. I’ll break it down bit by bit.
Let’s start off searching the sender to see if there are any more emails, or if this is a one off incident…
Notice at the top of the screen in the image above there are 3 fields to search in: Sender, Recipient and Subject. As we are searching for any other emails from this sender I have used the “Sender” field. Obviously. To the left of each search field is a drop down menu with the following options: “Contains”, “Begins with” and “Is”.
I am looking for other emails from this exact address, but if I wanted to find other emails from senders in the same domain, in this case @*****chamberofcommerce.com, then I would have used the “Contains” search and searched only the domain. For example, instead of searching for email@example.com I’d search for “contains @gmail.com”.
So the search above has shown that there are 2 emails from this sender over the past week. The time frame can be set using the options under the search fields: “last day”, “last week” or “custom range”. OK, so I know there is more than one email involved; this is not an isolated incident.
Let’s use the Subject search to see if there are any more senders…
So searching on the subject line shows me that there are actually 5 senders (only 3 pictured above). So the intelligent thing to do now would be to search each of these senders individually to see if they have sent any other emails with different subject lines. It’s like pulling a thread, and we don’t want loose ends.
Note: it’s worth mentioning here, by the way, that I never take action against these senders other than, at most, blocking them from the network. They are likely just people who have been compromised and whose email accounts are being used maliciously. In a short amount of time the attackers will have moved on to different email accounts, so there’s no point emailing them to harass them for trying to hack your company.
So I searched each of the 5 senders and no new subject lines were found (these searches are not pictured as I didn’t see the point). So my last question, the only loose end, is whether there are any more emails with similar subject lines in this campaign. The way I personally would go about searching for this, in this instance, would be to search a subsection of the subject. If I was an attacker and I wanted to vary my subject lines while maintaining the same method of attack, I would change the number in the voice mail.
So to check whether this has happened, I will search for subject contains “voice mail from (”.
In this case, no new email subjects were found. But hopefully this gives you an idea of how you can use part of the subject line to search for variations in it using the “contains” search option.
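To make the three pivots above concrete, here is a small Python script (added for this post; it is not IronPort code and does not talk to the appliance) that runs the same basic search over a constructed set of tracking records. It implements the “is” / “begins with” / “contains” operators and the “last week” time window, then pulls the thread automatically: sender → subject lines → other senders, repeating until nothing new turns up, and finally runs the partial-subject “contains” search to catch what the first two pivots missed. All addresses, the recipients and the (555) number are placeholders I made up; the first subject line is the one from the campaign above. The sample data deliberately includes a variant subject from an unrelated sender so that the third search has something to find, which goes one step beyond the real case where it found nothing.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Message:
    """One message-tracking record: who sent what to whom, and when."""
    received: datetime
    sender: str
    recipient: str
    subject: str


# Constructed sample tracking data for the walkthrough (not real logs). The
# sender and recipient addresses and the (555) number are placeholders; the
# first subject line is the one quoted in the post.
NOW = datetime(2019, 5, 20, 9, 0)
LAST_WEEK = NOW - timedelta(days=7)
MESSAGES = [
    Message(NOW - timedelta(days=1), "info@chamber.example", "alice@corp.example", "Voice mail from (661)374-0699"),
    Message(NOW - timedelta(days=2), "info@chamber.example", "bob@corp.example", "Voice mail from (661)374-0699"),
    Message(NOW - timedelta(days=2), "accounts@florist.example", "carol@corp.example", "Voice mail from (661)374-0699"),
    Message(NOW - timedelta(days=3), "accounts@florist.example", "dave@corp.example", "Invoice 4471 attached"),
    Message(NOW - timedelta(days=3), "hr@dental.example", "erin@corp.example", "Voice mail from (661)374-0699"),
    Message(NOW - timedelta(days=4), "billing@garage.example", "frank@corp.example", "Voice mail from (555)010-0123"),
    Message(NOW - timedelta(days=5), "newsletter@vendor.example", "alice@corp.example", "May newsletter"),
    Message(NOW - timedelta(days=30), "info@chamber.example", "alice@corp.example", "Chamber meeting minutes"),
]


def matches(value: str, operator: str, needle: str) -> bool:
    """The three operators from the search drop-down, compared case-insensitively."""
    value, needle = value.lower(), needle.lower()
    if operator == "is":
        return value == needle
    if operator == "begins with":
        return value.startswith(needle)
    if operator == "contains":
        return needle in value
    raise ValueError(f"unknown operator: {operator}")


def search(messages, sender=None, recipient=None, subject=None, since=LAST_WEEK, until=NOW):
    """Filter records the way the basic search form does.

    Each of sender/recipient/subject is an (operator, text) pair or None;
    the time window defaults to "last week".
    """
    criteria = {"sender": sender, "recipient": recipient, "subject": subject}
    hits = []
    for m in messages:
        if not (since <= m.received <= until):
            continue
        if all(c is None or matches(getattr(m, field), *c) for field, c in criteria.items()):
            hits.append(m)
    return hits


def pull_the_thread(messages, seed_sender, since=LAST_WEEK):
    """Pivot sender -> subject lines -> senders until no new ones turn up.

    Returns the senders and subjects reached from the seed. They are leads
    to review, not verdicts: a compromised account may also send normal mail.
    """
    senders, subjects = {seed_sender.lower()}, set()
    pending = [seed_sender]
    while pending:
        current = pending.pop()
        for m in search(messages, sender=("is", current), since=since):
            if m.subject.lower() in subjects:
                continue
            subjects.add(m.subject.lower())
            for hit in search(messages, subject=("is", m.subject), since=since):
                if hit.sender.lower() not in senders:
                    senders.add(hit.sender.lower())
                    pending.append(hit.sender)
    return senders, subjects


def partial_subject_leads(messages, fragment, known_senders, since=LAST_WEEK):
    """The last loose end: a 'contains' search on part of the subject line,
    returning senders that the sender/subject pivots did not reach."""
    hits = search(messages, subject=("contains", fragment), since=since)
    return {m.sender.lower() for m in hits} - {s.lower() for s in known_senders}


if __name__ == "__main__":
    senders, subjects = pull_the_thread(MESSAGES, "info@chamber.example")
    print("senders reached:", sorted(senders))
    print("subjects reached:", sorted(subjects))
    print("missed by the pivots:", partial_subject_leads(MESSAGES, "voice mail from (", senders))
```

Run as-is, the pivot from the reported sender reaches the two other senders that share the exact subject line and picks up the extra “Invoice 4471 attached” subject from one of them, while the “contains voice mail from (” search is what surfaces the fourth sender with the varied phone number. Note that the 30-day-old message from the seed sender is dropped by the default “last week” window; widening the window is the same as switching to a custom range in the UI.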
And that, in a nutshell, is how you use the basic search functions in an email security system to hunt down malicious email campaigns. There are more advanced search options, as well as reports, that I will go into in future posts, but if you’re not already familiar with email security systems, hopefully this has given you a little insight into what to expect.