SOC Analyst Training: How to Detect Phishing Emails

Captions
All right, so today we're going to talk about emails, phishing emails, and how we as security teams can identify these emails, analyze them, inspect them and find the malicious parts. So first of all, why do we talk about emails at all? It seems very basic, right? But emails are all over the place: organizations use them, individuals use them, we all use them, and many organizations reported experiencing phishing attacks. A phishing email is a lure that is meant to look legitimate and get the victim to open and interact with the email, and that's how they infect them or steal information.

Now, when we talk about phishing emails it's not only the obvious one with a malicious URL, or the prince that asks for money. Phishing, and this is how MITRE ATT&CK actually classifies it, is a way for threat actors to get initial access to the victim. It's a way to deliver threats: it could be backdoors, information stealers, trojan horses and so on. It's the first stage of an attack. And just to present how many attacks use phishing emails, these are only the recent threats that our research team was able to find. All of these campaigns, some of them undetected at all, started from a phishing email. Maybe it was targeted, targeting Ukraine like in the Elephant Framework case, and other cases are more global, like targeting a sector, the energy sector. But the bottom line is that many attacks start from a phishing email that is meant to lure the victim into clicking a link, opening an attachment, interacting in some way, and that's how an attack will start.

These are the main ways in which threat actors would use an email, because it's a relatively simple format in that it can contain text and it can contain attachments. So that's what threat actors would use: they would use URLs, maybe they will try to hide them, or they use attachments in which they will hide malware and deliver it to the endpoint, to the victim.

Our goal in this webinar is to learn how to look at emails, to understand how we can identify suspicious parts or malicious parts. And I do understand that some of you might say that well-configured security tools should be able to stop these emails from arriving at the endpoint, at the victim, and you're right, they should. But based on the attacks that we saw and the amount of malicious emails that are being sent, it still emphasizes how important it is to understand the email format and to understand how exactly threat actors use emails to deliver threats, for the cases when the security tools miss the detection of these emails, when we need to investigate these emails. Maybe in some cases the tools were successful, but still it's up to the investigators to understand what is going on in the email itself. So that's what we're going to do in this webinar.

First of all, an email has a header and a body, like many other formats. The header will have different fields that we will go over, and the body is actually the part that you see in your mailbox: the content, the URLs and the attachments. This is how an email would look when you don't look at it in Gmail or Outlook; this is the actual EML format, and it's really readable, you can open it in a text editor. We see different fields, we see lots of information, and it can be a bit overwhelming, but you will get used to it.

The From and the To are the fields that you're going to see in your inbox; that's basically the address the email was sent from and sent to. Here we see the name; in this case the receiver of the email is redacted, and it's very common for email files that are submitted to VirusTotal to have a redacted field, but that's usually how it would look. Next we have the Received field. The Received field is basically your friend, because unlike the To and the From fields, which can be spoofed, the Received field is like, think about it as normal physical mail that goes through different post offices, where each post office is a server, and each server puts a stamp, and the stamp is its address. That's why you see so many Received fields.

When an email is sent it goes over different servers, but for us as investigators what these fields mean is that we know the path the email passed through. When we read an email we read it from the bottom to the top, because it's like an onion, like an envelope: the inner part, the bottom Received field, is the first server that actually sent the email, and we can inspect these IP addresses and learn a lot about the email. We're going to see that in the examples in this webinar. Besides that we have more fields like SPF, which is a DNS record that specifies which servers are allowed to send emails on behalf of our domain. So for example not any server can send emails on behalf of intezer.com, and if an email fails this SPF check it may be a strong indicator that the email is spoofed.

All right, so what is a spoofed email? A spoofed email means that the threat actors are using an email address to make their email look legitimate. So instead of using some weird Gmail address as the sender address they prefer to use a legitimate-looking email address that will convince me as a user to open the email and maybe click on links, right? Because if I get an email from Amazon I'm more likely to click on it than if I see an email from some random at gmail. And there are different red flags that can be raised when we see an email. First of all there is typosquatting, which is not really spoofing; it's just making, instead of microsoft, microsoft with a 1 in it, you're probably familiar with that. But for spoofing it really looks the same, and it's relatively easy to just spoof an email.

So what I did, basically: there are different free tools that allow you to send emails. Here I said that I want to send an email from the name Elliot at this, not very suspicious apparently, email address, and here is the victim. I can set the subject, I can even add files and attachments and set the text. Then I created a temporary mailbox, and here you can see that when I get the email, that's what I see: I see this not suspicious email address and this name, while obviously this email was not sent from this address or by this user. So that's, in a very simplified way, how spoofed emails work, and why just looking at the mailbox it's hard to detect that this is a malicious email. That's why it's so important to go over the headers, go over the email itself, dive deeper into it and understand what is going on under the hood.

So let's take an example. Oh sorry, back to business. So let's take an example of this email, and what we're going to do is look at the flow. Now, when we look at emails, the From and To basically say: From means who sent the email; if I think that this is a suspicious or phishing email it can help me understand who is the possible threat actor behind the email, and the To field tells me who is the potential victim. So here what I understand from these two fields is that the email targets some organization in Ukraine, and the email wants to appear like it was sent from some government agency in Ukraine. What we will do is check the SPF records for this domain, and that means to see if the email was sent from this IP; as I said, we're looking at the bottom part of the Received field, so the email was sent from this IP, and it's meant to look like it was from this address. What I want to understand is, first of all, does this domain have an SPF record: I want to understand which servers are allowed to send emails on behalf of this domain, and maybe it is this IP and then we're good, and maybe it's not.

So we're going to use a free tool for an SPF record check, and what we see here is that when we enter the domain there are no SPF records, which means that for this domain any server can send emails on its behalf. That's a very bad practice for organizations, and especially for government entities, to not have defined servers that are allowed to send emails, because then any server possibly can send email. The next thing that we're going to do is to use the IP that we saw in the email, in the Received field, and check the WHOIS records, and what we see here is that the server is located in Turkey. That's very suspicious, because if this email was sent from a Ukrainian government entity, why would it be sent from a server located in Turkey? Now this email that we just looked at was used in the Elephant Framework attack, which we were able to discover, and this whole framework was discovered as part of a big campaign against Ukraine and against companies in Ukraine, and we were able to discover the whole thing just by looking at the email and the attachments. So that's how important it is to analyze phishing emails.

Now, conversation hijacking is another very common way for threat actors to make their emails look legitimate, because in the end it all comes down to the fact that they need to convince me to open an email, to click on things, to interact with the email, and one of the ways to do that is to use addresses that I trust, or to use email threads that will look like I was part of them or they were part of my organization, to convince me to interact. So conversation hijacking is basically when threat actors use stolen emails from previous attacks and use the content or even the addresses to make these emails look more convenient and more convincing. What you see here is an email that was received from an Exchange server, a local one based on the IP, and you can see here that it's a Microsoft Exchange server. This email was part of another attack, an updated version of IcedID, and our research team believes that it was part of an attack that exploited Exchange servers that were vulnerable to a certain vulnerability, and that's how they got these emails and used them to deliver the updated version of IcedID.

Another example of conversation hijacking is with Emotet. Palo Alto Unit 42 were able to find these emails. Now, what is very special about this is that, as you can see, they passed the SPF record check. What Emotet did, the threat actor behind Emotet, is they stole emails and their headers and they used the headers to craft new emails and deliver the threat, and by using trusted headers they were able to bypass the SPF checks. So that's an example where even if we do have a well-configured email service and a listener and so on, there are still ways that actors use to bypass these measures, and eventually these emails can reach the victim. I'm sure that not every user will check the email header and try to identify each email, whether it's phishing or not; it's impossible. So it's very important for us, security teams, to get familiar with all the techniques.

Another example: we talked about threat actors using URLs and attachments, so this is an example of how URLs are used. URLs can be used in plain text or in a shortened version like we see here; they can be hidden behind links or words or images and so on. What we can see here is part of a campaign that targeted entities in Georgia, and this URL looks like it points to an address of the government to download a certain form. The thing is that it is downloading a form, but it's an RTF form which will download an additional payload, which will execute an infostealer called outdate. So once again, that's something that we don't see straight away in the email. The thing about these URLs is that they have a very short life; they usually go offline very quickly. When we see URLs, what we want to do is inspect them. We can use different commands, different tools. Now I'm not from the sales team, I'm a researcher, so I'm talking about the tools that I'm using. One of the tools that I'm using is our URL analysis tool from Intezer, and what I like about it is that I can see the redirection part, I can see directly the classification, and I can see a screenshot of the page, so I'm not using any sandboxes to view the information. For example, in this case, in the URL I can see that it's going to be like an Amazon sign-in page, for Japan I guess, and I can see more information in the indicators. So you can scan a URL and get very quickly some kind of full image of the URL.

Emails can have different sorts of attachments, different types of attachments; there are really endless possibilities, but from the scans that I ran and from the statistics that I was able to find, I saw that most of the emails would have Microsoft Office files, just because it's a very popular format that is used all over organizations, internally and externally, and usually it's going to be a bit less suspicious, especially for users that are not familiar with all the ways threat actors would use these files. Then of course we have PDFs, because first of all PDFs by default can have JavaScript and execute code, and second because PDFs use PDF readers, and there are really lots of PDF readers and many of them are vulnerable. So threat actors, especially if they have some sort of intel about the PDF reader that is being used in the organization, can use that: they can send a PDF that is specially crafted and that's how they would deliver malware. ZIP and archive files are usually very common as well because they can be encrypted: if they are password protected the content of the archive is encrypted, and it usually will bypass very basic tools that will not be able to identify the malicious parts of these files. ISO and IMG disk images are especially preferable, I would say, because, especially after Windows 8, if you double-click an ISO file it will automatically execute whatever is in the file without asking. So once again, for users that are not familiar with the format, it's very convenient from the threat actor's perspective to use these files. I linked some tools; you're going to have the slides, so don't worry about that, but I linked some open source tools that can be used to extract the attachments from the emails, and once you have the attachment you can inspect it yourself using a sandbox, a virtual machine and so on. But once again, that's how important it is to inspect these attached files.

All right, so another example of an email. What we're going to see here is, once again, we usually start, I would say, I will rephrase, I usually start looking at the From to understand what is going on in the email, and as in the first example, I think the receiver is redacted, but I still have the potential sender of this email, which is this company over here, and if we run a quick search we'll find out that that's a Korean company, some kind of a manufacturing company. What we were able to find from this email is an attachment. So we have this email that looks like it was sent from a Korean company to I don't know who, so I don't have much at this point, right? So I could give up, but I will not; I will take the attachment, and in this case I would use Intezer Analyze just to understand what is going on in this file. So besides URL analysis we also have file analysis; basically we support lots of file formats and we provide a genetic analysis of the file, so we compare the file to all the other files that we have in our database. But not only that: we take each binary file, we break it into smaller parts, we call them genes, and we have a huge database with all the genes of both trusted and malicious files, and that's how we are able to classify and identify files just like in this analysis. We provide more than that: we also provide IOCs, strings, and especially how to detect these threats in your organization. So in this case, once again back to the emails, we have this file, which is FormBook, an information stealer that was delivered by this email. So while maybe I wasn't able to find lots of information from the header, from inspecting the IP or the domain that sent it, I still have the attachment, where I can get more information and understand that I'm facing a threat. So if I'm on the SOC side of an organization or an incident responder, I can understand the full picture just by scanning the file and understanding what I'm facing and maybe how to detect it and how to respond to it.

And now it's time for questions.

Awesome, nice job Nicole. We got a ton of questions. I think it was on the slide with the file types: someone wanted to clarify, do you mean DMG files or is it IMG files?

I meant IMG, but yep.

Okay, let's see what else. Okay, this was about the email headers: when analyzing email headers, sometimes you face an extremely edited header, so it looks like a local email. What can I do to find out the actual origin, so that I could contact a CERT to report the incident?

So usually you would need to check the Received field, because really that's the most trustworthy field, which is probably not going to be spoofed, but once again there are ways to manipulate headers. So I would start from there.

Cool. Next question: does the entire domain with the subdomain included need to be used for the SPF check, or is just the domain enough?

To be honest, I'm not sure about the specifics of the subdomain; it's a DNS record, so I guess it depends on how you identify it.

And then another one: could you elaborate on how to analyze conversation hijacking headers again? Do you just look at the SPF headers to analyze, and is using localhost in the SPF headers a frequent way of utilizing conversation hijacking?

So as I said, in the example of Emotet using conversation hijacking, it will be hard to identify because the SPF passed. In general, to identify it I would try first of all to look at the Received fields. As in our example of the IcedID campaign, we noticed the private, sorry, the local IP address, so that raised our suspicions, and then when we looked at the fields we tried to identify which kind of mail server it is. We identified it as an Exchange server and tried to look it up and see what we could get. We did find that some Exchange servers are vulnerable and some report mentioned that the threat actor got access to these servers and stole some information, so that's how we concluded that it might be relevant and might be connected. So there is no specific field; it's more like the overall picture. Like in the last example, it's the From field, it's the attachment; it's like building a picture from all these pieces of data.

Cool. Another question: if I want to analyze an attachment, do I really need the attachment file, or is a hash of the attachment enough to check?

A hash would be enough if, for example, the file is on VirusTotal, because in order to analyze it, if we're talking for example about Intezer Analyze, we need to have the binary, we need to have the file, whether it's a script, a document or whatever, because usually you need to have the data. So even if you have the hash, if you can somehow get the file itself, it's okay.

Another one: if our users receive such conversation hijacking, does it mean our email server is compromised?

Not necessarily, because it's possible that the conversation hijacking was from another company or another organization; they're just using these emails to target your organization.

Another one: do emails need to be manually analyzed, or can the email traffic be routed and automatically analyzed?

Yeah, so there are tools like Cortex XSOAR and other tools that basically listen to your mailbox, and you set the policies for what to do with certain emails that match certain rules. So definitely you don't need to make it a manual job. Personally I like automating as much as possible, because we don't want to waste your time, right? So that's the goal, to automate.

Most emails we get are using pass-through addresses from Google Docs, SharePoint and such. Is there a quick way to identify this? It's a real issue.

Yeah, I can agree. I would say a URL scanner, just a way to understand what it leads to before you click it. So yeah, use a URL scanner, or maybe use a sandbox or a VM to open it; that's what I would suggest.

How about a BEC scenario where the other party has had their email compromised? Are you doing analysis on the content or tone of the email?

Yes, there are ways; I didn't talk about it, like the tone and the language. You should do that too, hopefully.

And then someone asked: please repeat the tools, the automated email content analyzer.

I'm not sure what they mean by that. Are they looking for the open source tools for extracting the attachments? Is that it? It might be, yeah, the automated email content. I will share the slides, and if not, the person can pass it on and I can link it in the chat.

Cool. I think someone said, you mentioned urlscan, for example?

Yeah, and we do use urlscan in our URL scan console, but it's already good too.

Nice. A lot of questions coming in, which is nice, and yeah, we'll definitely share the slides after this and also the recording for you guys. The next question: are there any forensic tools that you recommend to analyze emails?

To be honest, I tried to find something but I just gave up; I do it manually, because as part of my job sometimes I look at emails, sometimes I look at binaries, so I just do it manually. I open it in, say, Visual Studio Code and look through the fields, and if I have links or attachments I would use Intezer Analyze, and that's it for the most part.

If I have an email thread, how do I run the analysis if I don't have the original email?

If you don't have the email, but you have the attachment... if you have the email thread, how do I run the analysis if I don't have the original email? Interesting question. I guess you still have the headers; I mean, from your mailbox you should be able to see the full content, so extract as much information as you can from there. Once again, if you don't have the file it will be hard.

Cool. I think someone asked a question in the beginning, I want to get back to that before we forget it. Did we go over, when analyzing the email headers, I think we did that one, right? Sometimes you're faced with an extremely edited header so it looks like a local email. Yeah, we did that one. Okay. I think this one someone put up around slide 14: if our user received such emails, these hijacked ones, does this mean our email server is compromised? That might have been the conversation hijacking one; we got that one. Yeah, okay.

Someone asked: I just want to know what is the endpoint protection that has good detection for phishing emails, and maybe the rules to detect them using a SIEM and so on?

So that's not my main focus, so I don't have a good answer for you, I'm sorry. Personally, and as a company, we're more focused on the attachment part and the URL scanning, so I can speak from this perspective.

And then someone asked: with BEC we use a machine learning AI anti-phishing system; it's pretty good, but no software is perfect, and some malicious stuff does come through every now and then. It's not really a question, but interesting.

Yeah, a good statement. Let me see. And just so everyone knows, if we miss a question, we have all this documented, so we definitely can follow up with you guys after, or feel free to send us an email; we'll also send you an email if we didn't answer any of your questions, I just want to make sure. Contact on Twitter, exactly. Just a few more and then I think we can wrap up. So this person said, this is very manual, what you showed; how would you automate it, basically?

Yes, so as I said, in the end the goal is to automate as much as possible, just to save us time, right? We all have so many tasks. I would suggest using a tool that listens to your mailbox and maybe will extract the attachments and the URLs, or all the artifacts, and then just take all the information and use a sandbox or something like Intezer Analyze to just drop it in and inspect these artifacts, so we will not be going over all the emails from the phishing mailbox manually. So you can automate this part.

And kind of a follow-up to that: how does Intezer fit in with this, in terms of building an email phishing pipeline?

We do have integrations with different phishing mailboxes and services, so instead of doing the manual process of submitting files or URLs you can integrate them, so the process will be like a whole pipeline, and in the end what you will have to do is just go over maybe the true alerts that are really a malicious or phishing email. The goal is just to know exactly what you're facing without having to look at the header and all the processes, although you still need to know how to do that; nothing is perfect.

Oh, another question: how can I use X-headers during an analysis, for example X-Authenticated-Sender?

Yes, so the X-headers are basically a part of the format, just to say that you can add more headers to specify different settings. So there are really different headers over there; you can use this information to maybe look for more emails, or maybe hunt for similar emails in your environment, if that answers the question.

Oh, another one: how could we check if DKIM or DMARC were spoofed or not?

Well, in the end it's a record. Like in the Emotet sample it was relatively hard to detect it because the headers were stolen, so you need to rely on other fields or other techniques to do it.

Cool, I think we pretty much covered the questions. We definitely did miss some, so we'll definitely try and get back to everybody. Can you point us to trusted links to download extracting tools? I guess that's what's in the slides?

Yes.

Okay, so again, everyone, we're going to share the slides after this; I'll probably send you a follow-up email today or tomorrow, and we'll also include the recording, which will be on YouTube. So hopefully you have all the info that you need. I'm just trying to see if we can get a few more in; I'm definitely going to miss some. I got that one. Oh: if I have received a phishing email, how do I detect it on other endpoints?

So with a phishing email, like binary files, with the attachments and URLs you have lots of artifacts, and what you can do is extract these artifacts, especially if you have the attachment, for example, because these files usually have lots of detections. So you can extract all the information and maybe build something like a Sigma rule or a YARA rule to scan your organization's endpoints and identify it. It will be especially easy if there is a binary file attached, because these usually have lots of different identifiers. But that's the main way to do that: extract the information from the fields that we covered, from the URLs, and use that to scan your endpoints.

Cool, and let's wrap up with those questions; I think it ties in nicely. Someone was asking, where do I find your guys' content, like blogs and such on email analysis? So I guess I can answer that one: intezer.com/blog. Nicole's done a few pieces of content on this, including a blog on basically what she discussed today, so I know sometimes people prefer video format, other people prefer blogs; it's there. And Nicole's also done, I think now what you've done is a webinar and a blog each on how to analyze PDF files and also Office docs, so I definitely recommend checking them out. And someone said, can we upload EML files to your analyzer?

So we're not supporting EML files as-is right now, but if you submit the attachment, whatever it is, a binary, a script, a document, we will be able to analyze it and give you the report, or if it has a URL you can submit that.

Cool. Nicole, do you have the last slide we can put up just quickly with our info?

Oh yeah, just a second.

Cool, so thanks everyone, really appreciate all the great comments and questions, and thanks Nicole for presenting all this; it's really interesting. Thank you for attending. If you guys do want to contact us, you probably want to contact her, not me, but I'm on LinkedIn, Nicole's on Twitter. And then I just wanted to add a quick thing: I think a lot of you probably already use our free version of Intezer where you can analyze files, but we did talk a little bit about URL analysis; that is available in the enterprise version of Intezer, but if you have a free account or create a free account you can request a free 14-day trial and you basically get access to all the enterprise features, including the URL analysis. So if you want to see how that works and give it a try without having to talk to anyone, you definitely can do that. Cool, so I guess we'll wrap it up, but again we'll send out after this an email with the recording and the slide deck. If we didn't answer your question feel free to contact us, but we also have everything documented and we'll try and reach out; I know some of the questions were anonymous, so again, feel free to contact us. All right, cool, have a good day everybody.
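The header walk the speaker describes (Received read bottom-up to the originating IP, From compared with the envelope sender, the SPF verdict, attachments extracted and hashed), as an added example that is not part of the webinar and is not Intezer's tooling. Everything in it is constructed for the example: the .eml, the hypothetical domains (ministry.gov.example, mailer-attacker.example, victim.example), the documentation IP addresses (192.0.2.44, 203.0.113.5) and the placeholder attachment bytes. The live SPF DNS lookup and WHOIS step the speaker performs are not done; instead the script reads the spf= verdict the receiving MX recorded in Authentication-Results and evaluates a supplied SPF record string offline.

```python
"""Added example, not the webinar's or Intezer's own code: offline triage of an .eml file as the
talk describes. Walks Received headers bottom-up to the originating IP, compares the From and
Return-Path domains, reads the SPF verdict from Authentication-Results, evaluates an SPF TXT
record against an IP, and lists attachments with SHA-256. Sample data is constructed; no DNS/WHOIS."""
import email
import hashlib
import ipaddress
import os
import re
from email import policy
from email.utils import parseaddr

RISKY_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm", ".ppt", ".pptm", ".rtf", ".pdf",
                    ".zip", ".rar", ".7z", ".iso", ".img", ".exe", ".js", ".vbs", ".lnk"}
# RFC 1918, loopback, link-local: a hop from here is an internal relay or a compromised local server.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

SAMPLE_ATTACHMENT = b"CD001"  # constructed placeholder bytes, not a real disk image
SAMPLE_EML = b"""\
Return-Path: <bounce@mailer-attacker.example>
Received: from relay.isp.example (relay.isp.example [203.0.113.5])
 by mx.victim.example with ESMTP id 4LNq1; Wed, 15 Jun 2022 10:00:02 +0000
Received: from [192.0.2.44] (unknown [192.0.2.44])
 by relay.isp.example with ESMTPA id 9xK2; Wed, 15 Jun 2022 09:59:50 +0000
Authentication-Results: mx.victim.example; spf=fail smtp.mailfrom=mailer-attacker.example
From: "Ministry Notice" <notice@ministry.gov.example>
To: redacted@victim.example
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="form.iso"
Content-Disposition: attachment; filename="form.iso"
Content-Transfer-Encoding: base64

Q0QwMDE=
--b1--
"""


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def is_private_ip(ip):
    try:
        return any(ipaddress.ip_address(ip) in net for net in PRIVATE_NETS)
    except ValueError:
        return False


def received_hops(msg):
    """Received headers in transit order: index 0 is the bottom header, i.e. the first hop."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(str(hdr).split())  # unfold continuation lines
        m = re.search(r"\bfrom\s+(.*?)\s+by\s+", text, re.I)  # the "from" clause names the sender
        ip_m = IP_RE.search(m.group(1) if m else text)
        ip = ip_m.group(1) if ip_m else None
        hops.append({"ip": ip, "private": is_private_ip(ip) if ip else False, "raw": text})
    return hops


def spf_allows(record, ip):
    """ip4:/all terms only (include:, a, mx need DNS). 'none' = no record, anyone may send."""
    if not record or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        q, mech = (term[0], term[1:]) if term[0] in QUALIFIER else ("+", term)
        if mech.lower() == "all" or (mech.lower().startswith("ip4:")
                                     and addr in ipaddress.ip_network(mech[4:], strict=False)):
            return QUALIFIER[q]
    return "neutral"


def triage(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = received_hops(msg)

    def domain(header):
        return parseaddr(str(msg.get(header, "")))[1].rpartition("@")[2].lower()
    from_domain, rp_domain = domain("From"), domain("Return-Path")
    spf_m = re.search(r"\bspf=(\w+)", str(msg.get("Authentication-Results", "")), re.I)
    spf = spf_m.group(1).lower() if spf_m else None
    attachments = [{"name": p.get_filename() or "", "sha256": sha256_hex(p.get_payload(decode=True) or b""),
                    "risky": os.path.splitext(p.get_filename() or "")[1].lower() in RISKY_EXTENSIONS}
                   for p in msg.walk() if p.get_content_disposition() == "attachment"]
    findings = []
    if rp_domain and from_domain != rp_domain:
        findings.append(f"From domain {from_domain} differs from Return-Path domain {rp_domain}")
    if spf in ("fail", "softfail"):
        findings.append(f"SPF {spf} recorded by the receiving MX")
    findings += [f"hop from private address {h['ip']}" for h in hops if h["private"]]
    findings += [f"risky attachment {a['name']} sha256={a['sha256']}" for a in attachments if a["risky"]]
    return {"origin_ip": hops[0]["ip"] if hops else None, "hops": hops, "from_domain": from_domain,
            "return_path_domain": rp_domain, "domain_mismatch": bool(rp_domain) and from_domain != rp_domain,
            "spf": spf, "attachments": attachments, "findings": findings}


if __name__ == "__main__":
    print(*triage(SAMPLE_EML)["findings"], sep="\n")
```

Run as a script, it prints three findings for the constructed message: the From domain differs from the Return-Path domain, the receiving MX recorded spf=fail, and the attachment is an ISO. A hop from a private address is reported the same way, which is the signal the speaker used in the IcedID case. The RFC 1918 check is explicit rather than `ipaddress.is_private` because Python treats the 192.0.2.0/24 documentation range as private, which would wrongly flag the sample's originating hop.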
Info
Channel: Intezer
Views: 15,072
Id: Xrzsu-FFvu8
Length: 41min 46sec (2506 seconds)
Published: Wed Jun 15 2022