Phishing Email Management

Oct 26, 2018| Category: Security| Tags: Security, SecOps

Inboxes are constantly under attack. As concluded by PhishMe Research, 91% of cyber attacks start with a phishing email. 76% of organizations say they experienced phishing attacks in 2017(Symantec 2018 ISTR). 92.4% of malware is delivered via email(Verizon 2018 DBIR). The phishing attack is becoming popular not only because it provides direct access to most vulnerable part of the network - the end users, but also because most attackers are automating phishing attacks:)

How to protect your organizations from phishing scams is a challenging problem. Education is the first step. As many employees have been aware of this problem, they may choose to report phishing emails to security team. Hence many SecOps are responsible for triage tons of reported phishing email, some are true positive while some are not.  If they are true positives, remediation is necessary afterwards.

In more details, here are some important steps involved in handling phishing email.

  1. Collect message data
    1. Sender email address. If email is "forward", original email must be collected
    2. Recipient email address
    3. Subject line
    4. Sending server IP address
    5. Email content
    6. Email attachment
    7. Domain/URL profiling
  2. Check with third party threat intelligence providers about IP/Domain/URL reputation such as
    1. PhishTank.com
    2. IPVoid.com
    3. Virustotal.com
  3. Known false positives
    1. Close The investigation
  4. Sandbox check
    1. If it has attachment, submit malware to the dynamic malware analysis sandbox and collect the resolution report for future record.
  5. Email header check. Suspicious features include:
    1. Return-Path field contains an email address that is not related to the name shown in the From field in the original email.
    2. The X-Authenticated-User field contains an email address which appears suspicious
    3. The Mail Server IP address in header is known to be malicious.
    4. The email domain is known to be malicious.
  6. Affected user profiling
    1.  Profile the user that has clicked through to the submission page
  7. Update web proxy
    1. Filter all traffic to phishing URL
    2. Change affected user's credential
    3. Monitor system and user account for possible misuse

Triaging one phishing email takes time, triaging hundreds of phishing emails takes more time.  Automation is the key to handle phishing email properly and accurately. Hackers are automating attacks, how about defenders?