Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Effective Threat Investigation for SOC Analysts

You're reading from   Effective Threat Investigation for SOC Analysts The ultimate guide to examining various threats and attacker techniques using security logs

Arrow left icon
Product type Paperback
Published in Aug 2023
Publisher Packt
ISBN-13 9781837634781
Length 314 pages
Edition 1st Edition
Arrow right icon
Author (1):
Arrow left icon
Mostafa Yahia Mostafa Yahia
Author Profile Icon Mostafa Yahia
Mostafa Yahia
Arrow right icon
View More author details
Toc

Table of Contents (22) Chapters Close

Preface 1. Part 1: Email Investigation Techniques
2. Chapter 1: Investigating Email Threats FREE CHAPTER 3. Chapter 2: Email Flow and Header Analysis 4. Part 2: Investigating Windows Threats by Using Event Logs
5. Chapter 3: Introduction to Windows Event Logs 6. Chapter 4: Tracking Accounts Login and Management 7. Chapter 5: Investigating Suspicious Process Execution Using Windows Event Logs 8. Chapter 6: Investigating PowerShell Event Logs 9. Chapter 7: Investigating Persistence and Lateral Movement Using Windows Event Logs 10. Part 3: Investigating Network Threats by Using Firewall and Proxy Logs
11. Chapter 8: Network Firewall Logs Analysis 12. Chapter 9: Investigating Cyber Threats by Using the Firewall Logs 13. Chapter 10: Web Proxy Logs Analysis 14. Chapter 11: Investigating Suspicious Outbound Communications (C&C Communications) by Using Proxy Logs 15. Part 4: Investigating Other Threats and Leveraging External Sources to Investigate Cyber Threats
16. Chapter 12: Investigating External Threats 17. Chapter 13: Investigating Network Flows and Security Solutions Alerts 18. Chapter 14: Threat Intelligence in a SOC Analyst’s Day 19. Chapter 15: Malware Sandboxing – Building a Malware Sandbox 20. Index 21. Other Books You May Enjoy

Social engineering techniques to trick the victim

Now, after bypassing the email security controls, an attacker will trick the victim into listing their email as a trusted email and interacting with its content, such as executing attachments or browsing URLs. To trick the victim into interacting with the attacker’s email as a trusted mail, the attacker conducts some social engineering techniques. Social engineering is when an attacker accomplishes malicious activities by tricking the victim into performing human interactions – for example, executing malware, entering credentials into phishing URLs, spreading malware by sending it to their colleagues, and providing sensitive information. There are several techniques used by attackers to conduct successful social engineering attacks, as listed here in detail:

  • Email spoofing: As discussed previously, email spoofing is a technique used in email attacks to trick recipients into thinking a message came from an email sender other than the attacker. For example, think about an attacker targeting a victim who is an employee at ABC Bank; during the reconnaissance phase, the attacker knew that there was business between ABC Bank and another local bank called XYZ Bank. When sending a phishing email to the victim, the attacker spoofs the XYZ Bank email domain address to trick the victim into thinking that the email is trustworthy and related to the business. Hence, they will comfortably interact with the email contents (see Figure 1.5).
Figure 1.5 – Spoofing an IRS domain to send a phishing email (ABC7 Chicago)

Figure 1.5 – Spoofing an IRS domain to send a phishing email (ABC7 Chicago)

As you see in the preceding screenshot, the attacker spoofed the US government Internal Revenue Service (IRS) domain to send a phishing email to their victims.

  • Email thread hijacking: Email thread hijacking occurs when an attacker takes control of an existing email conversation between a compromised user and another target victim by replying to the email thread using a newly created email domain that looks similar to the compromised company’s domain. This makes it difficult for the new target victim to spot the difference between the two domains, and they continue the thread without suspicion. For example, an attacker may gain access to organization.com by compromising the victim1@organization.com mailbox. The attacker then spots an email thread between the compromised email address and the target company’s email address, target@targetorg.com. Using their access to the compromised victim mailbox, the attacker copies the email thread to his external server and replies to the thread, using a newly created domain email address similar to the compromised organization, such as victim1@organization.co. The attacker then asks the targeted user to perform some actions, such as changing bank account information, transferring money, providing sensitive information, or executing attachments. This way, the attacker hijacks the email thread between victim1@organization.com and target@targetorg.com for their newly created domain email address, victim1@organization.co (see Figure 1.6).
Figure 1.6 – The steps of email thread hijacking

Figure 1.6 – The steps of email thread hijacking

Attackers usually utilize the email thread hijacking technique in a BEC attack, a type of social engineering attack where the attacker targets a specific individual within another company with whom the victim has an established business relationship, often someone who has access to financial information. The attacker then poses as the legitimate business entity, using similar email domains, and sends a convincing email requesting a change in payment instructions, such as instructing the victim to transfer funds to a new bank account number.

  • Hosting phishing pages on trusted websites that issue an SSL certificate: When a normal user is asked to enter their credentials on a website, the first thing they do is to check for the green padlock symbol. If the padlock exists, the user assumes that it’s safe to interact with the website and enters their credentials. Knowing this, attackers can host a phishing URL on trusted websites that issue SSL certificates for web communications with the end user, such as dynamic DNS domains or cloud applications that host domains (e.g., appspot.com and web.app domains), to trick the victim.

Now that you are familiar with some attacker techniques to trick victims into listing their email as a trusted email and interacting with its content, let’s move on to analyze secure email gateway logs.

You have been reading a chapter from
Effective Threat Investigation for SOC Analysts
Published in: Aug 2023
Publisher: Packt
ISBN-13: 9781837634781
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image