Attacker techniques to evade email security detection
As cyber defense and security controls have become increasingly advanced, attackers have become more creative in their techniques to evade detection by email security solutions. Many critical organizations have now deployed such solutions to check every email sent from external senders to internal recipients, and they have skilled SOCs and threat-hunting teams to detect and respond to threats. In this section, we will explore some of the techniques that attackers use to bypass email security solutions and carry out successful attacks:
- Using newly created domains to send a malicious email: Modern email security solutions are fortified with threat intelligence feeds, which include an updated list of sender domains with a bad reputation resulting from their malicious use in previous phishing campaigns. To evade detection by email security solutions that block malicious emails due to sender domain reputation, attackers often create new domains that have not been used previously in any malicious activities.
- Using non-blacklisted SMTP servers: Just as it consumes malicious sender domain feeds, a secure email gateway can be enriched with threat intelligence feeds of Simple Mail Transfer Protocol (SMTP) server IP addresses known to have been used in phishing campaigns, and mail from those addresses is blocked. To avoid having their emails blocked because of the reputation of the sending server, attackers tend to send from IP addresses that are not yet on any blacklist, for example freshly provisioned cloud hosts or compromised mail servers with a clean history.
- Sandbox analysis evasion: Email gateway security appliances have significantly improved over time and now include sandbox technology that can analyze every attachment sent from external email senders to internal employees. We will deep dive into sandboxing later in the book, but for now, it is worth knowing that sandbox technology is a vital tool, used by cybersecurity analysts and solutions to analyze the behavior of files and executables before running them in a real environment, ensuring that they are not harmful. However, attackers are well aware of this technology and use various techniques to evade sandbox detection efforts, such as the following:
- Malware sleep: To evade sandbox analysis, an attacker can build a delay into the malware, for example a sleep of up to three minutes after execution, so that no malicious activity starts until the sandbox's analysis window has expired and its real-time monitoring has stopped. Modern sandboxes counter this by hooking sleep APIs and fast-forwarding the clock, so attackers also use busy loops or check how much real time has actually elapsed before acting.
- Encrypted file: An attacker can employ a technique of sending a malware file to the victim in the form of a compressed folder or document file, encrypted with a password, which is then shared with the victim via the email body for decryption. Since submitting an attachment file to a sandbox by an email gateway is not an interactive submission process, the password cannot be provided to the sandbox during file analysis to decrypt and analyze the file. Therefore, the sandbox fails to analyze the attachment, allowing it to pass through to the victim’s mailbox undetected.
- Sandbox discovery: After the malware is executed, it may check for the presence of a virtual machine environment, search for any malware analysis tools, and detect abnormal user activity to determine whether it is running in a sandbox environment. If the malware detects any signs of sandbox technology, it may alter its intended actions, stop running, go into sleep mode, or take other evasive actions to avoid detection by the sandbox.
- Responding to specific requests: Another technique used by sophisticated attackers in targeted attacks to evade analysis is to configure the payload or command-and-control server to respond only to requests coming from the victim environment's IP address ranges, collected during the reconnaissance phase. A sandbox or analyst that fetches the same URL from any other address receives nothing, or a harmless page.
- Trusted domains hosting phishing pages: In 2019, cybersecurity researchers detected phishing pages hosted on subdomains of trusted cloud application hosting domains, including appspot.com and web.app. Attackers were able to abuse these domains by creating subdomains that hosted phishing login pages impersonating well-known brands, such as Microsoft Outlook and Dropbox. Because the parent domains are legitimate, these phishing URLs were not categorized as malicious in threat intelligence platforms, which made them difficult to block with email gateway security solutions: blocking the whole parent domain would also block every legitimate application hosted there. However, email gateway security solutions that received threat intelligence feeds listing the specific phishing subdomains/hostnames could block the phishing attempts (see Figure 1.4).
Figure 1.4 – A phishing subdomain targeting Outlook hosted in a web.app domain
As you can see, an attacker developed an HTML phishing file impersonating the Microsoft Outlook login page and hosted it on a subdomain of the web.app domain.
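Two of the evasions above can be checked for at the gateway itself. The following Python script is an added example and is not code from the book or from any email security product: it applies a hostname-granular blocklist lookup (so a feed entry for a single phishing subdomain of web.app matches without blocking web.app itself) and flags ZIP attachments whose local file headers carry the encryption bit, escalating the finding when the email body also appears to hand the recipient a password. The blocklist entries, the sample email and the sample archive are constructed for the example; the archive is a plain ZIP with its encryption flag bit set by hand, which is enough to exercise the header check.

```python
"""Gateway-side checks for hostname-granular blocking and encrypted attachments (added example)."""
import io
import re
import struct
import zipfile
from urllib.parse import urlparse

# Hypothetical threat feed entries: full phishing hostnames, not registrable domains.
PHISHING_HOSTS = {"outlook-login.web.app", "dropbox-verify.appspot.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Heuristic: the body tells the recipient the password for the attachment.
PASSWORD_HINT_RE = re.compile(r"\b(password|passcode)\b\s*(is|:)", re.IGNORECASE)
ZIP_LOCAL_HEADER_SIG = b"PK\x03\x04"


def host_blocked(host, blocklist=PHISHING_HOSTS):
    """True if the exact hostname, or any parent label, is in the blocklist.

    A feed entry of outlook-login.web.app matches that host only; web.app itself
    and other tenants such as docs.web.app are unaffected. A feed that lists a
    whole registrable domain still matches every host beneath it.
    """
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def zip_has_encrypted_entry(data):
    """Scan ZIP local file headers; bit 0 of the general-purpose flag marks encryption."""
    offset = data.find(ZIP_LOCAL_HEADER_SIG)
    while offset >= 0:
        (flags,) = struct.unpack_from("<H", data, offset + 6)
        if flags & 0x0001:
            return True
        offset = data.find(ZIP_LOCAL_HEADER_SIG, offset + 4)
    return False


def triage(body, attachments, blocklist=PHISHING_HOSTS):
    """Return a list of findings for one email: body text plus {name: bytes} attachments."""
    findings = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if host_blocked(host, blocklist):
            findings.append("blocked-host:" + host)
    for name, data in attachments.items():
        if data.startswith(ZIP_LOCAL_HEADER_SIG) and zip_has_encrypted_entry(data):
            if PASSWORD_HINT_RE.search(body):
                findings.append("encrypted-archive-with-password-in-body:" + name)
            else:
                findings.append("encrypted-archive:" + name)
    return findings


def make_sample_zip(set_encrypted_flag):
    """Constructed sample: a one-entry ZIP, optionally with the encryption bit forced on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.exe", b"MZ constructed sample, not a real PE")
    data = bytearray(buf.getvalue())
    if set_encrypted_flag:
        header = data.find(ZIP_LOCAL_HEADER_SIG)
        data[header + 6] |= 0x01  # low byte of the little-endian flag field
    return bytes(data)


# Constructed sample email combining both evasions.
SAMPLE_BODY = (
    "Please review the attached invoice. The password is Inv0ice2019.\n"
    "Sign in to confirm: https://outlook-login.web.app/login?u=victim\n"
    "Unrelated: https://docs.web.app/help\n"
)
SAMPLE_ATTACHMENTS = {"invoice.zip": make_sample_zip(True)}

if __name__ == "__main__":
    for finding in triage(SAMPLE_BODY, SAMPLE_ATTACHMENTS):
        print(finding)
```

The parent-label walk is what makes the blocklist usable with feeds of either granularity; the password-in-body rule is only a heuristic, and a gateway policy that quarantines every encrypted archive for manual review is the simpler and safer default.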
Now that you are familiar with the most common techniques attackers use to bypass the email security solutions deployed in a victim environment, let us look at the techniques attackers use to trick the victim into treating the email as trusted and interacting with its contents.