Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Effective Threat Investigation for SOC Analysts

You're reading from   Effective Threat Investigation for SOC Analysts The ultimate guide to examining various threats and attacker techniques using security logs

Arrow left icon
Product type Paperback
Published in Aug 2023
Publisher Packt
ISBN-13 9781837634781
Length 314 pages
Edition 1st Edition
Arrow right icon
Author (1):
Arrow left icon
Mostafa Yahia Mostafa Yahia
Author Profile Icon Mostafa Yahia
Mostafa Yahia
Arrow right icon
View More author details
Toc

Table of Contents (22) Chapters Close

Preface 1. Part 1: Email Investigation Techniques
2. Chapter 1: Investigating Email Threats FREE CHAPTER 3. Chapter 2: Email Flow and Header Analysis 4. Part 2: Investigating Windows Threats by Using Event Logs
5. Chapter 3: Introduction to Windows Event Logs 6. Chapter 4: Tracking Accounts Login and Management 7. Chapter 5: Investigating Suspicious Process Execution Using Windows Event Logs 8. Chapter 6: Investigating PowerShell Event Logs 9. Chapter 7: Investigating Persistence and Lateral Movement Using Windows Event Logs 10. Part 3: Investigating Network Threats by Using Firewall and Proxy Logs
11. Chapter 8: Network Firewall Logs Analysis 12. Chapter 9: Investigating Cyber Threats by Using the Firewall Logs 13. Chapter 10: Web Proxy Logs Analysis 14. Chapter 11: Investigating Suspicious Outbound Communications (C&C Communications) by Using Proxy Logs 15. Part 4: Investigating Other Threats and Leveraging External Sources to Investigate Cyber Threats
16. Chapter 12: Investigating External Threats 17. Chapter 13: Investigating Network Flows and Security Solutions Alerts 18. Chapter 14: Threat Intelligence in a SOC Analyst’s Day 19. Chapter 15: Malware Sandboxing – Building a Malware Sandbox 20. Index 21. Other Books You May Enjoy

Attacker techniques to evade email security detection

As cyber defense and security controls have become increasingly advanced, attackers have become more creative in their techniques to evade detection by email security solutions. Many critical organizations have now deployed such solutions to check every email sent from external senders to internal recipients, and they have skilled SOCs and threat-hunting teams to detect and respond to threats. In this section, we will explore some of the techniques that attackers use to bypass email security solutions and carry out successful attacks:

  • Using newly created domains to send a malicious email: Modern email security solutions are fortified with threat intelligence feeds, which include an updated list of sender domains with a bad reputation resulting from their malicious use in previous phishing campaigns. To evade detection by email security solutions that block malicious emails due to sender domain reputation, attackers often create new domains that have not been used previously in any malicious activities.
  • Using non-blacklisted SMTP servers: Like malicious sender domain feeds, a secure email gateway can be enriched with threat intelligence feeds of the known malicious Simple Mail Transfer Protocol (SMTP) server IPs that are usually used during phishing campaigns, which are blocked. To avoid their malicious emails being blocked by email security solutions due to the bad reputation of the SMTP server IPs, attackers tend to use non-blacklisted IP addresses.
  • Sandbox analysis evasion: Email gateway security appliances have significantly improved over time and now include sandbox technology that can analyze every attachment sent from external email senders to internal employees. We will deep dive into sandboxing later in the book, but for now, it is worth knowing that sandbox technology is a vital tool, used by cybersecurity analysts and solutions to analyze the behavior of files and executables before running them in a real environment, ensuring that they are not harmful. However, attackers are well aware of this technology and use various techniques to evade sandbox detection efforts, such as the following:
    • Malware sleep: To evade detection from sandbox analysis, an attacker can take precautions by, for example, incorporating a sleep time of up to three minutes in their malware code after execution, thereby delaying the start of any malicious activity until after the sandbox analysis has been completed and avoiding detection by the sandbox’s real-time monitoring.
    • Encrypted file: An attacker can employ a technique of sending a malware file to the victim in the form of a compressed folder or document file, encrypted with a password, which is then shared with the victim via the email body for decryption. Since submitting an attachment file to a sandbox by an email gateway is not an interactive submission process, the password cannot be provided to the sandbox during file analysis to decrypt and analyze the file. Therefore, the sandbox fails to analyze the attachment, allowing it to pass through to the victim’s mailbox undetected.
    • Sandbox discovery: After the malware is executed, it may check for the presence of a virtual machine environment, search for any malware analysis tools, and detect abnormal user activity to determine whether it is running in a sandbox environment. If the malware detects any signs of sandbox technology, it may alter its intended actions, stop running, go into sleep mode, or take other evasive actions to avoid detection by the sandbox.
    • Responding to specific requests: Another technique used by sophisticated attackers in targeted attacks to evade analysis is to respond only to requests sent from the victim environment’s IP addresses, collected during the reconnaissance phase.
  • Trusted domains hosting phishing pages: In 2019, cybersecurity researchers detected phishing subdomains and pages hosted on trusted cloud application hosting domains, including appspot.com and web.app domains. Attackers were able to abuse these domains by hosting malicious subdomains that contained phishing login pages targeting well-known brands, such as Microsoft Outlook and Dropbox. Due to being hosted on legitimate web servers, these phishing URLs were not categorized as malicious domains in threat intelligence platforms, which made them difficult to block with email gateway security solutions. However, email gateway security solutions that received threat intelligence feeds that included specific phishing subdomains/hostnames could block the phishing attempts (see Figure 1.4).
Figure 1.4 – A phishing subdomain targeting Outlook hosted in a web.app domain

Figure 1.4 – A phishing subdomain targeting Outlook hosted in a web.app domain

As you can see, an attacker developed an HTML phishing file impersonating the Microsoft Outlook login page and hosted it on a subdomain of the web.app domain.

Now that you are familiar with most attackers’ techniques to bypass the email security solutions deployed on a victim environment, let us see some attacker techniques to trick the victim into listing their email as a trusted email and interacting with its contents.

You have been reading a chapter from
Effective Threat Investigation for SOC Analysts
Published in: Aug 2023
Publisher: Packt
ISBN-13: 9781837634781
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image