Thursday, May 11, 2017

Incident Response | Phishing Attack

The attacker crafts a fake email containing a URL and sends the message to several users at your organization.

  1. The phishing email is received by the company’s SMTP server
  2. Email goes through the SPAM filter
  3. The phish is moved into the end user’s mailbox
  4. User notices the new email in the mailbox and reads it
  5. User clicks on the link in the malicious email
  6. A website opens up and offers an “.exe” file (disguised with a PDF icon) for download
  7. User believes the file is genuine and opens it
  8. The file is a dropper that downloads additional content from the Internet
  9. The additional content installs automatically
  10. The malware opens a permanent connection to a certain IP address
  11. Attacker connects to the PC through this permanent tunnel
  12. Attacker enumerates the network and downloads DATA if available
IR Steps:
If a new report comes in from the Helpdesk or end users, create a new ticket.
  1. Obtain the original email from the end user and attach it to the ticket
  2. Validate whether the email is a phish:
     1. Check the hostname part of all links in the email on https://otx.alienvault.com or another feed such as VirusTotal or IBM X-Force Exchange
     2. Check the URL: does the visible link text match the actual destination, or is it masking a malicious link?
     3. Does the email try to evade SPAM filters?
If the email is a false positive, resolve the ticket. Otherwise, continue with the instructions below.
Investigation Step 1: Get IoCs
  1. Full download URL(s) from the email
  2. Hostname from URL
  3. Visit http://www.kloth.net/services/nslookup.php and get the IPs belonging to the hostname
Alerting Employees
If this is the fifth ticket related to the same phish, we need to warn our end users of the threat.
Block Emails on the SMTP Server
As the phisher can easily change the subject line or sender of the emails, try to find a common pattern in the email headers of the related emails. For instance, all emails might share the X-Mailer: and X-PHP-Script: headers.
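The validation step, the "Get IoCs" step and the header-pattern idea above can be done with one small triage script. The following is an added example, not code from the original post: it parses a constructed sample .eml (reserved example domains and TEST-NET addresses, not a real campaign), lists the real click destinations, flags anchors whose visible text points at a different host than the href, pulls the X-Mailer and X-PHP-Script headers as a candidate pattern for an SMTP-level block, and resolves the hostnames with the local resolver instead of the web nslookup the post uses. The resolver is injectable (the `__main__` run uses a stub) so the script also works offline.

```python
"""Triage a reported phish: URLs, hostnames, masked links, fingerprint
headers and IPs from an .eml. Added example with constructed sample data."""
import email
import re
import socket
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample phish: example domains and a TEST-NET address only.
SAMPLE_EML = """\
From: "IT Helpdesk" <helpdesk@mail.example.net>
To: alice@corp.example.com
Subject: Invoice overdue - action required
X-Mailer: PHPMailer 5.2.9 (https://github.com/PHPMailer/PHPMailer/)
X-PHP-Script: www.example.net/send.php for 203.0.113.45
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please review the overdue invoice:
<a href="http://dl.example.org/invoice.pdf.exe">https://intranet.corp.example.com/invoice.pdf</a></p>
<p>Mirror: http://cdn.example.org/update.exe</p>
</body></html>
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
FINGERPRINT_HEADERS = ("X-Mailer", "X-PHP-Script")


class LinkExtractor(HTMLParser):
    """Collects (href, label) per <a>, plus text outside anchors so bare
    URLs are found without mistaking a link label for a destination."""

    def __init__(self):
        super().__init__()
        self.links, self.free_text, self._current = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a" and dict(attrs).get("href"):
            self._current = [dict(attrs)["href"], ""]

    def handle_data(self, data):
        if self._current is None:
            self.free_text.append(data)
        else:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def hostname_of(url):
    return (urlparse(url).hostname or "").lower()


def _parse_body(msg):
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = LinkExtractor()
    parser.feed(body.get_content() if body is not None else "")
    return parser


def extract_urls(msg):
    """Real click destinations: hrefs plus bare URLs in the body text."""
    parser = _parse_body(msg)
    urls = {href for href, _ in parser.links}
    urls.update(URL_RE.findall(" ".join(parser.free_text)))
    return sorted(urls)


def masked_links(msg):
    """Anchors whose label is a URL on a different host than the href."""
    out = []
    for href, text in _parse_body(msg).links:
        shown = URL_RE.search(text)
        if shown and hostname_of(shown.group(0)) != hostname_of(href):
            out.append((text, href))
    return out


def fingerprint_headers(msg):
    """Toolkit headers; a value shared across tickets is a block candidate."""
    return {h: str(msg[h]) for h in FINGERPRINT_HEADERS if msg[h] is not None}


def resolve_hostnames(hosts, resolver=socket.gethostbyname_ex):
    """Hostname -> A records; failures give []. Resolver is injectable."""
    ips = {}
    for host in hosts:
        try:
            ips[host] = sorted(resolver(host)[2])
        except OSError:
            ips[host] = []
    return ips


def triage(raw_eml, resolver=socket.gethostbyname_ex):
    msg = email.message_from_string(raw_eml, policy=policy.default)
    urls = extract_urls(msg)
    hosts = sorted({hostname_of(u) for u in urls if hostname_of(u)})
    return {"subject": str(msg["Subject"]), "sender": str(msg["From"]),
            "urls": urls, "hostnames": hosts,
            "ips": resolve_hostnames(hosts, resolver),
            "masked_links": masked_links(msg),
            "fingerprint": fingerprint_headers(msg)}


if __name__ == "__main__":
    # Offline run with a stub resolver returning a constructed TEST-NET IP.
    for key, value in triage(SAMPLE_EML, lambda h: (h, [], ["203.0.113.10"])).items():
        print(f"{key}: {value}")
```

In practice, drop the stub resolver and run the lookup from an isolated analysis host rather than the corporate resolver; the `hostnames` and `ips` lists are what goes to the threat-intel check and, later, the blacklist, while `fingerprint` is the header pattern to compare across related tickets.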
Removing Emails from User Inboxes
Check the SMTP logs to see whether the same email has been delivered to other users. Engage IT to remove similar emails from the affected employees' mailboxes.
  1. Search for the subject line from the original phish
  2. Search for the sender email address from the original phish
  3. If you identify other recipients in the SMTP logs:
     1. Export the affected recipients into a CSV file
     2. Contact the system administrators and ask them to remove the phishes from the affected mailboxes
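The log search and CSV export above, as an added example that is not part of the original post. The gateway log format is constructed (a simple key=value line per delivery; a real product's format only changes `LOG_RE`), as are all addresses. It matches on subject or sender, case-insensitively, so a phish with a changed sender or re-cased subject still turns up, skips messages the gateway rejected because those never reached a mailbox, and counts how many copies each recipient received.

```python
"""Find every recipient of a confirmed phish in mail-gateway logs and
export them as CSV for the mail administrators. Added example; log
format and addresses are constructed, not from a real gateway."""
import csv
import io
import re

# Constructed gateway log; 'rejected' means the message never landed.
SAMPLE_LOG = """\
2017-05-11T08:55:12Z queue=3F2A1 from=<helpdesk@mail.example.net> to=<alice@corp.example.com> subject="Invoice overdue - action required" status=delivered
2017-05-11T08:55:13Z queue=3F2A2 from=<helpdesk@mail.example.net> to=<bob@corp.example.com> subject="Invoice overdue - action required" status=delivered
2017-05-11T08:55:14Z queue=3F2A3 from=<accounts@mail.example.net> to=<carol@corp.example.com> subject="INVOICE overdue - action required" status=delivered
2017-05-11T08:55:15Z queue=3F2A4 from=<helpdesk@mail.example.net> to=<dave@corp.example.com> subject="Invoice overdue - action required" status=rejected
2017-05-11T09:02:40Z queue=3F2B0 from=<newsletter@vendor.example.com> to=<alice@corp.example.com> subject="May newsletter" status=delivered
2017-05-11T09:10:02Z queue=3F2C7 from=<helpdesk@mail.example.net> to=<bob@corp.example.com> subject="Invoice overdue - action required" status=delivered
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) queue=(?P<queue>\S+) from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> '
    r'subject="(?P<subject>[^"]*)" status=(?P<status>\S+)$'
)
FIELDS = ["recipient", "first_seen", "copies", "senders"]


def parse_log(text):
    """Yield one dict per well-formed line; anything else is skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_recipients(log_text, subject=None, sender=None, delivered_only=True):
    """Recipients of any message whose subject OR sender matches the original
    phish (case-insensitive). Each row keeps the first delivery time, the
    number of copies and every sender address seen for that recipient."""
    hits = {}
    for rec in parse_log(log_text):
        if delivered_only and rec["status"] != "delivered":
            continue
        same_subject = subject is not None and rec["subject"].lower() == subject.lower()
        same_sender = sender is not None and rec["sender"].lower() == sender.lower()
        if not (same_subject or same_sender):
            continue
        row = hits.setdefault(rec["rcpt"], {"recipient": rec["rcpt"], "first_seen": rec["ts"],
                                            "copies": 0, "senders": set()})
        row["copies"] += 1
        row["senders"].add(rec["sender"])
    return list(hits.values())


def write_csv(rows, fileobj):
    """Write the recipient list for the admins; returns the row count."""
    writer = csv.DictWriter(fileobj, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({**row, "senders": ";".join(sorted(row["senders"]))})
    return len(rows)


def csv_report(rows):
    """Same as write_csv but returns the CSV text (for the ticket)."""
    buf = io.StringIO()
    write_csv(rows, buf)
    return buf.getvalue()


if __name__ == "__main__":
    rows = find_recipients(SAMPLE_LOG, subject="Invoice overdue - action required",
                           sender="helpdesk@mail.example.net")
    print(csv_report(rows))
```

Running it lists alice, bob (two copies) and carol, whose copy came from a different sender and only matched on the subject; dave is left out because the gateway rejected his copy. Pass `delivered_only=False` when the question is who was targeted rather than who has the phish in their mailbox.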
Blocking Download URL
This process prevents the dropper from being downloaded if a user clicks the malicious URL in the phish.
  1. Pivot on the hostname, collect related hostnames and create a blacklist.
  2. Block it at the perimeter (web proxy/firewall) and in email security.


