Blastin and Castin - Part 3

PART 2 REVIEW:

Just a refresher of what we covered in our second part of this series:

  • The variables for measuring valid, spam and malicious emails
  • Dashboard of phishing searches focused on different tactics
  • Phishing Signatures, can help track changes in tactics, volume and scope
8mbZ_4yhynnh5EIJVwRTj3Nr-xPU86tWGc5AnBC-A6BIaMN0lB7z_3cqks8nx1P6uUxl=h900.png

So we are in a place where we are identifying phishing campaigns and attacks but how do we help defend the company? Let's start by using the data to remediate phishes and enabling controls to stop them from coming in.

 

Exchange Removal Script

This was a result of countless hours trying to email users with instructions to delete phishing emails we know they received. We found we would frequently see them click more often on the malicious email or send us question about our email as a result. We even had our email reported as a phish. Frustrating to an already stretched blue team.

We decided wouldn’t it be nice to reach into mailboxes and just remove the bad emails?! After working with our Exchange team and massive updates from @Nc3pt0r and @brkr19 we have a well-oiled remediation script:

https://github.com/security-storm/phishing/blob/master/PowerShell/PhishingEmail.psm1

 

At a high level, it uses the csv export from the EmailSearcher dashboard, determines if the mailbox is Exchange 2010 or Exchange2013, binds to the mailbox and searches, then acts on the messages it found.

Before running the script you need to configure it with your exchange servers, domain controls, as well as a mailbox for the clones of the messages. This also requires PowerShell 5 on the computer you are running it from.

PARAMETER File
If no file name is given, it will prompt to enter a file name and you can enter as shown below.

PARAMETER Action
Options are summarize, archive, or delete
Summarize grabs the first email that matches and copies it to the clone mailbox and counts the total results
Archive does the same as summarize but copies all matching emails to clone mailbox
Delete removes all matching emails and puts a copy of each in the clone mailbox

PARAMETER FilterBy
Options are all, sender, or subject.This allows the caller to specify which columns in the CSV to filter by.
All requires a match on both sender and subject
Sender requires only a match on sender
Subject requires only a match on message subject

EXAMPLE
PhishingEmail -File C:\Temp\phishtoday.csv -Action summarize -FilterBy sender
This will summarize emails matching the sender for each user in the input file

EXAMPLE
PhishingEmail -File C:\Temp\phishtoday.csv -Action delete -FilterBy All
This will delete emails matching the sender and subject for each user in the input file

This script alone is a terrific tool for addressing phishing threats in near real time.

 

Sandbox Sample Retrieval

You may see several mentions with the removal script of a clone mailbox, we use these copies of the phishing emails to see samples fully intact that we can submit for signature as well as analyze the sophistication and tactics being used. This is incredibly more useful than asking users to send it as an attachment and lets you view the email headers and attachments as if it was sent to you.

 

Once you have the links or attachments, you can then process them in a sandbox to gain insight into the attack and what defense mechanisms may work against them. It will also allow you to determine how any clickers would have been impacted.

 

Enabling Email Controls

To push back the tide of phishing emails you need to enable defense prior to the email landing in a mailbox. After analyzing phishing attacks and the tactics they employ we have enabled the controls below that have proven valuable. This is not a complete list but rather the biggest ones you should focus on first.

Cisco ESA AMP Integration - Enabling this submits email attachments for threat scoring. If it exceeds your threshold, generally over 75, it will drop the emails.

Cisco ESA Require PTR Record - This requires a PTR record for the sending email DNS server. This is great for getting rid of those raw IP or non-standard/personal mail servers.

Spam controls - Go thru all of them and make sure they are tuned to get rid of most of that junk email noise so phishing shows up clearer.

Cisco ESA URL Reputation Filter - The ESA platform allows you to find urls within an email and check the reputation score then act on the email. We are more aggressive with the reputation score than in the web proxy to catch and drop a lot of those unknown type links.

 

Summary

By enabling these global changes and having the ability to remove malicious messages without user intervention you should be able to dig outalmost all of your common phishing campaigns. This also lets you spent more time hunting for other suspicious emails using the tools discussed and folding them in.

UP NEXT IN PART 4:

In our next, and final, post of this series, we will be discussing an actual phishing campaign walkthrough with these tools as well as how to automate and workflow them.

In our comparisions it was roughly 30-45 mins per phishing campaign and now we have it down to 5min or less.

  • Real Phishing Campaign Walkthrough
  • Automation in action
Threat ResponseContra_BlueTeamComment