Phind the Phish - Reducing Phishing Detection from Months to Minutes

Wednesday, March 15, 2017


Every day, attackers tunnel under, sneak through, go around, go over and squeeze past your security technologies.

While you’re armed with more security tools than you can count, most of them are hiding a dirty little secret: They actually create more work for people, not less. Security teams are inundated by alerts indicating potential incidents. These products don't come with job requisitions. They do come with alert overload.

Defenders are often unable to quickly validate whether an alert is real or not, mostly because they receive little context – aka useful insight – from each alert. Without context, it’s a challenge to determine the potential impact of an alert. And given the limits of PCAP data, it can often take days or even weeks to retrieve and analyze data about a threat.

But what if you had a secret weapon that provided the visibility and context you need to make a quick decision about the severity of an alert and, more important, understand the context of what was going on before and after that alert?

With metadata, you do. Rich metadata can answer many questions about what’s happening on your network and shift the advantage from the attacker to you.

Impossible?

Possible. And we’ll prove it. In this three-part blog series, we'll use metadata to solve three of your most vexing challenges.

  1. How can I find everyone who received a phishing email?
  2. How do I verify that we haven’t already been compromised by a particular tactic?
  3. How do I detect credentials in the clear?


Phishing emails – A prolific threat …

Attackers have upped the game when it comes to phishing. Classic phishing campaigns came with predictable payloads: executable attachments disguised as screensavers, or an exploit or macro inside a Word document. Now, attachments are non-traditional file types, such as Java JAR, Windows Script Files (.wsf) and JavaScript, among others.

Experience tells you that where there's one phishing email, there are many more. To take action, you need to know the full extent of the event – but how do you find all the other emails that you know are out there?

You could call the mail administrator. If you have a good relationship and can reach him, it may be possible to convince him to search for similar subject lines and “from” addresses on the mail server. The problem is that mail administrators lack the tools to easily perform such tasks. Plus, their day job leaves little time to take calls from security analysts. You’re left knowing there’s a problem, but unable to identify which users received the email, clicked on it and may be compromised.

Relax. Rich metadata solves the problem.

Metadata fills in the missing pieces of the puzzle. With metadata, you can easily conduct an incident response exercise to scope the event and gain the context necessary to act on the alert. A glance at the Fidelis Network dashboard indicates a number of malware alerts. Let’s take a look at one of them to see how easy it is to dig through data to find the other emails.

Figure 1. Fidelis Network Threat Life Cycle Dashboard

Because Fidelis Network captures rich metadata about every event it sees on the network, pivoting from alert to root cause takes only a few clicks. The extensive forensic information provided in the alert detail facilitates and expedites the investigation process.

Figure 2. Alert Detail

Using the one phishing email as a starting point, we begin with the file attachment details. For this event, we find that a .wsf file was inside a zip file and attached to the email. We can also see that the file extension [.doc.wsf] was mangled just enough to possibly convince a user that it's actually a Word document.

Clearly malicious.

Figure 3. File Attachment Details

Moving across the screen, we see details about related alerts, strengthening our suspicions that the email is part of a larger campaign. This information allows us to begin putting context around the alert that will help answer questions such as:

  • Where does the email seem to have come from?
  • What are the dates?
  • When did the user receive them?

Figure 4. Related Alerts Details

Continuing to the right of the screen, the decoding path and channel attributes reveal even more aspects about the event. Here, for example, we see that the sender is masquerading as FedEx.

Figure 5. Decoding Path & Channel Attributes Detail

While we have quickly uncovered a tremendous amount of information about the alert, this is only the beginning. The next step is to pivot from this alert to look for other events in the environment. This is where metadata really shines. Because Fidelis stores rich metadata about every event on the network, it’s a simple matter to perform a search on a component from inside the session.

Let’s revisit that file name. In this case, the attackers intended to fool the user by giving a .wsf file a name that includes a .doc extension.

Figure 6. Use of .doc.wsf Extension as Attack Tactic

Using the tactic as search criteria, we perform a search over a one-week period.

Figure 7. Filename as Search Criteria

And what do we find? Subject lines on multiple messages and attachments, all of which, while unique, conform to the same tactic. We can conclude that this is a campaign!

Figure 8. Search Results Reveal Full Scope of Campaign
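The pivot described above, from one alert to every message using the same double-extension tactic within a one-week window, as an added example that is not Fidelis Network code. It runs over a constructed list of email-session metadata records; the field names and the sender addresses are assumptions made for the illustration.

```python
from datetime import datetime, timedelta

# Constructed email-session metadata records (not real traffic), shaped like the
# fields the investigation pivots on: timestamp, sender, subject, attachment name.
SESSIONS = [
    {"ts": "2017-03-08T09:12:00", "from": "tracking@fedex-delivery.example",
     "subject": "FedEx shipment 4471", "attachment": "invoice_4471.doc.wsf"},
    {"ts": "2017-03-09T14:03:00", "from": "noreply@fedex-notice.example",
     "subject": "Delivery failed", "attachment": "label.doc.wsf"},
    {"ts": "2017-03-10T08:40:00", "from": "hr@corp.example",
     "subject": "Q1 policy", "attachment": "policy.docx"},
    {"ts": "2017-02-20T11:00:00", "from": "tracking@fedex-delivery.example",
     "subject": "Old shipment", "attachment": "old.doc.wsf"},
    {"ts": "2017-03-11T17:25:00", "from": "billing@vendor.example",
     "subject": "Invoice", "attachment": "invoice.pdf.js"},
]

# Script-capable extensions hidden behind a document-looking name (the .doc.wsf tactic).
SCRIPT_EXT = {"wsf", "js", "jse", "vbs", "jar", "hta"}
DOC_EXT = {"doc", "docx", "pdf", "xls", "xlsx"}


def is_double_extension_lure(filename):
    """True when the name ends in <document-ext>.<script-ext>, e.g. invoice.doc.wsf."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    return parts[1] in DOC_EXT and parts[2] in SCRIPT_EXT


def find_campaign(sessions, anchor_ts, window_days=7):
    """Starting from the alert's timestamp, return every session in the preceding
    window whose attachment follows the same double-extension tactic."""
    end = datetime.fromisoformat(anchor_ts)
    start = end - timedelta(days=window_days)
    return [s for s in sessions
            if start <= datetime.fromisoformat(s["ts"]) <= end
            and is_double_extension_lure(s["attachment"])]


def campaign_senders(hits):
    """Distinct sender addresses across the hits, for blocking or further hunting."""
    return sorted({h["from"] for h in hits})


if __name__ == "__main__":
    hits = find_campaign(SESSIONS, "2017-03-11T17:25:00")
    for h in hits:
        print(h["ts"], h["from"], h["attachment"])
    print("senders:", campaign_senders(hits))
```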

Without Fidelis, and the rich metadata it captures, it’s a safe bet that you’re relying on the mail administrator to help find the nefarious emails. And it’s equally likely you won't find them. All you’d have is that one email. With Fidelis, it takes a couple of pivots and quick searches. In less than two minutes you're able to find all the phishing emails.

What could be easier?

Did you know Fidelis automates the collection, analysis and storage of your network data so it’s ready for you to investigate immediately? The rich metadata that Fidelis Network captures about every session on your network makes it possible to investigate suspected incidents in seconds – and put the adversary on the ropes.

Ready to cut your detection time down to minutes with metadata? Read our white paper, Talk Metadata To Me: How to Decode Your Network’s Deepest and Darkest Secrets and contact Fidelis today.

This is part one of a three-part blog series about ways to reduce detection time from months to minutes. Coming up: Part 2: Applying New Threat Intel to the Past.

-- Fidelis Cybersecurity CMO Michael Evans