Security Bsides Las Vegas 2024

Email Detection Engineering and Threat Hunting
2024-08-06, Pearl

Email remains the #1 initial access vector for commodity malware and nation state actors. Historically, tackling email-based threats has been considered the purview of black-box vendor solutions, with defenders having limited scope (or tooling!) to swiftly and effectively respond to novel offensive tradecraft.

In this training, attendees will be given detailed insight into the latest techniques used to deliver prevalent malware strains, including Pikabot and IcedID, and will hunt through email data to identify this malicious activity, developing rules to detect and block these attacks.

Initially, attendees will be introduced to the foundational technologies that enable threat hunting and detection engineering in the email domain, before being given access to the email data of a fictitious company seeded with benign and real-world attack data.

Attendees will be guided through the rule creation process, utilizing free and open detection engines including Sublime and YARA, and will be introduced to the signals that can be used to craft high-fidelity rules, including sentiment analysis, domain age, and attachment analysis. Having completed the training, attendees will have a strong understanding of the tools and techniques at their disposal to defend their organizations from all manner of email threats.


  • Introduction
    • Concepts overview: What is phishing?
    • Interactive: What are recent phishing techniques you’ve seen, or that your company has received? Write them down. Share with the group. We’ll use these ideas to find threats in the lab!
  • Methodology overview
    • Detection Engineering methodology and application to email
    • Threat hunting methodology and application to email
  • Hands-on, with learning mixed in
    • Lab setup
      • Attendees are “Detection Engineers / Threat Hunters / Security Engineers” at “Tyrell Corp”
      • They’re given access to a fictitious email environment seeded with real world email attacks and benign email data
      • Deploy free / OST using Docker and various GitHub rules repos
      • Lab environment will receive on-going emails, both benign and attacks
      • Attendees must develop detections to detect these attacks while minimizing false positives
    • Sequence:
      • First, get familiarized with signals and rules in lab environment
      • Message Query Language / YARA syntax overview
      • Deep dive into attack types and signals used for detection and threat hunting
        • Attack types (not limited to but including):
          • VIP Impersonations
          • HTML smuggling via links/attachments
          • Malicious VBA macros
          • OneNote / LNK file malware (attachments, and links to auto-downloads)
          • PDF attachments with embedded links to malware (PDF -> URL -> ZIP -> WSF)
          • Lookalike domains / homoglyph attacks
          • Credential phishing
          • Password protected archives
          • Exploits (e.g. CVE-2023-23397, CVE-2021-40444)
          • Fake invoices (Geek Squad)
        • Signals: sender domain age, sentiment analysis, attachment analysis, bitcoin addresses, and much, much more
        • Translate signals into detection
      • Malware family and threat actor overview and usage of said techniques
        • Brief overview of additional malware families and threat actors relevant to email attacks
        • Discussion of their techniques, targets, and impact
          • Pikabot
          • QakBot
          • IcedID
          • TrickBot
          • BazarLoader
        • Translate signals into detection
      • BEC attack overview and signals
      • We'll provide a link to a recent technique described in a threat intel report or shared by a security researcher
      • Detection and hunting
        • Use all the knowledge gained from past sequences
        • Attendees must hunt for missed attacks in the environment
        • Optional: Attendees may collaborate in small groups, and compete with others on detection / hunting efficacy
        • Hunt behaviorally in the lab environment for these! Attacks are waiting to be found.
        • Lab environment will receive on-going emails, both benign and attacks
        • Large group engagement: We’ll periodically poll the group to discuss findings
          • Volunteers share discovery/hunting process
        • Small group engagement:
          • Sort into “Security Teams” of 2-4: collaborate and work independently
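The outline lists the signals the training builds on (sender domain age, lookalike and homoglyph domains, VIP impersonation, dangerous attachment types, password-protected archives, bitcoin addresses, urgency language) and the step of translating them into a detection. As an added illustration of that step, and not code from the training, from Sublime, or from any vendor, the stdlib-only Python below parses raw messages, emits named signals, and turns a weighted sum into an allow / review / block verdict. Everything in it is an assumption for the sake of the example: the tyrell.example organization domain and VIP name, the protected-domain list, the domain age table that stands in for a WHOIS/RDAP lookup, the weights and thresholds, and the three constructed sample messages.

```python
import difflib, re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "tyrell.example"  # assumed lab constants below; none come from the training
VIP_NAMES = {"eldon tyrell"}
PROTECTED_DOMAINS = {ORG_DOMAIN, "microsoft.com"}
DANGEROUS_EXT = (".wsf", ".lnk", ".one", ".vbs", ".js", ".hta", ".iso", ".htm", ".html")
URGENCY = ("urgent", "immediately", "wire transfer", "gift card", "past due")
BTC_RE = re.compile(r"\b(?:bc1[a-z0-9]{25,39}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
# Digits and Cyrillic letters commonly swapped for Latin ones in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "\u0430": "a", "\u0435": "e", "\u043e": "o"})
# Constructed registration ages in days; a real pipeline would query WHOIS/RDAP instead.
DOMAIN_AGE_DAYS = {"tyrell.example": 4000, "microsoft.com": 10000, "tyre11.example": 3}
WEIGHTS = {"vip_impersonation": 3, "lookalike_domain": 3, "dangerous_attachment": 3,
           "young_sender_domain": 2, "password_protected_archive": 2, "bitcoin_address": 2, "urgency_language": 1}

def lookalike_of(domain):
    """Return the protected domain a lower-cased sender domain imitates, else None."""
    if domain in PROTECTED_DOMAINS:
        return None
    norm = domain.translate(HOMOGLYPHS).replace("rn", "m")  # undo common homoglyph tricks
    for good in PROTECTED_DOMAINS:
        if difflib.SequenceMatcher(None, norm, good).ratio() >= 0.9:  # near-typosquat
            return good
    return None

def body_text(msg):
    """Concatenate every text/plain part; the multipart container itself is skipped."""
    return "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in msg.walk() if p.get_content_type() == "text/plain")

def extract_signals(raw):
    """Turn one raw RFC 822 message into an ordered list of named signals."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    names = [p.get_filename().lower() for p in msg.walk() if p.get_filename()]
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    signals = []
    if display.strip().lower() in VIP_NAMES and domain != ORG_DOMAIN:
        signals.append("vip_impersonation")
    if (target := lookalike_of(domain)):
        signals.append(f"lookalike_domain:{target}")
    if DOMAIN_AGE_DAYS.get(domain, 10**6) < 30:  # unknown domains are treated as old here
        signals.append("young_sender_domain")
    signals += [f"dangerous_attachment:{n}" for n in names if n.endswith(DANGEROUS_EXT)]
    if any(n.endswith((".zip", ".rar", ".7z")) for n in names) and "password" in text.lower():
        signals.append("password_protected_archive")
    if BTC_RE.search(text):
        signals.append("bitcoin_address")
    if any(k in text.lower() for k in URGENCY):
        signals.append("urgency_language")
    return signals

def verdict(raw):
    """Weighted sum of signals -> allow / review / block."""
    total = sum(WEIGHTS[s.split(":")[0]] for s in extract_signals(raw))
    return "block" if total >= 5 else "review" if total >= 2 else "allow"

# Constructed sample messages for the lab scenario; not real captured email.
PHISH = """\
From: "Eldon Tyrell" <eldon.tyrell@tyre11.example>
Subject: URGENT: overdue invoice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please process this wire transfer immediately. The archive password is 2024.
--b1
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"

--b1--
"""

SMUGGLE = """\
From: "Geek Squad Billing" <billing@gs-renewals.example>
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Your renewal is past due. Open the attached receipt to review the charge.
--b2
Content-Type: text/html; name="receipt.html"
Content-Disposition: attachment; filename="receipt.html"

<html><body>receipt</body></html>
--b2--
"""

BENIGN = """\
From: rachael@tyrell.example

Noon at the usual place?
"""
```

Running `extract_signals(PHISH)` yields the impersonation, lookalike, young-domain, password-archive and urgency signals and `verdict` returns "block"; the HTML attachment plus "past due" wording in `SMUGGLE` lands on "review"; the plain internal note is "allow". Two design points matter when this grows into a real rule: the homoglyph normalization will also rewrite legitimate domains that contain digits, so an allowlist of known senders should run before scoring, and the static age table must be replaced by a live registration lookup for the domain-age signal to mean anything.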

Josh has been doing offensive security-related things for the past 12 years. He's spent most of his professional career breaking into networks via spear-phishing and other methods, and building software for both the public (Department of Defense) and private sectors. Josh is the Founder and CEO of Sublime Security, and in his private life enjoys weightlifting, martial arts, soccer, and spending time with his niece and nephew.