Blue Team Mind Map - Investigating Email Attack

1. Phishing Email

Analyzing

Email Header Analysis, NSLookup, Blacklist check
Phishing email checklist:
- Sender domain checking
- Message header checking
- IP/Hostname checking
- SPF+DKIM+DMARC checking

Analyzing

Examine email sender's address
Header Analysis
Check for URL & Links
Legitimacy of detected URL & link
- Anti-malware & URL scanning tool
  - Response: Implement IP & URL block

Analyzing

Examine email flow above, plus file hash analysis
Determine the file type (e.g. by extension or by tools)
Forensic examination on attachment files
- Use isolated and containment environment to perform analysis
  - Manual testing: Disassemble and reverse the files using tools like IDA Pro, WinDBG, Peepdf
  - Automated testing: Use SaaS scanning tools: Anyrun, Hybrid Analysis, Virustotal

Once malicious host and/or url hash detected,

If the user did not access the IP/URL, remove the mail from users mail box and server
- Eradication
  - block the sender address
  - implement IP/URL blocking
if the user has accessed the IP/URL/attachment,
- Containment
  - Password reset
- Eradication
  - Block the sender address
  - Implement IP/URL blocking
  - Remove the mail from mailbox and server
- Recovery
  - Data Restoration
  - System Reconfiguration
if the user has downloaded and executed the malicious attachment
- Containment (on top of the above basis process)
  - Isolation includes network segmentation
  - Access control and disabling the account

Threat actor could use legitimate website to help redirecting to malicious url in order to make their links in email look non malicious. e.g. linkedin.com/facebook post -> malicious url
Collect IOC and update detected hash to EDR tools