Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Effective Threat Investigation for SOC Analysts

You're reading from   Effective Threat Investigation for SOC Analysts The ultimate guide to examining various threats and attacker techniques using security logs

Arrow left icon
Product type Paperback
Published in Aug 2023
Publisher Packt
ISBN-13 9781837634781
Length 314 pages
Edition 1st Edition
Arrow right icon
Author (1):
Arrow left icon
Mostafa Yahia Mostafa Yahia
Author Profile Icon Mostafa Yahia
Mostafa Yahia
Arrow right icon
View More author details
Toc

Table of Contents (22) Chapters Close

Preface 1. Part 1: Email Investigation Techniques
2. Chapter 1: Investigating Email Threats FREE CHAPTER 3. Chapter 2: Email Flow and Header Analysis 4. Part 2: Investigating Windows Threats by Using Event Logs
5. Chapter 3: Introduction to Windows Event Logs 6. Chapter 4: Tracking Accounts Login and Management 7. Chapter 5: Investigating Suspicious Process Execution Using Windows Event Logs 8. Chapter 6: Investigating PowerShell Event Logs 9. Chapter 7: Investigating Persistence and Lateral Movement Using Windows Event Logs 10. Part 3: Investigating Network Threats by Using Firewall and Proxy Logs
11. Chapter 8: Network Firewall Logs Analysis 12. Chapter 9: Investigating Cyber Threats by Using the Firewall Logs 13. Chapter 10: Web Proxy Logs Analysis 14. Chapter 11: Investigating Suspicious Outbound Communications (C&C Communications) by Using Proxy Logs 15. Part 4: Investigating Other Threats and Leveraging External Sources to Investigate Cyber Threats
16. Chapter 12: Investigating External Threats 17. Chapter 13: Investigating Network Flows and Security Solutions Alerts 18. Chapter 14: Threat Intelligence in a SOC Analyst’s Day 19. Chapter 15: Malware Sandboxing – Building a Malware Sandbox 20. Index 21. Other Books You May Enjoy

The anatomy of secure email gateway logs

Email gateway security is a security solution that checks and analyzes every email, including its content, sent from external email addresses to internal email addresses and vice versa. Such an inline position allows email security controls to have visibility of all emails sent and received, which makes its logs very valuable during threat detection and investigations.

Email security solutions typically provide several types of logs to help organizations monitor and analyze email activity. Here are some common types of logs:

  • SMTP logs: These logs contain information about the delivery of emails via the SMTP, including information such as the sender’s IP address, recipient’s email address, and timestamps
  • Message tracking logs: These logs provide detailed information about the email messages that pass through the email security solution, including metadata such as message ID, sender, recipient, subject, and date/time
  • Content filtering logs: These logs record information about any content filtering rules that were applied to an email message, including the nature of the content and whether it was blocked or allowed
  • Spam and malware logs: These logs contain information about any emails that were flagged as spam or detected as containing malware by the email security solution
  • Quarantine logs: These logs contain information about any emails that were quarantined by the email security solution, including metadata about the message and the reason it was quarantined

During this section, we will discuss and analyze the most common log fields that are generated and exist in all security email gateways, regardless of product name or vendor:

  • SMTP server IP: An SMTP server IP is the IP used by a sender to send an email to a recipient. We can use it to observe any backlisted SMTP server IPs sending us an email or to check for a spoofing presence, as we will see later.
  • Sender email address: The sender email address is the address used to send an email to the recipient. We can use it to observe whether we received an email from a blacklisted domain. It’s also important to consider that this email address could be spoofed by an attacker to trick the victim.
  • Recipient email address: The recipient’s email address is the address that will receive the email in their mailbox from the sender. If there is a cyber incident where a phishing email is distributed to recipients, we can use it to scope the potentially infected users and machines.
  • Email subject: The email subject is a field in an email message that typically describes the content of the message or its purpose. It is entered by the email sender when composing the email and is usually displayed prominently in the recipient’s email client. Attackers usually use motivational phrases in the email subject to encourage their victims into interacting with the email content. For instance, they may use phrases such as Urgent Action Required, Confirm your Account Details, or Unauthorized Access Attempt. Also, it’s crucial to check any suspicious emails that have an irrelevant subject that does not align with the recipient’s interests or job role. For instance, it is unusual for an accountant to receive an email with a subject related to IT courses, so such emails should be treated with caution.
  • Attached filename: If the email sender attached files to the email sent to the recipient, the attachment filename appears in this log field. We mentioned previously the most common phishing attachment types used by attackers to gain initial access to the victim’s machine. The correlation between the list of file types used in phishing attacks and attractive filenames that attackers usually use to encourage a user into opening a malicious file (for example, Purchase order, Important note, and Invoice) will help you detect the spearphishing attachment emails.
  • Attached file hash: Some email gateway security solutions provide a hash value of every file attached in the email passed through it. Some of them provide a hash value when the attached file is detected as malicious, and some of them do not provide a file hash under any conditions. Regardless of the file hash type provided by the secure email gateway solution, you should find one provided. You can hunt for a malicious email passed to recipients by extracting a list of the file hashes provided by email security, executing the list against a threat intelligence feed database, such as the VirusTotal platform, where a script can be utilized.
  • Malware category: This log field will only appear when the email gateway security’s malware signature database matches any file passed through it. The malware category field will provide the malware family (ZLoader, a Trojan Word document, RedLine Infostealer, etc.).
  • Attached URL: If an email contains any URL in the email body, it will be provided in this log field. Some appliances log every URL contained in the email body, and some appliances just log the URL when a match occurs between the attached URL and one in the malicious URL database of the email gateway.
  • Device action: The device action is the action that the email security appliance takes regarding the sent email. The value of this log field helps a security analyst to determine whether a malicious mail was successfully passed to the end user or not.
  • Block reason: When an email is blocked by the email gateway, the blocking reason will be provided to you in this log field.

Now that we are familiar with the most common possible log fields in all email security gateway logs, let us learn how to investigate suspicious emails.

You have been reading a chapter from
Effective Threat Investigation for SOC Analysts
Published in: Aug 2023
Publisher: Packt
ISBN-13: 9781837634781
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image