One Article Review

Home - The article:
Source: AlienVault Lab Blog
Identifier: 8350560
Publication date: 2023-06-29 10:00:00 (viewed: 2023-06-29 10:06:48)
Title: Stories from the SOC: Fighting back against credential harvesting with ProofPoint
Text

Executive summary

Credential harvesting is a technique that hackers use to gain unauthorized access to legitimate credentials using a variety of strategies, tactics, and techniques such as phishing and DNS poisoning. Phishing is the most frequent type of cyber threat and can lead to more harmful attacks such as ransomware and credential harvesting. According to recent research, phishing assaults targeted credential harvesting in 71.5% of cases in 2020. 72% of employees admitted to clicking on a phishing email's malicious link, making it easy for attackers to gather credentials. Phishing is a type of social engineering attack that tricks victims into disclosing personal information or downloading malicious software. It is one of the most difficult cyber threats to eliminate because it relies on human defenses, and organizations must consistently teach personnel to spot the newest phishing techniques.

The Managed Extended Detection and Response (MXDR) SOC team received an alert regarding a user clicking on a suspicious URL in an email; the subsequent traffic was allowed. However, ProofPoint effectively rewrote the URL to prevent some of the potential threats. The SOC team notified the customer about the successful phishing attack by creating an investigation report containing all the events between the attack and the lockout.

Investigation

Initial alarm review

Indicators of Compromise (IOC)

The first alert was triggered when a user clicked on a link contained in a phishing email, which was permitted to pass through. The email's content was crafted to deceive the user into divulging their login credentials. Because the link's URL did not have a signature indicating a poor reputation on Open-Source Intelligence (OSINT), ProofPoint did not intercept the initial click.

[Image: phishing]

Expanded investigation

Events search / Event deep dive

While investigating phishing cases, you must check all recipients who received the same phishing email and who clicked the attachment URL, and whether the firewall allowed the HTTP URL request or not. A review of the previous ninety days of events revealed there was one additional recipient; however, logs showed the email was quarantined after the user's click. The first click on the malicious URL by the initial user was allowed. However, ProofPoint's URL defense feature conducted a heuristic behavioral-based analysis and determined the URL to be malicious. As a result, the second click by the initial user and any subsequent clicks by other users were effectively blocked by ProofPoint.

[Image: blocked by Proofpoint]

After conducting an OSINT analysis, it was determined that the sender's email fails to pass DMARC (Domain-based Message Authentication, Reporting and Conformance) and MX record authentication. This raises concerns regarding the legitimacy of the email. Also, OSINT searches indicate that both recipient emails have been compromised, though the exact time remains unknown.

[Image: have I been pwned]
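The recipient-and-click review described above, as an added example that is not part of the original post: it correlates constructed email-gateway and web-proxy log lines to list everyone who received the phishing URL inside the ninety-day window, each user's clicks and whether they were allowed or blocked, and then flags users whose credentials must be treated as harvested. Log formats, field names, addresses and URLs are assumptions made for the example.

```python
"""Correlate two constructed log sources: who received the phishing URL,
who clicked it within the review window, and was each click allowed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed email-gateway log: timestamp|recipient|sender|url|disposition
MAIL_LOG = """\
2023-02-01T08:00:00|dave@example.test|billing@sender.invalid|http://lure.invalid/login|delivered
2023-06-01T09:12:00|alice@example.test|billing@sender.invalid|http://lure.invalid/login|delivered
2023-06-01T09:12:03|bob@example.test|billing@sender.invalid|http://lure.invalid/login|quarantined
2023-06-01T09:30:00|carol@example.test|hr@example.test|https://intranet.example.test/pay|delivered
"""
# Constructed web-proxy log: timestamp|user|url|action
PROXY_LOG = """\
2023-06-01T09:15:10|alice@example.test|http://lure.invalid/login|allowed
2023-06-01T09:20:41|alice@example.test|http://lure.invalid/login|blocked
2023-06-01T10:02:07|bob@example.test|http://lure.invalid/login|blocked
2023-06-01T10:05:00|carol@example.test|https://intranet.example.test/pay|allowed
"""
PHISH_URL = "http://lure.invalid/login"   # constructed lure URL
NOW = datetime(2023, 6, 29)               # constructed review date

def parse(log):
    """Split pipe-delimited log lines into field lists."""
    return [line.split("|") for line in log.strip().splitlines()]

def investigate(mail_log, proxy_log, phish_url, now, window_days=90):
    """Return {recipient: [click actions]} for everyone who received the
    phishing URL inside the review window (default ninety days)."""
    cutoff = now - timedelta(days=window_days)
    recipients = {rcpt for ts, rcpt, _sender, url, _disp in parse(mail_log)
                  if url == phish_url and datetime.fromisoformat(ts) >= cutoff}
    clicks = defaultdict(list)
    for ts, user, url, action in parse(proxy_log):
        if url == phish_url and user in recipients and datetime.fromisoformat(ts) >= cutoff:
            clicks[user].append(action)
    return {r: clicks.get(r, []) for r in sorted(recipients)}

def exposed_users(result):
    """Users with at least one allowed click: treat their credentials as
    potentially harvested (password reset, review of recent logins)."""
    return [user for user, actions in result.items() if "allowed" in actions]

if __name__ == "__main__":
    result = investigate(MAIL_LOG, PROXY_LOG, PHISH_URL, NOW)
    for user, actions in result.items():
        print(user, "clicks:", actions or "none")
    print("credential reset needed for:", exposed_users(result))
```

The February recipient falls outside the ninety-day window and is dropped; the user whose first click was allowed before the URL defense blocked later clicks is the one reported for credential reset.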
Notes: ★★
Sent: Yes
Tags: Ransomware, Threat, Stories


The article does not seem to have been picked up after its publication.


The article does not seem to have been taken from an earlier one.