One Article Review

Home - The article:
Source: AlienVault Lab Blog
Identifier: 8437170
Publication date: 2024-01-09 11:00:00 (viewed: 2024-01-09 15:08:57)
Title: Stories from the SOC: Something smells phishy
Text

Executive summary

In the current cyber landscape, adversaries commonly employ phishing as the leading technique to compromise enterprise security. The susceptibility of human behavior makes individuals the weakest link in the security chain. Consequently, there is an urgent need for robust cybersecurity measures. Phishing, which capitalizes on exploiting human behavior and vulnerabilities, remains the adversary's top choice. To counter this threat effectively, ongoing education and awareness initiatives are essential. Organizations must recognize and address the pivotal role of human vulnerability in cybersecurity.

During regular business hours, an alarm was generated because a customer's user had interacted with a potentially malicious phishing link. This prompted a thorough investigation by analysts that involved leveraging multiple Open-Source Intelligence (OSINT) tools such as VirusTotal and URLscan.io. Through a meticulous examination, analysts were able to unveil suspicious scripts within the phishing webpage's Document Object Model (DOM) that pinpointed an attempt to exfiltrate user credentials. This detailed analysis emphasizes the importance of proactive cybersecurity measures and showcases the effectiveness of analysts leveraging OSINT tools along with their expertise to accurately assess threats within customers' environments.

Investigation

The alarm

The Managed Detection and Response (MDR) Security Operations Center (SOC) initially received an alarm triggered by a potentially malicious URL that a user received in their inbox. Office 365's threat intelligence feed flagged this URL as potentially malicious. The initial steps in addressing this alarm involve two key actions. First, it is crucial to determine the scope of impact on the customer's environment by assessing how many other users received the same URL. Second, a thorough validation process is essential to confirm whether the URL is indeed malicious. These initial steps lay the foundation for a comprehensive response to safeguard the security of the environment.

Phishing alarm

To determine how many users received the same URL, a comprehensive search within the customer's environment was run; it revealed that no other users received it. As a result, only one user is affected, suggesting that this is an isolated incident and not part of a targeted attack on the customer's environment. With this understanding, the focus can now shift to the second step: validating the reputation of the URL. By employing the OSINT tool VirusTotal and inputting the URL received by the user, we aim to assess its potential threat level. VirusTotal aggregates results from various security vendors to provide a comprehensive analysis. In the current evaluation, 13 out of 90 security vendors classify this URL as malicious. It's important to note that while the number of vendors flagging the URL is a key factor, a conclusive determination of malicious intent typically requires a consensus among a significant portion of these vendors. A higher number of detections by diverse security platforms strengthens the confidence in labeling the URL as malicious.

[Figure: VirusTotal result for the phishing URL, 13 vendors flag it as malicious]

With a potentially malicious URL identified, it is imperative to delve deeper to ascertain the underlying reasons for its malicious reputation. Analysts will utilize a tool such as URLscan.io for this purpose. URLscan.io serves as a sandbox, providing a risk-free environment for visiting websites. This tool is instrumental in conducting a thorough examination to uncover the nuances contributing to the URL's malicious classification. After entering our identified malicious URL into URLscan.io,
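The two triage steps the post describes (scope: how many mailboxes received the same URL; reputation: how many vendors flag it) can be scripted so an analyst applies them consistently. The following is an added example and is not code from the AlienVault post or from the AT&T SOC. The mail-trace export, its pipe-separated format, the phish.example domain, the vendor names and the 50% consensus threshold are all constructed or assumed; the 13-of-90 vendor count mirrors the number in the post.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample mail-trace export (not real customer data). Assumed
# format: timestamp | recipient | subject | URL found in the body (defanged).
MAIL_TRACE = """\
2024-01-09T08:12:03Z | alice@corp.example | Invoice overdue | hxxps://phish[.]example/wefmail/login.php
2024-01-09T08:15:44Z | bob@corp.example | Team lunch | hxxps://intranet[.]corp[.]example/menu
2024-01-09T08:20:10Z | alice@corp.example | Invoice overdue (reminder) | hxxps://phish[.]example/wefmail/login.php
2024-01-09T09:01:27Z | carol@corp.example | Payroll update | hxxps://phish[.]example/wefmail/login.php?u=carol
"""

# Constructed VirusTotal-style vendor verdicts: 13 of 90 vendors flag the URL,
# matching the count in the post; the vendor names are placeholders.
VT_RESULT = {f"vendor{i:02d}": ("malicious" if i < 13 else "undetected") for i in range(90)}


def refang(url: str) -> str:
    """Undo the usual hxxp / [.] defanging so the URL can be parsed."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".")


def normalize(url: str) -> str:
    """Key used for the 'same URL' comparison: scheme, host and path only.
    The query string is dropped because kits often append a per-recipient
    token there, which would make one campaign look like many unrelated URLs."""
    parts = urlsplit(refang(url).strip())
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), parts.path, "", ""))


def parse_trace(trace: str):
    """Yield (recipient, url) pairs from the constructed pipe-separated export."""
    for line in trace.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 4:
            continue  # skip malformed rows rather than guessing at them
        _ts, recipient, _subject, url = fields
        yield recipient.lower(), url


def recipients_of(trace: str, url: str) -> list:
    """Scope check: distinct mailboxes that received the same URL."""
    key = normalize(url)
    return sorted({rcpt for rcpt, u in parse_trace(trace) if normalize(u) == key})


def detection_count(result: dict) -> tuple:
    """(vendors calling the URL malicious, total vendors that returned a verdict)."""
    hits = sum(1 for v in result.values() if v == "malicious")
    return hits, len(result)


def triage(trace: str, url: str, result: dict, consensus: float = 0.50) -> dict:
    """Combine scope and reputation into a next step for the analyst.
    `consensus` is an assumed fraction of vendors at or above which the URL is
    treated as confirmed malicious; any smaller non-zero count is 'potentially
    malicious' and is sent to a sandbox such as URLscan.io for a closer look."""
    affected = recipients_of(trace, url)
    hits, total = detection_count(result)
    ratio = hits / total if total else 0.0
    if ratio >= consensus:
        reputation = "malicious"
    elif hits > 0:
        reputation = "potentially malicious"
    else:
        reputation = "no detections"
    return {
        "affected_users": affected,
        "scope": "isolated" if len(affected) <= 1 else "multiple",
        "vendor_hits": f"{hits}/{total}",
        "reputation": reputation,
        "next_step": "sandbox the URL" if hits > 0 else "manual review",
    }


if __name__ == "__main__":
    print(triage(MAIL_TRACE, "hxxps://phish[.]example/wefmail/login.php", VT_RESULT))
```

In the constructed trace the query-string variant sent to carol is counted as the same URL, so the scope comes back as "multiple" rather than the isolated case in the post; comparing on host and path rather than the full string is the difference that catches it.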
Sent: Yes
Tags: Data Breach, Tool, Vulnerability, Threat
Stories
Rating: ★★


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.