LSWSec - Defensive Security Notes

Defensive Action

Marking External Emails

Exchange

  • Go to the admin centre

  • Go to Mail flow

  • Create a new rule

  • Name it "External email"

  • Apply the rule if the sender is outside the organisation

  • AND the recipient is inside the organisation

  • Prepend the subject of the message with: EXTERNAL

Email security technology

SPF records

  • Sender Policy Framework

  • Used to stop attackers spoofing your domain by specifying the IP addresses or hostnames that are authorised to send email for it

  • The basic syntax of the record is: v=spf1 <IP> <enforcement rule>

DKIM

  • DomainKeys Identified Mail

  • Uses cryptography to verify that an email was sent by the domain's trusted servers

  • The basic syntax of the record is: v=DKIM1 <key type> <public key>

DMARC

  • Domain-based Message Authentication, Reporting and Conformance

  • Allows domain owners to specify what happens if an email fails both SPF and DKIM

  • The three basic options are: none, quarantine and reject

  • The basic syntax of the record is: v=DMARC1 <action> <report address>
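The following Python example is added here and is not part of the original notes. It parses the three record types described above and shows how a receiving server combines them: SPF is evaluated against the sending IP, the DKIM key record is read, and the DMARC p= action is applied when neither check passes. The records, the domain (example.com), and the dictionary standing in for DNS are all constructed so the code runs offline; identifier alignment and the SPF mechanisms that need further lookups (include:, a, mx, redirect=) are left out and noted as assumptions in the comments.

```python
"""Parse SPF, DKIM and DMARC DNS TXT records and apply a DMARC policy.

Added example (not part of the original notes). The three records are
constructed for the reserved domain example.com and served from a dict,
so everything runs offline; a real receiver fetches them over DNS and
also checks identifier alignment, which is omitted here.
"""
import ipaddress

# Constructed records, keyed by the DNS name a resolver would be asked for.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/24 -all",
    "mail._domainkey.example.com": "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7placeholder",
    "_dmarc.example.com": "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com",
}

# SPF qualifier in front of a mechanism -> result when that mechanism matches
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Return the SPF result for sender_ip against a v=spf1 record.

    Only ip4/ip6 mechanisms and the trailing 'all' rule are evaluated;
    include:, a, mx and redirect= need extra DNS lookups and are skipped
    (assumption: a real evaluator follows them).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech = term.lower()
        if mech.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER_RESULT[qualifier]
        elif mech == "all":
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no 'all' rule: the record makes no statement


def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DKIM, DMARC) into a dict."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dkim_key_info(record):
    """Return (key_type, public_key) from a v=DKIM1 record; an empty p= means the key is revoked."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DKIM1":
        raise ValueError("not a DKIM record")
    return tags.get("k", "rsa"), tags.get("p", "")


def dmarc_disposition(record, spf_result, dkim_result):
    """Apply the p= policy: a message passes DMARC if SPF or DKIM passes,
    otherwise the domain owner's chosen action (none/quarantine/reject) applies."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    if spf_result == "pass" or dkim_result == "pass":
        return "deliver"
    policy = tags.get("p", "none")
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]


def check_message(domain, sender_ip, dkim_result):
    """Tie the three records together for one inbound message claiming to be from domain."""
    spf = evaluate_spf(DNS_TXT[domain], sender_ip)
    dmarc_record = DNS_TXT[f"_dmarc.{domain}"]
    action = dmarc_disposition(dmarc_record, spf, dkim_result)
    report_to = parse_tags(dmarc_record).get("rua", "")
    return {"spf": spf, "dkim": dkim_result, "action": action, "report_to": report_to}


if __name__ == "__main__":
    # A legitimate server, then a spoofed sender with no DKIM signature.
    print(check_message("example.com", "203.0.113.10", "pass"))
    print(check_message("example.com", "192.0.2.99", "none"))
```

The second call in the usage block is the case the notes describe: the message fails SPF (the IP is not in the record) and has no DKIM pass, so the domain's p=quarantine tells the receiver to quarantine it and the rua= address tells it where to send the aggregate report.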

Spam filter

  • Gateway spam filter - sits behind an on-premises firewall on the network (e.g. Barracuda Email Security Gateway)

  • Hosted spam filter - hosted in the cloud and works similarly to a gateway spam filter; however, these can sometimes update more quickly.

  • Desktop spam filters - installed on the host computer; these are often freeware, so can be risky to install.

Types of spam filters

  • Content filters - use information in the header and body to determine whether the email is legitimate or spam.

  • Rule-based filters - rules created in Exchange mark an email as spam if it matches a specific rule.

  • Bayesian filters - use machine learning to detect spam based on emails that have previously been marked. However, they can require a large amount of marked spam to be most effective.
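As an added example (not taken from the original notes), the Python below is a minimal Bayesian spam filter of the kind the last bullet describes: it learns word probabilities from messages users have already marked as spam or legitimate, then scores new mail with naive Bayes. The six training messages are constructed and deliberately tiny, which is exactly the limitation the notes mention; with so little marked mail the classifier only separates obviously different messages, and a production filter needs a far larger corpus.

```python
"""A tiny Bayesian spam filter trained on messages that have already been
marked as spam or legitimate ("ham").

Added example, not from the original notes. The training messages are
constructed and deliberately small; the classifier only becomes reliable
once it has seen a large corpus of marked mail.
"""
import math
import re
from collections import Counter

# Constructed, already-marked training data: (label, subject + body text).
TRAINING = [
    ("spam", "win a free prize click here"),
    ("spam", "free money click now"),
    ("spam", "claim your prize now free"),
    ("ham", "meeting agenda attached for tomorrow"),
    ("ham", "please review the quarterly report"),
    ("ham", "lunch tomorrow at noon"),
]


def tokenize(text):
    """Lower-case word tokens; header fields and body are treated alike."""
    return re.findall(r"[a-z0-9']+", text.lower())


class BayesianFilter:
    def __init__(self):
        self.word_counts = {"spam": Counter(), "ham": Counter()}
        self.doc_counts = {"spam": 0, "ham": 0}

    def train(self, label, text):
        """Update counts from one message a user has marked as spam or ham."""
        self.doc_counts[label] += 1
        self.word_counts[label].update(tokenize(text))

    def _log_prob(self, label, tokens):
        """log P(label) + sum of log P(token | label), with Laplace smoothing."""
        vocab = set(self.word_counts["spam"]) | set(self.word_counts["ham"])
        total = sum(self.word_counts[label].values())
        prior = self.doc_counts[label] / sum(self.doc_counts.values())
        logp = math.log(prior)
        for tok in tokens:
            # +1 smoothing: words never seen under this label still get a small probability
            logp += math.log((self.word_counts[label][tok] + 1) / (total + len(vocab)))
        return logp

    def spam_probability(self, text):
        """P(spam | text), computed in log space to avoid underflow."""
        tokens = tokenize(text)
        log_spam = self._log_prob("spam", tokens)
        log_ham = self._log_prob("ham", tokens)
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))

    def classify(self, text, threshold=0.5):
        return "spam" if self.spam_probability(text) >= threshold else "ham"


def build_filter(training=TRAINING):
    """Train a filter on the marked messages (the constructed set by default)."""
    f = BayesianFilter()
    for label, text in training:
        f.train(label, text)
    return f


if __name__ == "__main__":
    f = build_filter()
    for msg in ("free prize click here now", "quarterly report attached"):
        print(f"{msg!r}: {f.classify(msg)} (P(spam)={f.spam_probability(msg):.2f})")
```

Marking mail in the client feeds `train()`; in a real deployment that feedback loop is what slowly raises accuracy, and the threshold is what an administrator tunes to trade false positives against missed spam.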

Attachment Filtering

  • The best way to do this is to block file types which aren’t commonly used by the company

  • Most common formats to block are: .exe, .vbs, .js, .iso, .bat, .ps or .html

Attachment sandboxing

  • Attachments that do not get blocked are opened in a sandbox environment before they get delivered.

  • They are then analysed and do not get delivered if something malicious is detected.

  • A report can be generated to detail what the attachments do.
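The Python below is an added example covering both the attachment filtering and the attachment sandboxing steps above; it is not code from the original notes. It applies the block list the notes give, then hands everything else to the sandbox as described, flagging attachments whose leading bytes do not match their extension so the sandbox report can prioritise them. The magic-byte table, the sample attachments, the content-mismatch check and the added .ps1 entry are constructed assumptions, marked as such in the comments.

```python
"""Attachment filtering plus hand-off to sandboxing, as described in the notes.

Added example, not from the original notes. The block list is the notes' own;
the magic-byte table, the sample attachments and the content-mismatch check
are constructed additions.
"""

# Extensions from the notes. ".ps" is kept as written there; ".ps1" (the usual
# PowerShell script extension) is added here as an assumption.
BLOCKED_EXTENSIONS = {".exe", ".vbs", ".js", ".iso", ".bat", ".ps", ".ps1", ".html"}

# Office documents are zip containers, so a zip signature is expected for them.
OFFICE_ZIP = {".docx", ".xlsx", ".pptx"}

# Leading bytes of a few common formats (constructed table, not exhaustive).
MAGIC = {
    b"MZ": ".exe",          # Windows PE executable
    b"%PDF": ".pdf",
    b"PK\x03\x04": ".zip",
}

# Constructed attachments: (filename, first bytes of content).
SAMPLE_ATTACHMENTS = [
    ("quarterly-report.pdf", b"%PDF-1.7 constructed"),
    ("invoice.pdf.exe", b"MZ\x90\x00constructed"),
    ("statement.pdf", b"MZ\x90\x00constructed"),   # executable renamed to .pdf
    ("notes.txt", b"plain text"),
    ("photo.jpg", b"%PDF-1.4 constructed"),        # extension/content mismatch
    ("deck.pptx", b"PK\x03\x04constructed"),
]


def extensions_of(filename):
    """All suffixes of a name, so 'invoice.pdf.exe' yields ['.pdf', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def sniff_type(data):
    """Guess a file type from its first bytes; None if not in the table."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def attachment_verdict(filename, data):
    """Return ('block', reason) or ('sandbox', reason).

    Anything not blocked outright goes to the sandbox, as the notes describe;
    the reason says whether the sandbox should treat it as suspicious.
    """
    exts = extensions_of(filename)
    final = exts[-1] if exts else ""
    if final in BLOCKED_EXTENSIONS:
        return "block", f"extension {final} is on the block list"
    sniffed = sniff_type(data)
    if sniffed == ".exe":
        # The extension check alone would have let this through.
        return "block", f"content is a Windows executable despite the {final or 'missing'} extension"
    if sniffed and sniffed != final and not (sniffed == ".zip" and final in OFFICE_ZIP):
        return "sandbox", f"extension {final} does not match content {sniffed}; analyse first"
    return "sandbox", "no block-list match; detonate and report as normal"


def filter_attachments(attachments):
    """Map each filename to its verdict; this is what a report would be built from."""
    return {name: attachment_verdict(name, data) for name, data in attachments}


if __name__ == "__main__":
    for name, (verdict, reason) in filter_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{name:22} {verdict:8} {reason}")
```

The renamed executable ("statement.pdf") is the case that motivates checking content as well as extension: a filter that only compares the suffix against the block list would deliver it to the sandbox as an ordinary PDF.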

Security Awareness training

  • User awareness training is crucial in preventing a phishing attack.

  • There are two methods: awareness training or simulated phishing attack.

Awareness training

Make users aware to be wary of emails that:

  • Come from an unknown sending address.

  • Contain improper grammar and spelling mistakes.

  • Have poor styling.

  • Try to get the recipient to click on a button or complete an action.

  • Contain suspicious URLs or attachments.

Simulated Phishing Attacks

  • Send simulated emails to see how likely a phishing attack would succeed

  • If a user clicks on a “malicious” link then it can take them to a safe website, making them aware of what has just happened.

  • This can allow for improvements to be made to staff training or make directors aware of how important security is.

  • Some platforms to do this on are: Sophos Phish Threat, GoPhish (open source), Trend Micro's Phish Insight or PhishingBox.


Last updated 2 years ago