You're reading from Effective Threat Investigation for SOC Analysts

Product type: Book
Published in: Aug 2023
Publisher: Packt
ISBN-13: 9781837634781
Edition: 1st Edition
Author: Mostafa Yahia

Mostafa Yahia is a skilled and motivated threat investigator and hunter with a wealth of experience investigating and hunting down various cyber threats. He is a proven leader in building and leading cybersecurity-managed services such as SOC and threat-hunting services. Mostafa holds a bachelor's degree in computer science, which he earned in 2016, and has furthered his education by earning multiple industry-recognized certifications, including GCFA, GCIH, CCNA, and IBM QRadar. In addition to his professional work, Mostafa also shares his knowledge through free courses and lessons on his YouTube channel. Currently, he serves as the senior lead for cyber defence services in an MSSP company, overseeing SOC, TH, DFIR, and CA services.

The anatomy of secure email gateway logs

A secure email gateway is an inline security control that inspects every email, including its content and attachments, exchanged between external and internal addresses in both directions. Because it sits inline, it has visibility of all mail sent and received, which makes its logs very valuable during threat detection and investigations.

Email security solutions typically provide several types of logs to help organizations monitor and analyze email activity. Here are some common types of logs:

  • SMTP logs: These logs record the delivery of emails via SMTP, including the connecting server's IP address, the recipient's email address, and timestamps
  • Message tracking logs: These logs provide detailed information about the email messages that pass through the email security solution, including metadata such as message ID, sender, recipient, subject, and date/time
  • Content filtering logs: These logs record information about any content filtering rules that were applied to an email message, including the nature of the content and whether it was blocked or allowed
  • Spam and malware logs: These logs contain information about any emails that were flagged as spam or detected as containing malware by the email security solution
  • Quarantine logs: These logs contain information about any emails that were quarantined by the email security solution, including metadata about the message and the reason it was quarantined

In this section, we discuss and analyze the most common log fields found in secure email gateway logs, regardless of product name or vendor:

  • SMTP server IP: The SMTP server IP is the address of the mail server that connected to our gateway to deliver the email, that is, the last hop, not necessarily the sender's own machine. We can use it to spot blocklisted SMTP servers sending us email, or to check for spoofing by comparing it with the infrastructure the sender's domain legitimately sends from, as we will see later.
  • Sender email address: The sender email address is the address presented as the originator of the email. We can use it to check whether we received an email from a blocklisted domain. It is important to remember that this address can be spoofed by an attacker to trick the victim; many gateways log both the envelope sender (MAIL FROM) and the header From address, and a mismatch between the two is worth a look, although mailing lists and bulk senders produce legitimate mismatches as well.
  • Recipient email address: The recipient's email address is the mailbox that received the email. In an incident where a phishing email was distributed to several recipients, we can use this field to scope the potentially affected users and machines.
  • Email subject: The email subject is a field that typically describes the content or purpose of the message. It is entered by the sender and is displayed prominently in the recipient's email client. Attackers usually use motivational phrases in the subject to push victims into interacting with the email content, for instance Urgent Action Required, Confirm your Account Details, or Unauthorized Access Attempt. It is also worth scrutinizing emails whose subject does not align with the recipient's interests or job role. For instance, it is unusual for an accountant to receive an email about IT courses, so such emails should be treated with caution.
  • Attached filename: If the sender attached files to the email, the attachment filename appears in this log field. We covered previously the most common phishing attachment types used by attackers to gain initial access to the victim's machine. Correlating those risky file types with the lure filenames attackers favour to encourage a user to open a malicious file (for example, Purchase order, Important note, and Invoice) will help you detect spearphishing attachment emails.
  • Attached file hash: Some secure email gateways log a hash for every attachment that passes through them, some only when the attachment is detected as malicious, and some never log a hash at all. Check which algorithm your gateway records (MD5, SHA-1, or SHA-256) so that you compare like with like when looking hashes up. You can hunt for malicious emails that reached recipients by extracting the list of attachment hashes and checking them against a threat intelligence source such as the VirusTotal platform, ideally through its API with a script rather than one hash at a time.
  • Malware category: This log field appears only when the gateway's malware signature database matches a file that passed through it. It names the detected malware family (for example, ZLoader, a Trojanized Word document, or RedLine Infostealer).
  • Attached URL: If the email body contains any URL, it is recorded in this log field. Some appliances log every URL in the body; others log a URL only when it matches an entry in the gateway's malicious URL database.
  • Device action: The device action is the action the email security appliance took on the email (for example, delivered, blocked, or quarantined). Its value tells a security analyst whether a malicious email actually reached the end user, which decides whether the recipient's account and machine need follow-up.
  • Block reason: When an email is blocked by the email gateway, the reason for blocking it is provided in this log field.
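The following script ties the fields above together: it parses constructed gateway log lines and applies the checks just described (blocklisted SMTP IP, an internal sender domain arriving from a server that is not ours, lure phrases in the subject, risky attachment types with lure filenames, attachment hashes and URL hosts matched against an indicator list) and uses the device action to decide which hits need user and host follow-up. This is an added example, not code from the book or any vendor; the key=value log layout, the domain corp.example, the network ranges and the indicator sets are all assumptions, and the local indicator sets stand in for a threat intelligence lookup such as VirusTotal.

```python
"""Triage constructed secure email gateway (SEG) log lines with the fields
discussed above. Added example, not the book's code or any vendor's format."""
import ipaddress
import os
import re
import shlex
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample lines in a generic key=value layout; real products differ.
SAMPLE_LOGS = [
    'ts=2023-05-02T08:01:10Z smtp_ip=203.0.113.45 sender=ap@supplier-billing.example '
    'recipient=fin.user@corp.example subject="Invoice 44821 - Urgent Action Required" '
    'attachment=Invoice_44821.iso '
    'sha256=d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592 action=delivered',
    'ts=2023-05-02T08:03:52Z smtp_ip=198.51.100.7 sender=ceo@corp.example '
    'recipient=hr.user@corp.example subject="Confirm your Account Details" '
    'url=http://corp-example-login.example/verify action=delivered',
    'ts=2023-05-02T08:05:30Z smtp_ip=192.0.2.99 sender=news@vendor.example '
    'recipient=it.user@corp.example subject="May newsletter" attachment=Newsletter.pdf '
    'sha256=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad '
    'action=blocked block_reason="Malware: Trojan.Generic"',
    'ts=2023-05-02T08:09:14Z smtp_ip=203.0.113.200 sender=hr@corp.example '
    'recipient=ops.user@corp.example subject="Payroll schedule" action=delivered',
]

# Assumed environment facts and local indicator sets (stand-ins for a TI feed such as VirusTotal).
INTERNAL_DOMAINS = {"corp.example"}
OUR_MTA_RANGES = [ipaddress.ip_network("198.51.100.0/24")]  # where our own mail legitimately originates
BLOCKLISTED_IPS = {"203.0.113.45"}
BLOCKLISTED_URL_HOSTS = {"corp-example-login.example"}
IOC_HASHES = {"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"}
LURE_SUBJECT_RE = re.compile(r"urgent action required|confirm your account|unauthori[sz]ed access", re.I)
LURE_FILENAME_RE = re.compile(r"invoice|purchase[ _-]?order|important", re.I)
RISKY_EXTENSIONS = {".iso", ".img", ".lnk", ".js", ".vbs", ".hta", ".docm", ".xlsm", ".exe", ".scr"}


@dataclass
class Finding:
    recipient: str
    delivered: bool
    reasons: List[str] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        """Device action sets urgency: suspicious mail that was delivered needs user/host follow-up."""
        if not self.reasons:
            return "clean"
        return "escalate" if self.delivered else "blocked-review"


def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value line into a dict; shlex keeps quoted values with spaces intact."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def triage(f: Dict[str, str]) -> Finding:
    reasons = []
    smtp_ip, sender = f.get("smtp_ip", ""), f.get("sender", "")
    sender_domain = sender.rpartition("@")[2].lower()

    if smtp_ip in BLOCKLISTED_IPS:
        reasons.append(f"blocklisted SMTP server IP {smtp_ip}")
    # Spoof heuristic: the sender claims one of our domains but the connecting MTA is not ours.
    if sender_domain in INTERNAL_DOMAINS and smtp_ip:
        try:
            ip = ipaddress.ip_address(smtp_ip)
            if not any(ip in net for net in OUR_MTA_RANGES):
                reasons.append(f"internal sender {sender} via external SMTP IP {smtp_ip} (possible spoof)")
        except ValueError:
            reasons.append(f"unparseable smtp_ip {smtp_ip!r}")
    subject = f.get("subject", "")
    if LURE_SUBJECT_RE.search(subject):
        reasons.append(f"lure phrase in subject {subject!r}")
    name = f.get("attachment", "")
    if name and os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
        lure = " with lure filename" if LURE_FILENAME_RE.search(name) else ""
        reasons.append(f"risky attachment type{lure}: {name}")
    if f.get("sha256", "").lower() in IOC_HASHES:
        reasons.append("attachment hash matches indicator list")
    host = urlparse(f.get("url", "")).hostname or ""
    if host in BLOCKLISTED_URL_HOSTS:
        reasons.append(f"URL host {host} is blocklisted")
    return Finding(f.get("recipient", ""), f.get("action", "").lower() == "delivered", reasons)


def triage_all(lines: List[str]) -> List[Finding]:
    return [triage(parse_line(line)) for line in lines]


def scope_recipients(findings: List[Finding]) -> set:
    """Recipients who actually received suspicious mail: the users and hosts to check next."""
    return {x.recipient for x in findings if x.verdict == "escalate"}


if __name__ == "__main__":
    results = triage_all(SAMPLE_LOGS)
    for r in results:
        print(r.verdict, r.recipient, "; ".join(r.reasons) or "-")
    print("scope:", sorted(scope_recipients(results)))
```

On the sample data, the blocked newsletter with a known-bad hash is only a review item, while the three delivered messages (blocklisted server plus ISO lure, lookalike login URL, and an internal-looking sender arriving from an external server) produce the list of recipients whose mailboxes and machines to check. In a real deployment, replace the indicator sets with your feed lookups and map the key names to your gateway's schema before trusting the output.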

Now that we are familiar with the most common possible log fields in all email security gateway logs, let us learn how to investigate suspicious emails.
