New to automation

Ken · June 6, 2019, 11:33am

Good morning everyone,

Hello from Ohio, I’ve been in a Security focused role for about a year now, our Security program began about three years ago. We have a bunch of tools, a lot of which I think are under-utilized, and zero automation.

As an organization we are expanding fairly rapidly, so we need to stay on top of things. However, that is becoming harder and harder as more of my work are tasks that I feel could be automated. I just need help starting!

I would say that currently our biggest opportunity for automation is in phishing response. Any pointing in the right direction would be appreciated.

Thank you and I’m glad to be here.

Ken

joshswimlane · June 6, 2019, 3:24pm

Welcome to SecOpsHub @Ken! My name is Josh Rickard and i’m a Security Research Engineer with Swimlane. You definitely came to the right place - I have extensive experience with automating phishing response.

Before I dive in, I have a couple questions:

Are you trying to automate the remediation of reported phishing messages?
Automate the detection of phishing messages?
Or something else?

If you have a list of messages that you want to remove from users mailboxes or if you just want to search users mailboxes (if you’re using Exchange) you can use a new open-source Python package we just released for this!

This new package is called py-ews and can be installed using pip. You can find the documentation for this here: https://py-ews.readthedocs.io/en/latest/

This package will allow you to identify all mailboxes you have rights to search, search them, and remove the messages from the users inbox.

Pointers

The biggest thing when it comes to phishing is having a way for users to report messages that they find suspicious. The next is to extract some information that you can either block at your firewall or another appliance/product. The next thing is to extract details about maybe who the hosting provider of a phishing link is and send automated take-down notices or gather that domains whois information and correlate it against other messages that have been reported or identified as malicious.

Honestly, you can take several avenues here but the biggest is having a way to take a reported message and remove it from other people’s mailbox that may have received the same message. This is where py-ews comes in. If you need any help or run into any issues let me know!

I hope this helps, if you have further questions or can provide a bit more of your goals I can provide more detailed information.

Thanks and again Welcome to SecOpsHub!

Josh Rickard

Ken · June 6, 2019, 4:42pm

Josh,

Thank you for the reply. Currently our users are using KnowBe4’s “Phish Alert Button”. So a user gets an email that they think is phishing, they click the button. Currently that sends that email on as a an attachment to a ticket that is created within our ticketing/help desk software, SysAid.

To your questions - I think step one is enrichment/detection. So taking info from that email and doing some preliminary analysis. Thoughts? Maybe that is the wrong approach?

Ken

joshswimlane · June 11, 2019, 3:45am

@Ken, sorry for the delay - hope you had a great weekend!

As far as enrichment, there is a few things I would do:

Strip the Sender address and the From address from email headers (if they are different, then that is not typically normal). Search mailboxes for additional emails sent from those email addresses.
Extract and hash any attachments and check against VirusTotal, Hybrid Analysis, sndbox.io, etc. etc.
Send attachments to an internal sandbox is needed/wanted
Grab any URLs from the body of the message and do a reverse DNS lookup and identify who the hosting provider is. Also get their WHOIS info and you can keep track of this information and use IPs/urls to block at a proxy or border firewall. You can also send automated “takedown” notifications to those hosting providers by pulling their abuse email addresses from WHOIS.
If you want to gather more information, then track and plot (google maps) the send from headers to track the typical path of each email sent - this could or could not show you if an attacker is using a specific open mail relay or other information.

I think you’re heading in the right direction. The biggest thing is writing out your “hypothesis” or “problem statement” – understanding what you are trying to prevent/protect against will help you put in the right automation. Also, a good practice is to say “I expect a X percent drop in {infections, compromised accounts, man hours, etc.} by doing {whatever automation you are wanting to do}”.

I hope this helps!