So, to catch such attacks, we quarantine all incoming emails with protected archives in a special IronPort Quarantine. This quarantine is configured to release its contents after a chosen number of hours e.g. 3 hours. This 3-hour time window gives the SOC analyst the chance to avoid campaigns of 200+ malicious emails going through to the victim's inbox.
1) We create a new quarantine and call it "Protected_Archives_Q". Setting the "Retention Period" to 3 hours and the "Default Action" to "Release".
Monitor => "Policy, Virus and Outbreak Quarantines" => click "Add Policy Quarantine"
2) We create a new "Content Filter" and call it "Protected_Archives".
"Mail Policies" => "Incoming Content Filters" ==> "Add Filter"
3) We add new condition for compressed file types.
"Add Condition" => "Attachment File Info" => "File Type" => "Is" => "Compressed"
4) We add another condition for protected files.
"Attachment Protection" => "One or more attachments are protected."
5) In the "Apply Rule" dropbox, we select "Only if all conditions match".
"Add Action" => "Quarantine" => "Send message to quarantine:" => "Protected_Archives_Q"
Now our content filter looks like below:
"Mail Policies" => "Incoming Mail Policies" => "Content Filters" => Select "Enable" on "Protected_Archive"
This is not the end of it. Actually, SOC team has a lot to do when it comes to cases like protected archives. For example, with each false positive e.g. legit sender bank@veryimportantbank.com that happens to send protected archives to your users, the SOC analyst will have to update the filter to exempt "bank@veryimportantbank.com", like below.
Even exempting certain senders (envelope senders) from your filter is not enough, for example, there has to be another content filter to verify "SPF" of e.g. veryimportantbank.com and this SPF filter must be with a less order than "Protect_Archives" i.e. processed first. Don't worry, we will cover this later.
It is also noteworthy that SOC team should make the user aware that e.g. banks never send their customers the password for e.g. statements in the same email as the attachment.
No comments:
Post a comment