Monday, 11 February 2019

IronPort: Password-Protected Archives

One of the main methods attackers use to deliver malicious files to the victim's inbox is adding the file to a password-protected archive and embedding the archive password in the email body, either explicitly or in an image. This allows the attacker to bypass the email security appliance's Anti-Virus, IDS, etc.

So, to catch such attacks, we quarantine all incoming emails with protected archives in a special IronPort quarantine. This quarantine is configured to release its contents after a chosen number of hours, e.g. 3 hours. This 3-hour time window gives the SOC analyst the chance to stop campaigns of 200+ malicious emails from going through to the victims' inboxes.


1) We create a new quarantine and call it "Protected_Archives_Q", setting the "Retention Period" to 3 hours and the "Default Action" to "Release".
Monitor => "Policy, Virus and Outbreak Quarantines" => click "Add Policy Quarantine"




N.B. In the image below, we set the "Retention Period" to 3 hours, but it is up to the SOC team to choose the best value according to their working hours and business needs. Attacks on weekends should be considered. Also, a company with users in different time zones requires the SOC team to have more quarantines, more filters, and more policies. We will discuss that in later posts.

2) We create a new "Content Filter" and call it "Protected_Archives".
"Mail Policies" => "Incoming Content Filters" => "Add Filter"

3) We add a new condition for compressed file types.
"Add Condition" => "Attachment File Info" => "File Type" => "Is" => "Compressed"


4) We add another condition for protected files.


"Attachment Protection" => "One or more attachments are protected."

5) In the "Apply Rule" drop-down, we select "Only if all conditions match".

6) We add our action, which is to quarantine emails that match the two conditions from steps 3 and 4 in the "Protected_Archives_Q" quarantine.
"Add Action" => "Quarantine" => "Send message to quarantine:" => "Protected_Archives_Q"



Now our content filter looks like below:


7) Finally, we assign the "Protected_Archives" content filter to the default Incoming Mail Policy.

"Mail Policies" => "Incoming Mail Policies" => "Content Filters" => Select "Enable" on "Protected_Archives"


This is not the end of it. The SOC team has a lot to do when it comes to cases like protected archives. For example, with each false positive, e.g. a legitimate sender bank@veryimportantbank.com that happens to send protected archives to your users, the SOC analyst will have to update the filter to exempt "bank@veryimportantbank.com", like below.


Even exempting certain senders (envelope senders) from your filter is not enough. For example, there has to be another content filter to verify the "SPF" of e.g. veryimportantbank.com, and this SPF filter must have a lower order than "Protected_Archives", i.e. be processed first. Don't worry, we will cover this later.
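To test the rule outside the appliance (for example against exported .eml samples), the following added example reproduces the filter's decision in Python: quarantine when an attachment is a ZIP with the "encrypted" flag set, unless the envelope sender is exempt. It is not IronPort's own detection logic and is not from the original post; it covers ZIP only, and the function names and sample message are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Exemption list, using the sender from the post's false-positive example.
# As the post notes, an envelope sender is only trustworthy after an SPF check.
EXEMPT_SENDERS = {"bank@veryimportantbank.com"}

def protected_zip_members(data: bytes) -> list:
    """Names of ZIP members whose 'encrypted' flag (general-purpose bit 0) is set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # The central directory is readable without the password.
            return [i.filename for i in zf.infolist() if i.flag_bits & 0x1]
    except zipfile.BadZipFile:
        return []  # not a ZIP: the "compressed" condition does not match

def verdict(raw: bytes, envelope_sender: str) -> str:
    """'quarantine' if any attachment is a protected ZIP and the sender is not exempt."""
    if envelope_sender.lower() in EXEMPT_SENDERS:
        return "deliver"
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        if protected_zip_members(part.get_payload(decode=True) or b""):
            return "quarantine"
    return "deliver"

def sample_message(encrypted: bool) -> bytes:
    """Constructed test mail with one ZIP attachment, optionally flagged as encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.txt", "constructed sample content")
    blob = bytearray(buf.getvalue())
    if encrypted:
        cd = blob.rfind(b"PK\x01\x02")  # central directory file header
        blob[cd + 8] |= 0x01            # general-purpose flag, bit 0 = encrypted
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "Invoice"
    msg.set_content("Constructed sample body.")
    msg.add_attachment(bytes(blob), maintype="application", subtype="zip",
                       filename="invoice.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(verdict(sample_message(True), "a@example.com"))
```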


It is also noteworthy that the SOC team should make users aware that e.g. banks never send their customers the password for e.g. statements in the same email as the attachment.
