
Monday, 11 February 2019

IronPort: Password-Protected Archives

One of the main methods attackers use to deliver malicious files to a victim's inbox is to place the file in a password-protected archive and put the archive password in the email body, either as plain text or inside an image. Because the Email Security Appliance's anti-virus engine, IDS and other content inspection cannot open the encrypted archive, the attachment passes through unscanned.

So, to catch such attacks, we quarantine all incoming emails carrying protected archives in a dedicated IronPort quarantine. This quarantine is configured to release its contents after a chosen number of hours, e.g. 3 hours. That 3-hour window gives the SOC analyst the chance to stop a campaign of 200+ malicious emails before they reach the victims' inboxes.


1) We create a new quarantine called "Protected_Archives_Q", setting the "Retention Period" to 3 hours and the "Default Action" to "Release".
Monitor => "Policy, Virus and Outbreak Quarantines" => click "Add Policy Quarantine"

N.B. In the image below, we set the "Retention Period" to 3 hours, but it is up to the SOC team to choose the best value according to their working hours and business needs. Attacks on weekends should be considered. Also, if the company has users in different time zones, the SOC team will need more quarantines, more filters, and more policies. We will discuss that in later posts.

2) We create a new "Content Filter" and call it "Protected_Archives".
"Mail Policies" => "Incoming Content Filters" => "Add Filter"

3) We add a new condition for compressed file types.
"Add Condition" => "Attachment File Info" => "File Type" => "Is" => "Compressed"


4) We add another condition for protected files.

"Attachment Protection" => "One or more attachments are protected."

5) In the "Apply Rule" drop-down, we select "Only if all conditions match".

 
6) We add our action, which is to send emails matching both conditions from steps 3 and 4 to the "Protected_Archives_Q" quarantine.
"Add Action" => "Quarantine" => "Send message to quarantine:" => "Protected_Archives_Q"



Now our content filter looks like below:


7) We finally assign the "Protected_Archives" content filter to the default Incoming Mail Policy.

"Mail Policies" => "Incoming Mail Policies" => "Content Filters" => Select "Enable" on "Protected_Archives"


This is not the end of it. Actually, the SOC team has a lot to do when it comes to cases like protected archives. For example, with each false positive, e.g. a legitimate sender bank@veryimportantbank.com that happens to send protected archives to your users, the SOC analyst will have to update the filter to exempt "bank@veryimportantbank.com", like below.


Even exempting certain senders (envelope senders) from your filter is not enough, since an envelope sender is trivially forged. For example, there has to be another content filter that verifies the "SPF" result for e.g. veryimportantbank.com, and this SPF filter must have a lower order number than "Protected_Archives", i.e. be processed first. Don't worry, we will cover this later.


It is also worth noting that the SOC team should make users aware that banks, for example, never send the password for a statement in the same email as the attachment itself.
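As an added Python example, not part of the original post and not Cisco's code: the same two filter conditions (attachment is compressed AND protected) evaluated over a constructed .eml, together with the envelope-sender exemption from the false-positive discussion above. It handles only ZIP archives, and the exempted address is the post's hypothetical bank.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed exemption list, mirroring the post's hypothetical legitimate bank
# whose statements are sent as protected archives (envelope-sender exemption).
EXEMPT_ENVELOPE_SENDERS = {"bank@veryimportantbank.com"}

def zip_is_protected(data: bytes) -> bool:
    """Condition 'attachment is protected': any ZIP member has the encryption bit (bit 0) set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False

def has_protected_archive(msg: EmailMessage) -> bool:
    """Both filter conditions must match: compressed (ZIP magic) AND protected."""
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if payload and payload[:4] == b"PK\x03\x04" and zip_is_protected(payload):
            return True
    return False

def decide(raw_eml: bytes, envelope_sender: str) -> str:
    """Return 'quarantine' (send to Protected_Archives_Q) or 'deliver'."""
    if envelope_sender.lower() in EXEMPT_ENVELOPE_SENDERS:
        return "deliver"  # exempted sender, filter not applied
    msg = message_from_bytes(raw_eml, policy=policy.default)
    return "quarantine" if has_protected_archive(msg) else "deliver"

def build_sample(protected: bool) -> bytes:
    """Constructed test message carrying a one-member ZIP attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("statement.pdf", b"%PDF-1.4 constructed sample")
    data = bytearray(buf.getvalue())
    if protected:
        # The standard library cannot write encrypted ZIPs, so set the
        # general-purpose flag bit 0 in both the local and central headers.
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            data[data.find(sig) + off] |= 0x1
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["Subject"] = "Your statement"
    msg.set_content("The password is in the attached image.")
    msg.add_attachment(bytes(data), maintype="application", subtype="zip", filename="statement.zip")
    return msg.as_bytes()
```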
