We covered the first part of Phishing Email Analysis with PhishTool. We demonstrated key areas to consider when analyzing an email and how to use the collected artifacts for threat intelligence. This was part of the TryHackMe Threat Intelligence Tools room.
Threat Intelligence is the analysis of data and information using tools and techniques to generate meaningful patterns on how to mitigate against potential risks associated with existing or emerging threats targeting organisations, industries, sectors or governments.
To mitigate against risks, we can start by trying to answer a few simple questions:
- Who’s attacking you?
- What’s their motivation?
- What are their capabilities?
- What artefacts and indicators of compromise should you look out for?
Threat Intelligence Classifications:
Threat Intel is geared towards understanding the relationship between your operational environment and your adversary. With this in mind, we can break down threat intel into the following classifications:
- Strategic Intel: High-level intel that looks into the organisation’s threat landscape and maps out the risk areas based on trends, patterns and emerging threats that may impact business decisions.
- Technical Intel: Looks into evidence and artefacts of attack used by an adversary. Incident Response teams can use this intel to create a baseline attack surface to analyse and develop defence mechanisms.
- Tactical Intel: Assesses adversaries’ tactics, techniques, and procedures (TTPs). This intel can strengthen security controls and address vulnerabilities through real-time investigations.
- Operational Intel: Looks into an adversary’s specific motives and intent to perform an attack. Security teams may use this intel to understand the critical assets available in the organisation (people, processes, and technologies) that may be targeted.
- How many domains did UrlScan.io identify?
- What is the main domain registrar listed?
- What is the main IP address identified?
- Which malware is associated with the JA3 Fingerprint 51c64c77e60f3980eea90869b68c58a8 on SSL Blacklist?
- From the statistics page on URLHaus, what malware-hosting network has the ASN number AS14061?
- Which country is the botnet IP address 184.108.40.206 associated with according to FeodoTracker?
- What social media platform is the attacker trying to pose as in the email?
- What is the recipient’s email address?
- What is the Originating IP address? Defang the IP address.
- How many hops did the email go through to get to the recipient?
- What is the customer name of the IP address?
- From Talos Intelligence, the attached file can also be identified by the Detection Alias that starts with an H…
- What malware family is associated with the attachment on Email3.eml?
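Several of the email questions above (recipient address, originating IP, defanging, hop count) come down to reading the Received chain of the message headers. The script below is an added example written for this summary, not code from the room or from PhishTool, and it does not use the room's Email3.eml: it parses a constructed sample message whose hostnames and IPs are placeholders from the RFC 5737 documentation ranges. It counts hops (one per Received header), takes the originating IP from the oldest Received header's "from" clause, and defangs it for safe sharing.

```python
"""Count mail hops and extract/defang the originating IP from an .eml.

Added example for this walkthrough. The message below is constructed for
the demo (not the room's Email3.eml); all addresses are RFC 5737 placeholders.
"""
import re
from email import message_from_string
from email.message import Message
from typing import List, Optional

# Constructed sample: three Received headers, newest on top, as each MTA in the
# path prepends its own stamp. Folded continuation lines start with a tab.
SAMPLE_EML = """\
Received: from mx2.example.net (mx2.example.net [198.51.100.20])
\tby inbound.example.org with ESMTP id abc123;
\tMon, 01 Jan 2024 10:00:03 +0000
Received: from mx1.example.net (mx1.example.net [198.51.100.10])
\tby mx2.example.net with ESMTP id def456;
\tMon, 01 Jan 2024 10:00:02 +0000
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby mx1.example.net with SMTP id ghi789;
\tMon, 01 Jan 2024 10:00:01 +0000
From: "Security Team" <alerts@example.com>
To: victim@example.org
Subject: Account notice
Content-Type: text/plain

Please review the attached document.
"""

IPV4_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")


def received_headers(msg: Message) -> List[str]:
    """All Received headers in order of appearance (top = most recent hop)."""
    return [str(h).replace("\n", " ") for h in msg.get_all("Received", [])]


def count_hops(msg: Message) -> int:
    """Every MTA that relayed the message added one Received header."""
    return len(received_headers(msg))


def originating_ip(msg: Message) -> Optional[str]:
    """IP in the 'from' clause of the oldest (bottom-most) Received header.

    Caveat for analysts: headers added before the message reached your own
    infrastructure can be forged by the sender; only stamps from MTAs you
    trust are authoritative.
    """
    headers = received_headers(msg)
    if not headers:
        return None
    oldest = headers[-1]
    # Keep only the 'from ...' part so we do not pick up the receiving MTA.
    from_clause = re.split(r"\s+by\s+", oldest, maxsplit=1)[0]
    match = IPV4_RE.search(from_clause)
    return match.group(1) if match else None


def defang_ip(ip: str) -> str:
    """Replace dots with [.] so the address cannot be clicked or auto-resolved."""
    return ip.replace(".", "[.]")


def analyse(raw: str) -> dict:
    """Answer the header questions for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    ip = originating_ip(msg)
    return {
        "recipient": msg.get("To"),
        "hops": count_hops(msg),
        "originating_ip": ip,
        "defanged_ip": defang_ip(ip) if ip else None,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

Run it against a real .eml by reading the file into `analyse()`; the defanged form is what you paste into reports or tickets, while the raw IP is what you feed to the reputation services the room covers.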