
Perform Malware Analysis on Phishing Emails using Joe Security Sandbox

Abstract


Category: Forensic and Malware Analysis, Analytics and SIEM, Data Enrichment and Threat Intelligence

Cyware Products Used:

  • Cyware Fusion and Threat Response (CFTR)

  • Cyware Threat Intelligence eXchange (CTIX)

  • Orchestrate (CO)

  • Cyware Situational Awareness Platform (CSAP)

Third-Party Integrations Used:

  • Joe Security Sandbox: To perform malware analysis of a suspicious file or URL.

  • Splunk: SIEM solution to identify hits to the IOCs and watchlist malicious IOCs.

  • VirusTotal: To enrich malicious URLs and hashes.

Problem statement

Cybercriminals keep producing more sophisticated malware, and detecting it by monitoring for suspicious behavior has become harder for analysts. Recent threats have used advanced obfuscation techniques that evade detection by endpoint and network security controls.

Security analysts use sandboxes to test potentially malicious software: the code is executed in an isolated environment so that it cannot harm the host device, the network, or other connected devices. Beyond manual malware analysis and security research, sandbox solutions can be integrated into security orchestration, automation and response (SOAR) workflows.

Solution

The solution is to automatically collect the attachments and URLs from reported phishing emails, submit them for sandbox malware analysis, and automatically deploy remediation actions that block the threats on the organization's network.

Figure: workflow diagram for performing malware analysis on phishing emails using Joe Security Sandbox.

How do we solve this problem?

The workflow polls a dedicated mailbox at a configurable interval over IMAP or POP3 and retrieves the suspicious emails that users have reported. This lets security teams automatically extract and analyze the attachments and URLs in those emails and deploy the required actions. The playbook performs the following activities.

  1. Poll Dedicated Mailbox: The playbook starts by polling the dedicated mailbox at the configured interval over IMAP or POP3 to retrieve the phishing emails reported by users. You can also configure the Office 365 integration to retrieve emails. See Office 365 integration.

  2. Identifying Threat Indicators: The playbook parses the suspicious email's headers, body, and attachments and automatically extracts the attachments and any URLs they contain.

  3. Send to Sandbox: The extracted URLs and attachments are submitted to Joe Security Sandbox for analysis. You can also configure a preferred sandbox tool for analysis. See Forensic and Malware Analysis.

  4. Download Report: Once the malware analysis completes, the playbook retrieves the full analysis report. The report classifies the submitted file or URL as Malicious, Non-malicious, Suspicious, or Not Applicable.

  5. Enrichment: The playbook extracts the URLs and file hashes and sends them to CTIX and VirusTotal for enrichment. CTIX returns internal and external enrichment details for the indicators together with a confidence score; VirusTotal provides additional information about whether the identified indicators are malicious.

  6. Create a CFTR Incident: The playbook creates a new incident in CFTR and attaches the sandbox analysis report and the enrichment details to it.

  7. Response Actions: When the threat is identified as malicious, the playbook performs the following actions in real time.

    1. Blocks the sender's email address at the email gateway and blocks the identified malicious IOCs on CrowdStrike Falcon Endpoint Detection and Response.

    2. Adds the malicious IOCs to CTIX and updates the threat data notes to Blocked on EDR.

    3. Sends an advisory notification to all impacted users through CSAP.

    4. Creates an action in CFTR to quarantine the asset and keeps the incident open for manual investigation.
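The following is an added example of the triage logic behind steps 2, 4 and 7, written here to show what the playbook has to do with a reported message; it is not Cyware's or Joe Security's code. The IMAP fetch and the sandbox, CTIX and VirusTotal API calls are deliberately left out so it runs offline: the email is a constructed sample built in the script, and the sandbox verdict is passed in as a string using the four labels the report uses (Malicious, Non-malicious, Suspicious, Not Applicable). The action strings and the gateway/EDR/CTIX/CSAP names are illustrative, not product API calls.

```python
"""Triage of a user-reported phishing email (playbook steps 2, 4 and 7).

Added example, not Cyware's or Joe Security's code. Mailbox polling and the
sandbox/enrichment API calls are out of scope; the verdict is an input so the
logic runs offline. The email and attachment below are constructed samples.
"""
import email
import email.utils
import hashlib
import re
from email import policy
from email.message import EmailMessage

# Constructed attachment bytes (a fake ZIP header, not real malware).
SAMPLE_ATTACHMENT = b"PK\x03\x04 not really a zip"

# Good-enough URL extractor for plain and HTML bodies; stops at quotes/brackets.
URL_RE = re.compile(r"https?://[^\s\"'<>()]+", re.IGNORECASE)

# The verdict labels the sandbox report uses, as listed on this page.
VERDICTS = {"malicious", "non-malicious", "suspicious", "not applicable"}


def build_sample_eml() -> bytes:
    """Serialise a constructed multipart report so the parser below is exercised."""
    msg = EmailMessage()
    msg["From"] = "Payroll <payroll@example.net>"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Updated pay slip"
    msg.set_content("Your pay slip is attached.\n"
                    "Review it at http://pay-portal.example.net/login\n")
    msg.add_alternative(
        '<p>Review at <a href="http://pay-portal.example.net/login">the portal</a>\n'
        "or download <a href='https://cdn.example.org/x.zip'>here</a>.</p>\n",
        subtype="html")
    msg.add_attachment(SAMPLE_ATTACHMENT, maintype="application",
                       subtype="zip", filename="payslip.zip")
    return msg.as_bytes()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def extract_iocs(raw_eml: bytes) -> dict:
    """Step 2: pull the sender, URLs from plain and HTML bodies, and attachment hashes."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    urls, attachments = set(), []
    for part in msg.walk():
        if part.is_attachment():
            data = part.get_payload(decode=True)
            attachments.append({"filename": part.get_filename(),
                                "sha256": sha256_hex(data), "size": len(data)})
        elif part.get_content_type() in ("text/plain", "text/html"):
            urls.update(URL_RE.findall(part.get_content()))
    sender = email.utils.parseaddr(str(msg["From"]))[1]
    return {"sender": sender, "urls": sorted(urls), "attachments": attachments}


def plan_response(iocs: dict, verdict: str) -> list[str]:
    """Step 7: only a Malicious verdict triggers automatic blocking; every other
    label leaves the incident open for an analyst and blocks nothing."""
    v = verdict.strip().lower()
    if v not in VERDICTS:
        raise ValueError(f"unexpected sandbox verdict: {verdict!r}")
    actions = [f"CFTR: create incident (verdict={v})"]
    if v == "malicious":
        actions.append(f"gateway: block sender {iocs['sender']}")
        actions += [f"EDR: block URL {u}" for u in iocs["urls"]]
        actions += [f"EDR: block SHA-256 {a['sha256']}" for a in iocs["attachments"]]
        actions += ["CTIX: add IOCs, note 'Blocked on EDR'",
                    "CSAP: send advisory to impacted users",
                    "CFTR: create action to quarantine asset, keep incident open"]
    else:
        actions.append("CFTR: keep incident open for manual investigation; no automatic block")
    return actions


if __name__ == "__main__":
    iocs = extract_iocs(build_sample_eml())
    for line in plan_response(iocs, "Malicious"):
        print(line)
```

Two details matter in practice: the same URL usually appears in both the text/plain and text/html alternatives, so URLs are collected into a set before submission, and the hash is computed on the decoded attachment bytes (not the base64 transfer encoding), otherwise it will never match the sandbox's or VirusTotal's value.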

Optional Configurations
Configure your SIEM to identify Hits to IOC

The Joe Security Sandbox playbook can query Splunk SIEM logs to find out whether any user has already clicked or accessed a malicious IOC. Based on the Splunk results, the playbook then automatically remediates the threat on the affected endpoints. You can also configure a preferred SIEM tool to identify hits to IOCs.
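As an added example of the matching this optional step performs (not Cyware's playbook code and not a Splunk API call), the script below runs sandbox-confirmed IOCs over constructed JSON events standing in for what a proxy and EDR search would return. The field names (`_time`, `user`, `host`, `url`, `sha256`) and the IOC values are assumptions made for the example; real Splunk sourcetypes will use their own field names.

```python
"""Find SIEM hits for sandbox-confirmed IOCs (the optional Splunk step).

Added example, not Cyware's playbook or a Splunk client. The events are
constructed JSON records with assumed field names; the IOCs are placeholders.
"""
import json
from urllib.parse import urlparse

# Constructed IOCs as the sandbox/enrichment step would hand them over.
IOCS = {
    "urls": ["http://pay-portal.example.net/login"],
    "hashes": ["0f" * 32],  # placeholder SHA-256 of the sandboxed attachment
}

# Constructed Splunk-style JSON events, one per line (assumed field names).
SAMPLE_EVENTS = [
    '{"_time": "2024-05-01T09:12:03Z", "user": "alice", "host": "WS-101", '
    '"url": "http://pay-portal.example.net/login?u=alice"}',
    '{"_time": "2024-05-01T09:13:40Z", "user": "bob", "host": "WS-114", '
    '"url": "https://intranet.example.com/news"}',
    '{"_time": "2024-05-01T09:20:11Z", "user": "carol", "host": "WS-120", '
    '"url": "HTTP://PAY-PORTAL.EXAMPLE.NET/reset"}',
    '{"_time": "2024-05-01T09:25:55Z", "user": "alice", "host": "WS-101", '
    '"sha256": "' + "0F" * 32 + '", "file": "payslip.zip"}',
]


def host_of(url: str) -> str:
    """Lower-cased hostname. Matching on the host rather than the exact URL
    catches visits to other paths on the same phishing site."""
    return (urlparse(url).hostname or "").lower()


def find_hits(iocs: dict, events: list[str]) -> list[dict]:
    """Return one record per event that touched a malicious URL host or hash."""
    ioc_hosts = {host_of(u) for u in iocs["urls"]}
    ioc_hashes = {h.lower() for h in iocs["hashes"]}
    hits = []
    for line in events:
        ev = json.loads(line)
        matched = None
        if ev.get("url") and host_of(ev["url"]) in ioc_hosts:
            matched = ev["url"]
        elif ev.get("sha256", "").lower() in ioc_hashes:
            matched = ev["sha256"]
        if matched:
            hits.append({"time": ev["_time"], "user": ev["user"],
                         "host": ev["host"], "ioc": matched})
    return hits


def affected_assets(hits: list[dict]) -> list[tuple[str, str]]:
    """Distinct (user, host) pairs: the targets for the quarantine action and
    the CSAP advisory in the response step."""
    return sorted({(h["user"], h["host"]) for h in hits})


if __name__ == "__main__":
    found = find_hits(IOCS, SAMPLE_EVENTS)
    for h in found:
        print(h)
    print("quarantine/advise:", affected_assets(found))
```

Both URL hosts and hashes are compared case-insensitively because proxies and EDR agents do not agree on casing. In Splunk itself the first cut is the corresponding field search, for example `index=proxy url=*pay-portal.example.net*` (index name assumed), and the result set is what the playbook feeds into the remediation actions.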

Benefits
Detect and Respond to Zero-day Threats

A sandbox detects the malicious activity a file or URL performs by executing it and analyzing its behavior in depth, which allows analysts to detect and block zero-day threats and targeted attacks. Note that a Non-malicious verdict is not proof of safety: sandbox-aware samples can recognize the analysis environment and withhold their payload, so the verdict should be weighed together with the enrichment results.

Analyze Large Volumes of Phishing Emails

By leveraging an automated response process, security analysts save time and can respond effectively to a large volume of spear-phishing alerts.

Going Beyond Incident Investigation

The playbook not only helps the organization respond to specific phishing threats but also captures the lessons learned from each incident so that long-term strategic controls can be put in place. This helps the organization defend against future attempts of the same kind by using the unique capabilities of the fusion center.