8. Social Engineering
Recon email walkthrough + example for local analysis (safe)
9. Vishing, Smishing
Example of Smishing, example audio-clip of Vishing
10. Whaling
Email walkthrough + example for local analysis (safe)
3) Tactics and Techniques Used
1. Section Introduction
2. Spear Phishing
3. Impersonation
4. Typosquatting and Homographs
5. Sender Spoofing
6. HTML Styling
7. Attachments
8. Hyperlinks
9. URL-Shortening Services
10. Use of Legitimate Services
11. Business Email Compromise
4) Investigating a Phishing Email
1. Section Introduction
2. Artefacts we Need to Collect
Sending address, sending IP + reverse DNS, recipients, subject, URLs/attachments
3. Manual Collection Techniques
Text Editor + mail client to retrieve artefacts
4. Analysis Toolkits
PhishTool
5. Scoping (Recipient Identification)
Identifying recipients using multiple methods
5) Analyzing URLs, Attachments, and Artefacts
1. Section Introduction
2. Visualization Tools
URL2PNG, Virtual Machines, URLScan
3. Artefact Reputation Tools
AbuseIPDB, IPVoid, VirusTotal, IBM X-Force Exchange
4. Interaction Tools
Virtual Machines, Online Sandboxes
6) Taking Defensive Actions
1. Section Introduction
2. Preventative Measures: Marking External Emails
Appending subject lines or email bodies with warning messages
3. Preventative Measures: Email Security Technology
SPF, DKIM, DMARC
4. Preventative Measures: Spam Filter
Blocking emails based on threat feeds and blacklists
5. Preventative Measures: Attachment Filtering
Filtering extensions such as .exe, .iso, .dll
6. Preventative Measures: Attachment Sandboxing
7. Reactive Measures: Pulling or Deleting Emails
Deleting known-bad emails from inboxes or retrieving for analysis
8. Reactive Measures: Immediate Response Process
Complete start-to-finish phishing investigation
9. Reactive Measures: Blocking Web-Based Artefacts
Web proxy blocks (URL, Domain, IP)
10. Reactive Measures: Blocking Email-Based Artefacts
Email gateway blocks (Sender, Subject, Sending Server IP, Sending Domain)
11. Reactive Measures: Blocking File-Based Artefacts
EDR/AV blocks (MD5/SHA1 hash, filename)
12. Reactive Measures: Informing Threat Intelligence Team
Tracking campaigns/actors, sharing IOCs
7) Report Writing
1. Section Introduction
2. Email Header, Artefacts, and Body Content
Appropriately describe the email and provide the necessary artefacts
3. Users Affected and Actions Taken to Notify
Who was contacted, how, and when?
4. Analysis Process, Tools, and Results
What tools were used to investigate artefacts? What were the results? URL2PNG, virtual machine, WannaBrowser, IPVoid, AbuseIPDB, WHOIS
5. Defensive Measures Taken
What actions were taken, or requested to be taken? Email, Web, and File artefact blocking
6. Lessons Learned
Any knowledge that was taken away from this specific attack
8) Lessons Learned
1. Section Introduction
2. Reflect on the Observed Phishing Campaign
3. Identifying New Tactics (Work with Threat Intel)
Collecting intelligence on new tactics and sharing with appropriate industry or government partners through ISACs
4. Response Improvements
How could the response have been better? Runbooks, procedures, training, new tooling
9) Further Reading
1. Further Reading Material
Links to more resources that students may find helpful.
4. Custom Malware/Tools
Exploring custom tools used by APTs, why they’re used
5. Living-off-the-land Techniques
What LOTL is, why it’s used, why it can be effective
4) Operational Intelligence
1. Indicators of Compromise Explained & Examples
What IOCs are, how they’re generated and shared, using IOCs to feed defences
2. Precursors Explained & Examples
What precursors are, how they’re different from IOCs, how we monitor them
3. TTPs Explained & Examples
What TTPs are, why they’re important, using to maintain defences (preventative)
4. MITRE ATT&CK Framework
Framework explained and how we map cyber-attacks, real-world example
5. Lockheed Martin Cyber Kill Chain
Framework explained and how we map cyber-attacks, real-world example
6. Attribution and its Limitations
Why attribution is hard, impersonation, sharing infrastructure, copy-cat attacks
7. Pyramid of Pain
You’ll wish we didn’t teach you this. It’s called the Pyramid of Pain for a reason.
5) Tactical Threat Intelligence
1. Threat Exposure Checks Explained
What TECs are, how to check your environment for presence of bad IOCs
2. Watchlists/IOC Monitoring
What are watchlists, how to monitor for IOCs (SIEM, IDPS, AV, EDR, FW)
3. Public Exposure Assessments
What PEAs are, how to conduct them, Google dorks, harvester, social media
4. Open-Web Information Collection
How OSINT data is scraped, why it’s useful
5. Dark-Web Information Collection
How intel companies scrape dark web intel, why it’s useful, data breach dumps, malicious actors on underground forums, commodity malware for sale
6. Malware Information Sharing Platform (MISP)
What is MISP, why is it used, how to implement MISP
6) Strategic Threat Intelligence
1. Intelligence Sharing and Partnerships
Why sharing intel is important, existing partnerships, US-CERT, NCCIC, NCSC, ISACs
2. IOC/TTP Gathering and Distribution
3. Campaign Tracking & Situational Awareness
Why we track actors, why keeping the team updated is important
4. Trialing New Intelligence Platforms/Toolkits
Undertaking proof-of-value demos to assess the feasibility of new tooling
5. OSINT vs Paid-for Sources
Threat Intelligence Vendors, Public Threat Feeds, National Vulnerability Database, Twitter
7) Malware and Global Campaigns
1. Types of Malware Used by Threat Actors
Trojans, RATs, Ransomware, Backdoors, Logic Bombs
2. Globally recognized Malware Campaigns
Emotet, Magecart, IcedID, Sodinokibi, TrickBot, LokiBot
8) Further Reading
1. Further Reading Material
Links to more resources that students may find helpful.
4. ACPO Principles
5. Live Forensics
Fast acquisition of key files
6. How to Collect Evidence
Laptops, desktops, phones, hard drives, tablets, websites, forum posts, blog posts, social-media posts, chat rooms
7. Types of Hard Drive Copies
visible data, bit for bit, slackspace
8) Live Forensics
1. Section Introduction
2. Live Acquisition
What is live acquisition/live forensics? Why is it beneficial?
3. Products
Carbon Black, EnCase, memory analysis with agents, custom scripts
4. Potential Consequences
Damaging or modifying evidence making it invalid
9) Post-Investigation
1. Section Introduction
2. Report Writing
3. Evidence Retention
Legal retention periods, internal retention periods
4. Evidence Destruction
Overwriting, degaussing, shredding, wiping
10) Further Reading
1. Further Reading Material
Links to more resources that students may find helpful.
If you are interested in Blue Team Level 1, register now to be notified when we launch, and receive a £100 (20%) discount!
Organizations, if you believe BTL1 could benefit your team, new-hires, graduates, or anyone else, please get in touch as we are offering discounts and free vouchers for bulk licenses.
https://securityblue.team/why-btl1/