(3) Common Techniques For Analyis And E-mail Research Flashcards
What is pattern recognition?
Pattern recognition is the ability to see a common attack, exploit, and compromise and to identify it for what it is
What is a common focus for pattern recognition?
A common focus for pattern recognition is to identify command and control (C&C) traffic, also called beaconing
What are a few patterns that one could look for to identify Command and Control (C&C) traffic?
Identifying C&C traffic involves looking for:
-Traffic on known malicious IP addresses or networks
-Traffic on unexpected ports
-Traffic via protocols that are rarely used, or outside the general use patterns of that protocol
-Data transfers that are very large
-Traffic that is normally associated with processes that wouldn’t normally send traffic (such as calculator, etc)
-Traffic sent outside normal business hours
-Any other traffic that is outside the norm
What do advanced Ai and ML techniques do when it comes to pattern recognition?
When it comes to pattern recognition, AI and ML use a huge set of indicators and baseline techniques to identify unwanted or malicious events and can do so on a very large scale
What do automated e-mail scanning tools look for when it comes to e-mails?
Automated e-mail scanning tools look for things such as known malicious or spam senders, using block lists that are available worldwide.
They also check each e-mail for bad payloads like malware or bad files
When it comes to e-mail analysis, what is header analysis and message content analysis?
Header analysis examines the e-mail header, checking elements such as SPF (Sender Policy Framework) and the domain to see if it is a known domain that sends bad stuff
Note: There are e-mail header analysis tools online that can be used to examine these things
What is true about forwarded e-mails when it comes to e-mail analysis?
Forwarded e-mails don’t maintain the original headers. The headers can still be looked at manually though, but normal users wouldn’t know how to do that without being taught.
What happens is that Security Policy Framework (SPF) is broken when an e-mail is forwarded because the forwarding sender will now be the sender and many SPF checks can fail at that point
What is the danger with automatic e-mail forwarding?
Automatic e-mail forwarding is a security issue because attackers who have successfully compromised an e-mail account can send all e-mails that the compromised account gets to whatever destination that they would like.
Even in the absence of a data compromise, a forwarded e-mail sends important data outside of your security perimeter
Why are embedded links a security concern?
Embedded links are a concern because they are included in phishing e-mails.
Embedded phishing links can lead to different places that the text that makes up the links can make it seem.
E-mail security tools can scan for rough content and block most (not all) of these bad links
Why are e-mail signature blocks useful to help identify attacks?
E-mail signature blocks are useful because e-mail signatures can contain images and embedded links that tell attackers if the e-mail was opened or are actually part of an attack.
More sophisticated attackers will copy legitimate signatures
When it comes to e-mail analysis, why are digital signatures and public key encryption important?
Digital signatures and public key encryption are important because they can assist in proving that the actual sender was the real one and that the message content was not changed.
Digitally signed e-mails create a hash that can be checked to make sure that the received e-mail matches the one that was sent and that the sender was the actual real sender.
When it comes to e-mail analysis, what happens when an e-mail is digitally signed?
When an e-mail is digitally signed, a hash is made. The hash is encrypted with the signers private key to create the digital signature.
The senders digital certificate and signature is attached to the e-mail.
When it comes to e-mail analysis, what happens when a person gets an e-mail that has been digitally signed?
The recipient can make sure the hash that they get is good and can decrypt the signature using the public key of the sender, making sure it matches.
What do many e-mail service providers include as a feature with their e-mail service?
E-mail service providers often include support for digital signatures and tools like S/MIME (Secure/Multipurpose Internet mail Extensions) but not enough people use them
