Business Email Compromise (BEC) is a growth industry. The level of expertise required to launch a cyber-attack via email is minimal, and the financial incentive to succeed is significant. In April of 2020, a threat group stole nearly £600k with a successful compromise. A recent FBI publication indicates that cyber criminals are relentless: BEC accounted for only 5% of the total number of cybercrime complaints received in the US in 2019; however, these same incidents were responsible for nearly half of the reported losses ($1.7 billion USD). Another report from multinational finance and insurance giant AIG indicates that BEC represented nearly a quarter of their total claims for EMEA for 2018. In short, BEC is easy, lucrative, and financially devastating to the target of the attack. Current events have a large portion of the world’s workforce using email more than ever before as a means of collaboration, vastly increasing an organization’s attack surface.
In response to this rising threat, we have released the IBM Security QRadar Phishing and Email Content Extension on the IBM Security App Exchange. Here are some of the highlights for the new content extension.
Log Source Types
The content pack has been designed and tested for use with Proofpoint Enterprise Protection/Enterprise Privacy, PostFix Mail Transfer Agent, Microsoft Exchange Server, Cisco IronPort (logs from Cisco Email Security Appliance (ESA)), Microsoft Office 365 and QRadar Network Insights (QNI).
Custom Rules
Use Cases
The QRadar Phishing and Email Content Extension includes new custom rules that cover the following use cases.
- Potential leakage of data
- Suspicious mailbox management
- Suspicious email subject
- High number of emails from unauthorized users
- Valid email addresses discovery
- Abnormal behavior for inbound emails
- Abnormal behavior for outbound emails
- Email or web communication with hostile host
- Executable embedded in email
Rules
The content extension includes a number of event driven rules. Some examples include:
Abnormal Number of Emails to Invalid Recipients
This rule triggers when a number of emails are sent to invalid recipients (i.e. invalid domains, unknown users, malformed addresses, etc.). This indicates a potential brute force attempt to resolve valid email addresses.
Email received from potentially hostile host
Triggers when an email is received from hosts that are known for hostile activities such as Phishing, Spam, Malware, Botnet Command and Control, or Cryptocurrency Mining.
Mailbox item deleted by another user
Triggers when a mailbox item is deleted by a user that is not the mailbox owner. This indicates that someone may be abusing their privileges or rights on a mailbox.
Potential leakage of data via mailbox forwarding
This rule triggers when a high volume of email is sent to the same recipient outside of the organization. This type of activity is an indicator of potential data exfiltration.
QRadar Network Insights Rules
The content extension also includes rules that are intended to be used with flow data from QRadar Network Insights (QNI). Some examples include:
High number of emails from unauthorized users
This rule detects high email volumes from any address not included in a whitelist (e.g. 100 events in 5 minutes). Unauthorized users may include emails originating from within the organization, provided they are not included in the Whitelisted Email Admins reference set.
Inbound email with suspicious subject
This rule detects emails containing suspicious subjects. The Phishing Subjects reference set contains alphanumeric, case insensitive prepopulated sample subject lines that are associated with phishing emails or convey a sense of urgency.
Potential spam/phishing subject detected from multiple sending servers
This rule detects multiple instances of the same email subject line from multiple hosts within a short period of time. This is a potential indicator of spam or phishing. Note that this rule uses the custom AQL function ISREPLY, which returns TRUE or FALSE depending on whether a string is the typical subject line of an email response (i.e. contains RE: in the subject).
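The detection logic described above, as an added Python illustration (not the content extension's own AQL): subjects are normalized, reply threads are excluded with an ISREPLY-style prefix check, and a subject is flagged when it arrives from at least a threshold number of distinct sending hosts inside a short window. The event tuples and the threshold/window values are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample mail-gateway events: (timestamp, sending host, subject).
SAMPLE_EVENTS = [
    ("2020-05-01T10:00:00", "203.0.113.10", "Urgent: invoice overdue"),
    ("2020-05-01T10:01:30", "203.0.113.11", "URGENT: Invoice Overdue"),
    ("2020-05-01T10:02:10", "198.51.100.7", "urgent: invoice overdue "),
    ("2020-05-01T10:03:00", "192.0.2.5", "RE: urgent: invoice overdue"),
    ("2020-05-01T10:04:00", "192.0.2.6", "Team lunch Friday"),
    ("2020-05-01T12:00:00", "203.0.113.12", "Urgent: invoice overdue"),
]

REPLY_PREFIX = re.compile(r"^\s*(re|fw|fwd)\s*:", re.IGNORECASE)


def is_reply(subject: str) -> bool:
    """ISREPLY-style check: True when the subject starts with a reply/forward prefix."""
    return bool(REPLY_PREFIX.match(subject))


def normalize(subject: str) -> str:
    """Case-fold and collapse whitespace so minor variations cluster together."""
    return " ".join(subject.lower().split())


def find_campaign_subjects(events, min_hosts=3, window=timedelta(minutes=10)):
    """Return {normalized subject: set of hosts} for subjects seen from at least
    min_hosts distinct sending hosts within `window`; replies are ignored because
    legitimate threads naturally arrive from many hosts."""
    by_subject = defaultdict(list)
    for ts, host, subject in events:
        if is_reply(subject):
            continue
        by_subject[normalize(subject)].append((datetime.fromisoformat(ts), host))
    hits = {}
    for subj, sightings in by_subject.items():
        sightings.sort()
        # Slide the window start over each sighting and count distinct hosts inside it.
        for i, (start, _) in enumerate(sightings):
            hosts = {h for t, h in sightings[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                hits[subj] = hosts
                break
    return hits
```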
Email attachment with executable hidden in double file extensions
This rule detects mail attachments that contain at least two consecutive file extensions, with one of the extensions associated with an executable. The rule covers both attachments with a non-executable file extension followed by an executable file extension, and attachments where a non-malicious file extension is appended to a malicious executable. We consider this to be particularly interesting as this is a technique used by clever bad actors to bypass standard mail server detections.
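Both orderings of the double-extension pattern, as an added Python check (not the content extension's own rule or reference data): the extension lists and the sample attachment names are constructed for this example.

```python
import re

# Constructed lists; a real deployment would keep these in tunable reference sets.
EXECUTABLE_EXTS = {"exe", "scr", "bat", "cmd", "com", "pif", "js", "vbs", "ps1", "msi", "jar"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png", "zip"}

# Constructed sample attachment names as they might appear in a mail-gateway log.
SAMPLE_ATTACHMENTS = [
    "invoice.pdf.exe",         # decoy document extension followed by an executable
    "C:\\tmp\\report.exe.pdf", # benign extension appended to an executable
    "photo.jpg",               # single extension, benign
    "archive.tar.gz",          # two extensions, neither executable
    "setup.exe",               # single executable extension, not a double extension
    "notes.txt.vbs",           # script disguised as a text file
]


def split_extensions(filename: str):
    """Return the extension chain of the basename, lowercased: 'a.pdf.exe' -> ['pdf', 'exe']."""
    base = re.split(r"[\\/]", filename)[-1]
    parts = base.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def double_extension_verdict(filename: str):
    """Classify the last two extensions of an attachment name.
    'exec_last'   -> decoy.ext.exe (the executable extension is the real type)
    'exec_hidden' -> payload.exe.pdf (benign extension appended to an executable)
    None          -> not flagged
    """
    exts = split_extensions(filename)
    if len(exts) < 2:
        return None
    prev, last = exts[-2], exts[-1]
    if last in EXECUTABLE_EXTS and prev not in EXECUTABLE_EXTS:
        return "exec_last"
    if prev in EXECUTABLE_EXTS and last in DOCUMENT_EXTS:
        return "exec_hidden"
    return None


def scan_attachments(names):
    """Return {name: verdict} for every attachment the rule would flag."""
    flagged = {}
    for name in names:
        verdict = double_extension_verdict(name)
        if verdict:
            flagged[name] = verdict
    return flagged
```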
MITRE ATT&CK™
Our email content extension addresses the following adversary tactics and techniques (if applicable) from the MITRE ATT&CK™ framework.
| Tactics | Techniques |
| --- | --- |
| Initial Access | Spearphishing Attachment, Spearphishing Link, Valid Accounts |
| Privilege Escalation | |
| Defense Evasion | Hidden Users |
| Credential Access | |
| Discovery | Account Discovery |
| Command and Control | Standard Application Layer Protocol, Web Service |
| Exfiltration | Exfiltration Over Alternative Protocol |
| Impact | Data Destruction, Stored Data Manipulation |
Custom Properties
The content extension contains 9 custom event properties to extract File Extension, Filename, MessageID, Originating Host, Originating_User, Recipient Host, Recipient_User, Subject and Target User Name. These IBM custom properties are placeholders, and are meant to be replaced by specific log source properties.
Pulse Dashboard
Users that have the Pulse app installed can leverage the sample dashboard to provide some examples of creative visualizations for some of the included content.
Other Important information
Availability
The IBM Security QRadar Phishing and Email Content Extension is available for free on the IBM Security App Exchange and can be downloaded and installed manually using the Content Management Tool. Alternatively, the pack can be downloaded and installed using the QRadar Assistant App.
Reference Data and Tuning
This content extension contains several rules that require additional tuning. The threshold for both the High Inbound Emails Containing Attachments From External Host and High Number of Emails From Unauthorized Users rules should be adapted for the size of your company. The regular expression in the Inbound Email with Suspicious Subject Keywords rule should be updated to include suspicious keywords that are relevant to your specific use cases.
In addition, we have included four reference sets that should be tuned for optimal performance. The Whitelisted Email Admins reference set should include addresses for users that are allowed to send bulk email. The Corporate Email Domains reference set ships empty, and must be populated with data relevant to your environment to define what you consider local versus remote.
Finally, the Phishing Subjects reference set has been prepopulated with sample email subjects related to well-known phishing campaigns; however, this reference set should be tuned regularly to include any new discoveries, or optimally, aligned with current threat intelligence sources such as the IBM X-Force Exchange.
Requirements
This content extension is compatible with QRadar 7.3.2+ and is “QRadar on Cloud” ready. As noted, some of the rules are designed for QNI, and require the corresponding flow data. Finally, some of the detections cross-reference reputation data, and require an active X-Force subscription.
Conclusions
Help secure your organization by downloading the QRadar Phishing and Email Content Extension. Doing so will save you time by providing new and relevant custom event properties, prepopulated reference set data, and rules that have been designed to use the popular email log sources that exist in your current deployment today. Get peace of mind with rules that alert you to potential security threats such as data exfiltration and phishing attempts. Take advantage of the flexibility we offer by tailoring this content to your architecture, environment and current events. And, again, it can be conveniently downloaded from the IBM Security App Exchange, or directly from the Assistant App in QRadar. For a full list of the content included or additional information, please refer to the IBM Knowledge Center, QRadar Forum Support and IBM Customer Support. I welcome any questions, comments or suggestions in the discussion below.