WO2020060505A1 - Incident detecting and responding method on email services - Google Patents


Info

Publication number: WO2020060505A1
Authority: WO (WIPO, PCT)
Prior art keywords: emails, suspicious, email, server, detection
Application number: PCT/TR2018/050514
Other languages: French (fr)
Inventor: Ozan UÇAR
Original Assignee: Ucar Ozan
Priority date / Filing date: 2018-09-20 (PCT/TR2018/050514)
Publication date: 2020-03-26 (WO2020060505A1)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1433 Vulnerability analysis
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 51/00 User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L 51/21 Monitoring or handling of messages
    • H04L 51/212 Monitoring or handling of messages using filtering or selective blocking

Abstract

The present invention is a computer-implemented method for detecting and responding to suspicious emails, comprising the steps of analysing incoming emails in each inbox with an incident response server, according to user feedback reported through an email service add-in (phishing reporter), a trigger from a SOC team member, or third-party IOC feeds; flagging suspicious emails and warning users with a message or a call; and/or deleting suspicious emails from inboxes, depending on the user preference chosen in the add-in interface.

Description

INCIDENT DETECTING AND RESPONDING METHOD ON EMAIL SERVICES
Technical Field
The present disclosure relates to a method for detecting and responding to suspicious emails in inboxes with a suspicious email (phishing) reporter add-in.
Background
Today, incident response activities are mostly conducted by the organization’s computer security incident response team (CSIRT). This is a problem, as it takes a lot of time and manpower. A timely incident response is critical because any event that is not correctly handled can pave the way for bigger issues such as system failure; responding to an attack quickly can help an organization minimize its losses as well as remediate vulnerabilities.
Over 90% of successful data breaches are initiated by an email-based attack. These attacks cost businesses $3 trillion per year and drive considerable technological investments, such as firewalls and anti-spam, to provide protection. Technology solutions will never detect and block 100% of email-based attacks. Therefore, it is a problem for companies to detect a suspicious email in their users’ inboxes. It is also an issue to respond to a suspicious email once it is discovered in a user's inbox. The most common issues encountered in the prior art are as follows:
• Investigating on the email server itself (Exchange, Postfix etc.) causes:
a) serious performance consumption,
b) searching for a needle in a haystack with a single data source,
c) a need for coordination between different teams, which delays detecting and responding to the incident.
• Due to synchronization problems, a copy of an email that has been deleted from the email server may still be in the user's inbox, which leaves the user unprotected. Especially for mobile users working outside the office network, finding and deleting a malicious email from inboxes is a critical problem for organizations.
Incident response activities are mostly conducted by the organization’s CSIRT. Incident response is important because any event that is not correctly handled can pave the way for bigger issues such as system failure; responding to an attack quickly can help an organization minimize its losses as well as remediate vulnerabilities.
The patent US9906539B2 relates to methods, network devices, and machine-readable media for an integrated environment for automated processing of reports of suspicious messages, and furthermore to a network for distributing information about detected phishing attacks. Its systems and methods can be used to raise the acuity of the individual in identifying phishing attack messages and provide a means for identifying and reporting those messages, so that remedial action can be taken with reduced time between the arrival of the attack message and the remedial action. However, it does not allow suspicious email investigation and response at the inbox level with an add-in. Furthermore, that system is not integrated with any other services that help to investigate and respond to emails.
Summary
The incident responder (IR) server of the invention automates response processes and works at the inbox level to quickly close down and contain active threats. Since the IR performs this operation through the add-in (phishing reporter) technology that each user has in their email client, it can complete the incident investigation and response process in under a minute without any performance problems.
All investigation is done directly in the user’s inbox instead of on the mail server (e.g. Exchange), which gives maximum agility and reduces response time. The IR addresses and manages the effects of a security breach or cyberattack. It controls the consequences of the situation after a cyber attack in a way that limits the violation and its damage, and decreases recovery time and cost.
Malicious messages can be flagged with a warning in the user’s inbox, they can be deleted from the inbox, or a custom API can be called to perform another action, e.g. calling the user’s phone.
Benefits to the security operation center (SOC):
• Cost-Effective: With built-in integrated services, you do not need to invest in any other anti-malware sandbox or anti-exploitation solutions.
• Time Saving: Reduces the hours of effort you spend analysing malicious emails.
• Suspicious emails can be deleted from the user's inbox with information received from the command centre.
• Detects a suspicious email in users’ inboxes.
• If the existing security measures are inadequate for analysis, detection and prevention, it gives the opportunity to benefit from the analysis service.
• Provides more effective security measures through integration with third-party systems (SIEM, firewall, DLP etc.).
Benefits to an email user:
• Protects a user before he/she becomes a victim of a phishing attack.
• Allows the analysis result to be reported to the user.
• Protects the user from sophisticated attacks, such as typosquatting.
• Gives artificial intelligence support to the email box, minimizing the user's mistake.
For example, it prevents confidential data from being delivered to the wrong addresses.
Brief Description of the Drawing
Figure 1 shows the flow diagram of the method for detecting and responding to suspicious emails.
Figure 2 shows the settings interface of the phishing reporter add-in.
Figure 3 shows a warning message of the phishing reporter add-in installed in Outlook.
Figure 4 shows incidents reported to the incident response server.
Figure 5 shows the list of integrated third-party engines.
Detailed Description
The incident response process can be triggered by an end-user report of a suspicious email via the phishing reporter add-in, by manual initiation by a SOC team member, or by data coming from indicators of compromise (IOC), such as commonly used phishing websites.
Once an email is received, the incident response server analyses the header, body and attachments using proprietary technology in addition to a number of integrated services for anti-spam, URL reputation, anti-virus, malware sandboxing etc. The incident response server also integrates and automates other available threat analysis services, saving time and reducing technical dependency. The server can optionally be built in the cloud or in the user's network.
It is a simple process to create custom rules, playbooks and workflows to ensure the incident response server responds to threats in ways that suit the specific policies of the user. On completion of the analysis, the incident response server delivers detailed results to the SOC team for further investigation and response.
Figure 1 shows the flow diagram of the method for detecting and responding to suspicious emails. The basic process steps of the method are as follows:
• analysing incoming emails in each inbox with an incident response server, according to user feedback reported (automatically or manually) through an email service (Outlook etc.) add-in (suspicious email/phishing reporter), a trigger from a SOC team member, or third-party IOC feeds,
• flagging suspicious emails and warning users with a message or a call, and/or deleting suspicious emails from inboxes, depending on the preference saved (as shown in Figures 2 and 3) in the server by an administrator managing users’ inboxes.
The incident response server addresses an email as three components and performs detailed analysis on each:
• Header: spam control with integrated antispam services and anomaly detection,
• Body: URL reputation control, malicious content detection, and detecting suspicious content with artificial intelligence,
• Attachments: known-malware control with antivirus services, detection of unknown malware with anti-malware sandbox technology, and detection of 0-day file-format exploits with anti-exploit technology.
In the preferred embodiment of the invention, the incident response server generates an alarm signature (SNORT, YARA etc.) to update available cyber-security technologies via an API or via protocols (SSH, SMB, Telnet, etc.) that allow running code/commands on remote systems. Third-party feeds (Figure 5 shows a sample list of these parties), SOC team support, end-users’ reports and alarm signatures are shared through the API in the IR. Further, precautions are taken and suspicious emails are reported to the SOC team via the incident response server.
Phishing attempts can be reported in the email service add-in with a button in the interface. The main function of the phishing reporter is to let users easily report suspicious emails to the incident responder. Figure 4 shows an interface that lists reported incidents. When a user detects a suspicious email, he/she reports it to the incident responder server for analysis by clicking the suspicious email report button. This helps users easily report misclassified email and affiliates for analysis, so SOC teams can detect attacks early, mitigate the impact and block user-targeted attacks delivered by malicious emails. The phishing reporter add-in also helps users start a response to a suspicious email. As a result, harmful emails are marked by the IR as phishing, malicious or non-malicious.
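As an added illustration (not code from the patent or its applicant), the Python below sketches the three-stage analysis the description outlines (header anomaly, body URL reputation, attachment known-malware check), the phishing/malicious/non-malicious verdict, and the response chosen from the administrator-saved preference. The IOC host list, malware hash list, domains and addresses are constructed placeholders, and the external engines (antispam, sandbox, anti-exploit, signature push) are replaced by local stand-in checks.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
# Constructed indicators, not from the patent: a third-party IOC feed of
# phishing hosts and an antivirus hash list of known-malicious attachments.
IOC_PHISHING_HOSTS = {"login-verify-example.test"}
KNOWN_MALWARE_SHA256 = {hashlib.sha256(b"MZ-constructed-dropper").hexdigest()}
# Administrator-saved response preference (the add-in settings of Figure 2).
PREFERENCE = {"action": "flag", "notify": "message"}
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)
def domain(addr):
    return parseaddr(str(addr))[1].lower().rpartition("@")[2]

def analyse_header(msg):
    """Header stage: sender-identity anomaly and MTA authentication results."""
    findings = []
    reply_to = msg.get("Reply-To")
    if reply_to and domain(reply_to) != domain(msg.get("From", "")):
        findings.append("header: Reply-To domain differs from From domain")
    auth = str(msg.get("Authentication-Results", "")).lower()
    if "spf=fail" in auth or "dkim=fail" in auth:
        findings.append("header: SPF/DKIM failure recorded by receiving MTA")
    return findings

def analyse_body(msg):
    """Body stage: URL reputation check of every link host against the IOC feed."""
    part = msg.get_body(preferencelist=("plain", "html"))
    text = part.get_content() if part else ""
    return [f"body: URL host {h} is on the IOC phishing feed"
            for h in URL_HOST_RE.findall(text) if h.lower() in IOC_PHISHING_HOSTS]

def analyse_attachments(msg):
    """Attachment stage: known-malware check by SHA-256 (stands in for AV lookup)."""
    findings = []
    for part in msg.iter_attachments():
        digest = hashlib.sha256(part.get_payload(decode=True)).hexdigest()
        if digest in KNOWN_MALWARE_SHA256:
            findings.append(f"attachment: {part.get_filename()} sha256={digest}")
    return findings

def triage(raw, preference=PREFERENCE):
    """Run the three stages, classify, and pick the response per saved preference."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = analyse_header(msg) + analyse_body(msg) + analyse_attachments(msg)
    verdict = ("malicious" if any(f.startswith("attachment") for f in findings)
               else "phishing" if findings else "non-malicious")
    actions = []
    if verdict != "non-malicious":
        actions.append("delete: remove message from inbox" if preference["action"] == "delete"
                       else "flag: insert warning banner in inbox")
        actions.append(f"notify: warn user by {preference['notify']}")
    actions.append("report: deliver findings to SOC team")  # always, per the method
    return {"verdict": verdict, "findings": findings, "actions": actions}

def constructed_sample(malicious=True):
    """Constructed test message; the malicious variant trips all three stages."""
    m = EmailMessage()
    m["From"] = "it-support@corp.example"
    m["Subject"] = "Password expiry notice"
    if malicious:
        m["Reply-To"] = "helpdesk@login-verify-example.test"
        m["Authentication-Results"] = "mx.corp.example; spf=fail smtp.mailfrom=corp.example"
        m.set_content("Reset here: https://login-verify-example.test/reset")
        m.add_attachment(b"MZ-constructed-dropper", maintype="application",
                         subtype="octet-stream", filename="invoice.exe")
    else:
        m["Authentication-Results"] = "mx.corp.example; spf=pass"
        m.set_content("Reset here: https://sso.corp.example/reset")
    return m.as_bytes()
```

Calling `triage(constructed_sample())` returns the verdict "malicious" with four findings and the flag/notify/report actions; the benign variant yields "non-malicious" and only the SOC report.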

Claims

1. A method for detecting and responding to suspicious emails at inbox level, comprising the steps of:
• analysing incoming emails in each inbox with an incident response server, according to user feedback reported on an email service add-in, a trigger from a SOC team member, or third-party IOC feeds through an API,
• flagging suspicious emails and warning users by the server with a message or a call, and/or deleting suspicious emails from inboxes, depending on the preference saved in the server by an administrator managing users’ inboxes.
2. The method according to claim 1, wherein the analysis is performed on the email header, body and attachments in accordance with:
• spam control with integrated antispam services and anomaly detection,
• URL reputation control, malicious content detection, and detecting suspicious content with artificial intelligence,
• known-malware control of attachments with antivirus services, detection of unknown malware with anti-malware sandbox technology, and detection of 0-day file-format exploits with anti-exploit technology,
respectively.
3. The method according to claim 1, further comprising generating alarm signatures to update available cyber-security technologies via an API or via protocols that allow running code/commands on remote systems.
4. The method according to claim 1, further comprising reporting suspicious emails and the precautions taken to the SOC team via the incident response server.

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/TR2018/050514 WO2020060505A1 (en) 2018-09-20 2018-09-20 Incident detecting and responding method on email services

Publications (1)

Publication Number Publication Date
WO2020060505A1 true WO2020060505A1 (en) 2020-03-26

Family

ID=65365995

Country Status (1)

Country Link
WO (1) WO2020060505A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116663001A (en) * 2023-06-02 2023-08-29 北京永信至诚科技股份有限公司 Security analysis method and device for mail, electronic equipment and medium

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9223971B1 (en) * 2014-01-28 2015-12-29 Exelis Inc. User reporting and automatic threat processing of suspicious email
US20170244736A1 (en) * 2014-10-30 2017-08-24 Ironscales Ltd. Method and system for mitigating malicious messages attacks
US20160301705A1 (en) * 2015-04-10 2016-10-13 PhishMe, Inc. Suspicious message processing and incident response
US9906539B2 (en) 2015-04-10 2018-02-27 PhishMe, Inc. Suspicious message processing and incident response

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 18845479; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 18845479; Country of ref document: EP; Kind code of ref document: A1)