WO2020060505A1 - Incident detecting and responding method on email services - Google Patents
- Publication number: WO2020060505A1
- Authority: WO (WIPO (PCT))
- Prior art keywords: emails, suspicious, server, detection
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L51/00—User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
- H04L51/21—Monitoring or handling of messages
- H04L51/212—Monitoring or handling of messages using filtering or selective blocking
Abstract
The present invention is a computer-implemented method for detecting and responding to suspicious emails, comprising the steps of analysing incoming emails in each inbox with an incident response server, triggered by user feedback reported through an email service add-in (phishing reporter), by a SOC team member, or by third-party IOC feeds; flagging suspicious emails and warning users with a message or a call; and/or deleting suspicious emails from inboxes, depending on the user preference chosen on the add-in interface.
Description
INCIDENT DETECTING AND RESPONDING METHOD ON EMAIL SERVICES
Technical Field
The present disclosure relates to a method for detecting and responding to suspicious emails in inboxes with a suspicious email (phishing) reporter add-in.
Background
Today, incident response activities are mostly conducted by the organization’s computer security incident response team (CSIRT). This is a problem because it takes a lot of time and manpower. A timely incident response is critical because any event that is not correctly handled can pave the way for bigger issues such as system failure; responding to an attack quickly can help an organization minimize its losses as well as remedy vulnerabilities.
Over 90% of successful data breaches are initiated by an email-based attack. These attacks cost businesses $3 trillion per year and drive considerable technological investments, such as firewalls and anti-spam, to provide protection. Technology solutions will never detect and block 100% of email-based attacks. Therefore, detecting a suspicious email in their users’ inboxes remains a problem for companies, as does responding to a suspicious email once it has been discovered in a user's inbox. The most common issues encountered in the prior art are as follows:
• Investigating on the email server (Exchange, Postfix, etc.) causes:
a) serious performance consumption,
b) searching for a needle in a haystack with a single source,
c) the need to coordinate different teams, which delays detecting and responding to the incident.
• Because of synchronization problems, a copy of an email that has been deleted from the email server may still be in the user's inbox, which leaves the user exposed. Especially for mobile users working outside the office network, finding and deleting a malicious email from the inboxes is a critical problem for organizations.
Incident response activities are mostly conducted by the organization’s CSIRT. Incident response is important because any event that is not correctly handled can pave the way for bigger issues such as system failure. Responding to an attack quickly can help an organization minimize its losses as well as remedy vulnerabilities.
The application numbered US9906539B2 relates to methods, network devices, and machine-readable media for an integrated environment for automated processing of reports of suspicious messages, and furthermore, to a network for distributing information about detected phishing attacks. The systems and methods can be used to raise the acuity of the individual in identifying phishing attack messages and provide a means for identifying and reporting those messages so that remedial action can be taken with reduced time between the arrival of the attack message and the remedial action. However, it does not allow suspicious-email investigation and response at the inbox level with an add-in, and it is not integrated with other services that help to investigate and respond to emails.
Summary
The incident responder (IR) server of the invention automates response processes and works at the inbox level to quickly shut down and contain active threats. Since the IR performs this operation through the add-in (phishing reporter) that each user has in their email client, it can complete the incident investigation and response process in under a minute without performance problems.
All investigation is done directly in the user’s inbox instead of on the Exchange server, which gives maximum agility and reduces response time. The IR addresses and manages the effects of a security breach or cyberattack. It controls the consequences of a cyberattack in a way that limits the violation and the damage, and reduces recovery time and cost.
Malicious messages can be flagged with a warning in the user’s inbox, they can be deleted from the inbox, or a custom API can be called to perform another action, e.g. calling the user’s phone.
Benefits to the security operation center (SOC):
• Cost-effective: with built-in integrated services, there is no need to invest in separate anti-malware sandbox and anti-exploitation solutions.
• Time saving: reduces the hours of effort spent analysing malicious emails.
• Suspicious emails can be deleted from the user's inbox on instruction from the command centre.
• Detects a suspicious email in users’ inboxes.
• If the existing security measures are inadequate for analysis, detection and prevention, it provides an analysis service to fall back on.
• Provides more effective security measures through integration with third-party systems (SIEM, firewall, DLP, etc.).
Benefits to an email user:
• Protects a user before he/she becomes a victim of a phishing attack.
• Allows the result of the analysis to be reported to the user.
• Protects the user from sophisticated attacks, such as typosquatting.
• Gives artificial intelligence support to the mailbox, minimizing user mistakes; for example, it prevents confidential data from being delivered to the wrong addresses.
Brief Description of the Drawing
Figure 1 shows the flow diagram of the method for detecting and responding to suspicious emails.
Figure 2 shows settings interface of phishing reporter add-in.
Figure 3 shows a warning message of phishing reporter add-in installed to Outlook.
Figure 4 shows reported incidents to incident response server.
Figure 5 shows the list of integrated third party engines.
Detailed Description
The incident response process can be triggered by an end-user report of a suspicious email via the phishing reporter add-in, by manual initiation by a SOC team member, or by indicator of compromise (IOC) data such as commonly used phishing websites.
Once an email is received, the incident response server analyses the header, body and attachments using proprietary technology in addition to a number of integrated services for anti-spam, URL reputation, anti-virus, malware sandboxing, etc. The incident response server also integrates and automates other available threat analysis services to save time and reduce technical dependency. The server can optionally be deployed in the cloud or in the user's network.
It is a simple process to create custom rules, playbooks and workflows to ensure that the incident response server responds to threats in ways that suit the user's specific policies. On completion of the analysis, the incident response server delivers detailed results to the SOC team for further investigation and response.
Figure 1 shows the flow diagram of the method for detecting and responding to suspicious emails. The basic process steps of the method are as follows:
• analysing incoming emails in each inbox with an incident response server, triggered by user feedback reported (automatically or manually) through an email service (Outlook, etc.) add-in (suspicious email/phishing reporter), by a SOC team member, or by third-party IOC feeds,
• flagging suspicious emails and warning users with a message or a call, and/or deleting suspicious emails from inboxes, depending on the preference (as shown in Figures 2 and 3) saved in the server by an administrator managing users’ inboxes.
The incident response server addresses the three components of an email and performs a detailed analysis of each:
• Header: spam control with integrated anti-spam services and anomaly detection,
• Body: URL reputation control, malicious content detection, and detection of suspicious content with artificial intelligence,
• Attachments: known-malware control with antivirus services, detection of unknown malware with anti-malware sandbox technology, and detection of 0-day file format exploits with anti-exploit technology.
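As an added worked example (not code from the patent or its applicant), the following Python sketches the three-stage analysis above together with the preference-driven response step of Figure 1: a header stage (authentication results and Reply-To anomaly), a body stage (URL host reputation), an attachment stage (known-malware hash plus a risky-type heuristic), and a verdict that is mapped to the administrator's saved action. The blocklist, hash set, risky-extension list, policy table and sample message are all constructed stand-ins for the integrated anti-spam, URL-reputation, antivirus and sandbox services the description names.

```python
"""Illustrative inbox-level triage: header, body and attachment checks feeding one
verdict, then the response action an administrator configured for that verdict."""
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Dict, List

# Constructed reputation data standing in for the integrated URL-reputation and
# antivirus services; none of these values come from the patent.
BAD_URL_HOSTS = {"login-verify.example"}
BAD_ATTACHMENT_SHA256 = {
    hashlib.sha256(b"constructed stand-in for a known-bad attachment").hexdigest()
}
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def _domain(addr_header) -> str:
    """Domain part of the first address in a From/Reply-To header, lower-cased."""
    return parseaddr(str(addr_header or ""))[1].rpartition("@")[2].lower()


def analyse_header(msg) -> List[str]:
    """Header stage: authentication failures and sender/reply anomalies."""
    findings = []
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            findings.append(f"header: {mech} failed")
    if msg.get("Reply-To") and _domain(msg["Reply-To"]) != _domain(msg["From"]):
        findings.append("header: Reply-To domain differs from From domain")
    return findings


def analyse_body(msg) -> List[str]:
    """Body stage: look up every linked host in the (constructed) blocklist."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    return [f"body: URL host {h} on blocklist"
            for h in URL_RE.findall(text) if h.lower() in BAD_URL_HOSTS]


def analyse_attachments(msg) -> List[str]:
    """Attachment stage: known-malware hash match, else a risky file-type heuristic
    that stands in for the sandbox / anti-exploit services."""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        digest = hashlib.sha256(part.get_payload(decode=True) or b"").hexdigest()
        if digest in BAD_ATTACHMENT_SHA256:
            findings.append(f"attachment: {name} matches known-malware hash")
        elif name.endswith(RISKY_EXTENSIONS):
            findings.append(f"attachment: {name} is an executable/macro type")
    return findings


def triage(raw: bytes, preference: Dict[str, str]) -> dict:
    """Run the three stages, classify, and pick the administrator's saved action."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = analyse_header(msg) + analyse_body(msg) + analyse_attachments(msg)
    if any("blocklist" in f or "known-malware" in f for f in findings):
        verdict = "malicious"        # a reputation/known-bad hit is decisive
    elif findings:
        verdict = "suspicious"       # only heuristic anomalies: warn, let SOC decide
    else:
        verdict = "non-malicious"
    return {"verdict": verdict, "findings": findings,
            "action": preference.get(verdict, "none")}


def build_sample_message() -> bytes:
    """Constructed phishing-style message used as the sample input."""
    msg = EmailMessage()
    msg["From"] = "IT Support <helpdesk@corp.example>"
    msg["Reply-To"] = "mailbox@attacker-mail.example"
    msg["To"] = "user@corp.example"
    msg["Subject"] = "Password reset required"
    msg["Authentication-Results"] = "mx.corp.example; spf=fail smtp.mailfrom=corp.example"
    msg.set_content("Reset your password at http://login-verify.example/reset within 24h.")
    msg.add_attachment(b"constructed stand-in for a known-bad attachment",
                       maintype="application", subtype="octet-stream",
                       filename="invoice.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    # Constructed administrator preference (the Figure 2 setting): delete what is
    # malicious, only flag what is merely suspicious.
    print(triage(build_sample_message(), {"malicious": "delete", "suspicious": "flag"}))
```

The split between a decisive reputation hit and an accumulation of heuristics is the point worth keeping when a real sandbox or AI classifier replaces the placeholders: a hash or blocklist match justifies the automatic delete, while header anomalies alone should warn the user and reach the SOC queue rather than remove mail on their own.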
In the preferred embodiment of the invention, the incident response server generates an alarm signature (SNORT, YARA, etc.) to update the available cyber-security technologies via an API or via protocols (SSH, SMB, Telnet, etc.) that allow running code/commands on remote systems. Third-party feeds (Figure 5 shows a sample list of these parties), SOC team support, end-users’ reports and alarm signatures are shared with the IR through its API. Precautions are then taken, and suspicious emails are reported to the SOC team via the incident response server.
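The alarm-signature step, as an added example not drawn from the patent: given the indicators an analysis produced (here constructed: one phishing URL host and one SHA-256 placeholder), build a YARA rule and a Snort rule in the forms those tools accept, so the same indicators can be pushed to mail gateways, endpoints and network sensors. The rule-naming scheme, the Snort message text and the SID range (Snort reserves SIDs from 1000000 upward for local rules) are this example's own choices; shipping the rules over an API or SSH is outside the snippet.

```python
"""Illustrative alarm-signature generation from incident indicators (IOCs):
a YARA rule for file/mail scanners and Snort rules for network sensors."""
import re
from typing import Iterable, List

SHA256_RE = re.compile(r"[0-9a-f]{64}")


def _identifier(name: str) -> str:
    """YARA-safe rule identifier: letters, digits and underscores only."""
    ident = re.sub(r"[^A-Za-z0-9_]", "_", name)
    return ident if re.match(r"[A-Za-z_]", ident) else f"_{ident}"


def _yara_escape(text: str) -> str:
    return text.replace("\\", "\\\\").replace('"', '\\"')


def _snort_escape(text: str) -> str:
    # Snort content matches need ; " | and backslash escaped with a backslash.
    return re.sub(r'([;"|\\])', r"\\\1", text)


def yara_rule(incident_id: str, url_hosts: Iterable[str], sha256s: Iterable[str]) -> str:
    """One YARA rule matching any listed URL host or any listed attachment hash."""
    hosts = list(url_hosts)
    hashes = [h.lower() for h in sha256s]
    for h in hashes:
        if not SHA256_RE.fullmatch(h):
            raise ValueError(f"not a SHA-256 hex digest: {h}")
    if not hosts and not hashes:
        raise ValueError("no indicators to build a rule from")
    lines = ['import "hash"', "", f"rule {_identifier('ir_' + incident_id)}", "{",
             "    meta:",
             f'        description = "auto-generated from incident {_yara_escape(incident_id)}"']
    conditions = []
    if hosts:
        lines.append("    strings:")
        for i, host in enumerate(hosts):
            lines.append(f'        $url{i} = "{_yara_escape(host)}" ascii wide nocase')
        conditions.append("any of ($url*)")
    # hash.sha256 over the whole file needs the "hash" module imported above.
    conditions += [f'hash.sha256(0, filesize) == "{h}"' for h in hashes]
    lines += ["    condition:", "        " + " or ".join(conditions), "}"]
    return "\n".join(lines)


def snort_rules(incident_id: str, url_hosts: Iterable[str], base_sid: int = 1000000) -> List[str]:
    """One Snort rule per phishing host, alerting on outbound HTTP requests to it."""
    rules = []
    for i, host in enumerate(url_hosts):
        rules.append(
            'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
            f'(msg:"IR incident {_snort_escape(incident_id)} phishing host {_snort_escape(host)}"; '
            'flow:to_server,established; '
            f'content:"{_snort_escape(host)}"; http_header; nocase; '
            f'sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    # Constructed indicators: the host from a triaged message and a placeholder digest.
    print(yara_rule("0042", ["login-verify.example"], ["ab" * 32]))
    print("\n".join(snort_rules("0042", ["login-verify.example"])))
```

Keeping one rule per incident, with the incident id in the rule name and in the Snort `msg`, lets a later alert on any sensor be traced back to the email report that produced it, which is what makes the SOC hand-off in the final step reviewable.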
Phishing attempts can be reported from the email service add-in with a button in the interface. The main function of the phishing reporter is to let users easily report suspicious emails to the incident responder. Figure 4 shows the interface that lists reported incidents. When a user detects a suspicious email, he/she reports it to the incident responder server for analysis by clicking the suspicious email report button. This lets users easily report misclassified emails and affiliates for analysis, so SOC teams can detect attacks early, mitigate the impact and block attacks that target users through malicious emails. The phishing reporter add-in also helps users to start a response to a suspicious email. As a result, emails are marked by the IR as phishing, malicious or non-malicious.
Claims
1. A method for detecting and responding suspicious emails in inbox level, comprising the steps of:
• analysing incoming emails with an incident response server in each inbox according to a user feedback that reported on an email service add-in or a trigger of a SOC team member or 3rd party IOC feeds through API,
• flagging suspicious emails and warning users by the server with a message or a call and/or deleting suspicious emails from inboxes depending on saved preference in the server of an administrator managing users’ inboxes.
2. The method according to claim 1, wherein the analysis performed in email header, body and attachments in accordance with:
• spam control with integrated antispam services and anomaly detection,
• URL reputation control, malicious content detection, detecting suspicious content with artificial intelligence.
• attachment known malware control with antivirus services, detection of unknown malware with anti-malware sandbox technology, detection 0-day file format exploits with anti-exploit technology
respectively.
3. The method according to claim 1, further comprising generating alarm signatures to update available cyber-security technologies via API or protocols that allows running codes/commands on remote systems.
4. The method according to claim 1, further comprising reporting suspicious emails and taken precautions to SOC team via the incident response server.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/TR2018/050514 WO2020060505A1 (en) | 2018-09-20 | 2018-09-20 | Incident detecting and responding method on email services |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2020060505A1 true WO2020060505A1 (en) | 2020-03-26 |
Family
ID=65365995
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2020060505A1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116663001A (en) * | 2023-06-02 | 2023-08-29 | 北京永信至诚科技股份有限公司 | Security analysis method and device for mail, electronic equipment and medium |
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9223971B1 (en) * | 2014-01-28 | 2015-12-29 | Exelis Inc. | User reporting and automatic threat processing of suspicious email |
US20170244736A1 (en) * | 2014-10-30 | 2017-08-24 | Ironscales Ltd. | Method and system for mitigating malicious messages attacks |
US20160301705A1 (en) * | 2015-04-10 | 2016-10-13 | PhishMe, Inc. | Suspicious message processing and incident response |
US9906539B2 (en) | 2015-04-10 | 2018-02-27 | PhishMe, Inc. | Suspicious message processing and incident response |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 18845479; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 18845479; Country of ref document: EP; Kind code of ref document: A1 |