Email Detection Engineering and Threat Hunting

Presented at DEF CON 32 (2024), Aug. 10, 2024, 2 p.m. (240 minutes).

Email remains the #1 initial access vector for commodity malware and nation state actors. Historically, tackling email-based threats has been considered the purview of black-box vendor solutions, with defenders having limited scope (or tooling!) to swiftly and effectively respond to emerging attacker activity and novel offensive tradecraft. In this workshop, attendees will be given detailed insight into the latest techniques used to deliver prevalent malware strains, including Pikabot and DarkGate, and will hunt through email data to identify this malicious activity, developing rules to detect and block these attacks. Initially attendees will be introduced to the foundational technologies that enable threat hunting, detection engineering, and response in the email domain, before being given access to the email data of a fictitious company seeded with benign and real-world attack data. Throughout the day, participants will learn to hunt common phishing techniques including: - QR codes - Image-as-content - Drive-by delivery via links and HTML smuggling - Excel attachments with embedded links to SMB shares - ISO attachments - PDF attachments with embedded links to malware (PDF -> URL -> ZIP -> WSF) - VIP impersonations - BEC Attendees will be guided through the rule creation process, utilizing free and open detection engines including Sublime and Yara, and will be introduced to the signals and email attributes that can be used to craft high-fidelity rules, including targeted user groups, sentiment analysis, sender domain age, and attachment analysis. Having completed the workshop, attendees will have a strong understanding of the tools and techniques at their disposal to defend their organizations from all manor of email threats.

Presenters:

• Alfie Champion - Co-founder at DelivrTo
  Alfie specialises in the delivery of attack detection and adversary emulation services, actively contributing education content, tooling and blogs to further the industry. He has previously worked with organisations across multiple industry verticals to uplift and validate their detective capability through red or purple team engagements, and now leads the global adversary emulation function at a FTSE 250 company. He has previously spoken at BlackHat USA, RSA and Blue Team Con 2022, among others, and is the co-founder of DelivrTo.
• Josh Kamdjou - Founder and CEO at Sublime Security
  Josh has been doing offensive security-related things for the past 12 years. He's spent most of his professional career breaking into networks via spear-phishing and other methods, and building software for both the public (Department of Defense) and private sectors. Josh is the Founder and CEO of Sublime Security, and in his private life enjoys weight lifting, Martial Arts, soccer, and spending time with his niece and nephew.

Similar Presentations:

• HOPE X (2014) / PRISM-Proof Email: Why Email Is Insecure and How We Are Fixing It
• DEF CON 31 (2023) / Email Detection Engineering and Threat Hunting Inbox Workshop
• BSidesLV 2023 / Email Detection Engineering and Threat Hunting