One of the neat things we get to do at PacketSled is work with our customers to address a very large variety of problems that don’t always immediately manifest themselves as obvious security incidents. This last week we had a customer experiencing an unusually large volume of email spam, some of which had malware payloads, some of which had adware payloads, and some of which was, well, just spam.
The customer’s question was very interesting: “Do any of the spam senders have anything in common?” To answer this question, we turn to a core feature of PacketSled’s natural language search called “clustering.” Clustering lets a security analyst or incident responder see the relationships between otherwise disparate data that traverses their network. Because PacketSled creates a semantic record of every conversation on the network by extracting all the meaningful attributes from its observed flows, we can establish the relationship between two or more seemingly unrelated activities on any network.
For example, clustering filenames on destination IP addresses shows us the nature of the files our users are downloading, irrespective of protocol (HTTP, FTP, Dropbox, etc.). This feature is immensely helpful during breach analysis and incident response for determining the “who, what, when, where, how” of an incident.
In this case, we’re trying to determine why the spam filter isn’t working, and what the resolution should be. The obvious places to look for commonalities are in the characteristics of the email itself. First, we issue the search “cluster subject on [receiver_email]”, which returns a list of all email subjects, each followed by a count of how often that subject was seen. Clicking on a result shows us the recipients that received any email with that subject.
(note: the recipients and subjects of legitimate emails have been redacted)
As we examine the data, we start to notice a heavy correlation between email originating outside of the recipient’s country (in this case, non-US traffic) and the content of the emails. To validate this, we simply add the modifiers src_geo != lo (for local) and src_geo != US (to eliminate any emails that originated from the recipient’s geo), and we add the country of origin (src_geo) to the cluster query.
This is where the results get very interesting. In the entirety of 24 hours, there is not a single legitimate email that originates outside of the customer’s native geography. Subjects range from telepathy classes to blue pill sales. A simple right click on the IP address in the visualization lets us look up the originator of over 90% of this traffic:
It seems that LeaseWeb’s customers are our primary offenders. In this case, our customer had a legacy rule deployed in their message gateway (which is managed by a third party) to allow anything from that class A, irrespective of content. Nobody at the organization is quite sure why, but they are sure that this would have taken several days, if not weeks, to hunt down, and it exposed most of their users to large amounts of unnecessary risk. PacketSled enabled this customer to resolve this issue in record time, keeping the customer safe and productive.
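To make the investigation above concrete, here is an added example (not PacketSled’s code) that approximates the “cluster subject on receiver_email” query with the src_geo != lo / src_geo != US modifiers over a constructed set of mail-flow records, and then checks which sender IPs a blanket gateway allow rule would pass regardless of content. The record fields, the sample data and the allow-rule CIDR are all assumptions made for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of per-conversation mail attributes (not real customer
# data). src_geo "lo" marks a local sender; subjects of legitimate mail are
# shown as [redacted] to mirror the post.
MAIL_FLOWS = [
    {"src_ip": "10.20.30.40", "src_geo": "lo", "subject": "[redacted] Q3 budget", "receiver_email": "alice@example.com"},
    {"src_ip": "10.20.30.41", "src_geo": "lo", "subject": "[redacted] standup notes", "receiver_email": "bob@example.com"},
    {"src_ip": "198.51.100.7", "src_geo": "US", "subject": "[redacted] invoice 4471", "receiver_email": "alice@example.com"},
    {"src_ip": "203.0.113.10", "src_geo": "NL", "subject": "Telepathy classes - enroll now", "receiver_email": "alice@example.com"},
    {"src_ip": "203.0.113.11", "src_geo": "NL", "subject": "Telepathy classes - enroll now", "receiver_email": "bob@example.com"},
    {"src_ip": "203.0.113.12", "src_geo": "NL", "subject": "Blue pill sale 80% off", "receiver_email": "carol@example.com"},
    {"src_ip": "192.0.2.55", "src_geo": "RU", "subject": "Blue pill sale 80% off", "receiver_email": "alice@example.com"},
]


def cluster(records, fields, on, where=None):
    """Approximate 'cluster <fields> on <on>': group records by one field
    (or a tuple of fields, e.g. subject plus src_geo), keeping a count and
    the distinct `on` values per group. `where` applies the search modifiers
    (the post's src_geo != lo and src_geo != US) before grouping."""
    groups = defaultdict(lambda: {"count": 0, on: set()})
    for rec in records:
        if where is not None and not where(rec):
            continue
        key = rec[fields] if isinstance(fields, str) else tuple(rec[f] for f in fields)
        groups[key]["count"] += 1
        groups[key][on].add(rec[on])
    # Highest-volume clusters first, like the search result list.
    return dict(sorted(groups.items(), key=lambda kv: -kv[1]["count"]))


def foreign_sender(rec, local_geos=("lo", "US")):
    """The post's modifiers: drop local and same-country (US) senders."""
    return rec["src_geo"] not in local_geos


def senders_in_allow_rule(records, cidr):
    """Sender IPs that a content-blind gateway allow rule for `cidr` would
    pass. The customer's legacy rule covered a whole class A; the /24 used
    below is only a placeholder for that range."""
    net = ip_network(cidr)
    return sorted({r["src_ip"] for r in records if ip_address(r["src_ip"]) in net})


if __name__ == "__main__":
    for subj, g in cluster(MAIL_FLOWS, "subject", "receiver_email", foreign_sender).items():
        print(f"{g['count']:>3}  {subj}  -> {sorted(g['receiver_email'])}")
    print(senders_in_allow_rule(MAIL_FLOWS, "203.0.113.0/24"))
```

Running it lists only the spam subjects once local and US senders are filtered out, and shows every sender inside the placeholder allow range, which is the gap the gateway rule opened.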