Phishing with CRITs


CRITs was introduced a bit earlier as a threat intelligence platform (TIP) worth your time to review, if not to employ in your enterprise. Let me show a quick example of why.

Raise your hands – who has to deal with phishing?

Okay.  I couldn’t see who raised their hands, but given its ubiquity within everyone’s enterprise, I’m going to go with just about everyone.  You might not deal with it directly but someone in your SOC or security team definitely does.

CRITs contains an entire section on delving into phishing and the data associated with phishing emails. At the simplest level, it provides an interface for you to upload an email. CRITs takes that email and shreds it into pieces, storing all the data within it in searchable fields. It also has a couple of parsers to help assemble interesting indicators from the raw content. Correlation also happens automatically in the background. The recipients of the phishing email go into a Targets collection. If you determine that a campaign exists, you can then graph the Emails and Targets accordingly. Got an attachment? That is automatically sent to the Samples collection. Depending on which services you have configured, that file is then unwrapped, detonated in a sandbox, parsed, and so on.

Plenty more happens, but you'll see where I'm going. Every field that gets exposed, and every link you make, becomes something you can pivot on to find connections. X-Mailer look interesting? Pivot on it and see if you've noted it before. Message-ID? Same. Maybe it's recycled, maybe it's part of a chain, or maybe it's unique. You can find out pretty quickly. Want to know if an entire division was targeted in that last phishing campaign? You can determine that pretty quickly with CRITs by using the Targets collection. How about whether one person or a group of people seems to be targeted constantly? Again, use that Targets collection. While CRITs doesn't natively support the idea of tracking an item (laptop, computer, etc.), with a small bit of finagling you can make it show the same information by item as well.
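As an added illustration (not code from the CRITs project), here is a small Python sketch of the shred-then-pivot workflow described above: each raw email is split into searchable fields, recipients become Targets, attachments are hashed as would-be Samples, and an index shows which indicators (X-Mailer, Message-ID, sender, target, sample hash) recur across messages. The two messages, addresses and X-Mailer string are constructed sample data.

```python
import hashlib
from collections import defaultdict
from email import message_from_string, policy
from email.utils import getaddresses
# Two constructed messages (example data, not real phishing). They share an
# X-Mailer and one recipient, which is exactly the overlap a pivot surfaces.
RAW_EMAILS = [
    'From: "IT Helpdesk" <helpdesk@example.invalid>\nSubject: Password expiry\n'
    'To: alice@corp.example, bob@corp.example\nMessage-ID: <m1@example.invalid>\n'
    'X-Mailer: BulkSender 1.0\nContent-Type: multipart/mixed; boundary="B1"\n\n'
    '--B1\nContent-Type: text/plain\n\nPlease reset your password.\n--B1\n'
    'Content-Type: application/octet-stream; name="invoice.pdf"\n'
    'Content-Disposition: attachment; filename="invoice.pdf"\n'
    'Content-Transfer-Encoding: base64\n\naGVsbG8=\n--B1--\n',
    'From: payroll@example.invalid\nTo: alice@corp.example\nSubject: Bonus notice\n'
    'Message-ID: <m2@example.invalid>\nX-Mailer: BulkSender 1.0\n\nSee the portal.\n',
]

def hdr(msg, name):
    value = msg.get(name)
    return str(value).strip() if value else None

def shred(raw):
    """Split one raw email into the searchable fields a TIP stores per message."""
    msg = message_from_string(raw, policy=policy.default)
    recipients = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    attachments = []  # (filename, sha256): what would be handed to a Samples collection
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        attachments.append((part.get_filename(), hashlib.sha256(data).hexdigest()))
    return {
        "message_id": hdr(msg, "Message-ID"), "x_mailer": hdr(msg, "X-Mailer"),
        "sender": hdr(msg, "From"), "subject": hdr(msg, "Subject"),
        "targets": sorted(addr for _, addr in getaddresses(recipients)),
        "attachments": attachments,
    }

def build_pivots(records):
    """Index shredded emails by indicator; keep only values shared by 2+ emails."""
    index = defaultdict(list)
    for rec in records:
        for key in ("x_mailer", "message_id", "sender"):
            if rec[key]:
                index[(key, rec[key])].append(rec["message_id"])
        for target in rec["targets"]:
            index[("target", target)].append(rec["message_id"])
        for _, digest in rec["attachments"]:
            index[("sample", digest)].append(rec["message_id"])
    return {k: ids for k, ids in index.items() if len(ids) > 1}
```

Running `build_pivots([shred(r) for r in RAW_EMAILS])` on the sample data returns only the shared X-Mailer and the repeatedly targeted recipient, which is the kind of overlap you would pivot on in CRITs.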

CRITs has a lot of capability under the hood. If you are struggling with phishing, it can be a powerful tool in your arsenal, especially if you are looking to connect that phishing activity to an Actor focused on your enterprise.

About the author

Monty St John

Monty is a security professional with more than two decades of experience in threat intelligence, digital forensics, malware analytics, quality services, software engineering, development, IT/informatics, project management and training. He is an ISO 17025 laboratory auditor and assessor, reviewing and auditing 40+ laboratories. Monty is also a game designer and publisher who has authored more than 24 products and 35 editorial works.