Detecting, Investigating and Tracking Malicious Infrastructure

What you'll learn

This learning path shows how to analyze both phishing messages and the infrastructure they link to.

Last updated on: 20 August 2024

Modules

Start here

Introduction

Read the learning path overview, objectives, associated threats, and prerequisites

Module 1

Triage - Deciding when to investigate

When you receive or are forwarded a suspicious message, conduct initial triage in order to determine whether it is indeed malicious, to figure out the best rapid response for the targeted recipient(s) if it is, and to determine whether further investigation is needed. For most messages, it is enough to apply basic heuristics to separate untargeted from targeted threats and to identify harm-reducing actions.

Module 2

Interpersonal Skills for Malicious Infrastructure/Phishing Response

After completing this subtopic, practitioners will be able to support those who might have received or clicked on malicious emails or links in a responsible way, embodying empathy and focusing on harm reduction informed by the targeted person's own threat model.

Module 3

Operational Security - Safe Handling of links and infrastructure

As you go about investigating malicious phishing emails, attachments, websites, and other infrastructure, you will need to take some proactive steps to make sure that you keep yourself and the people you support safe. Be sure to study this skill and, if necessary, set up a safe environment before interacting with suspected malicious emails or web pages.

Module 4

Passive Investigation - Analyze URLs, hostnames, and IP addresses

A practitioner can use the skills outlined in this subtopic to begin a passive investigation of servers on the internet. A passive investigation is one that does not load any websites, but only looks up publicly available data about them. It uses open source intelligence (OSINT) tools and resources, which can reveal many details about the digital footprint of attack infrastructure without the attacker noticing that we are investigating.

Module 5

Passive Investigation - Analyze email headers

This subtopic will teach you how to analyze the extensive metadata that documents an email's origin, the servers it traveled through, information about possible spam checks, and much more. This metadata can form a crucial part of any in-depth investigation into potentially malicious emails.

Module 6

Active Investigation - Analyze malicious emails

Whether they are pure social engineering, phishing, or malware delivery, malicious emails can be quite complex. This module will teach you how to interpret and understand them and how to find the infrastructure they link to.

Module 7

Active Investigation - Analyze malicious webpages

This module will teach you how to examine attacker-controlled websites to understand their behavior and potentially uncover further attacker-controlled infrastructure or the attack vectors used in the attacks.

Module 8

Documenting Findings

This module teaches you how to write up and share the results of your investigation, including appropriate indicators of compromise (IoCs).

Module 9

Response - Infrastructure takedown

Here, we cover abuse reporting and other safe-browsing and sinkhole mechanisms. This includes contacting the infrastructure provider to report malicious infrastructure so that it can be taken down.

Module 10

Capture-the-flag exercise

We have also designed a capture-the-flag exercise in which learners analyze a phishing email and the infrastructure it links to. The exercise can be used as additional practice or as a skill-verification exercise, and can be found here.