Detecting, Investigating and Tracking Malicious Infrastructure
What you'll learn
This learning path shows how to analyze both phishing messages and the infrastructure they link to.
Last updated on: 20 August 2024
Modules
Start here
Read the learning path overview, objectives, associated threats, and prerequisites.
Module 1
When you receive or are forwarded a suspicious message, conduct initial triage to determine whether it is indeed malicious, to decide on the best rapid response for the targeted recipient(s) if it is, and to determine whether further investigation is needed. For most messages, basic heuristics are enough to separate untargeted from targeted threats and to identify harm-reducing actions.
Module 2
After completing this subtopic, practitioners will be able to support people who may have received or clicked on malicious emails or links in a responsible way, showing empathy and focusing on harm reduction informed by the targeted person's own threat model.
Module 3
As you investigate malicious phishing emails, attachments, websites, and other infrastructure, you will need to take proactive steps to keep yourself and the people you support safe. Be sure to study this skill and, if necessary, set up a safe environment before interacting with suspected malicious emails or web pages.
Module 4
A practitioner can use the skills outlined in this subtopic to begin a passive investigation of servers on the internet. A passive investigation is one that does not load any websites but only looks up publicly available data about them. It uses open source intelligence (OSINT) tools and resources, which can reveal many details about the digital footprint of attack infrastructure without the attacker noticing that we are investigating.
Module 5
This subtopic will teach you how to analyze the extensive metadata that documents an email's origin, the servers it traveled through, information about possible spam checks, and much more. This metadata can form a crucial part of any in-depth investigation into potentially malicious emails.
Module 6
Whether they rely on pure social engineering, phishing, or malware delivery, malicious emails can be quite complex. This module will teach you how to interpret and understand them and how to find the infrastructure they link to.
Module 7
This module will teach you how to examine attacker-controlled websites to understand the attacker's actions and potentially uncover further attacker-controlled infrastructure or attack vectors used in the attacks.
Module 8
This module teaches you how to write up and share the results of your investigation, including appropriate indicators of compromise (IoCs).
Module 9
Here, we cover abuse reporting and other safe-browsing and sinkhole mechanisms. This includes contacting the infrastructure provider to report malicious infrastructure so that it can be taken down.
Module 10
We have also designed a capture-the-flag exercise in which learners analyze a phishing email and the infrastructure it links to. The exercise can be used for additional practice or for skill verification, and can be found here.