Module 3
Operational Security - Safe Handling of links and infrastructure
Last updated on: 26 July 2024
As you go about investigating malicious phishing emails, attachments, websites, and other infrastructure, you will need to take some proactive steps to make sure that you keep yourself and the people you support safe. You will also need to know what to advise the recipient of the messages whenever they are faced with such incidents, and how they can safely report it to you for handling without compromising themselves. Be sure to study this skill and, if necessary, set up a safe environment before interacting with suspected malicious emails or web pages.
After completing this subtopic, practitioners should be able to do the following:
Many phishing emails and similar messages do not just try to get the targeted person to click on a link but may also attempt to collect data about them (we discuss this in more depth in Subtopic 6). When conducting an investigation, it’s important to handle messages and other infrastructure carefully, so as to not reveal too much information about your identity, work and organization to an attacker, as well as to protect devices and accounts.
We typically divide analysis up into two components: passive (Subtopics 4 and 5) and active (Subtopics 6 and 7). Passive analysis should not include any contact with an attacker’s servers, whereas active analysis does. It’s important for analysts to understand which types of activities directly interact with attacker infrastructure and can therefore be detected by the attacker. Once analysts gain this understanding, they will be able to adapt the methods they use to the relevant threat models.
We recommend considering the following operational security precautions when you conduct your analyses:
Depending on the sophistication of the attacks which you are dealing with, the sensitivity of the machine, data, and accounts you are utilizing, and even the sensitivity of your investigation activities and personal identity, you may need to adopt an appropriate safe environment for conducting investigation work. Consider the following suggestions when building your safety solution:
As you document potentially malicious URLs, it is common practice to ‘defang’ the URL so that the applications you use for notes or documentation do not automatically generate clickable links which unintentionally lead you (or anyone you are collaborating with) to click the link or otherwise instigate traffic to the URL from your working machine. Some applications, for example messengers, also automatically preview links (and fetch the content from a server in order to do so). Defanging URLs prevents them from doing so.
This is commonly done by replacing the protocol section of the URL with an invalid equivalent, and enclosing dots in the URL with [square brackets]. For example:
| From live URL | To defanged URL |
|---|---|
| https://www.malicious-site.com | hxxps://www[.]malicious-site[.]com |
| ftp://192.168.12.20 | fxp://192[.]168[.]12[.]20 |
This can be done manually using a text-only editor such as Notepad, TextEdit, or gedit. Also see utilities like https://defang.me/, or search for the Defang operations (for example "Defang URL" and "Defang IP Addresses") in CyberChef.
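The following is an added example (not code from this module, defang.me, or CyberChef) of the convention described above, written so it can be dropped into a notes workflow: it replaces the scheme with its invalid equivalent, wraps every dot in square brackets, is safe to run twice over the same text, and can be reversed when you deliberately need the live form. The http → hxxp mapping, the `scheme[:]//` treatment of schemes the table does not cover, and the regular expression used to find URLs inside free text are this example's own assumptions.

```python
import re

# Scheme substitutions from the table above. "http" -> "hxxp" follows the
# same convention; the mapping as a whole is constructed for this example.
DEFANGED_SCHEMES = {"https": "hxxps", "http": "hxxp", "ftp": "fxp"}
LIVE_SCHEMES = {v: k for k, v in DEFANGED_SCHEMES.items()}

_SCHEME_RE = re.compile(r"^(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://")
# A '.' that is not already wrapped as '[.]', so defanging twice is harmless.
_BARE_DOT_RE = re.compile(r"(?<!\[)\.(?!\])")
# Rough matcher for scheme-prefixed URLs inside notes text (constructed;
# it deliberately ignores bare domains so it never touches ordinary prose).
_URL_IN_TEXT_RE = re.compile(r"""\b(?:https?|ftp)://[^\s<>"')\]]+""", re.IGNORECASE)


def defang(url: str) -> str:
    """Make a single URL or IP non-clickable: invalid scheme + bracketed dots."""
    m = _SCHEME_RE.match(url)
    if m:
        scheme = m.group("scheme").lower()
        if scheme in DEFANGED_SCHEMES:
            prefix = DEFANGED_SCHEMES[scheme] + "://"
        elif scheme in LIVE_SCHEMES:
            prefix = scheme + "://"       # already defanged, leave it alone
        else:
            prefix = scheme + "[:]//"     # assumption: break unknown schemes this way
        rest = url[m.end():]
    else:
        prefix, rest = "", url            # bare hostname or IP address
    return prefix + _BARE_DOT_RE.sub("[.]", rest)


def refang(url: str) -> str:
    """Reverse defang() for the rare case you need the live form, e.g. when
    feeding it to an isolated analysis environment."""
    url = url.replace("[.]", ".").replace("[:]//", "://")
    m = _SCHEME_RE.match(url)
    if m and m.group("scheme").lower() in LIVE_SCHEMES:
        url = LIVE_SCHEMES[m.group("scheme").lower()] + "://" + url[m.end():]
    return url


def defang_text(text: str) -> str:
    """Defang every scheme-prefixed URL inside a block of notes text, so the
    notes or messaging app no longer auto-links or previews it."""
    return _URL_IN_TEXT_RE.sub(lambda m: defang(m.group(0)), text)


if __name__ == "__main__":
    # Constructed sample note; the domain is the placeholder used in the table above.
    note = "Lure seen in the email: https://www.malicious-site.com/login.php (do not open)"
    print(defang_text(note))
```

Run `defang_text` over a whole note before pasting it into a shared document or chat; `defang` alone handles a single indicator, including bare IP addresses that carry no scheme.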
If you suspect that an attacker might have gained access to the targeted person’s email or messaging account or is monitoring their machine (the former might have been the result of a successful phishing attack, while the latter might be caused by malware, caused for example by running a malicious attachment), ask the targeted person not to use this machine and account until you can figure out what is going on. If possible, communicate with the targeted person through another account and another device—for example, Signal or WhatsApp on their personal device.
If you suspect that a targeted person’s accounts might have been compromised, ask them to immediately change their passwords and force the account to log out of all other locations (most major services have a setting like this). This should stop the attacker from having any further access to the account. It will, however, alert them that the targeted person has realized that something is wrong. The attacker might already have downloaded a significant amount of data from the account.
If you suspect that a targeted person’s device has been compromised, ask them to change their account passwords on a different device and avoid using that device until an investigation is complete. Follow the steps outlined in the Malware Detection learning path.
NoScript (Free)
A browser extension for Firefox and Chromium-based browsers, which allows you to selectively block or allow the execution of JavaScript. When looking at potentially malicious websites, it enables you to load the site while disabling much of its potentially damaging functionality.

CyberChef (Free)
A comprehensive tool for converting between different formats, also able to automatically defang URLs and IP addresses.
Congratulations on finishing Module 3!