11-20-2017 01:05 PM
We have a phishing response procedure which includes obtaining target links in phishing emails and putting them in a custom URL category filter (called "Custom-Phising") in PAN-OS.
Due to the volume, I was thinking about using an EDL instead. I think this might simplify the process a little bit but not in a major way. Then I was thinking about taking it even further and feeding a phishing email sample into some sort of automation that automatically parses out the target links and puts them into the EDL.
That would really speed up and simplify the process.
Does anyone know of any tools or scripts that are already built that do this, or has anyone come up with a good way to do something like what I'm trying to do?
I know that PAN has the "phishing" URL category, but that's too slow for our needs. We are trying to prevent acces literally within a minute of a phishing email being received. Also, yes, I'm aware that there is the potential for a DOS if a phishing email contains links to valid sites. But I'd like to at least kick the tires.
11-23-2017 04:20 PM
Hi Mate,
Always another way to skin a cat. Can block all http posts, which is what phishing sites rely on. Can obviously allow for some as per requirments. But a block of http posts on unknown sites with a custom signature could save you alot of time.
is an old doc below;
hope it helps,
rob
11-28-2017 09:35 AM
That's certainly another security control that could be put in place and is absolutely a useful suggestion, but doesn't answer my original question about whether or not anyone is aware of any technology or method of taking an email as a source and pulling out the embedded target URLs that it uses.
12-19-2017 10:04 PM
I have my Palo Alto Networks Firewall intigrated with ProofPoint TAP, TRAP, WIldfire intigrated, MineMeld in use with multiple input/output nodes and aggregators sending data in different directions.
Proofpoint is setup to send parsed copies of questionable yet undetermined e-mails to an IBM X-Force Exchange collection which is email enabled. These appears as attachments in the collection, which is the lower right corner of their dashboard. This collection is intigrated, using my API keys, with VirusTotal, Riskiq.com and many others. Each of these services I have extended with other security APIs that said service supports out of the box. At the end of this, e-mail is sent to my IBM X-Force collection and becomes stripped out intel. IBM has stripped out indicators from these emails and added them to the collection as reports. These reports send to all of the various intigrations I've enabled. The results are summerized in the report output.
Or, said simply, I send a copy of a questionable e-mail to IBM, they process it as per how I have things configured, and I receive a TAXII/STIX feed that I can populated back down the the Palo Alto Networks firewall VIA MineMeld.
In my case, IoCs are being shared between many platforms. Should later on a SHA256 become detected as high confidence malware, I can automate the recall of related content after the fact. I send APIs requests to my various Antivirus products to request a detailed scan to report back to my software package. I can send a request to the firewall for all url access for the time period. I can grab a list of all DNS requests the client has made, looking for VPN over DNS type traffic. PanOS can consume these lists using MineMeld output nodes.
Anyway, I think that addresses your question and gives some examples on extended the idea. IBM Threat XChange is free for a basic account. The product set is enormous, can do anything, but good luck finding a flat price list. I recommend at least setting up a free account and making use of that. The free account gives one some very nice feautres for the price.
09-12-2022 09:40 AM
I think it would in the realms of coding something to parse the emails and feed the URLs into EDLs or directly into custom categories in PAN-OS. A way to avoid the majority of the coding would be to use Cortex XSOAR, which exists to do such this kind of job. You can use XSOAR for free (Community Edition) if you stay under the usage limits: https://start.paloaltonetworks.com/sign-up-for-community-edition.html
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
