The guidelines provided in this article help SOC professionals in understanding and respond to security monitoring requirements in a more professional manner. Additionally, the use cases and correlation rules proposed in this article aid in making the security monitoring service more relevant to the threat landscape. The use cases recommended are for the event source category.
The major event source categories considered
Anti-spam
Anti-virus
End-point threat protection/Application control/whitelisting solution Web/Application server or database
Data loss prevention /File integrity monitor
Financial application
Host-based firewall
Single sign-on
IPS/IDS
Network-based firewall
Network user behavior analysis
Operating system
Storage
VPN
Vulnerability Scanning solution
NAC solution
Anti-Spam
There are several solutions like gateway-based filters, client-side applications, and mail server integrated solutions for anti-spam. The gateway filters are dedicated anti-spam solutions that are often coupled with anti-virus to provide an end-to-end mail filtering service.
Gateway filters off-load the performance and bandwidth consumption issues of running them on the mail server directly. Mail servers integrated anti-spam solutions run on the server directly processes the spam inline. A client-side application that runs on the end user’s system directly to process spam is not a widely-used solution in a corporate environment. However, the heuristic capabilities of these solutions and lower pricing make it the perfect choice for a home user.
Anti-Spam Detection and Processing Techniques
Anti-spam solutions use different techniques for the detection and processing of spam. These include and not limited to:
- Hashing or checksums
- Open relay checks
- RBL check
- Bayesian filter
- Heuristic
- Signatures
- Blacklisting and whitelisting
Hashing or Checksums
Hash values of a specific portion of the spam emails are computed and stored in the anti-spam solutions. An email that matches the stored hash will be flagged as spam.
Open Relay Checks
Open relay checks verify whether the source mail server permits relays. Mail servers that are configured to relay can be misconfigured by the attacker to limit problems with SPAM black listing. Anti-spam solutions block email from source servers that permit relaying.
RBL check
Malicious Anti-spam solutions may use real-time black lists for blocking spam emails.
Bayesian Filter
Bayesian filters use user input for calculating the statistical probability of email spam.
Heuristic
The probability of spam is calculated statistically by the combination of a variety of detection mechanisms to recognize specific patterns that indicate spam.
Signatures
Specific keywords within a message are checked for the identification of spam.
Black Listing and White Listing
In the black listing, the anti-spam solution blocks messages from a specific user-defined source address, domain, or IP. Anti-spam solutions can also be configured to permit messages from user-defined white lists only.
Anti-Spam Event Categories
As a security analyst one should consider developing and implementing at least the below set of recommended use cases and correlation rules for an anti-spam event source.
Below are the major event source categories to be considered from a security perspective.
Email spam
Instant messaging spam
Comment spam
Junk FAX (Out of Scope for Security Analytics)
Internet telephony spam
Unsolicited text messages (Out of Scope for Security Analytics)
Recommended Use Cases and Correlation Rules
No | Use Case | Event Type /Category | Correlation Rule |
1 | Trigger alert for the EMAIL. SPAM originated from inside | General Email SPAM | ATYPICAL/UNUSUAL outbound Email, possible SPAM |
2 | Trigger alert for SPAM in the incoming Email with RBL,IP reputation & MIME header checks. | General Email SPAM | ATYPICAL/UNUSUAL inbound Email, possible SPAM, TOP SPAM sources reported |
3 | Trigger Alarm if Phishing content is found in an email | General Email SPAM | PHISHING content inside the email, possible spear-phishing attempt/ SPAM |
4 | Trigger Alarm if SPAM content is found in an IM flow | Instant messaging SPAM | ATYPICAL/UNUSUAL Instant messaging communication, possible SPAM |
5 | Trigger Alarm if SPAM content is found in a VOIP flow | Internet Telephony SPAM | ATYPICAL/UNUSUAL Internet Telephony communication detected, possible SPAM |