
CREATING A TRUSTED ACCOUNT FOR E-MAIL SECURITY TESTS


Keepnet Labs E-Mail Threat Simulator allows institutions to defend against major attack vectors. Targeted attacks have increased significantly in recent years, and their targets have generally been large corporations, government agencies and political organizations. The more information an organization holds, the higher its likelihood of exposure to cyber attacks.

Despite the widespread use of email filters, the majority of attacks still arrive through e-mail. Poor configuration or poor implementation of these products can lead to the false assumption that you are safe. Keepnet Labs allows you to test these assumptions, see your security posture, and take steps to remediate the vulnerabilities that arise from e-mail.

Creating a Trusted Account for E-mail Security Tests

The Keepnet Labs E-Mail Threat Simulator module requires a test account to run and report the tests listed here. This document contains sample configurations for the security and reliability checks that can be applied to this test account.

The test account will only receive e-mail, and will not be able to send mail to any internal or external e-mail address except Keepnet Labs. This is a safe configuration option that will prevent potential violations.

Creating a Test Account

Start the Exchange Management Shell as a user who has Organization Administration permissions.

The test account required for operations can then be created with Exchange PowerShell using the following command:

New-Mailbox -UserPrincipalName "UserPrincipalName" -Alias "Mail Alias" -Name "Mailbox Account Name" -Database "Database Name" -OrganizationalUnit "<Organizational Unit>" -ResetPasswordOnNextLogon $false -Password (ConvertTo-SecureString -String "Password" -AsPlainText -Force)

New-Mailbox -UserPrincipalName ets@yourdomain.com -Alias ets -Name ETS -Database PERDB -OrganizationalUnit "OU=SNR,DC=keepnet,DC=aws" -ResetPasswordOnNextLogon $false -Password (ConvertTo-SecureString -String 'StR0ngP@ssw0rd' -AsPlainText -Force)

Restriction of the Authority of the Test Account

We can create the test account as a dummy user and restrict its use of e-mail services in various ways. The following are examples of ways to restrict the test account's ability to send and receive e-mail.

Restrict Email Address

To prevent the test account from sending e-mail to any internal or external address other than ets@keepnethood.com, apply the following configuration steps in order.

Log in to https://ExchangeServer/ecp with Organization Admin authority. Go to Mail Flow > Rules and add a new rule using the plus sign. Give the rule a name and configure it as follows:

In the “Apply this rule if” condition, select “The sender is” and add the test account.

In the “Do the following” action, select the option “Delete the message without notifying anyone”.

Click More Options to display the Exception field.

Activate the “Except if” condition with “The recipient > address includes any of these words”, enter the address “ets@keepnethood.com”, and save the rule.
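The same rule can be scripted from the Exchange Management Shell. The following is an added example, not part of the original post; the rule name and the sender address ets@yourdomain.com (taken from the sample New-Mailbox command) are assumptions to adjust for your environment.

```powershell
# Added example: scripted equivalent of the ECP mail flow rule described above.
# Assumed values (not from the original page): $RuleName, and $TestAccount
# matching the sample mailbox created earlier.
$TestAccount    = 'ets@yourdomain.com'       # sender to restrict
$AllowedAddress = 'ets@keepnethood.com'      # only permitted recipient (from the page)
$RuleName       = 'ETS test account - drop outbound mail'   # hypothetical name

# Settings shared by create and update, so the rule is defined in one place.
$ruleSettings = @{
    From                                  = $TestAccount      # "The sender is"
    DeleteMessage                         = $true             # "Delete the message without notifying anyone"
    ExceptIfRecipientAddressContainsWords = $AllowedAddress   # "Except if ... address includes any of these words"
}

# Create the rule if it is missing, otherwise bring it back to the expected state.
$existing = Get-TransportRule | Where-Object { $_.Name -eq $RuleName }
if ($existing) {
    Set-TransportRule -Identity $RuleName @ruleSettings
    Enable-TransportRule -Identity $RuleName
} else {
    New-TransportRule -Name $RuleName -Mode Enforce @ruleSettings
}

# Check the result: the rule should be Enabled, in Enforce mode, with the
# sender, action and exception set exactly as configured above.
Get-TransportRule -Identity $RuleName |
    Format-List Name, State, Mode, From, DeleteMessage, ExceptIfRecipientAddressContainsWords
```

After creating the rule, send one message from the test account to the allowed address and one to any other mailbox you control to confirm that only the first is delivered.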

Enable Mailbox Audit Logging for Test Account

Mailboxes created on the Exchange server have audit logging disabled by default. To log all actions performed through the test account, mailbox audit logging can be enabled on it with the following command:

Set-Mailbox -Identity "<Test Account>" -AuditEnabled $true

Set-Mailbox -Identity "ETS Test Account" -AuditEnabled $true

The following command also enables mailbox audit logs on all mailboxes:

Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true

The actions recorded in the mailbox audit log can be adjusted with the following command. Here, different parameters are activated for 3 different groups. Because the records enabled for the Owner group log users' actions on their own accounts, they can be left disabled if not required, to avoid keeping too much log data. Admin and Delegate group events can be enabled to record the actions of accounts that are authorized on that mailbox.

Set-Mailbox -Identity "ETS Test Account" -AuditAdmin Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create -AuditDelegate Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create -AuditEnabled $true

By adding this command to the user creation procedure and running it after each mail account is created, mailbox audit logging can be enabled on every new mail account, whether it is created automatically or manually.
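To confirm that the audit settings took effect and to read back what was logged, the checks below can be run in the Exchange Management Shell. This is an added example, not part of the original post; the seven-day window and the list of operations reviewed are assumptions.

```powershell
# Added example: verify mailbox audit settings and review logged actions.
$TestMailbox = 'ETS Test Account'          # identity used in the commands above
$Since       = (Get-Date).AddDays(-7)      # assumed review window

# 1. Confirm auditing is on and see which actions each logon type records.
Get-Mailbox -Identity $TestMailbox |
    Format-List Name, AuditEnabled, AuditLogAgeLimit, AuditAdmin, AuditDelegate, AuditOwner

# 2. List user mailboxes that still have auditing disabled, e.g. accounts
#    created outside the provisioning procedure.
Get-Mailbox -ResultSize Unlimited -Filter 'RecipientTypeDetails -eq "UserMailbox"' |
    Where-Object { -not $_.AuditEnabled } |
    Select-Object Name, PrimarySmtpAddress

# 3. Review admin and delegate activity on the test mailbox. Send and delete
#    operations are the ones that matter for an account that should only
#    receive mail.
$ReviewOps = 'SendAs', 'SendOnBehalf', 'SoftDelete', 'HardDelete', 'MoveToDeletedItems'
Search-MailboxAuditLog -Identity $TestMailbox -LogonTypes Admin, Delegate `
        -StartDate $Since -EndDate (Get-Date) -ShowDetails -ResultSize 1000 |
    Where-Object { $ReviewOps -contains $_.Operation } |
    Sort-Object LastAccessed |
    Select-Object LastAccessed, Operation, OperationResult, LogonType,
                  LogonUserDisplayName, FolderPathName, ItemSubject
```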

Activating Admin Audit Event Logs

The following command can be run once to enable Admin Audit logs:

Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -AdminAuditLogParameters * -AdminAuditLogCmdlets *

The Admin Audit logs can be searched with the following command:

Search-AdminAuditLog

Search-AdminAuditLog -Cmdlets New-SendConnector -StartDate 04/20/2014 -EndDate 5/5/2015

The following command will search for the parameters specified in Admin Audit Logs and mail the result to admin@yourdomain.com:

New-AdminAuditLogSearch -Name "Mailbox Quota Change Audit" -Cmdlets Set-Mailbox -Parameters UseDatabaseQuotaDefaults, ProhibitSendReceiveQuota, ProhibitSendQuota -StartDate 01/20/2017 -EndDate 05/05/2018 -StatusMailRecipients admin@yourdomain.com
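The admin audit log can also show whether anyone has changed the controls that protect the test account. The following is an added example, not part of the original post; the list of watched cmdlets and the 30-day window are assumptions.

```powershell
# Added example: find administrative changes to the test account's safeguards
# (mail flow rules, mailbox audit settings, admin audit configuration).
$Since   = (Get-Date).AddDays(-30)         # assumed review window
$Watched = 'Set-Mailbox', 'Set-TransportRule', 'Disable-TransportRule',
           'Remove-TransportRule', 'Set-AdminAuditLogConfig'

Search-AdminAuditLog -Cmdlets $Watched -StartDate $Since -EndDate (Get-Date) -ResultSize 1000 |
    Where-Object {
        # Keep every rule and audit-config change; for Set-Mailbox keep only
        # calls that touched an Audit* parameter (AuditEnabled, AuditAdmin, ...).
        $_.CmdletName -ne 'Set-Mailbox' -or
        ($_.CmdletParameters | Where-Object { $_.Name -like 'Audit*' })
    } |
    Sort-Object RunDate |
    Select-Object RunDate, Caller, CmdletName, ObjectModified, Succeeded,
        @{ Name       = 'Parameters'
           Expression = { ($_.CmdletParameters |
                           ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; ' } }
```

An entry showing AuditEnabled=False on the test mailbox, or a Disable-TransportRule or Remove-TransportRule call against the outbound rule, means the account is no longer restricted or logged as intended.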

“This post is originally published at www.keepnetlabs.com”
