Sublime Security #99

Closed
topher-lo opened this issue Apr 26, 2024 · 0 comments · Fixed by #101
Labels
enhancement New feature or request integration Pre-built actions

topher-lo commented Apr 26, 2024

User stories:

  1. (Webhook trigger) Triage phishing alerts with Sublime and Slack app
  2. (Webhook trigger) Correlate with events in SIEM, IdP, or EDR
  3. (Webhook trigger) Open case and Slack notify if malicious email is opened
  4. Run detection on past emails given signal from SIEM, IdP, or EDR

The Sublime platform API has multiple abstractions:

  • BinExplode: API to upload and explode binary in Sublime
  • Enrichment: not really enrichment? It's actually a custom deployment of Phishpedia: a deep learning classifier for benign / malicious webpages
  • Lists: this is really great. Sublime curates important lists of data from:
    • Email tenants (Google workspace or M365) synced daily - $org_domains and $org_display_names
    • Historical context, i.e. past communication info specific to the org's email environment
      • $recipient_domains: domains anyone in the org has sent (to, cc, bcc) an email to
      • $recipient_emails: emails anyone in the org has sent to
      • $sender_domains: domains anyone in the org has received an email from
      • $sender_emails: emails anyone in the org has received an email from
    • Threat intel curated Abuse.ch lists
      • URLs from top reporters (URLHaus)
      • Domains from top reporters (URLHaus)
      • SHA256 hashes from top reporters (MalwareBazaar)
    • Sublime threat intel
      • Alexa / Tranco / Cisco top 1 million domains
      • Disposable email providers
      • Common archive file extensions, which can be used to deliver malicious files.
      • File extensions of macro-supported documents, such as Microsoft Office files. Also includes file types that can load macros indirectly, e.g. via remote template injection.
      • Free email providers
      • Free file hosts
      • Free subdomain hosts
      • Top 1 million domains with the most referring subnets
      • Suspicious top level domains
      • URL shorteners
  • Message Groups: API to analyze, hunt, and control groups of messages
  • Messages: API to analyze and CRUD emails (and associated data e.g. attachments)
  • Rules: CRUD MQL detection rules
  • User reports: org user reported emails

Also Webhooks

A webhook Action sends a notification to a URL of your choosing when one or more Rules with the Action flag an email message. The HTTP notification includes information about the message, the mailbox, the flagged Rules, and any triggered Actions, so you can set up an unlimited variety of integrations in response to flagged message events.

Here is some of what you can do with webhooks:

  • Send Flagged Message events to your SIEM for analytics or to correlate with events from other tools, such as your EDR
  • Send Flagged Message events to your SOAR, to trigger sophisticated DFIR workflows that are today only used on reported phish

MQL notes

Implementation details

  • Non-exhaustive support. Match the support provided in the official Python Sublime package
  • Also support URLHaus and MalwareHaus lists

Tests

  • We need the swagger specs. Mock each endpoint + response using respx as opposed to testing in a live environment
  • It'll be too cumbersome to build a test lab. Better to use swagger specs as a source of truth and not test live until the Sublime API is more stable.
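The issue lists the curated Sublime lists ($org_domains, $org_display_names, $sender_domains, free email providers, Abuse.ch hashes) and the triage user stories. The following is an added example, not code from the issue, Sublime, or this project: a toy triage check over constructed stand-ins for those lists, showing the kind of first-contact and display-name-impersonation signals a webhook-triggered workflow could compute before correlating with SIEM, IdP, or EDR events. The list contents, the `Message` shape, and the signal names are all assumptions.

```python
"""Added example (not from the issue or the Sublime/project code).
Approximates how the curated lists described in the issue can drive triage.
All list data and the message shape below are constructed placeholders."""
from dataclasses import dataclass

# Constructed stand-ins for Sublime-curated lists (not real Sublime data).
ORG_DOMAINS = {"example-corp.com"}                       # $org_domains
ORG_DISPLAY_NAMES = {"alice rivera", "it helpdesk"}      # $org_display_names
SENDER_DOMAINS = {"example-corp.com", "vendor.example", "github.com"}  # $sender_domains
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}
ABUSECH_SHA256 = {"0" * 64}  # constructed placeholder hash, not a real IoC


@dataclass
class Message:
    """Minimal, assumed view of a flagged message (not the Sublime schema)."""
    sender_display_name: str
    sender_email: str
    attachment_sha256s: tuple = ()


def triage_signals(msg: Message) -> list:
    """Return the signal names a triage workflow (user story 1) could raise
    before correlating with SIEM/IdP/EDR events (user story 2)."""
    domain = msg.sender_email.rsplit("@", 1)[-1].lower()
    display = " ".join(msg.sender_display_name.lower().split())
    signals = []
    # First contact: nobody in the org has received mail from this domain.
    if domain not in SENDER_DOMAINS and domain not in ORG_DOMAINS:
        signals.append("first_time_sender_domain")
    # Display name belongs to someone in the org, but the address is external.
    impersonation = display in ORG_DISPLAY_NAMES and domain not in ORG_DOMAINS
    if impersonation:
        signals.append("org_display_name_impersonation")
    # Free webmail alone is noisy; only escalate it together with impersonation.
    if impersonation and domain in FREE_EMAIL_PROVIDERS:
        signals.append("freemail_impersonation")
    # Exploded attachment hash matches the MalwareBazaar-style list.
    if any(h.lower() in ABUSECH_SHA256 for h in msg.attachment_sha256s):
        signals.append("known_malware_attachment")
    return signals


if __name__ == "__main__":
    lure = Message("Alice  Rivera", "alice.rivera@gmail.com", ("0" * 64,))
    print(triage_signals(lure))
```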
@topher-lo topher-lo self-assigned this Apr 26, 2024
@topher-lo topher-lo added enhancement New feature or request integration Pre-built actions labels Apr 26, 2024