Creating Email Detection Rules for Sublime Security

Mino Kim
Apr 6, 2023


While browsing r/netsec I came across Sublime Security — an “open platform for email security”. Sublime Security uses open-source detection rules that anyone can contribute to.

I’ll describe how I created my first detection rule in this article.

Initial Steps

First, I got a high-level understanding of the tool and got hands-on as soon as possible:

  • Poke around the website and read through the examples in Use Cases and Attack Types.
  • Review the documentation and read the introduction and MQL (Message Query Language) section.
  • Experiment in the playground by modifying existing detection rules to get a feel for the query language. This useful tool simplifies the process of building EMLs and testing rules.
Rule that flags on emails with a specific subject line

Notes:

  • MDM (Message Data Model) is the JSON representation of an email
  • MQL (Message Query Language) is Sublime’s query language, used to create Detection rules.
  • MQL can reference anything in MDM

Creating a detection rule appears to be the best way to move forward. At the time of writing, Triage rules were still being built out and I couldn’t find any documentation on Discovery rules.

Low-Hanging Fruit

Next, I identified some low-hanging fruit so I could start small.

I looked through existing detection rules in Sublime Security’s GitHub repository for ideas and saw a collection of impersonation rules.

sublime-rules/detection-rules/

Most of these rules share similar syntax — great for copying and making minor tweaks.

I searched for commonly impersonated brands that didn’t have a detection rule in place and noticed Netflix wasn’t there. I searched for “Netflix” in the repository and Slack channel to make sure there wasn’t a reason it didn’t already exist.

I chose the Venmo impersonation rule as a starting template and copied and pasted it from GitHub to the Sublime Playground. I made an effort to understand every line of this rule, referencing the documentation and building EMLs to ensure the detection rule was flagging as expected.

MQL reads like English, so it’s easy to pick up.

Creating the Rule

I forked the sublime-rules repository, created a branch, and added an impersonation_netflix.yml file. (If you’re lost, see GitHub Flow and GitHub Minesweeper.) I copied and pasted the Venmo impersonation rule into this new .yml file.

Starting point.

I replaced all instances of “Venmo” with “Netflix”, found an article as a reference, and changed the description and name.

Next, I checked whether Netflix uses other domains to send email. If so, they would need to be added to the sender.email.domain.root_domain exclusion so that legitimate Netflix mail from those domains would not trigger the rule.

After some research (Google, netify, securitytrails) it appeared that netflix.com was the only domain that sends Netflix-related emails.

There are issues with this detection rule. Can you find them?

I pushed the changes and opened a PR.

Resolving Issues and Merging PR

The next day, a reviewer looked at the detection rule and pointed out a few mistakes:

  • Line 15: sender.email.domain.domain not !~ ‘netflix.com’ — either the “not” or “!~” should be removed.
  • Line 15: sender.email.domain.domain should be changed to sender.email.domain.root_domain.
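To make the two review comments concrete, and to show the kind of test EMLs mentioned earlier in the article, here is an added Python example. It is not code from the article, from the Sublime playground, or from the sublime-rules repository, and it is not MQL: it builds a few constructed .eml messages with the standard library, reduces each to the MDM paths the article names (sender.email.domain.domain, sender.email.domain.root_domain), and runs the sender-exclusion clause in its submitted form and in its corrected forms. The display-name check and the SPF/DMARC check are my assumptions about how the brand-impersonation template works, the root_domain computation is a last-two-labels simplification (Sublime derives it from the public suffix list), and `!~` is modelled as a case-insensitive not-equal, which is how I read the MQL docs.

```python
# Added example, not code from the article or from the sublime-rules repo.
# Assumptions (mine, not Sublime's): the display-name and auth checks are
# modelled on the repo's brand-impersonation template; root_domain is taken
# as the last two labels (Sublime uses the public suffix list); MQL's `!~`
# is treated as case-insensitive not-equal.
from email.message import EmailMessage
from email import message_from_string
from email.utils import parseaddr


def build_eml(display_name: str, address: str, auth_results: str) -> str:
    """Return a minimal RFC 5322 message as text (what a .eml file holds)."""
    msg = EmailMessage()
    msg["From"] = f"{display_name} <{address}>"
    msg["To"] = "victim@example.test"
    msg["Subject"] = "Update your payment details"
    # A receiving MTA normally adds this header; we set it ourselves to
    # simulate the SPF/DMARC outcome we want the rule to see.
    msg["Authentication-Results"] = auth_results
    msg.set_content("Your account is on hold. Sign in to keep watching.")
    return msg.as_string()


def to_mdm(eml: str) -> dict:
    """Reduce a parsed message to the MDM-style fields this example uses."""
    msg = message_from_string(eml)
    display_name, address = parseaddr(msg["From"])
    domain = address.rsplit("@", 1)[-1].lower()
    auth = msg.get("Authentication-Results", "").lower()
    return {
        "sender.display_name": display_name,
        "sender.email.domain.domain": domain,  # full sending host
        "sender.email.domain.root_domain": ".".join(domain.split(".")[-2:]),
        "spf_pass": "spf=pass" in auth,
        "dmarc_pass": "dmarc=pass" in auth,
    }


def not_ieq(left: str, right: str) -> bool:
    """MQL `!~`: case-insensitive not-equal (assumed semantics)."""
    return left.lower() != right.lower()


def _brand_and_auth(m: dict) -> bool:
    """The parts of the rule the reviewer did not comment on (assumed)."""
    looks_like_brand = "netflix" in m["sender.display_name"].lower()
    auth_failed = not (m["spf_pass"] and m["dmarc_pass"])
    return looks_like_brand and auth_failed


def rule_as_submitted(m: dict) -> bool:
    # `sender.email.domain.domain not !~ 'netflix.com'`: the `not` cancels
    # the `!~`, so the sender exclusion becomes a sender *requirement* and
    # the rule can only ever fire on mail that really comes from netflix.com.
    return _brand_and_auth(m) and not not_ieq(
        m["sender.email.domain.domain"], "netflix.com")


def rule_first_fix_only(m: dict) -> bool:
    # `sender.email.domain.domain !~ 'netflix.com'`: the exclusion now works,
    # but only for the apex host, so netflix.com subdomains are still flagged.
    return _brand_and_auth(m) and not_ieq(
        m["sender.email.domain.domain"], "netflix.com")


def rule_corrected(m: dict) -> bool:
    # `sender.email.domain.root_domain !~ 'netflix.com'`: both reviewer fixes.
    return _brand_and_auth(m) and not_ieq(
        m["sender.email.domain.root_domain"], "netflix.com")


# Constructed test messages (not real mail). SPF failing while DMARC passes
# is what a forwarded but legitimate message commonly looks like.
SAMPLES = {
    "lookalike_phish": build_eml(
        "Netflix Billing", "billing@netf1ix-account.xyz",
        "mx.example.test; spf=fail; dmarc=fail"),
    "legit_subdomain_forwarded": build_eml(
        "Netflix", "info@mailer.netflix.com",
        "mx.example.test; spf=fail; dmarc=pass"),
    "legit_apex_forwarded": build_eml(
        "Netflix", "info@netflix.com",
        "mx.example.test; spf=fail; dmarc=pass"),
    "unrelated": build_eml(
        "Example Bank", "alerts@bank.example",
        "mx.example.test; spf=fail; dmarc=fail"),
}


def flagged_by(rule) -> list:
    """Names of the sample messages a rule would flag."""
    return sorted(name for name, eml in SAMPLES.items() if rule(to_mdm(eml)))


if __name__ == "__main__":
    for rule in (rule_as_submitted, rule_first_fix_only, rule_corrected):
        print(f"{rule.__name__:20} -> {flagged_by(rule)}")
```

Running it shows why each comment mattered: the submitted clause flags only the genuine netflix.com message and misses the lookalike entirely, removing the `not` fixes that but produces a false positive on mailer.netflix.com, and switching to root_domain flags only the lookalike. The same messages can be saved as .eml files and dropped into the playground to check the real MQL rule behaves the same way.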

I corrected my mistakes, and was left with the final detection rule:

Live version

After some time, the PR was approved.
