While playing around with using Elasticsearch as a SIEM I stumbled across an interesting finding. Elasticsearch under the hood uses Lucene and Lucene supports something called a fuzzy search. A fuzzy search looks for things that are similar to something you specify. For example if you did a fuzzy search against the word roam it might return foam or roams. This capability unlocks the door to some interesting continuous monitoring possibilities.
Take for example if someone were to try and spear phish a business. Often times an attacker would use a domain similar to the victim company's domain in order to increase the odds of successfully phishing the target. If an employee of hasecuritysolutions.com was being targeted an attacker might send an email by purchasing the domain hasecuritysolution.com.
Assuming an attacker did their research they might have crafted an email between two individuals that work together. In this image above the attacker sent an email acting as if it came from Sandy Miller to John Doe about an employee complaint. However, if you look at Sandy's email it is from hasecuritysolution.com, not the legitimate domain of hasecuritysolutions.com.
Now what if we had a way to take a production email domain and look for any emails delivered that look as if they came from a legitimate domain but were not actually the legitimate domain. My brain is a little fuzzy but I swear there is a way to do this. Oh wait, there is: fuzzy searching.
By adding the tilde (~) character after a search parameter it turns it into a fuzzy search. In this example I am using Kibana looking for any emails that came from a domain similar to hasecuritysolutions.com that are not actually from hasecuritysolutions.com. And the results are:
Two records were found and both came from hasecuritysolution.com
By using this simple technique it is possible to find things such as phishing attempts against an organizations email domain. What other use cases would fuzzy searching be useful for? I am not sure but am excited about the possibilities. I would think this would somehow help the forensics community as well. If you find another successful use case with fuzzy searching please let me know.
Apache Lucene - Query Parser Syntax - https://lucene.apache.org/core/2_9_4/queryparsersyntax.html#Fuzzy%20Searches