Lumu’s email analysis ingests your email metadata and correlates it with other metadata sources to let you know how adversaries are trying to compromise your network infrastructure.

Lumu Email Intelligence

Lumu simplifies Continuous Compromise Assessment by consolidating its management, reporting, and related contextual intelligence within a single portal. Security teams no longer need to chase down data from multiple network monitoring tools.

In this section of the Lumu Portal, you can manage the analysis of email intelligence. This unique threat intelligence source can help you understand who adversaries are attempting to compromise in your organization and how they are being targeted, and will also help you make strategic and tactical decisions to disrupt the cycle.

The Email Intelligence feature ingests email data and runs advanced correlations between your inbox, known IoCs, and network traffic to support the Continuous Compromise Assessment of your organization.

Set up Email Intelligence for your Organization

Lumu unlocks the value of your inbox with 3 simple steps:


The Email Intelligence feature is a part of the Lumu paid subscription tiers, which offer you additional correlation capabilities, and overall better compromise detection.

Forward your inbox to Lumu

Lumu will assign a unique email address to your organization in the Lumu Portal. 



Email Intelligence settings - Lumu Portal

The next step is configuring your spam filtering solution to forward all your email metadata to the unique email address provided by Lumu. Below we provide guidance to some providers:

Related documentation:

If you need help to set up Email Intelligence for your company, or your email filtering solution requires a specific approach on forwarding inbox metadata to Lumu, contact our support team.

Summary

This section contains the configuration settings and a general overview of the inbox data analyzed. The Email Intelligence Activity visualization shows the total number of email messages analyzed by Lumu.



Figure 1 - Summary of Emails Analyzed.

Campaigns

The Malicious Campaigns section allows you to drill down into detailed, factual data about the attack campaigns targeting your organization’s inbox. This information can help you adjust your cyber-defense and inform future investments

In this area, you can see how many malicious campaigns target your company (1), the indicators of compromise (IoC), and the total number of recipients. The heat map (2) displays malicious campaign attack patterns to see when the adversaries are sending malicious messages. In the trends area, Lumu shows the distribution of IoCs (3) by threat type (Malware, Spam, Phishing, etc) and the top targeted recipients (4) of malicious campaigns in your organization.



Figure 2 - Summary of malicious campaigns.

In the Campaign Details area, you can see the malicious campaign grouped by subject and sender address (1) and their details, such as the number of emails (2), the quantity of IoCs (3), and the number of target recipients (4) of each campaign.

Figure 3 - Malicious Campaigns details - general.

You can click on a campaign to see more details such as all the email addresses targeted by the adversary with date and time (1), the domain of each IoCs found in the campaign (2), and the attachments hash information (3).



Figure 4 - Malicious Campaigns details - specific.

If you want to explore the IoC and its correlation with other network metadata sources, click on the magnifying glass icon to navigate to the Compromise Context area.

Does Lumu Email do any Email filtering? Check out the frequently asked questions about Lumu Email Intelligence

Correlation

This is a comprehensive view of the distribution of the compromise activity (1) that Lumu detected in your inbox according to your assigned labels. You can click on the zoomable chart (3) to drill deeper into your labeled threat activity, which reveals how and where compromises are spreading inside an organization’s network infrastructure. You can filter (3) the threat information by label or date.


Figure 5 - Network correlation with Lumu Email.

Remember to assign labels to your traffic to help easily identify the compromise distribution across your infrastructure, in a way that makes sense for your organization.

The Correlation Details show the list of IoCs grouped by domains with information regarding threat types (1), IoC details (2), the last time (3) Lumu found this threat in your inbox data, and the total of contacts (4) between the IoC and your infrastructure.

Figure 6 - Network Correlation with Lumu Email Intelligence

Click on an IoC domain to explore the Compromise Context area. This capability shows the IoC correlated with other metadata sources. This additional context will help to understand how a particular compromise is spreading and how long it has been in your network.


Figure 7 - Compromise Context.

The Compromise Context feature allows organizations to enrich confirmed compromise information and understand how the attack is moving, giving security teams the factual data to implement the right response to the most important compromise questions. Explore the Compromise Context feature in our documentation.

Incident Response

We recommend being familiar with Lumu Incident Response Playbooks that are based on the National Institute of Standards and Technology (NIST) Framework and include best practices for how to use Lumu to respond to specific attacks.

Know more about the Lumu Portal:


        • Related Articles

        • Lumu Portal

          Lumu simplifies Continuous Compromise Assessment by consolidating its management, reporting, and related contextual intelligence within a single portal. Security teams no longer need to chase down data from multiple network monitoring tools. The Lumu ...
        • How to configure SSO in the Lumu Portal using Okta

          Single Sign-on (SSO) allows you to log in to the Lumu portal through Identity Providers using their current credentials. Instead of requiring users to manage multiple usernames and passwords, SSO allows you to log in to multiple applications using ...
        • Collectors and Integrations

          Lumu simplifies Continuous Compromise Assessment by consolidating its management, reporting, and related contextual intelligence within a single portal. Security teams no longer need to chase down data from multiple network monitoring tools. Lumu ...
        • Lumu Portal Two-Factor Authentication

          The Lumu Portal offers secure login alternatives through the use of two-factor authentication (2FA), in this case, One-time Password (OTP) on top of your account password. You can use the Authenticator app you prefer, such as Google Authenticator and ...
        • Lumu Playback

          The cybersecurity industry has developed numerous methods to defend against zero-day threats and emerging attacks. However, many attacks still slip through undetected due to the increasingly sophisticated evasion tactics employed by cybercriminals. A ...