
Phishing Intelligence Engine - BlueHat v17


The Phishing Intelligence Engine (PIE) is a framework that assists with the detection of, and response to, phishing attacks. It is an Active Defense framework built around Office 365 that continuously evaluates Message Trace logs for malicious content and responds dynamically as threats are identified or emails are reported.


  1. ©LogRhythm 2017. All rights reserved. Company Confidential. (PIE) Phishing Intelligence Engine: Active Defense PowerShell Framework for Office 365. BlueHat ‘17
  2. Greg Foss, Head of Global Security Operations. OSCP, GMON, GAWN, GPEN, GWAPT, GCIH, CEH, APT
  3. Why focus on Phishing? We’re all spending too much time, effort, and resources on commodity phishing… Automate the boring stuff!
  4. Email is the Gateway. Corporate boundaries are a thing of the past…
  5. Most Commonly Observed Attack. 118 unique phishing attacks against LogRhythm in Q3. Average 5 emails received per attack – many 100+ email cases
  6. Types of Attacks
  7. Metrics are only from the ones that make it through
  8. Majority of Spam and Malware are Blocked Automatically
  9. Office 365 – Weekly Reporting
  10. Office 365 – Weekly Reporting
  11. Office 365 – Weekly Reporting
  12. Azure provides great data for threat analytics
  13. Office 365’s detection is good – but nothing is perfect. “Microsoft Office 365 missed 9.3% emails containing spam, phishing, and malware from the beginning of September through early October, report Cyren researchers, who analyzed 10.7 million messages.” https://www.darkreading.com/cloud/office-365-missed-34000-phishing-emails-last-month/d/d-id/1330282 REPORT: https://pages.cyren.com/201710_O365_GapAnalysis_Report_LP.html
  14. It’s not Just Emails from Phishers to Worry About
     • Exchange OWA / O365 password spraying
     • Targeted mail scraping and extraction
     • Malicious rule creation
     • Passive account monitoring
     • Auto Forwarding
     • Email Spoofing
     • VoIP and SMS Spoofing
     • Data leakage
     • Ransomware
     • …
  15. What can we do?
  16. Inspiration - MailSniper!
     • https://www.blackhillsinfosec.com/introducing-mailsniper-a-tool-for-searching-every-users-email-for-sensitive-data/
     • Offensive Exchange and Office 365 PowerShell
     • Password spraying to gain access from the internet
     • Searches for sensitive data within all inboxes
     • Beau Bullock
     • https://www.blackhillsinfosec.com/team/beau-bullock/
  17. https://github.com/LogRhythm-Labs/PIE
  18. PIE – Phishing Intelligence Engine
     • Integrations
       - Office 365
       - Threat Intelligence Feeds
       - Creation and utilization of Dynamic Threat Lists
       - Link and File Sandboxing
       - Domain and Sender analytics
       - ProxyCannon and ProxyChains
       - ?
     • Automated Actions
       - Email Response
       - Case Generation and Updating
       - Evidence collection
       - Deep email analysis
       - Validate Clicks
       - Quarantine mail
       - Reset passwords
       - Block senders
       - Metrics and Accountability
       - Coming soon – Active Defense
  19. Simple and effective mechanisms to report phishing. Commercial software is available to do this, but why buy more things to manage?
  20. Example Response. Keep it generic and to the point. Offer details if requested.
  21. Traditional PowerShell Email Quarantine Process
     • Office 365 provides great PowerShell integration options!
     • You can scrape message trace logs, extract / quarantine mail, block senders, and more.
     • One problem – the default use cases are slow and cumbersome!
  22. Optimize PowerShell Integration and Streamline the Process
     • Instead of opening each mailbox and looking for the message…
     • Use a pre-defined ‘Phishing Inbox’ to gather quarantined / extracted mail
     • Scrape the message trace logs to find valid recipients
     • Perform targeted actions on each inbox
     • Gather and report on metrics for all attacks and recipients
     • Track attackers and block them in the future
     • Reduce your organization’s Mean Time To Detect and Respond!
  23. • Extract email from specific users
     • Extract email from all affected users
     • Block senders
     • Unblock senders
     • Reset Office 365 credentials
     • Evaluate Message Forwarding rules
     • Create and update LogRhythm Cases
     • And more…
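The process on slides 21 to 23 as an added PowerShell example (this is not PIE's own code, which lives at the GitHub link above). It assumes an Exchange Online remote PowerShell session is already open, that a quarantine mailbox called `phishing-inbox@example.com` exists (constructed name), and uses `Get-MessageTrace`, `Search-Mailbox` and `Set-HostedContentFilterPolicy` as they were available at the time of the talk.

```powershell
# Added example, not PIE's own code: triage one reported phish with Exchange Online cmdlets.
# Assumes an open Exchange Online session and a pre-created phishing-inbox mailbox.
param(
    [Parameter(Mandatory)] [string] $SenderAddress,          # sender of the reported phish
    [Parameter(Mandatory)] [string] $Subject,                # subject of the reported phish
    [string] $PhishingInbox = 'phishing-inbox@example.com',  # assumed quarantine mailbox
    [int]    $LookbackDays  = 7,                             # message trace keeps ~10 days
    [switch] $WhatIf                                         # log only: no extraction, no block
)

$start = (Get-Date).AddDays(-$LookbackDays)
$end   = Get-Date

# 1. Scrape the message trace instead of opening every mailbox.
#    Results are paged (max 5000 per page), so loop until a short page comes back.
$trace = @(); $page = 1
do {
    $batch = @(Get-MessageTrace -SenderAddress $SenderAddress -StartDate $start -EndDate $end `
                                -PageSize 5000 -Page $page)
    $trace += $batch; $page++
} while ($batch.Count -eq 5000)

# Only delivered copies need extraction; filtered or failed ones never reached an inbox.
$hits = @($trace | Where-Object { $_.Subject -eq $Subject -and $_.Status -eq 'Delivered' })
$recipients = @($hits | Select-Object -ExpandProperty RecipientAddress -Unique)
Write-Host ("{0} delivered copies to {1} unique recipients" -f $hits.Count, $recipients.Count)

# 2. Targeted action on each affected mailbox: copy the message into the phishing inbox,
#    then remove it from the user's mailbox. -LogOnly records what would match without touching it.
$query  = "from:`"$SenderAddress`" AND subject:`"$Subject`""
$folder = "PIE-$SenderAddress"
foreach ($rcpt in $recipients) {
    if ($WhatIf) {
        Search-Mailbox -Identity $rcpt -SearchQuery $query -TargetMailbox $PhishingInbox `
                       -TargetFolder $folder -LogOnly
    } else {
        Search-Mailbox -Identity $rcpt -SearchQuery $query -TargetMailbox $PhishingInbox `
                       -TargetFolder $folder -DeleteContent -Force
    }
}

# 3. Track the attacker and block the sender for the future via the default content filter policy.
if (-not $WhatIf) {
    Set-HostedContentFilterPolicy -Identity Default -BlockedSenders @{Add = $SenderAddress}
}

# 4. Metrics for the case: one row per delivered copy, ready to attach to a ticket or case.
$hits | Select-Object Received, RecipientAddress, Subject, MessageId |
    Export-Csv -Path ".\PIE-metrics-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Run it first with `-WhatIf` to confirm the recipient list and search hits before any mail is moved or a sender is blocked.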
  24. Meat of the PIE
  25. First things first…
  26. Deploy the PIE files & understand the logging configuration
  27. Alarming and Threat Intelligence
  28. Automated Response via SmartResponse
     • Remember O365 Ninja?
     • All actions can be integrated and automated with the SIEM!
  29. Get Creative! SmartResponse Chaining
  31. Automated Case Management and Metrics. Attack trending and dynamic case metrics based on tags
  32. Deep Dive into the Analysis Phase. PIE can take action based on threat scores from third-party API integrations
  33. DEMO
  34. Future Plans and Ongoing Support
     • Improve the codebase ☺
     • Support for On-Premise Exchange
     • IDS, Firewall, and Endpoint integration
     • Web Leaderboard and Open Metrics
     • Implement Active Defense Scripts
     • Documentation and Installation Package
     • Seamless SIEM integration
     • Community Integrations!
       - What tools are you using?
       - What else do you want to see PIE do?
  35. https://github.com/LogRhythm-Labs/PIE
  36. Bonus: Messing with Phishers…
  37. What About VoIP and SMS?
  38. What About VoIP and SMS?
  39. Thank You! Questions? Greg . Foss [at] logrhythm . com @heinzarelli https://github.com/LogRhythm-Labs/PIE/
