The document discusses the growing threat of phishing attacks, emphasizing that the majority go undetected despite filtering measures. It shares several case studies illustrating how such attacks have successfully penetrated defenses, suggesting the need for enhanced security protocols like MFA. Future plans for developing security tools include integrations with Office 365 and improved case management functionalities.

1. ©LogRhythm 2017. All rights reserved. Company Confidential
PIE
Active Defense Against Phishing

2. Greg Foss
Manager, Global Security Operations
OSCP, GMON, GAWN, GPEN, GWAPT, GCIH, CEH, APT

3. Email is the Gateway
Corporate boundaries are a thing of the past…

4. Most Common Attack - Phishing
242 Phishing Attacks in Q4
Average 5 emails received per case – many 100+ email cases

5. 31%
12%
12%
11%
10%
9%
5%
5%
3%
2%
Phishing Attack by Type
Credential Theft Link
Spam
Social Engineering
Malicious Link
Wire Fraud Attempt
Credential Theft Attachment
Malicious PDF
Macro Enabled Document
Encrypted Attachment
False Positive

6. Metrics are only from the ones that make it through

7. Majority of
Spam and
Malware are
Blocked
Automatically

8. It’s not Just Emails from Phishers to Worry About
• Exchange OWA / O365 password spraying
• Targeted mail scraping and extraction
• Malicious rule creation
• Passive account monitoring
• Auto Forwarding
• Email Spoofing
• VoIP and SMS Spoofing
• Data leakage
• General Malware
• …

9. https://github.com/LogRhythm-Labs/PIE

11. • Extract email from specific users
• Extract email from all affected users
• Block senders
• Unblock senders
• Reset Office 365 credentials
• Evaluate Message Forwarding rules
• Create and update LogRhythm Cases
• And more…

12. Story Time!

13. Quick Metrics
• 90% of phishing attacks that make it through Office365 filters are never seen
by LogRhythm Employees…
• Those that make their way to inboxes are tracked, documented, and
quarantined following a report from a user.
• Of messages reported 75% are quarantined automatically

14. Story #1 – Phishing Exercise

18. Users Reporting to Phishing Address

24. Automate Metric Collection - Basics

25. Automate Metric Collection – Focus on the Positive

26. Automate Cleanup and Email Quarantine

27. Story #2
November 2017

28. What are you
asking, Andy?

29. Poof

31. We had
been
watching
the
whole
time…

32. Actually registered logrhytthm.com under real name

33. Turns out he was an older script kiddie

36. Story #3 – Operation Nigerian Rhythm
Low and Slow dictionary attacks against O365 – going on for months

37. ~3.5k attempts in 1-week

38. Eventually – they got in via credential phishing

39. And blasted the entire Sales org an hour later…

43. It
happened
again…

45. Round 2 – Bigger, better, and more disruptive
Initial Phish Second Wave

46. Nick
David
Bob

48. ENABLE MFA!

49. Story #4 - Mailsploit

53. PIE Future Plans and Development Priorities
• 7.3.2 Case API Integration
• O365 URL Rewriting integration
• IDS, Firewall, and Endpoint integration
• Support for On-Premise Exchange
• Web Leaderboard and Open Metrics
• Implement Active Defense Scripts
• Seamless SIEM integration
• Community Integrations!
- What tools are you using?
- What else do you want to see PIE do?

54. ©LogRhythm 2017. All rights reserved. Company Confidential
https://github.com/LogRhythm-Labs/PIE

55. ©LogRhythm 2017. All rights reserved. Company Confidential
Bonus
Messing with Phishers…

59. What About VoIP and SMS?

60. What About VoIP and SMS?

61. Thank You!
Questions?
Greg . Foss [at] logrhythm . com
@heinzarelli
https://github.com/LogRhythm-Labs/PIE/