
PIE - BSides Vancouver 2018

The Phishing Intelligence Engine (PIE) is a framework that assists with the detection of and response to phishing attacks: an active-defense framework built around Office 365 that continuously evaluates Message Trace logs for malicious content and responds dynamically as threats are identified or emails are reported. This talk covers the framework and then dives into some stories from the field.


  1. ©LogRhythm 2017. All rights reserved. Company Confidential. PIE: Active Defense Against Phishing
  2. Greg Foss, Manager, Global Security Operations. OSCP, GMON, GAWN, GPEN, GWAPT, GCIH, CEH, APT
  3. Email is the Gateway. Corporate boundaries are a thing of the past…
  4. Most Common Attack: Phishing. 242 phishing attacks in Q4; an average of 5 emails received per case, with many cases of 100+ emails.
  5. Phishing Attack by Type (pie chart; percentages paired with the legend entries in the order the slide lists them):
     • Credential Theft Link: 31%
     • Spam: 12%
     • Social Engineering: 12%
     • Malicious Link: 11%
     • Wire Fraud Attempt: 10%
     • Credential Theft Attachment: 9%
     • Malicious PDF: 5%
     • Macro Enabled Document: 5%
     • Encrypted Attachment: 3%
     • False Positive: 2%
  6. Metrics are only from the ones that make it through.
  7. Majority of spam and malware are blocked automatically.
  8. It's not just emails from phishers to worry about:
     • Exchange OWA / O365 password spraying
     • Targeted mail scraping and extraction
     • Malicious rule creation
     • Passive account monitoring
     • Auto forwarding
     • Email spoofing
     • VoIP and SMS spoofing
     • Data leakage
     • General malware
     • …
  9. https://github.com/LogRhythm-Labs/PIE
  10. What PIE can do:
     • Extract email from specific users
     • Extract email from all affected users
     • Block senders
     • Unblock senders
     • Reset Office 365 credentials
     • Evaluate message forwarding rules
     • Create and update LogRhythm Cases
     • And more…
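The capability list above is the response half of an evaluate-and-respond loop over Message Trace data. What follows is an added example in Python (PIE itself is PowerShell; this is not the project's code) showing how such a loop can score a Message Trace export and a set of inbox rules and decide which of those actions to take. The column names follow the Get-MessageTrace and Get-InboxRule output, but the tenant domain example.com, the thresholds, the trace rows and the rule records are all constructed assumptions. It also handles the internal-sender case, a compromised mailbox blasting colleagues, by choosing a credential reset instead of a sender block.

```python
"""Evaluate Office 365 Message Trace rows and inbox rules and decide on
response actions, in the spirit of PIE's active-defense loop.

Added illustration in Python; PIE itself is PowerShell and this is not its
code. Column names follow Get-MessageTrace / Get-InboxRule output; the
tenant domain, thresholds, trace rows and rule records are constructed."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example.com"  # assumption: the tenant's own domain

# Constructed Message Trace export (one row per sender/recipient pair).
MESSAGE_TRACE = """\
SenderAddress,RecipientAddress,Subject,Received,Status
it-helpdesk@mailserver-alert.example.net,alice@example.com,Password expires today,2018-03-10T09:01:02,Delivered
it-helpdesk@mailserver-alert.example.net,bob@example.com,Password expires today,2018-03-10T09:01:05,Delivered
it-helpdesk@mailserver-alert.example.net,carol@example.com,Password expires today,2018-03-10T09:01:07,Delivered
it-helpdesk@mailserver-alert.example.net,dave@example.com,Password expires today,2018-03-10T09:01:09,FilteredAsSpam
newsletter@vendor.example.net,alice@example.com,March update,2018-03-10T10:00:00,Delivered
bob@example.com,alice@example.com,Re: lunch,2018-03-10T11:30:00,Delivered
erin@example.com,sales-1@example.com,Invoice attached,2018-03-10T14:00:00,Delivered
erin@example.com,sales-2@example.com,Invoice attached,2018-03-10T14:00:01,Delivered
erin@example.com,sales-3@example.com,Invoice attached,2018-03-10T14:00:02,Delivered
"""

# Constructed inbox-rule records, shaped like Get-InboxRule output.
INBOX_RULES = [
    {"Mailbox": "alice@example.com", "Name": "Sync", "DeleteMessage": True,
     "ForwardTo": ["backup@webmail.example.org"], "MoveToFolder": None},
    {"Mailbox": "bob@example.com", "Name": "Tickets", "DeleteMessage": False,
     "ForwardTo": ["helpdesk@example.com"], "MoveToFolder": None},
    {"Mailbox": "erin@example.com", "Name": ".", "DeleteMessage": False,
     "ForwardTo": [], "MoveToFolder": "RSS Subscriptions"},
]


def parse_trace(text):
    """Read the CSV export and parse timestamps so rows can be windowed."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["Received"] = datetime.fromisoformat(r["Received"])
    return rows


def find_blast_senders(rows, min_recipients=3, window=timedelta(minutes=10)):
    """{sender: recipients} for senders reaching >= min_recipients distinct
    mailboxes inside `window`. Filtered copies still count: they prove the
    campaign even when only some copies were delivered."""
    by_sender = defaultdict(list)
    for r in rows:
        by_sender[r["SenderAddress"].lower()].append(r)
    hits = {}
    for sender, msgs in by_sender.items():
        msgs.sort(key=lambda r: r["Received"])
        for i, first in enumerate(msgs):
            seen = {m["RecipientAddress"].lower() for m in msgs[i:]
                    if m["Received"] - first["Received"] <= window}
            if len(seen) >= min_recipients:
                hits[sender] = seen
                break
    return hits


def suspicious_rules(rules, internal_domain=INTERNAL_DOMAIN):
    """Flag rules that leak mail outside the tenant or hide it from the
    owner: external forwarding, delete-on-arrival, or moving mail into a
    folder nobody reads (RSS Subscriptions is a common attacker choice)."""
    hidden = {"RSS Subscriptions", "RSS Feeds", "Conversation History"}
    flagged = []
    for r in rules:
        reasons = []
        external = [a for a in r["ForwardTo"]
                    if not a.lower().endswith("@" + internal_domain)]
        if external:
            reasons.append("forwards externally to " + ", ".join(external))
        if r["DeleteMessage"]:
            reasons.append("deletes the message")
        if r["MoveToFolder"] in hidden:
            reasons.append("hides mail in " + r["MoveToFolder"])
        if reasons:
            flagged.append((r["Mailbox"].lower(), r["Name"], reasons))
    return flagged


def plan_response(rows, rules, internal_domain=INTERNAL_DOMAIN):
    """Map findings to PIE-style actions: block an external blast sender,
    reset credentials of an internal one (a compromised mailbox), quarantine
    the delivered copies, and disable suspicious inbox rules."""
    actions = []
    for sender in find_blast_senders(rows):
        delivered = tuple(sorted(
            r["RecipientAddress"].lower() for r in rows
            if r["SenderAddress"].lower() == sender and r["Status"] == "Delivered"))
        if sender.endswith("@" + internal_domain):
            actions.append(("reset-credentials", sender))
        else:
            actions.append(("block-sender", sender))
        actions.append(("quarantine", sender, delivered))
    for mailbox, name, reasons in suspicious_rules(rules, internal_domain):
        actions.append(("disable-rule", mailbox, name, tuple(reasons)))
    return actions


if __name__ == "__main__":
    for action in plan_response(parse_trace(MESSAGE_TRACE), INBOX_RULES):
        print(action)
```

In a real deployment the trace would come from Get-MessageTrace and the actions would be executed against Exchange Online; here they are returned as tuples so the decision logic can be tested on its own. Note that the external phisher's copy to dave was filtered as spam and is excluded from the quarantine list but still counted toward the blast threshold.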
  11. Story Time!
  12. Quick Metrics
     • 90% of phishing attacks that make it through Office 365 filters are never seen by LogRhythm employees…
     • Those that make their way to inboxes are tracked, documented, and quarantined following a report from a user.
     • Of messages reported, 75% are quarantined automatically.
  13. Story #1: Phishing Exercise
  14. Users Reporting to Phishing Address
  15. Automate Metric Collection: Basics
  16. Automate Metric Collection: Focus on the Positive
  17. Automate Cleanup and Email Quarantine
  18. Story #2: November 2017
  19. What are you asking, Andy?
  20. Poof
  21. We had been watching the whole time…
  22. Actually registered logrhytthm.com under real name
  23. Turns out he was an older script kiddie
  24. Story #3: Operation Nigerian Rhythm. Low-and-slow dictionary attacks against O365, going on for months.
  25. ~3.5k attempts in one week
  26. Eventually, they got in via credential phishing
  27. And blasted the entire Sales org an hour later…
  28. It happened again…
  29. Round 2: Bigger, better, and more disruptive (diagram labels: Initial Phish, Second Wave)
  30. (Names shown on slide: Nick, David, Bob)
  31. ENABLE MFA!
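The attack in Story #3 is the case that per-minute lockout thresholds miss: a few guesses an hour against many accounts, for months. The block below is an added example in Python, not PIE's own code, showing detection logic over constructed sign-in audit events. It separates a low-and-slow spray (one source, many accounts, few attempts each, judged over a long window) from a single-account brute force, and then lists any successful sign-in from a source that was spraying. The event shape loosely follows UserLoginFailed / UserLoggedIn records in the Office 365 audit log; the IPs, accounts, timestamps and thresholds are all constructed assumptions.

```python
"""Spot a low-and-slow password spray against Office 365 in sign-in audit
events, separate it from a single-account brute force, and surface any
successful sign-in from an IP that was spraying.

Added illustration in Python, not PIE's own code. Event shape loosely
follows Office 365 audit-log UserLoginFailed / UserLoggedIn records; IPs,
accounts, timestamps and thresholds are constructed."""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed JSON-lines events: 203.0.113.7 tries six accounts once each
# across a day, 198.51.100.9 hammers one account, 192.0.2.44 is a user typo.
EVENTS = """\
{"CreationTime":"2018-01-15T01:12:03","Operation":"UserLoginFailed","UserId":"alice@example.com","ClientIP":"203.0.113.7"}
{"CreationTime":"2018-01-15T03:40:11","Operation":"UserLoginFailed","UserId":"bob@example.com","ClientIP":"203.0.113.7"}
{"CreationTime":"2018-01-15T06:05:47","Operation":"UserLoginFailed","UserId":"carol@example.com","ClientIP":"203.0.113.7"}
{"CreationTime":"2018-01-15T08:00:00","Operation":"UserLoginFailed","UserId":"alice@example.com","ClientIP":"192.0.2.44"}
{"CreationTime":"2018-01-15T08:00:20","Operation":"UserLoggedIn","UserId":"alice@example.com","ClientIP":"192.0.2.44"}
{"CreationTime":"2018-01-15T09:30:02","Operation":"UserLoginFailed","UserId":"dave@example.com","ClientIP":"203.0.113.7"}
{"CreationTime":"2018-01-15T12:00:00","Operation":"UserLoginFailed","UserId":"bob@example.com","ClientIP":"198.51.100.9"}
{"CreationTime":"2018-01-15T12:00:01","Operation":"UserLoginFailed","UserId":"bob@example.com","ClientIP":"198.51.100.9"}
{"CreationTime":"2018-01-15T12:00:02","Operation":"UserLoginFailed","UserId":"bob@example.com","ClientIP":"198.51.100.9"}
{"CreationTime":"2018-01-15T12:00:03","Operation":"UserLoginFailed","UserId":"bob@example.com","ClientIP":"198.51.100.9"}
{"CreationTime":"2018-01-15T12:00:04","Operation":"UserLoginFailed","UserId":"bob@example.com","ClientIP":"198.51.100.9"}
{"CreationTime":"2018-01-15T13:15:30","Operation":"UserLoginFailed","UserId":"erin@example.com","ClientIP":"203.0.113.7"}
{"CreationTime":"2018-01-15T17:50:09","Operation":"UserLoginFailed","UserId":"frank@example.com","ClientIP":"203.0.113.7"}
{"CreationTime":"2018-01-16T02:00:00","Operation":"UserLoggedIn","UserId":"erin@example.com","ClientIP":"203.0.113.7"}
"""


def parse_events(text):
    """Parse JSON lines and sort by time so windows can slide forward."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["CreationTime"] = datetime.fromisoformat(e["CreationTime"])
            events.append(e)
    return sorted(events, key=lambda e: e["CreationTime"])


def _failures_by_ip(events):
    fails = defaultdict(list)
    for e in events:
        if e["Operation"] == "UserLoginFailed":
            fails[e["ClientIP"]].append(e)
    return fails


def detect_spray(events, window=timedelta(hours=24), min_accounts=5,
                 max_per_account=3):
    """A spray is one source hitting many distinct accounts a few times each
    inside `window`. The long window is what catches the low-and-slow
    variant; a per-minute threshold never fires on a few attempts an hour."""
    found = {}
    for ip, fails in _failures_by_ip(events).items():
        for i, start in enumerate(fails):
            win = [f for f in fails[i:]
                   if f["CreationTime"] - start["CreationTime"] <= window]
            per_account = Counter(f["UserId"].lower() for f in win)
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_per_account):
                found[ip] = {"accounts": set(per_account), "attempts": len(win),
                             "first": start["CreationTime"].isoformat(),
                             "last": win[-1]["CreationTime"].isoformat()}
                break
    return found


def detect_brute_force(events, window=timedelta(minutes=10), min_attempts=5):
    """The opposite shape: many failures against one account in a short
    window. Returns {(ip, account): attempts_in_window}."""
    found = {}
    for ip, fails in _failures_by_ip(events).items():
        by_account = defaultdict(list)
        for f in fails:
            by_account[f["UserId"].lower()].append(f["CreationTime"])
        for account, times in by_account.items():
            for i, start in enumerate(times):
                n = sum(1 for t in times[i:] if t - start <= window)
                if n >= min_attempts:
                    found[(ip, account)] = n
                    break
    return found


def successes_from_spray_ips(events, sprays):
    """Successful sign-ins from a spraying source: a password was found."""
    return [(e["UserId"].lower(), e["ClientIP"], e["CreationTime"].isoformat())
            for e in events
            if e["Operation"] == "UserLoggedIn" and e["ClientIP"] in sprays]


if __name__ == "__main__":
    evs = parse_events(EVENTS)
    sprays = detect_spray(evs)
    print("spray sources:", sprays)
    print("brute force:", detect_brute_force(evs))
    print("successes from spray IPs:", successes_from_spray_ips(evs, sprays))
```

The legitimate user at 192.0.2.44 (one failure, then a success) trips neither detector, which is the point of counting distinct accounts per source rather than failures per account. When a spray source is identified, the recipients in its account set are the ones to check for new forwarding rules and to push toward MFA first.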
  32. Story #4: Mailsploit
  33. PIE Future Plans and Development Priorities
     • 7.3.2 Case API integration
     • O365 URL Rewriting integration
     • IDS, firewall, and endpoint integration
     • Support for on-premise Exchange
     • Web leaderboard and open metrics
     • Implement Active Defense scripts
     • Seamless SIEM integration
     • Community integrations! What tools are you using? What else do you want to see PIE do?
  34. https://github.com/LogRhythm-Labs/PIE
  35. Bonus: Messing with Phishers…
  36. What About VoIP and SMS?
  37. What About VoIP and SMS?
  38. Thank You! Questions? Greg . Foss [at] logrhythm . com @heinzarelli https://github.com/LogRhythm-Labs/PIE/
