PIE - BSides Vancouver 2018
1 like1,498 views
The document discusses the growing threat of phishing attacks, emphasizing that the majority go undetected despite filtering measures. It shares several case studies illustrating how such attacks have successfully penetrated defenses, suggesting the need for enhanced security protocols like MFA. Future plans for developing security tools include integrations with Office 365 and improved case management functionalities.
![Thank You!
Questions?
Greg . Foss [at] logrhythm . com
@heinzarelli
https://github.com/LogRhythm-Labs/PIE/](https://image.slidesharecdn.com/piebsides-vancouver2018-180314182455/85/PIE-BSides-Vancouver-2018-61-320.jpg)
PIE - BSides Vancouver 2018
- 1. ©LogRhythm 2017. All rights reserved. Company Confidential PIE Active Defense Against Phishing
- 2. Greg Foss Manager, Global Security Operations OSCP, GMON, GAWN, GPEN, GWAPT, GCIH, CEH, APT
- 3. Email is the Gateway Corporate boundaries are a thing of the past…
- 4. Most Common Attack - Phishing 242 Phishing Attacks in Q4 Average 5 emails received per case – many 100+ email cases
- 5. 31% 12% 12% 11% 10% 9% 5% 5% 3% 2% Phishing Attack by Type Credential Theft Link Spam Social Engineering Malicious Link Wire Fraud Attempt Credential Theft Attachment Malicious PDF Macro Enabled Document Encrypted Attachment False Positive
- 6. Metrics are only from the ones that make it through
- 7. Majority of Spam and Malware are Blocked Automatically
- 8. It’s not Just Emails from Phishers to Worry About • Exchange OWA / O365 password spraying • Targeted mail scraping and extraction • Malicious rule creation • Passive account monitoring • Auto Forwarding • Email Spoofing • VoIP and SMS Spoofing • Data leakage • General Malware • …
- 11. • Extract email from specific users • Extract email from all affected users • Block senders • Unblock senders • Reset Office 365 credentials • Evaluate Message Forwarding rules • Create and update LogRhythm Cases • And more…
- 12. Story Time!
- 13. Quick Metrics • 90% of phishing attacks that make it through Office365 filters are never seen by LogRhythm Employees… • Those that make their way to inboxes are tracked, documented, and quarantined following a report from a user. • Of messages reported 75% are quarantined automatically
- 14. Story #1 – Phishing Exercise
- 18. Users Reporting to Phishing Address
- 24. Automate Metric Collection - Basics
- 25. Automate Metric Collection – Focus on the Positive
- 26. Automate Cleanup and Email Quarantine
- 28. What are you asking, Andy?
- 29. Poof
- 32. Actually registered logrhytthm.com under real name
- 33. Turns out he was an older script kiddie
- 36. Story #3 – Operation Nigerian Rhythm Low and Slow dictionary attacks against O365 – going on for months
- 37. ~3.5k attempts in 1-week
- 38. Eventually – they got in via credential phishing
- 39. And blasted the entire Sales org an hour later…
- 45. Round 2 – Bigger, better, and more disruptive Initial Phish Second Wave
- 46. Nick David Bob
- 48. ENABLE MFA!
- 49. Story #4 - Mailsploit
- 53. PIE Future Plans and Development Priorities • 7.3.2 Case API Integration • O365 URL Rewriting integration • IDS, Firewall, and Endpoint integration • Support for On-Premise Exchange • Web Leaderboard and Open Metrics • Implement Active Defense Scripts • Seamless SIEM integration • Community Integrations! - What tools are you using? - What else do you want to see PIE do?
- 54. ©LogRhythm 2017. All rights reserved. Company Confidential https://github.com/LogRhythm-Labs/PIE
- 55. ©LogRhythm 2017. All rights reserved. Company Confidential Bonus Messing with Phishers…
- 59. What About VoIP and SMS?
- 60. What About VoIP and SMS?
- 61. Thank You! Questions? Greg . Foss [at] logrhythm . com @heinzarelli https://github.com/LogRhythm-Labs/PIE/