Phishing Intelligence Engine (PIE): Open-Source Release
By Greg Foss
We are pleased to announce the release of the LogRhythm Phishing Intelligence Engine (PIE), an integrated application with LogRhythm’s Threat Lifecycle Management (TLM) platform.
What is Phishing Intelligence Engine (PIE)?
LogRhythm’s PIE can help streamline and automate the entire process of tracking, analyzing, and responding to phishing emails. PIE helps fight one of the most commonly used methods of network infiltration, the phishing attack, and gives you back valuable work time.
PIE is an open-source PowerShell framework that integrates with the LogRhythm TLM platform to help provide phishing attack detection and response to your organization. Built around Office 365, with the goal of expanding into on premise exchange in the near future, PIE continuously evaluates Message Trace logs for malicious content and dynamically responds as threats are identified or emails are reported.
The PIE framework consists of multiple scripts that are centered around the LogRhythm SIEM and work together to automate detection and response to cyberattacks. These scripts can be used with or without LogRhythm. PIE was not built to replace any existing phishing prevention toolset; its goal is to help fill the gaps in your current detection capabilities.
What Does PIE Do?
PIE plugs security gaps through a number of unique features and capabilities including:
- Determining email risk by analyzing subjects, senders, and recipients using RegEx, Threat Feed Correlation, and various API integrations
- Automatically responding to attacks by quarantining mail, blocking senders, and checking for clicks
- Performing sandbox analytics on all flagged email attachments and links
- Employing dynamic case management integration and metrics tracking
- Preventing sensitive data loss and verifying corporate email security
Figure 1: PIE Framework
PIE currently takes advantage of the following API integrations for analysis and project management. Note: please let us know what tools you’re using; we’re always looking for new ways to improve our detections!
- Cisco AMP Threat Grid: https://panacea.threatgrid.com
- Domain Tools: https://domaintools.com
- Get Link Info: http://getlinkinfo.com
- OpenDNS: https://www.opendns.com
- Phish Tank: http://www.phishtank.com
- Sucuri: https://sucuri.net
- Screenshot Machine: http://screenshotmachine.com
- URL Void: http://api.urlvoid.com
- VirusTotal: https://virustotal.com
- Wrike: https://www.wrike.com
- @SwiftOnSecurity RegEx: https://github.com/SwiftOnSecurity/PhishingRegex
Using PIE to Lower Phishing Detection and Response Time
Office 365 Message Trace Logging is at the core of the PIE infrastructure, allowing for the ingestion and dynamic analysis of email as these messages traverse your environment. Integrating this data with LogRhythm allows for quick and easy searching across all email data within your environment, via dashboards and drill-down analyst views.
Figure 2: Phishing Intelligence Engine Dashboard
Once this email data is flowing into your SIEM, you can integrate with the LogRhythm Threat Intelligence Services (TIS) to trigger alarms on known spammers and other malicious events within the data.
However, the data you generate internally is typically the best threat intel for your company. Therefore, every reported phishing attack that crosses a threshold is automatically added to an internal threat list, for alarming and possible blocking in the future.
Figure 3: LogRhythm AI Engine Alarms
Now alarms are great and all, but the real meat of PIE centers around Security Automation and Orchestration (SAO). For every alarm that fires, you can choose to have automated actions take place. This can be anything from quarantining mail from every recipient within the company, to changing credentials, to adding blocks on senders so that a specific sender can no longer phish the organization.
Running SmartResponse and PowerShell Scripts
To set up these automated actions, you can run LogRhythm’s SmartResponse directly from the LogRhythm dashboard, or you can perform these actions outside of your SIEM altogether, using the O365-Ninja PowerShell script.
Figure 4: O365-Ninja SmartResponse Plug-in Options
Figure 5: O365-Ninja PowerShell
Regardless of how you decide to respond to events within your network, you have the option of using either the SmartResponse or the O365-Ninja PowerShell script to create and update LogRhythm cases for every event. This is very useful for tracking metrics, analyzing threat content within a message, and much more.
In fact, the true value of PIE comes from the messages that users report, or odd emails that are detected on the wire, which are then analyzed for malicious content. Below is an example case that is created whenever an email is analyzed by PIE:
Figure 6: LogRhythm Case Management Dashboard
Automating Phishing Email Analysis with PIE
In addition to the case that is created within the SIEM, PIE uses a weighted scoring mechanism to determine the risk of the email in question. Assuming the email passes the defined threshold of risk, PIE can act on malicious emails and automatically quarantine the email from all recipients within the company, documenting every step of the process within the LogRhythm case.
PIE will also create a raw case file containing all data related to the phishing attack, including a report with general data about the email in question. This allows for quick and easy analysis, plus ongoing and persistent storage of all phishing attack cases, which helps significantly with metrics and reporting.
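As an added illustration of the weighted scoring and threshold decision described above, and of the message-trace evaluation mentioned earlier, the PowerShell below scores constructed Office 365 message-trace-style records against constructed regex rules and an internal threat list. This is not PIE’s own code; the field names, patterns, weights, threshold and sample records are all assumptions made for the example.

```powershell
# Added example (not PIE's own code): weighted risk scoring of constructed
# message-trace-style records. Rules, weights, threshold and data are assumptions.

# Constructed internal threat list; the page describes PIE building one from
# reported phish, and a real deployment would load it from the SIEM.
$InternalThreatList = @('bad-actor.example', 'lure.example')

# Constructed detection rules: a regex on one field, with a weight each.
# PowerShell's -match is case-insensitive by default.
$Rules = @(
    @{ Name = 'UrgentSubject';  Field = 'Subject';       Pattern = '\b(urgent|action required|account (suspended|locked))\b'; Weight = 2 }
    @{ Name = 'LookalikeBrand'; Field = 'SenderAddress'; Pattern = '(micros0ft|paypa1|0ffice365)';                             Weight = 3 }
    @{ Name = 'PasswordLure';   Field = 'Subject';       Pattern = '\b(password|verify your)\b';                              Weight = 1 }
)
$Threshold = 3   # constructed value; the page says the risk threshold is defined by you

function Get-PhishRiskScore {
    param([Parameter(Mandatory)] [pscustomobject] $Message)
    $score = 0
    $hits  = [System.Collections.Generic.List[string]]::new()
    foreach ($rule in $Rules) {
        # Dynamic property lookup so one loop covers subject, sender and recipient rules.
        if ($Message.($rule.Field) -match $rule.Pattern) {
            $score += $rule.Weight
            $hits.Add($rule.Name)
        }
    }
    # Threat-list correlation: a sender domain already on the internal list is a strong signal.
    $senderDomain = ($Message.SenderAddress -split '@')[-1]
    if ($InternalThreatList -contains $senderDomain) {
        $score += 4
        $hits.Add('InternalThreatList')
    }
    $action = if ($score -ge $Threshold) { 'Quarantine' } else { 'Monitor' }
    [pscustomobject]@{
        MessageId = $Message.MessageId
        Score     = $score
        Hits      = ($hits -join ',')
        Action    = $action
    }
}

# Constructed records using a subset of the fields a message trace exposes.
$Trace = @(
    [pscustomobject]@{ MessageId = 'm1'; SenderAddress = 'it-helpdesk@micros0ft-login.example'; RecipientAddress = 'alice@corp.example'; Subject = 'URGENT: verify your password' }
    [pscustomobject]@{ MessageId = 'm2'; SenderAddress = 'newsletter@vendor.example';          RecipientAddress = 'bob@corp.example';   Subject = 'Monthly product update' }
    [pscustomobject]@{ MessageId = 'm3'; SenderAddress = 'billing@lure.example';               RecipientAddress = 'carol@corp.example'; Subject = 'Invoice attached' }
)
$Trace | ForEach-Object { Get-PhishRiskScore -Message $_ } | Format-Table -AutoSize
```

With these constructed weights, m1 scores 6 and m3 scores 4 (both at or above the threshold, so they would be flagged for quarantine), while m2 scores 0 and is only monitored.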
Figure 7: Case File, Spam Report, and Link
Metrics are tracked over time via tagging within the SIEM to create easy reporting and accountability.
Figure 8: Phishing Cases Tracked Over Time
The key to making everything work well together is with end-user reporting and education. To help with this, LogRhythm developed a Microsoft Outlook button that can be integrated with the end-user’s Outlook client.
Figure 9: Report Phishing Outlook Button
This button takes the currently viewed email and sends it along to the pre-defined phishing inbox as an attachment, resulting in easy processing and full automation. Even without the button, you can ask your organization to forward emails to a defined phishing inbox as an attachment, and PIE will take care of the rest.
Using the report phishing button, or simply establishing a phishing-reporting procedure, will effectively free up your time. With PIE, you can focus on more interesting and pressing tasks, as opposed to digging through commodity phishing emails and responding to clicked links.
Take a bite out of the PIE and let us know what other integrations you would like to see in the future by commenting below.