Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: InfoSec Handlers Diary Blog - Automating Phishing Analysis using BRO InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Automating Phishing Analysis using BRO

Published: 2015-12-04
Last Updated: 2015-12-04 21:32:36 UTC
by Tom Webb (Version: 2)
4 comment(s)

(UPDATE: Reader Tommy found a issue with script (THANKS!), New version 1.1 is posted.)

 

Determining the effectiveness of Phishing campaigns using metrics is great to be able to target awareness training for users and determining the effectiveness of your technical controls. The main questions you are trying to answer are :

  • How many people were targeted by the phish?

  • How many people replied? (If applicable)

  • How many people visited the website in the email?

  • How many people submitted credentials to the website?

 

Getting these answers with manual digging can be a chore, but if you are running security onion (securityonion.net) with BRO,  I wrote a script that will gather this information for you.  

 

The basic setup is at the top of the script and you need to setup the location of your compressed files for BRO. This should be the top folder where each day is listed.  Also, if you want to change the temp or log location, you can do this.

 

brolog=/nsm/sensor_data/itso-sen-1/bro/itso-sen-1-eth4

WORKINGDIR=$(/bin/mktemp -d)

STATS_LOG=/var/log/phish-stats.log

 

Make sure the script has permissions:

$chmod 750 /usr/local/bin/bro-phish.sh

 

The arguments for the script are  SUBJECT EMAIL_SENDER SPOOFED_SITE DATE.  In this case the attacker used the email address “john@mydomain.com”  with the subject of “NOTICE” and the website they wanted you to click on was  hxxp://www.newversion.esy.es.

 

$bro-phis.sh "NOTICE" john@mydomain.com hxxp://www.newversion.esy.es 2015-11-03

 

#######Summary Details#####

Total number of emails:50

Possible replies to mail:0

Total numbers of visitors to site:5

Number of POSTS to the website:1

 

#######DETAILS#####

Malicious IP mail sent from: 192.168.200.2

Senders email address: john3468@mydomain.com

Senders mail agent: PHPMailer [version 1.71-blue_mailer]

 

IPs that accessed Phishing Site:

172.16.174.181, 172.16.49.116, 172.16.79.152, 172.16.79.184,172.16.79.193

 

IPs that sent POSTS to phishing Site:

172.16.79.184

 

Technical Response

While BRO doesn’t capture the POST data by default, you’ll have to rely on a full packet capture device or match up users to IP’s on your network to determine who submitted credentials. Once you have the user you should:

  • Determine if credentials were used for malicious activity.

  • Reset user(s) password. And monitor accounts for possible login from external IP’s.

 

Additionally, you should

  • Sinkhole the DNS/URL to prevent others from accessing the site.

  • Submit to phishtank and other reputations websites

 

Non-Technical Response

Review why the phish was successful and determine if your current awareness training covers the topic appropriately.  The user(s) who submitted credentials should receive a refresher for your awareness training. An additional follow-up from the security group or their supervisor should happen with the specifics on the incident and how they can improve in the future.

 

Metrics

By tracking how successful each phishing campaign is, you can start determining how successful both your technical and non-technical controls are.  As time goes by you should see a decrease in how many visits to the site and credentials submitted.

 

Log file

When you run the script, it generates a log file (Default /var/log/phish-stats.log). This will allow you to gather metrics on each campaign in a quick and easy way. The log is “|” delimited and the format is below. You can load this file up into excel and do some number magic to see your progress.

 

"$date|$sender|$subject|$total_mail|$email_responses|$web_visits|$post_web_visits|$malicious_ip|$mail_agent|$vic_ip"

 

2015-11-03|john@mydomain.com|NOTICE|50|0|5|1|172.16.174.181, 172.16.49.116, 172.16.79.152, 172.16.79.184|-|-|

 

You can access the script on my github at hxxps://goo.gl/zJnEH4 or (hxxps://github.com/tcw3bb/ISC_Posts/blob/master/bro-phish.sh)

 
--

Tom Webb

4 comment(s)
Diary Archives