(UPDATE: Reader Tommy found a issue with script (THANKS!), New version 1.1 is posted.)
Determining the effectiveness of Phishing campaigns using metrics is great to be able to target awareness training for users and determining the effectiveness of your technical controls. The main questions you are trying to answer are :
Getting these answers with manual digging can be a chore, but if you are running security onion (securityonion.net) with BRO, I wrote a script that will gather this information for you.
The basic setup is at the top of the script and you need to setup the location of your compressed files for BRO. This should be the top folder where each day is listed. Also, if you want to change the temp or log location, you can do this.
brolog=/nsm/sensor_data/itso-sen-1/bro/itso-sen-1-eth4 WORKINGDIR=$(/bin/mktemp -d) STATS_LOG=/var/log/phish-stats.log
Make sure the script has permissions: $chmod 750 /usr/local/bin/bro-phish.sh
The arguments for the script are SUBJECT EMAIL_SENDER SPOOFED_SITE DATE. In this case the attacker used the email address “john@mydomain.com” with the subject of “NOTICE” and the website they wanted you to click on was hxxp://www.newversion.esy.es.
$bro-phis.sh "NOTICE" john@mydomain.com hxxp://www.newversion.esy.es 2015-11-03
#######Summary Details##### Total number of emails:50 Possible replies to mail:0 Total numbers of visitors to site:5 Number of POSTS to the website:1
#######DETAILS##### Malicious IP mail sent from: 192.168.200.2 Senders email address: john3468@mydomain.com Senders mail agent: PHPMailer [version 1.71-blue_mailer]
IPs that accessed Phishing Site: 172.16.174.181, 172.16.49.116, 172.16.79.152, 172.16.79.184,172.16.79.193
IPs that sent POSTS to phishing Site: 172.16.79.184
Technical Response While BRO doesn’t capture the POST data by default, you’ll have to rely on a full packet capture device or match up users to IP’s on your network to determine who submitted credentials. Once you have the user you should:
Additionally, you should
Non-Technical Response Review why the phish was successful and determine if your current awareness training covers the topic appropriately. The user(s) who submitted credentials should receive a refresher for your awareness training. An additional follow-up from the security group or their supervisor should happen with the specifics on the incident and how they can improve in the future.
Metrics By tracking how successful each phishing campaign is, you can start determining how successful both your technical and non-technical controls are. As time goes by you should see a decrease in how many visits to the site and credentials submitted.
Log file When you run the script, it generates a log file (Default /var/log/phish-stats.log). This will allow you to gather metrics on each campaign in a quick and easy way. The log is “|” delimited and the format is below. You can load this file up into excel and do some number magic to see your progress.
"$date|$sender|$subject|$total_mail|$email_responses|$web_visits|$post_web_visits|$malicious_ip|$mail_agent|$vic_ip"
2015-11-03|john@mydomain.com|NOTICE|50|0|5|1|172.16.174.181, 172.16.49.116, 172.16.79.152, 172.16.79.184|-|-|
You can access the script on my github at hxxps://goo.gl/zJnEH4 or (hxxps://github.com/tcw3bb/ISC_Posts/blob/master/bro-phish.sh) --
Tom Webb |
Tom 59 Posts ISC Handler Dec 4th 2015 |
Thread locked Subscribe |
Dec 4th 2015 6 years ago |
This is an awesome idea!
Is there a link to download the script? Thanks, |
Anonymous |
Quote |
Dec 4th 2015 6 years ago |
Dah! I see the link.
|
Anonymous |
Quote |
Dec 4th 2015 6 years ago |
FYI, I've been writing a library that allows Python to stream and decode bro logs into json format. https://github.com/red-green/broscanner
|
red0green 4 Posts |
Quote |
Dec 4th 2015 6 years ago |
Great script! Thank you so much!
|
red0green 2 Posts |
Quote |
Dec 4th 2015 6 years ago |
Sign Up for Free or Log In to start participating in the conversation!