Phishing Intelligence Engine (PIE): Open-Source Release

We are pleased to announce the release of the LogRhythm Phishing Intelligence Engine (PIE), an app that integrates with LogRhythm’s Threat Lifecycle Management (TLM) platform.


What is Phishing Intelligence Engine (PIE)?

LogRhythm’s PIE can help streamline and automate the entire process of tracking, analyzing, and responding to phishing emails. PIE helps fight one of the most commonly used methods for network infiltration, the phishing attack, to give you back valuable work time.

PIE is an open-source PowerShell framework that integrates with the LogRhythm TLM platform to help provide phishing attack detection and response to your organization. Built around Office 365, with the goal of expanding into on-premises Exchange in the near future, PIE continuously evaluates Message Trace logs for malicious content and dynamically responds as threats are identified or emails are reported.

Click here to view and download PIE.

The PIE framework consists of multiple PowerShell scripts that work together with the LogRhythm TLM Platform to automate detection and response to phishing cyberattacks. These scripts can be used with or without LogRhythm, but working together they provide an automated solution leveraging commercial or open-source sandboxing for threat validation.

What Does PIE Do?

PIE plugs security gaps through a number of unique features and capabilities including:

  • Determining email risk by analyzing subjects, senders, and recipients using RegEx, Threat Feed Correlation, and various API integrations to sandboxing tools

  • Automatically responding to attacks by quarantining mail, blocking senders, and checking embedded links for potential threats

  • Performing sandbox analytics on all automatically flagged email attachments and embedded links

  • Employing dynamic integration with LogRhythm Case Management or other project management tools and metrics tracking

  • Preventing sensitive data loss and validating corporate email security controls

Figure 1: PIE Framework

Using PIE to Lower Phishing Detection and Response Time

Office 365 Message Trace Logging is at the core of the PIE infrastructure, allowing for the ingestion and dynamic analysis of email as these messages traverse your environment. Integrating this data with LogRhythm allows for quick and easy searching across all email data within your environment, via dashboards and drill-down analyst views.

Figure 2: Phishing Intelligence Engine Dashboard

Once this email data is being collected, you can integrate with the LogRhythm Threat Intelligence Services (TIS) to trigger alarms on known spammers and other malicious events within the data.

However, the data you generate internally is typically the best threat intel for your company. Therefore, every reported phishing attack that crosses a threshold is automatically added to an internal threat list, for alarming and possible blocking in the future.

Figure 3: LogRhythm AI Engine Alarms

Now alarms are great and all, but the real meat of PIE centers around Security Automation and Orchestration (SAO). For every alarm that fires, you can choose to have automated actions take place. This can be anything from quarantining mail from every recipient within the company, to changing credentials, to adding blocks on senders, ensuring that specific user can no longer phish the organization.

Running SmartResponse and PowerShell Scripts

To set up these automated actions, you can run LogRhythm’s SmartResponse directly from the LogRhythm dashboard, or you can perform these actions outside of the TLM platform altogether, using the O365-Ninja PowerShell script.

Figure 4: O365-Ninja LogRhythm SmartResponse™ Plug-in Options

Figure 5: O365-Ninja PowerShell

Regardless of how you decide to respond to events within your network, you have the option of using either the LogRhythm SmartResponse or the O365-Ninja PowerShell script to create and update LogRhythm Cases for every event. This is very useful for tracking metrics, analyzing threat content within a message, and much more.

In fact, the true value of PIE comes from the messages that users report, or odd emails that are detected on the wire, that are then analyzed for malicious content. Below is an example case that is created whenever an email is analyzed by PIE:

Figure 6: LogRhythm Case Management Dashboard

Automating Phishing Email Analysis with PIE

In addition to the case that is created within the LogRhythm TLM Platform, PIE uses a weighted scoring mechanism to determine the risk of the email in question. Assuming the email passes the defined threshold of risk, PIE can act on malicious emails and automatically quarantine the email from all recipients within the company, documenting every step of the process within the LogRhythm case.
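A weighted score with a quarantine threshold, as described above, can be sketched in PowerShell as follows. This is an added illustration, not PIE's own code: the weights, regex patterns, threshold, field names, `Get-PhishScore` function and sample messages are all constructed assumptions.

```powershell
# Illustrative weighted phishing score (not PIE's code). All weights, patterns,
# the threshold and the sample records below are constructed for this example.
$Threshold = 5

# Internal threat list: senders previously reported above the threshold (constructed).
$ThreatList = @('billing@invoice-update.example')

# Each rule: the message field to test, a regex, and the weight added on a match.
$Rules = @(
    @{ Field = 'Subject'; Pattern = '(?i)\b(urgent|verify|password|invoice)\b'; Weight = 2 }
    @{ Field = 'Subject'; Pattern = '(?i)^(re|fw):\s*$';                       Weight = 1 }
    @{ Field = 'Sender';  Pattern = '(?i)@.*\.(zip|top|xyz)$';                 Weight = 2 }
    @{ Field = 'Links';   Pattern = '(?i)^https?://\d{1,3}(\.\d{1,3}){3}';     Weight = 3 }
)

function Get-PhishScore {
    param([Parameter(Mandatory)] [hashtable] $Message)

    $score = 0
    $reasons = @()
    foreach ($rule in $Rules) {
        # A field may hold one value or several (for example, multiple links).
        foreach ($value in @($Message[$rule.Field])) {
            if ($value -match $rule.Pattern) {
                $score += $rule.Weight
                $reasons += "$($rule.Field) matched $($rule.Pattern)"
                break   # count each rule at most once per message
            }
        }
    }
    # Correlate the sender against the internal threat list.
    if ($ThreatList -contains $Message.Sender) {
        $score += 4
        $reasons += 'Sender is on internal threat list'
    }
    [pscustomobject]@{
        Sender     = $Message.Sender
        Score      = $score
        Quarantine = ($score -ge $Threshold)   # act only above the risk threshold
        Reasons    = $reasons
    }
}

# Constructed sample messages, shaped loosely like message-trace records.
$samples = @(
    @{ Sender = 'billing@invoice-update.example'; Subject = 'URGENT: invoice overdue'; Links = @('http://203.0.113.7/pay') }
    @{ Sender = 'colleague@corp.example'; Subject = 'Lunch on Friday?'; Links = @() }
)
$samples | ForEach-Object { Get-PhishScore -Message $_ } | Format-Table Sender, Score, Quarantine
```

Keeping the `Reasons` list alongside the score gives the analyst the evidence behind each quarantine decision, which is what a case record needs.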

PIE will also create a raw case file containing all data related to the phishing attack, including a report containing general data about the email in question. This allows for quick and easy analysis, plus ongoing and persistent storage of all phishing attack cases—helping out significantly with metrics and reporting.

Figure 7: Case File, Spam Report, and Link

Metrics are tracked over time via tagging within LogRhythm Case Management to create easy reporting and accountability.

Figure 8: Phishing Cases Tracked Over Time

The key to making everything work well together is end-user reporting and education. To help with this, LogRhythm developed a Microsoft Outlook button that can be integrated with the end-user’s Outlook client.

Figure 9: Report Phishing Outlook Button

This button takes the currently viewed email and sends it along to the pre-defined phishing inbox as an attachment, resulting in easy processing and full automation. Even without the button, you can ask your organization to forward emails to a defined phishing inbox as an attachment, and PIE will take care of the rest.

Using the report phishing button, or simply employing phishing reporting protocol, will effectively free up your time. With PIE, you can focus on more interesting and pressing tasks, as opposed to digging through commodity phishing emails and responding to clicked links.

PIE Integrations

PIE currently takes advantage of the following API integrations for analysis and project management. Note: Please let us know what tools you’re using; we’re always looking for new ways to improve our detections!

Take a bite out of the PIE and let us know what other integrations you would like to see in the future by commenting below.
