What is Phishing Intelligence Engine (PIE)?
LogRhythm’s PIE can help streamline and automate the entire process of tracking, analyzing, and responding to phishing emails. PIE helps fight one of the most commonly used methods for network infiltration—the phishing attack–to give you back valuable work time.
PIE is an open-source PowerShell framework that integrates with the LogRhythm NextGen SIEM Platform to help provide phishing attack detection and response to your organization. Built around Office365 with the goal of expanding into on premise exchange in the near future, PIE continuously evaluates Message Trace logs for malicious content and dynamically responds as threats are identified or emails are reported.
The PIE framework consists of multiple PowerShell scripts that work together with the LogRhythm TLM Platform to automate detection and response to phishing cyberattacks. These scripts can be used with or without LogRhythm. While the PIE framework can be used without LogRhythm, working together provides an automated solution leveraging commercial or opensource sandboxing for threat validation.
What Does PIE Do?
PIE plugs security gaps through a number of unique features and capabilities including:
Determining email risk by analyzing subjects, senders, and recipients using RegEx, Threat Feed Correlation, and various API integrations to sandboxing tools
Automatically responding to attacks by quarantining mail, blocking senders, and checking embedded links for potential threats
Performing sandbox analytics on all automatically flagged email attachments and embedded links
Employing dynamic integration with LogRhythm Case Management or other project management tools and metrics tracking
Preventing sensitive data loss and validating corporate email security controls
Figure 1: PIE Framework
Using PIE to Lower Phishing Detection and Response Time
Office 365 Message Trace Logging is at the core of the PIE infrastructure, allowing for the ingestion and dynamic analysis of email as these messages traverse your environment. Integrating this data with LogRhythm allows for quick and easy searching across all email data within your environment, via dashboards and drill-down analyst views.
Figure 2: Phishing Intelligence Engine Dashboard
Once this email data is being collected, you can integrate with the LogRhythm Threat Intelligence Services (TIS) to trigger alarms on known spammers and other malicious events within the data.
However, the data you generate internally is typically the best threat intel for your company. Therefore, every reported phishing attack that crosses a threshold is automatically added to an internal threat list, for alarming and possible blocking in the future.
Figure 3: LogRhythm AI Engine Alarms
Now alarms are great and all, but the real meat of the PIE centers around security orchestration, automation, and response (SOAR). For every alarm that fires, you can choose to have automated actions take place. This can be anything from quarantining mail from every recipient within the company, to changing credentials, to adding blocks on senders—ensuring that specific user can no longer phish the organization.
Running SmartResponse and PowerShell Scripts
To set up these automated actions, you can run LogRhythm’s SmartResponse directly from the LogRhythm dashboard, or you can perform these actions outside of the TLM platform altogether, using the O365-Ninja PowerShell script.
Figure 4: O365-Ninja LogRhythm SmartResponse™ Plug-in Options
Figure 5: O365-Ninja PowerShell
Regardless of how you decide to respond to events within your network, you have the option of using either the LogRhythm SmartResponse or the O365-Ninja PowerShell script to create and update LogRhythm Cases for every event. This is very useful for tracking metrics, analyzing threat content within a message, and much more.
In fact, the true value of PIE comes from the messages that users report, or odd emails that are detected on the wire, that are then analyzed for malicious content. Below is an example case that is created whenever an email is analyzed by PIE:
Figure 6: LogRhythm Case Management Dashboard
Automating Phishing Email Analysis with PIE
In addition to the case that is created within the LogRhythm TLM Platform, PIE uses a weighted scoring mechanism to determine the risk of the email in question. Assuming the email passes the defined threshold of risk, PIE can act on malicious emails and automatically quarantine the email from all recipients within the company, documenting every step of the process within the LogRhythm case.
PIE will also create a raw case file containing all data related to the phishing attack, including a report containing general data about the email in question. This allows for quick and easy analysis, plus ongoing and persistent storage of all phishing attack cases—helping out significantly with metrics and reporting.
Figure 7: Case File, Spam Report, and Link
Metrics are tracked over time via tagging within LogRhythm Case Management to create easy reporting and accountability.
Figure 8: Phishing Cases Tracked Over Time
The key to making everything work well together is with end-user reporting and education. To help with this, LogRhythm developed a Microsoft Outlook button that can be integrated with the end-user’s Outlook client.
Figure 9: Report Phishing Outlook Button
This button takes the currently viewed email and sends it along to the pre-defined phishing inbox as an attachment, resulting in easy processing and full automation. Even without the button, you can ask your organization to forward emails to a defined phishing inbox as an attachment, and PIE will take care of the rest.
Using the report phishing button, or simply employing phishing reporting protocol, will effectively free up your time. With PIE, you can focus on more interesting and pressing tasks, as opposed to digging through commodity phishing emails and responding to clicked links.
PIE currently takes advantage of the following API integrations for analysis and project management. Note: Please let us know what tools you’re using, we’re always looking for new ways to improve our detections!
Cisco AMP Threat Grid: https://panacea.threatgrid.com
Domain Tools: https://domaintools.com
Get Link Info: http://getlinkinfo.com
Phish Tank: http://www.phishtank.com
Screenshot Machine: http://screenshotmachine.com
URL Void: http://api.urlvoid.com
@SwiftOnSecurity RegEx: https://github.com/SwiftOnSecurity/PhishingRegex
Take a bite out of the PIE and let us know what other integrations you would like to see in the future by commenting below.