
Reviewing the 2015 Verizon DBIR, it was interesting to see that the top target for cyber espionage was manufacturing. The DBIR mentions that while everyone has been interested in attribution when it comes to breaches, nearly two-thirds of the incidents reported had no attribution.

Although there are groups after governments, the bulk of the attacks were against manufacturing with the intention of stealing trade secrets.

What is not so surprising are the most commonly used attack vectors, which include none other than phishing in the form of email attachments, links and, increasingly, web drive-by attacks.

On a recent tour around the country visiting groups of CISOs, one of the biggest frustrations has been phishing. Although many have had a number of trainings for staff with countless awareness campaigns, people still fall for phishing attacks.

As Dwayne mentioned in his post, phishing attacks have become more sophisticated. Many of the data breaches we have experienced over the past few years have made more personal data available to malicious groups than ever before, making us all easier targets.

So, if training and awareness don’t work, what else can be done? The Verizon DBIR points to logging as an answer, not just your traditional system logs, but logging email transactions, DNS and web proxy requests:

Log all DNS requests and log all web proxy requests and invest in solutions that will help you ingest and analyze this data both on the fly and forensically. Even if you don’t manage to detect or deter these adversaries, you will at least have a much easier time figuring out what they did after the fact.

Logging this granular data may seem impossible, or to many it may sound like it will require an expensive appliance or software package. However, it can be done on the cheap. One easy way to collect both DNS and web proxy data is by using Bro IDS.

Bro IDS is a robust and mature open source network analysis framework that goes beyond traditional IDS systems and allows for analysis of multiple protocols. The tool analyzes network traffic and extracts the data to log files, with different files for different protocols and data types and automatically rotates/archives them:

[Screenshot: listing of Bro log files]

As you can see, there is a log file for HTTP, DNS, SSH and some other files. These files are created automatically as the various protocols and data types are detected. You will also notice there are log files created for “files.” This can be helpful in identifying malicious files that were downloaded from a phishing attack and can be correlated with HTTP and DNS traffic associated with that session ID.

So, we can see how Bro can allow us to log data related to phishing, which can help us investigate after the fact. However, what about real-time detection?

This is where Critical Stack comes in. The project is headed up by none other than Liam Randall, a well-known Bro guru, as well as Dustin Webber, creator of Snorby. They have made threat intelligence integration with Bro a breeze and provide an easy-to-integrate library of open source threat intelligence feeds.

For this example, there are two phishing threat intelligence feeds you can add to your collection: PhishTank and OpenPhish. You add the feeds to a “collection” and then assign the collection to a “sensor.” From there, you are provided some simple command line entries and your API key, and your feed is integrated with your sensor.



Once added, these feeds are updated automatically, and the sensor monitors network traffic for links and domains of known phishing attacks. The output will be loaded into an “intel.log” file, which can also be routed in real-time via syslog. In addition, you can then correlate that traffic with any files downloaded to the system and check the hashes for known malware.
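The after-the-fact side of this can be sketched as a retrospective sweep: the added example below (not code from this post, Bro or Critical Stack) reads Bro's tab-separated dns.log and http.log, flags names on a phishing domain list, and joins HTTP hits to files.log through the connection uid to surface file hashes. The log rows, the indicator domain and the hash are constructed, the logs are trimmed to a few columns, and treating subdomains of a listed domain as hits is a choice made for this example.

```python
# Constructed sample logs in Bro's tab-separated format, trimmed to a few columns.
DNS_LOG = """#path\tdns
#fields\tts\tuid\tid.orig_h\tquery
1429300001.0\tCdns01\t10.0.0.15\twww.example.org
1429300002.0\tCdns02\t10.0.0.22\tlogin.phish.example
"""
HTTP_LOG = """#path\thttp
#fields\tts\tuid\tid.orig_h\thost\turi
1429300003.0\tChttp01\t10.0.0.22\tlogin.phish.example\t/invoice.zip
1429300004.0\tChttp02\t10.0.0.15\twww.example.org\t/index.html
"""
FILES_LOG = """#path\tfiles
#fields\tts\tfuid\tconn_uids\tmime_type\tmd5
1429300003.5\tFabc01\tChttp01\tapplication/zip\t00000000000000000000000000000000
"""
# Constructed indicator list standing in for a phishing feed (assumption).
PHISHING_DOMAINS = {"phish.example"}

def read_bro_log(text):
    """Yield one dict per record, using the '#fields' header for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))

def is_listed(name, indicators):
    """True if name equals an indicator domain or is a subdomain of one."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in indicators for i in range(len(labels)))

def sweep(dns_text, http_text, files_text, indicators):
    """Return hits from dns.log and http.log, with files tied to each hit's uid."""
    files_by_uid = {}
    for rec in read_bro_log(files_text):
        for uid in rec["conn_uids"].split(","):  # conn_uids is a set-valued field
            files_by_uid.setdefault(uid, []).append((rec["mime_type"], rec["md5"]))
    hits = []
    for path, text, column in (("dns", dns_text, "query"), ("http", http_text, "host")):
        for rec in read_bro_log(text):
            if is_listed(rec[column], indicators):
                hits.append({"log": path, "uid": rec["uid"], "client": rec["id.orig_h"],
                             "indicator": rec[column], "files": files_by_uid.get(rec["uid"], [])})
    return hits

if __name__ == "__main__":
    for hit in sweep(DNS_LOG, HTTP_LOG, FILES_LOG, PHISHING_DOMAINS):
        print(hit)
```

The md5 values returned for a hit are what you would then check against known-malware hashes.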

If you are interested in learning more, visit our booth at RSA next week. Liam Randall and I will be presenting on Wednesday at 3:30 PM at the Tripwire booth (#3301). Liam will be providing a deeper dive into Bro and Critical Stack feeds, and I will show how to integrate this data with Tripwire’s suite for real-time network threat detection, alerting, automation and rapid forensics.