Preparing users for phishing attacks with Splunk

Why waste time and energy trying to crack passwords or hack through some obscure and complex vulnerability when there is a much easier way to breach a computer network?

Want a break in? Just ask for an invitation.

Phishing is probably the simplest way to get reliable, authentic access to a target network. By baiting users into visiting a website or downloading code, hackers can persuade them to hand over valuable access to vital data stored in even the most secure environments.

One Splunk customer in the healthcare industry found an ingenious way to fight back. Techniques they developed with Splunk have helped them harden their network against social engineering attacks and better protect patient data. The tactic has been cheap and revealing, and it has saved them a great deal of money.

Medical records have become some of the most valuable stolen data in online markets. That puts healthcare organizations in a uniquely vulnerable position.

One healthcare provider was searching for a way to deliver what might be thought of as a “phish bait” service. They would test their own network with phony phishing attacks in order to heighten general awareness of the practice and identify unprepared users.

Finding an external provider for such a service was proving to be expensive and they were looking for alternatives. They settled on an internally managed approach based on Splunk.

They now create and distribute their own phony phishing emails and index the results into Splunk for reporting, analytics, and even remediation.

Here’s how it works:

  • Install Splunk on the web server hosting the phony phishing site.
  • Send a phishing email to a randomized list of internal users using a script.
  • Each email contains a link to the phishing site that carries a session ID unique to that user, so every click can be traced back to the recipient.
  • The web page informs the user that this was a test and that in a real attack their account information would have been compromised.
  • Session IDs from the “compromised” users are indexed into Splunk.

Reports are generated on a scheduled basis. The reports inform department managers of results. Repeat offenders (yes, there are people who fell for this more than once) are given special attention.
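As an added example of the pipeline above (illustrative code written for this page, not the customer's or Splunk's own), the following Python script covers the steps in the list and the reporting that follows: it generates an unguessable session ID per recipient for the emailed link, parses the web server access log that Splunk would index, joins the clicks back to the recipients, summarises the results by department and flags repeat offenders across campaigns. The hostname, path, user records and log lines are constructed for the example; the HEAD request in the sample log stands in for the automated link scanners that can otherwise register as clicks.

```python
"""Added example, not the original page's code: a minimal phishing-simulation
pipeline of the kind the post describes.  Per-recipient session IDs go into the
email links; the web server access log (what Splunk would index) is then joined
back to the recipients to find who clicked, broken down by department, and
checked for repeat offenders across campaigns.  All hostnames, users and log
lines below are constructed for illustration."""
import re
import secrets
from collections import Counter
from urllib.parse import parse_qs, urlsplit

LANDING = "https://training.example.internal/verify"   # assumed phishing-site URL


def build_campaign(recipients):
    """Map an unguessable session ID to each recipient.

    secrets.token_urlsafe(16) yields 128 random bits, so no user can craft a
    link that attributes a click to a colleague.  This manifest lives with the
    mailing/reporting side only; the web server never needs it."""
    return {secrets.token_urlsafe(16): user for user in recipients}


def email_body(user, sid):
    """Text of the phony phishing email; the unique session ID rides in the link."""
    return (f"Dear {user['name']},\n\nYour mailbox quota has been exceeded. "
            f"Please verify your account: {LANDING}?sid={sid}\n")


# Combined log format, one request per line; the request path carries ?sid=.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')


def clicked_session_ids(access_log):
    """Return the sid of every successful GET of the landing page, in log order.

    Only GETs with a 200 count: mail gateways and link scanners tend to fetch
    links with HEAD or other automated requests, which would otherwise show
    up as a user 'click'.  This is a crude first cut, not a complete filter."""
    sids = []
    for line in access_log.splitlines():
        m = _LOG_RE.match(line)
        if not m or m["method"] != "GET" or m["status"] != "200":
            continue
        parts = urlsplit(m["path"])
        if parts.path != urlsplit(LANDING).path:
            continue                      # static assets, favicon, etc.
        sids.extend(parse_qs(parts.query).get("sid", []))
    return sids


def campaign_results(manifest, access_log):
    """Return (compromised users by email, clicks per department, unknown sids).

    A sid that is not in the manifest is a forged or mangled link; it is
    reported rather than silently dropped so it cannot skew the numbers."""
    compromised, unknown = {}, []
    for sid in clicked_session_ids(access_log):
        user = manifest.get(sid)
        if user is None:
            unknown.append(sid)
        else:
            compromised[user["email"]] = user   # each user counted once per campaign
    by_dept = Counter(u["department"] for u in compromised.values())
    return compromised, dict(by_dept), unknown


def repeat_offenders(*campaign_compromised, min_hits=2):
    """Emails of users who took the bait in at least min_hits campaigns."""
    hits = Counter()
    for compromised in campaign_compromised:
        hits.update(compromised.keys())
    return sorted(email for email, n in hits.items() if n >= min_hits)


# Constructed sample data: a fixed manifest (as build_campaign would produce)
# and the access-log lines the web server would hand to Splunk.
SAMPLE_MANIFEST = {
    "aK3x-Qf7": {"email": "alice@example.internal", "name": "Alice", "department": "Billing"},
    "Zp9rT_2m": {"email": "bob@example.internal", "name": "Bob", "department": "Radiology"},
    "Lw4hC8nE": {"email": "carol@example.internal", "name": "Carol", "department": "Billing"},
}
SAMPLE_LOG = """\
10.1.4.20 - - [03/Mar/2014:09:12:01 -0500] "GET /verify?sid=aK3x-Qf7 HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
10.1.4.20 - - [03/Mar/2014:09:12:02 -0500] "GET /static/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.1.7.88 - - [03/Mar/2014:09:40:17 -0500] "GET /verify?sid=aK3x-Qf7 HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
10.1.9.3 - - [03/Mar/2014:10:05:44 -0500] "GET /verify?sid=Lw4hC8nE HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
10.1.9.3 - - [03/Mar/2014:10:05:50 -0500] "GET /verify?sid=not-a-real-id HTTP/1.1" 200 1834 "-" "curl/7.3"
10.1.2.2 - - [03/Mar/2014:10:30:00 -0500] "HEAD /verify?sid=Zp9rT_2m HTTP/1.1" 200 0 "-" "LinkScanner/1.0"
"""

if __name__ == "__main__":
    compromised, by_dept, unknown = campaign_results(SAMPLE_MANIFEST, SAMPLE_LOG)
    print("compromised:", sorted(compromised))
    print("by department:", by_dept)
    print("unknown sids:", unknown)
    print("repeat offenders:", repeat_offenders(compromised, {"alice@example.internal": {}}))
```

Inside Splunk the same join is a search rather than a script: extract the sid from the request URI with `rex`, `lookup` it against the campaign manifest uploaded as a lookup table, and `stats count by department` (an assumed sketch of the search, not the customer's). Whoever can read the manifest can forge a click for any colleague, so keep it off the web server and out of the lookup's read permissions for ordinary users, and watch the unknown-sid bucket: it is where forged or mangled links surface.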

The team was able to demonstrate the campaign to executives with Splunk reports showing the progress of the “attack” as it developed in real time. The success of this campaign has opened up new opportunities for the Splunk users to demonstrate the capabilities of the platform in numerous other areas.

Posted by Chris Ladd