threat_analyzer_-_mail_plugin

Differences

This shows you the differences between two versions of the page.

threat_analyzer_-_mail_plugin [2018/05/24 08:52]
lucy [Incident Dashboard - Filters & Views]
threat_analyzer_-_mail_plugin [2019/06/03 16:57] (current)
lucy
Line 1: Line 1:
 ====== Phishing Incidents (threat analyzer) ====== ====== Phishing Incidents (threat analyzer) ======
  
-LUCY comes with a “Phish Alert” plugin for mail clients. This add-in gives your users a safe way to forward suspected Emails with only one click and have them analzed ​automatically by the threat analyzer in LUCY. The tool empowers users to proactively participate in an organization’s security program and makes it easy for your employees to report any suspicious email they receive. If you enabled "Send Reports Over HTTP", mail will get forwarded to LUCY. You will find them on the "​incident"​ menu:+LUCY comes with a “Phish Alert” plugin for mail clients. This add-in gives your users a safe way to forward suspected Emails with only one click and have them analyzed ​automatically by the threat analyzer in LUCY. The tool empowers users to proactively participate in an organization’s security program and makes it easy for your employees to report any suspicious email they receive. If you enabled "Send Reports Over HTTP", mail will get forwarded to LUCY. You will find them on the "​incident"​ menu:
  
 {{ threat0.png?​600 }} {{ threat0.png?​600 }}
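Review bot: The "analzed" → "analyzed" fix is correct, but the same sentence on the right side still capitalizes "Emails" mid-sentence ("forward suspected Emails") and the last sentence names the menu as "incident" while the rest of the page calls it the Incidents dashboard; suggest "suspected emails" and one consistent menu name. The paragraph also only describes the case where "Send Reports Over HTTP" is enabled; a short sentence on where reports go when it is disabled would complete the setup description.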
Line 10: Line 10:
 **Filter by status:** At the top level, LUCY allows you to filter the reported mails by the status of the ticket: **Filter by status:** At the top level, LUCY allows you to filter the reported mails by the status of the ticket:
  
-{{ dl_ot2.png?600 }}+{{:​phishing_incident_1.png?600|}}
  
-The default status is "​open"​unless it is a phishing simulation ​dedtected ​by LUCY. The other possible status are:+The default status is "​open"​ unless it is a phishing simulation ​detected ​by LUCY. The other possible status are:
  
   * Open   * Open
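Review bot: The rewritten right-hand line still has a number-agreement error: "The other possible status are:" should read "The other possible statuses are:". The line also says the default is "open" unless LUCY detects a phishing simulation, but does not state which status a detected simulation receives; naming it here (it is presumably one of the statuses in the list that follows) would close that gap.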
Line 37: Line 37:
   - Threat Details can be viewed by clicking on the date   - Threat Details can be viewed by clicking on the date
  
-{{ threat1.png?​600 }}+
 ===== Automatic Incident Analysis (Threat Analyzer) ===== ===== Automatic Incident Analysis (Threat Analyzer) =====
  
 There are a few automatic analysis routines build into LUCY (e.g. check an IP in Google'​s Safe Browsing Database or Phishtank Database). More checks will follow in the upcoming versions. There are a few automatic analysis routines build into LUCY (e.g. check an IP in Google'​s Safe Browsing Database or Phishtank Database). More checks will follow in the upcoming versions.
  
-LUCY will automatically flag mail simulations. All other mails can then be manually verified by the administrator. All mails can be downloaded as .msg file and/or add an incident report. When you click on a reported mail you will first see the overall risk score. The overall risk score is a weighted average of the following score from different scans:+LUCY will automatically flag mail simulations. All other emails ​can then be manually verified by the administrator. All emails ​can be downloaded as .msg file and/or add an incident report. When you click on a reported mail you will first see the overall risk score. The overall risk score is a weighted average of the following score from different scans:
  
   * Header Analysis   * Header Analysis
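Review bot: Removing "{{ threat1.png?600 }}" without a replacement leaves the preceding step ("Threat Details can be viewed by clicking on the date") with no screenshot of the details view it refers to; either restore the image or add the updated one. In the same hunk, the sentence "All emails can be downloaded as .msg file and/or add an incident report" is ungrammatical on both sides; suggest "All emails can be downloaded as a .msg file, and an incident report can be added." The unchanged context line should also say "built into LUCY", not "build into LUCY".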
Line 56: Line 56:
 The current sources (LUCY 3.7) are: The current sources (LUCY 3.7) are:
  
-  * https://safebrowsing.googleapis.com/v4/threatMatches:​find (port 443)+  * https://developers.google.com/​safe-browsing/v4/lookup-api
   * http://​data.phishtank.com/​data/​online-valid.csv (port 80)   * http://​data.phishtank.com/​data/​online-valid.csv (port 80)
   * DNS BL queries to bl.spamcop.net and zen.spamhaus.org   * DNS BL queries to bl.spamcop.net and zen.spamhaus.org
   * CI Army (list) (http://​cinsscore.com/​) - Network security Block Lists.   * CI Army (list) (http://​cinsscore.com/​) - Network security Block Lists.
-  * Palevo Blocklists (https://​palevotracker.abuse.ch/​blocklists.php) - Botnet C&C blocklists. 
   * Cybercrime tracker (http://​cybercrime-tracker.net/​) -   * Cybercrime tracker (http://​cybercrime-tracker.net/​) -
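Review bot: Replacing "https://safebrowsing.googleapis.com/v4/threatMatches:find (port 443)" with the developer-documentation URL drops the actual endpoint host and port that an administrator needs when allow-listing outbound traffic from the LUCY host, while every other entry in this list still states its port; suggest keeping the endpoint and port and adding the documentation link next to it. The Cybercrime tracker entry ends in a dangling "-" with no description on either side; give it the same short description the CI Army entry has.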
  
Line 74: Line 73:
 ===== Detection of real phishing mails vs. Phishing simulations ===== ===== Detection of real phishing mails vs. Phishing simulations =====
  
-The plugin automatically handles emails created in a phishing ​simulations ​from LUCY: it will ensure that only reports of potentially malicious emails are delivered to appropriate security staff. All emails created by LUCY itself will create a custom message to inform the user, that the mail has been send as a part of a security ​ awareness program. LUCY generated phishing ​mails won't be forwarded to the security team. But they will be reported back to LUCY in order to process the information within the campaign statistics. The reported ​mails will then be purged from the successful attack listings in LUCY.+The plugin automatically handles emails created in a phishing ​simulation ​from LUCY: it will ensure that only reports of potentially malicious emails are delivered to appropriate security staff. All emails created by LUCY itself will create a custom message to inform the user, that the mail has been sent as a part of a security awareness program. LUCY generated phishing ​emails ​won't be forwarded to the security team. But they will be reported back to LUCY in order to process the information within the campaign statistics. The reported ​emails ​will then be purged from the successful attack listings in LUCY.
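Review bot: The wording fixes ("simulation", "sent", "emails") are right; two remaining style points in the right-hand text: the comma in "inform the user, that the mail has been sent" should be dropped, and "LUCY generated phishing emails" should be hyphenated as "LUCY-generated phishing emails". The phrase "security staff" and "security team" are used for the same recipients in one paragraph; pick one.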
  
  
Line 87: Line 86:
   * Incident tab:   * Incident tab:
  
-{{ incident-dashboardssa.png?600 }}+{{:​incidents_3.png?600|}}
  
   * Under the campaign statistics (recipients) under the "​reported"​ item:   * Under the campaign statistics (recipients) under the "​reported"​ item:
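Review bot: The unchanged list item "Under the campaign statistics (recipients) under the "reported" item" repeats "under"; suggest "In the campaign statistics (recipients), under the "reported" item". The screenshot swap itself is fine.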
Line 97: Line 96:
 {{ incidentsja21.png?​600 }} {{ incidentsja21.png?​600 }}
  
-In LUCY 4.4, the incidents ​reports will also be integrated on the dashboard under the general statistics.+In LUCY, the incident ​reports will also be integrated on the dashboard under the general statistics.
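Review bot: Dropping "4.4" from "In LUCY 4.4, the incidents reports will also be integrated" removes the only statement of which version added the dashboard integration, and leaves a future-tense "will also be integrated" that no longer refers to any release. If the feature now exists in current versions, say so in the present tense ("Incident reports are also integrated on the dashboard under the general statistics") and keep the version as "since LUCY 4.4" if that is accurate; otherwise keep the original line.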
  
threat_analyzer_-_mail_plugin.1527144749.txt.gz · Last modified: 2018/05/24 08:52 by lucy