#SplunkLiveLDN: Defeating a Phishing Attack in 100 Minutes

Written by

Speaking at the Splunk Live conference in London, Nigel Spencer, head of security operations at Vocalink said that its deployment of Splunk was enabling compliance with various standards and creating an audit trail for changes “which provides us with a who, what, where, when and why analysis of a security event.”

He said that the real strength of the technology was in its ability to go back and look at past events within the infrastructure, and shared the timeline of an actual event. On one day at 11.25am the company received 64 phishing emails, 30 of which were delivered to valid email addresses and each contained a malicious attachment claiming to come from a UK retail bank.

Spencer said that four minutes later, users began to report their suspicions about the email using the Outlook plug in, and eight minutes later the security operations center began to triage an analysis process.

“By 11.55am, the response team confirmed that the email contained an XML script with embedded objects that had evaded our anti-malware and sandboxing controls, the team also confirmed that attempts had been made to connect to a server in Brazil,” he said.

By 12.17pm, Splunk log analysis showed that one user had opened the malicious attachment, and the attempted Brazilian server connection had been blocked by a web proxy and no second stage attack had taken place. Less than ten minutes later, at 12.24pm, the SOC team had determined that the attachment was a known exploit and by 1.09pm, a user had given over their laptop and the incident team stood down.

“The total time from detection to containment was 105 minutes, no malware persistence had been achieved and the confidentiality, integrity and availability of our systems and the data held had been maintained,” he said.

In giving closing advice from using Splunk technology in that instance, Spencer advised delegates that use cases answer these questions: have our use controls detected and prevented an attack, have we received an email as part of a wider phishing campaign, which users received the email and is there a known malicious file on a known user device.

Spencer also said that Splunk is used throughout the business and while he did not anticipate the members of the board using Splunk, it was more important that quantitative analysis can be provided to support the board’s common question: “How secure are we?”

What’s hot on Infosecurity Magazine?