2024-10-22 –, Echternach & Diekirch
The goal of the tool suite is to make it easier to handle suspicious contents reported by your users, friends or constituents. It empowers them to check URLs, emails, or files they receive and take educated decisions without relying on you all the time.
This workshop will go in depth on how you can configure Lookyloo and Pandora, and all the other tools that make it a complete tool suite usable in your organization with minimal manual work. We will also look at the correlation features to pivot across captures to find phishing campaigns in the 4+ millions captures gathered across the years on the CIRCL Lookyloo instance.
Lookyloo is an analysis tool to investigate URLs, Pandora is a static file analyzer. They both have public demo interfaces (1, 2) and I presented them at last year pass the salt (and demo effect is still a thing).
I invite you to watch the videos before attending the workshop so we're all on the same page: this workshop will be very dense as we will cover many tools, so we will start with a quick introduction but we will also assume you have a rough idea of what the tools are.
This workshop will be similar to the one we gave at Pass the Salt 2024, but with new features and improvements.
The main tools we will use are the following:
- Lookyloo (to analyze URLs)
- Pandora (to analyze files)
- Lacus (optionally, to capture the URLs when you have a lot of them)
- An URL monitoring interface (to compare a specific URL over time)
- Phishtank Lookup (to check if a URL is known or not)
We will also have a look at what a capture means for Lookyloo, and a deep dive in the settings you can pass when you're triggering one.
Due to time constraints, won't have much time to troubleshoot sysadmin issues on your own machines. Do not worry though, there are pre-configured instances of all the tools you'll be able to play with during the session, and use their APIs. If you want to install the tools on your machine, you'll need admin right on a recent linux box, preferably Ubuntu 24.04.
Formerly member of CIRCL, I moved to France but didn't go that far in spirit as I'm still part of the developers and maintainers for a whole bunch of tools there. Some say it is too many, we disagree.