Table of Contents
Monitor the progress of the campaign: all available campaign statistics
Where can I see the logged data?
The progress of the campaign can always be monitored in "real-time" under the statistics tabs or after a campaign using the reporting options or the CSV export. If you run only one scenario, you can look at the statistics in the Top Menu called “Statistics”.
Real time statistics in LUCY
When you access the "summary" overview page you see the overall campaign statistics. Only if you add an awareness content to your campaign, you will see the circle statistics:
If you access "statistics" tab, you will have at least 11 submenus:
- time
- technical stats
- categories
- events
- countries
- top worst
- collected data
- recipients
- awareness website
- benchmark
- compare
What attack related metrics can be logged in LUCY?
The following list of information can be collected within a phishing campaign:
- Emails Opened: Recipients opened the email (this statistic is based on a tracking image within the email. Many email clients will block the automatic download of images. As a result, this number might not be very accurate). Please read more about this feature here.
- Link Clicks: Recipients clicked the link in the email (a unique randomized URL that is generated by LUCY to match the link with the email recipient). Each user (SMS or Mail) gets a unique link (see chapter how links are created). It can be activated only once using a GET request from the client. So if a client clicks on the link and forwards the email to a different person, who also clicks on that link, it will still be considered only as one click. As a result any SPAM filter that follows the links within the email before delivering it to the final recipient might generate some false positives. Therefore it is important to always perform a test run.
- Successful Attacks: Recipients submitted data in a form (e.g. login data that is submitted via a form based POST request), clicked on a link, executed a file etc. A complete list of success status is here.
- Invalid submits: Recipients submitted data in a form (e.g. login data) - but it did not meet the filters in those input fields which you might have defined. More info can be found here.
- Hourly Stats: Page views, link clicks, successful attacks, invalid submits, etc.
- Daily Stats: Page views, link clicks, successful attacks, invalid submits, etc.
- Recipient Criteria's: Based on the usage of additional fields in the recipients list you can sort and filter the statistics for each field
- Operating System Of recipient. This information is based on the user agent string. See https://en.wikipedia.org/wiki/User_agent
- Browser type Of recipient: This information is based on the user agent string. See https://en.wikipedia.org/wiki/User_agent
- Browser Plugins Of recipient: This information is based on the user agent string. See https://en.wikipedia.org/wiki/User_agent
- File downloads (Requires you to append the ?tracking variable at the end of the download link). More details can be found here.
- IP: Remote IP address of your recipient. If your user is accessing the internet using a firewall, web proxy or any other gateway, LUCY will only display the remote accessible IP. Please note: sometimes your security products (firewall, mail gateway, provider infrastructure, web proxy, local scanner, IPS etc.) may examine the URL's sent to a recipient. Therefore it is possible that "unknown" IP's appear in the log where access is measured based on the request in the recipient's browser. The URL defined within the campaign for the respective recipient is called (%link% variable). This link consists of the domain of the scenario and a random string of numbers and letters containing at least 16 digits (e.g. http://your.domain.com/b1gyg9ux95ilkoom). This URL cannot be guessed or brute forced by a computer within a reasonable period of time. Since the recording of the access is based on the logfile of the webserver, which measures whether the random URL's generated in the system appears in the queries, false positives or errors can be completely excluded in the statistics.
- Vulnerable Browser | Vulnerable Client: Based on the user agent, LUCY will tell you if there is any misuse. A User Agent is a short string that web browsers and other applications send to identify themselves to web servers. A user agent string contains the following information: Mozilla/[version] ([system and browser information]) [platform] ([platform details]) [extensions]. Unfortunately, most browsers falsify part of their User-Agent header in an attempt to be compatible with more web servers. LUCY also is only enumerate major versions (like IE 11) but not minor versions which would show the actual patch status, some results might be false positives. Example: if you don't use the latest IE (e.g. IE10) we will query the CVE database and present all vulnerabilities for IE10 (http://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-9900/version_id-138705/). But that does not mean the IE is not patched. This only displays all possible vulnerabilities for this browser version. Within the campaign statistics the vulnerable clients are displayed with an exclamation mark:
- Client and network based vulnerability report: If you embed LHFC within a campaign you can collect output from up to 45 vulnerability checks
- Additional stats: LUCY can determine additional info like:
- Flash
- VBScript
- PhoneGap
- Google Gears
- Silverlight
- Web Socket
- QuickTime
- RealPlayer
- WMP
- WebRTC
- ActiveX
- Session Cookies
- Persistent Cookies
- Tor
- FireBug
- Popup Blocker
- Unsafe ActiveX
* Time based stats: How long does the user stay on each landing page?
* User history: Historical user statistics
View the collected data from users (passwords, uploads etc.)
The actual collected data (user passwords, Output from Tools) are located within the scenario. You need to select “Collected Data” and the related scenario.
When you click “Click to View”, you are able to see the detailed data.
See advanced recipient statistics
When you click on Recipients, you can see the details about the user who clicked on a link, participated in an awareness campaign etc. Just click on the name and a sub menu with all details will open. The exact output of BeEF or the awareness page can be opened beneath each recipient (just click on the link to expand the details):
Note - Opened Emails Statistics: The general statistics are presented on the campaign Overview page. It also contains a statistics called “Opened Emails”. This statistic is based on a tracking image within the email. Many email clients will block the automatic download of images. As a result, this number might not be very accurate.
Note - Clicks Statistics: Some users might click on the link twice or refresh the webpage. This has also an effect on the “Clicks” or “Form Submits”.
Starting with LUCY 4.4 you have also a user history, that will show you all historical events related to a specific user for this and other campaigns. Please click on "user history" to open the timeline below:
Track e-learning (awareness)
LUCY allows you to monitor the eLearning Stats and track:
- Who participated in an eLearning,
- Which question got answered correctly
- How much time it took in average to answer a question
- Success_rate: how many times has the user been successfully attacked in one or multiple campaigns
- Click_rate: how many times has the user clicked on a link in one or multiple campaigns
- Answers_count: in how many interactive elements did the user participate?
- Correct_answers_count: how many of the interactive elements did the user answer correctly?
- Quiz_time_spent: how much time did the user spent on an interactive element in general or in particular
- Video watched: if a video was watched and if: was it watched until the end?
How can LUCY monitor the learning access?
Similar to the phishing page each awareness landing page has a randomized URL variable which could look like this: http://your.awareness-page.com/Zhsdg3 (where “Zhsdg3” is a randomized string generated in LUCY that is associated with a unique mail address). When the user makes a GET request to that URL, LUCY knows that the eLearning page has been accessed by the user and the user counts as trained. It is irrelevant for LUCY if on that awareness page has an embedded video or just some static HTML. If you want to go further and track if and how specific content is accessed within a landing page you need to click on “quiz enabled” within the awareness page (see https://wiki.thrivedx.com/doku.php?id=create_an_interactive_e-learning_template). You can use this embedded JavaScript to track basically any interaction on the awareness website (e.g. Place a START button to play a video and set the starting point for the script accordingly). If you want to see examples on how the interactive eLearning is implemented we recommend taking a look at some existing templates (e.g. https://wiki.thrivedx.com/doku.php?id=interactive_elearning_pages).
How can the awareness data be exported?
You can access the awareness data via:
- Reports (Raw CSV Report or PDF/HTML Export)
- Statistics/Recipients (expand recipient to see the details)
- Statistics/Awareness Website
Where are the training results located on the dashboard?
a) General training statistics can be accessed within a campaign under "summary"
b) The summarized training results can be accessed within a campaign under "statistics/awareness website"
c) The detailed training results for each recipients can be accessed under "statistics/recipients". You can sort the table by trained/untrained and at the bottom you can see the exact results (answers) from the specific user. If configured, you could also see the reputation level
Where can the recipient see his training results?
The recipient can access his training results via the end user page, where he is also able to print a certificate if he passed the training.
Note: If you want to track how users perform on an interactive quiz you need to activate this feature.
Deleting Data in Statistics
- Delete all Stats: Press "Reset Stats" - the data in the database for this campaign is deleted and cannot be restored.
- Delete Stats from a Single User: Go into Stats/Recipients and delete the specified user. The user will not appear in the stats anymore.
- Delete Stats from a User Group: If you remove a group from a running campaign all stats associated with this group will be deleted.
Compare Different Campaigns
Using the compare button within a single campaign you are able to compare the campaign statistics among different campaigns. In order to compare campaigns please go to "statistics" within the campaign and then click on "compare".
LUCY will allow you to compare your current campaign against all other campaigns visible for the current client.
Common Questions regarding the stats
- How can a click rate in recipient statistics be ever less than 100 %? That is calculated for a recipient over several campaigns: if the recipient has participated in 10 campaigns and clicked on a link in 5 campaigns, the click rate will be 50%. The same with the success rate
- How is it possible the awareness dashboard shows "N/A" for certain countries? Lets say a campaign has 3 victims, 1 from Switzerland and 2 N/A (as they never clicked). These 2 charts show - the percentage of users from countries that clicked or not clicked the awareness webpage link (it shows 100% from Switzerland never clicked and 100% from N/A never clicked) and the second chart shows absolute numbers - 1 from Switzerland never clicked the awareness link and 2 from N/A never clicked the link as well.