# 社交工程演練分析-以Phishing Frenzy平台為例

## 何謂社交工程(Social Engineering)?
簡而言之，就是透過假冒身份或者拋出誘人的議題，引導受害者的行為，進一步套取機密資訊或甚至是財務<br>
電子郵件是常見的手法之一，這種郵件又稱做釣魚郵件(phishing email)，比喻受害人就像魚一樣上鉤受騙<br>
釣魚郵件經常透過偽造的網站連結騙取受害人的機密資訊，例如：偽造的網站上輸入重要資訊，則攻擊者便取得相關資訊<br>

## 何謂社交工程演練?
如同前文提到，社交工程攻擊可能對個人或公司造成傷害<br>
因此公司會委託檢測廠商進行社交工程演練，透過仿真的釣魚郵件，測試同仁的資訊安全意識<br>
若發現有同仁會閱讀郵件或點擊連結，則公司應特別留意這些同仁，或者督促同仁參加資安教育訓練<br>

## Phishing Frenzy是什麼?
Phishing Frenzy是一個開源的社交工程演練平台，我們可以透過平台設計、寄送釣魚郵件<br>
由於架構簡單而且功能也堪稱齊全，因此Phishing Frenzy頗受資訊人員青睞<br>

## 前言
本專案模擬某公司委託我方進行社交工程演練<br>
我們依據公司提供的郵件清單，寄送3封郵件給每位同仁，並且透過Phishing Frenzy平台回收3封郵件的演練報告<br>
接下來，我們會整理演練結果，並在會議中跟客戶分享我們的發現

## Step 1. 引用模組或套件

In [1]:
import numpy as np
import pandas as pd

## Step 2. 讀取郵件清單

In [2]:
email = pd.read_excel("email.xlsx")

In [3]:
email.head()

Unnamed: 0,Name,Department,Email
0,陳○○,Executive Office,employee1@email.com.tw
1,陳○○,Executive Office,employee2@email.com.tw
2,高○○,Executive Office,employee3@email.com.tw
3,蔡○○,Executive Office,employee4@email.com.tw
4,林○○,Executive Office,employee5@email.com.tw


郵件清單包含3個欄位，分別為姓名、部門和郵件位址<br>
我們希望將郵件清單和各封郵件的演練報告合併在一起，方便分析檢視<br>
因此接著來看演練報告的內容和格式

## Step 3. 讀取演練報告

In [4]:
first_report = pd.read_excel('first.xlsx')

In [5]:
first_report.head()

Unnamed: 0,Email,Email First Viewed,Email Viewed,Link First Clicked,Link Clicked
0,employee6@email.com.tw,,False,,False
1,employee12@email.com.tw,,False,,False
2,employee18@email.com.tw,,False,,False
3,employee24@email.com.tw,,False,,False
4,employee30@email.com.tw,,False,,False


報告包含5個欄位，分別為：<br>
1. Email：郵件位址
2. Email First Viewed：第一次閱讀郵件的時間
3. Email Viewed：是否閱讀郵件
4. Link First Clicked：第一次點擊連結的時間
5. Link Clicked：是否點擊連結

觀察後做出以下結論：
1. 報告的「Email」欄位即為郵件清單的「Email」欄位，可以作為合併資料時的基準
2. 欄位沒有包含報告名稱，每份報告的欄位名稱都相同；為避免合併資料時造成錯誤，在合併前需要先調整欄位名稱
3. 由於我們只想瞭解收件者有無動作，不考慮發生時間，因此省略「Email First Viewed」、「Link First Clicked」欄位

我們可以讀取3份報告後，分別存入對應變數中(例如：first_report、second_report...)，再和郵件清單合併<br>
但未來在執行社交工程演練時，可能不只3封郵件，再加上動作是重複的，因此使用迴圈來完成工作比較合適

## Step 4. 讀取演練報告，並且和郵件清單合併

In [6]:
report_name_list = ['first.xlsx', 'second.xlsx', 'third.xlsx'] #演練報告的名稱
report_list = [] #用於暫存演練報告

for report_name in report_name_list:
    report_name_cleaned = report_name.split(".")[0].capitalize() #取得演練報告的名稱
    report = pd.read_excel(report_name) #讀取演練報告
    report = report[['Email', 'Email Viewed', 'Link Clicked']] #篩選出需要的欄位
    report.rename(columns={'Email Viewed':report_name_cleaned + ' Email Viewed', 'Link Clicked':report_name_cleaned + ' Link Clicked'}, inplace=True) #調整欄位名稱，避免重複
    report_list.append(report) #將演練報告加入report_list，稍後用於合併
    
for report in report_list:
    email = email.merge(report, on='Email') #將郵件清單和演練報告進行合併

檢視合併後的的郵件清單

In [7]:
email.head()

Unnamed: 0,Name,Department,Email,First Email Viewed,First Link Clicked,Second Email Viewed,Second Link Clicked,Third Email Viewed,Third Link Clicked
0,陳○○,Executive Office,employee1@email.com.tw,True,False,True,False,True,False
1,陳○○,Executive Office,employee2@email.com.tw,False,False,False,False,False,False
2,高○○,Executive Office,employee3@email.com.tw,False,False,False,False,False,False
3,蔡○○,Executive Office,employee4@email.com.tw,False,False,False,False,False,False
4,林○○,Executive Office,employee5@email.com.tw,False,False,False,False,False,False


在開始分析演練結果前，我們可以新增幾個欄位，方便之後分析和檢視

## Step 5. 新增有助於分析和檢視的欄位

新增2個欄位：「Email Viewed」和「Link Clicked」，代表收件者有沒有閱讀郵件或點擊連結

In [8]:
email['Email Viewed'] = np.where(email[['First Email Viewed', 'Second Email Viewed', 'Third Email Viewed']].sum(axis=1) != 0, True, False)
email['Link Clicked'] = np.where(email[['First Link Clicked', 'Second Link Clicked', 'Third Link Clicked']].sum(axis=1) != 0, True, False)

再新增3個欄位：「Number of Views」、「Number of Clicks」和「Number of Actions」，代表閱讀郵件、點擊連結和總行為次數

In [9]:
email['Number of Views'] = email[['First Email Viewed', 'Second Email Viewed', 'Third Email Viewed']].sum(axis=1)
email['Number of Clicks'] = email[['First Link Clicked', 'Second Link Clicked', 'Third Link Clicked']].sum(axis=1)
email['Number of Actions'] = email.iloc[:, 3:11].sum(axis=1)

檢視新增欄位後的郵件清單

In [10]:
email.head()

Unnamed: 0,Name,Department,Email,First Email Viewed,First Link Clicked,Second Email Viewed,Second Link Clicked,Third Email Viewed,Third Link Clicked,Email Viewed,Link Clicked,Number of Views,Number of Clicks,Number of Actions
0,陳○○,Executive Office,employee1@email.com.tw,True,False,True,False,True,False,True,False,3,0,4
1,陳○○,Executive Office,employee2@email.com.tw,False,False,False,False,False,False,False,False,0,0,0
2,高○○,Executive Office,employee3@email.com.tw,False,False,False,False,False,False,False,False,0,0,0
3,蔡○○,Executive Office,employee4@email.com.tw,False,False,False,False,False,False,False,False,0,0,0
4,林○○,Executive Office,employee5@email.com.tw,False,False,False,False,False,False,False,False,0,0,0


有關資料預處理的部份到此告一段落<br>
由於phishing frenzy提供表格化的演練報告，因此不需要做太多調整，情境較為單純<br>
我們接著開始對演練內容進行分析和檢視

## Step 6. 演練分析和檢視

### 首先，我們從個人的角度去分析和檢視

Qestion 1. 哪位收件者閱讀最多社交工程郵件? Answer：陳○○、王○○和顏○○，3次

In [11]:
email.sort_values('Number of Views', ascending=False)[['Name', 'Department', 'Number of Views']].head(5)

Unnamed: 0,Name,Department,Number of Views
0,陳○○,Executive Office,3
568,王○○,Customer Service,3
268,顏○○,Finance & Accounting,3
124,黃○○,Agency Channel,2
621,楊○○,Customer Service,2


Question 2. 哪位收件者點擊最多次連結? Answer：多位同仁點擊1次，並列第一

In [12]:
email.sort_values('Number of Clicks', ascending=False)[['Name', 'Department', 'Number of Clicks']].head(5)

Unnamed: 0,Name,Department,Number of Clicks
456,蔡○○,Customer Service,1
370,鍾○○,Human Resources,1
221,林○○,Bancassurance & Institution Dept,1
119,詹○○,Agency Channel,1
170,莊○○,Agency Channel,1


Question 3. 哪位收件者執行最多次動作? Answer：鍾○○，共5次

In [13]:
email.sort_values('Number of Actions', ascending=False)[['Name', 'Department', 'Number of Actions']].head(5)

Unnamed: 0,Name,Department,Number of Actions
370,鍾○○,Human Resources,5
0,陳○○,Executive Office,4
684,蒲○○,Customer Service,4
200,李○○,Bancassurance & Institution Dept,4
285,洪○○,Finance & Accounting,4


Question 4. 哪一封信的閱讀次數最高? Answer：第二封信，18次

In [14]:
email[['First Email Viewed', 'Second Email Viewed', 'Third Email Viewed']].sum().sort_values(ascending=False)

Second Email Viewed    18
Third Email Viewed     14
First Email Viewed      9
dtype: int64

Question 5. 哪一封信的點擊連結次數最多? Answer：第二、三封信，9次

In [15]:
email[['First Link Clicked', 'Second Link Clicked', 'Third Link Clicked']].sum().sort_values(ascending=False)

Third Link Clicked     9
Second Link Clicked    9
First Link Clicked     1
dtype: int64

### 接著，從部門的角度去分析和檢視

In [16]:
groupby_department = email.groupby('Department').sum() #依部門分組

In [17]:
groupby_department.head() # 檢視依部門分組後的前5列

Unnamed: 0_level_0,First Email Viewed,First Link Clicked,Second Email Viewed,Second Link Clicked,Third Email Viewed,Third Link Clicked,Email Viewed,Link Clicked,Number of Views,Number of Clicks,Number of Actions
Department,Unnamed: 1_level_1,Unnamed: 2_level_1,Unnamed: 3_level_1,Unnamed: 4_level_1,Unnamed: 5_level_1,Unnamed: 6_level_1,Unnamed: 7_level_1,Unnamed: 8_level_1,Unnamed: 9_level_1,Unnamed: 10_level_1,Unnamed: 11_level_1
Agency Channel,1.0,0.0,4.0,1.0,3.0,2.0,7.0,3.0,8,3,21
Bancassurance & Institution Dept,1.0,0.0,3.0,3.0,2.0,2.0,6.0,5.0,6,5,22
Commercial Insurance,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0,0,0
Compliance & Legal,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0,0,0
Consumer Insurance,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0,0,0


Question 6. 哪個部門有最多閱讀郵件的人? Answer：Customer Service，共11次

In [18]:
groupby_department['Email Viewed'].sort_values(ascending=False).head()

Department
Customer Service                    11.0
Agency Channel                       7.0
Bancassurance & Institution Dept     6.0
Finance & Accounting                 3.0
Technology & Application             1.0
Name: Email Viewed, dtype: float64

Question 7. 哪個部門有最多點擊連結的人? Answer：Customer Service，共8次

In [19]:
groupby_department['Link Clicked'].sort_values(ascending=False).head()

Department
Customer Service                    8.0
Bancassurance & Institution Dept    5.0
Agency Channel                      3.0
Finance & Accounting                2.0
Human Resources                     1.0
Name: Link Clicked, dtype: float64

我們發現Customer Service部門有最多閱讀郵件和點擊連結的人，可能的原因如下：<br>
(1)該部門的資安意識較為薄弱，因此比較容易被釣魚<br>
(2)該部門的同仁較多，或許就比例上而言，與其他部門相同<br>

由於我們無法從報告推論出(1)，因此我們就來檢驗一下(2)<br>
作法是使用比例來觀察各部門的表現，而非單純的加總數字

In [20]:
department_count = email.groupby('Department').count() # 計算各部門人數
groupby_department_ratio = groupby_department/department_count * 100 # 將各部門的加總除以部門人數，得出比率

In [21]:
groupby_department_ratio.head() # 顯示前5列

Unnamed: 0_level_0,Email,Email Viewed,First Email Viewed,First Link Clicked,Link Clicked,Name,Number of Actions,Number of Clicks,Number of Views,Second Email Viewed,Second Link Clicked,Third Email Viewed,Third Link Clicked
Department,Unnamed: 1_level_1,Unnamed: 2_level_1,Unnamed: 3_level_1,Unnamed: 4_level_1,Unnamed: 5_level_1,Unnamed: 6_level_1,Unnamed: 7_level_1,Unnamed: 8_level_1,Unnamed: 9_level_1,Unnamed: 10_level_1,Unnamed: 11_level_1,Unnamed: 12_level_1,Unnamed: 13_level_1
Agency Channel,,7.865169,1.123596,0.0,3.370787,,23.595506,3.370787,8.988764,4.494382,1.123596,3.370787,2.247191
Bancassurance & Institution Dept,,9.090909,1.515152,0.0,7.575758,,33.333333,7.575758,9.090909,4.545455,4.545455,3.030303,3.030303
Commercial Insurance,,0.0,0.0,0.0,0.0,,0.0,0.0,0.0,0.0,0.0,0.0,0.0
Compliance & Legal,,0.0,0.0,0.0,0.0,,0.0,0.0,0.0,0.0,0.0,0.0,0.0
Consumer Insurance,,0.0,0.0,0.0,0.0,,0.0,0.0,0.0,0.0,0.0,0.0,0.0


Question 8. 哪個部門閱讀社交工程郵件的比率最高? Answer：Executive Office，14.29%

In [22]:
groupby_department_ratio['Email Viewed'].sort_values(ascending=False).head()

Department
Executive Office                    14.285714
Bancassurance & Institution Dept     9.090909
Agency Channel                       7.865169
Finance & Accounting                 7.500000
Product Development & Marketing      7.142857
Name: Email Viewed, dtype: float64

Question 9. 哪個部門點擊連結的比率最高? Answer：Bancassurance & Institution Dept，7.58%

In [23]:
groupby_department_ratio['Link Clicked'].sort_values(ascending=False).head()

Department
Bancassurance & Institution Dept    7.575758
Human Resources                     6.666667
Finance & Accounting                5.000000
Agency Channel                      3.370787
Customer Service                    2.116402
Name: Link Clicked, dtype: float64

比較後發現，使用加總或比率得出來的結果，差異相當大<br>
我們可以推斷，Customer Service部門擁有最多閱讀郵件和點擊連結的人，但原因並非資安意識薄弱<br>

### 最後，從公司整體的角度去分析和檢視

Question 10. 公司有多少人閱讀郵件、比率為何? Answer：31人，4.13%

In [24]:
print(email['Email Viewed'].sum()) #閱讀次數
print(email['Email Viewed'].sum()/email.shape[0] * 100) #閱讀比率

31
4.133333333333333


Question 11. 公司有多少人點擊連結、比率為何? Answer：19人，2.53%

In [25]:
print(email['Link Clicked'].sum()) #點擊次數
print(email['Link Clicked'].sum()/email.shape[0] * 100) #點擊比率

19
2.533333333333333


顯然閱讀郵件的人比點擊連結的人更多<br>

有關分析和檢視的部份到此告一段落，當然還可以將問題延伸下去，不過要向客戶報告演練結果，上述的資訊已經足夠了<br>
一般而言，完成社交工程演練後，除了將上述的分析結果以投影片的方式提供給客戶<br>
我們會提供關注名單，請客戶督促名單中的同仁完成教育訓練(通常有任一行為的同仁即列入關注名單)

## Step 7. 產生關注名單

In [26]:
email[email['Number of Actions'] != 0][['Name', 'Department', 'Email']].to_excel('list_of_concerns.xlsx', index=False)

以上即為社交工程演練分析的大致流程