I ventured into creating a phishing email playbook for a SOC, leveraging the NIST framework. Developing SOC playbooks can be challenging, requiring meticulous attention to detail. It’s hard to fathom the complexity that awaits when tackling even more advanced playbooks.
Preparation Phase
During the preparation phase, the goals are twofold: firstly, to ensure that the organisation is equipped to handle a cyber incident in a prompt and efficient manner, and secondly, to educate employees about their responsibilities in addressing a Phishing incident, which includes making use of appropriate reporting channels.
| Step | Activities |
|---|---|
| Implement Solutions | Implement anti-malware, anti-spam and anti-phishing solutions for email protection; ensure endpoint tooling can detect malicious processes spawned by office documents; create and maintain a list of all domains owned by the company. |
| Prepare to Respond | Practise and become familiar with the procedures for responding to cyber incidents, covering both technical and business roles and responsibilities, and escalating to major incident management if required; examine recent cyber incidents and their outcomes; evaluate threat intelligence for potential threats to the organisation, its brands and the industry, including prevalent trends and newly emerging risks and vulnerabilities; define threat and risk indicators and alerting patterns on the SIEM. |
| Inform Employees | Run a security awareness programme; make security training mandatory for employees who work with confidential data and systems; conduct fire drills to verify that the security playbook works and that all parts of the plan function as intended. |
| Templates | Create templates to inform all employees of an ongoing phishing campaign against the organisation, to ask hosting companies for a domain take-down, and to notify third-party providers to take action against phishing on their infrastructure. |
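The "detect malicious processes spawned by office documents" and "define alerting patterns on the SIEM" items above stay abstract, so here is an added example (not code from the original playbook) that applies one such alerting pattern to process-creation events in Python. The event field names, hosts, users and paths are constructed sample data in a Sysmon-like layout; they are assumptions for this example and would need mapping to your own EDR or SIEM schema.

```python
"""Detection logic for 'office application spawns a script host'.

Added example for this playbook, not code from the original post. It applies
one alerting pattern of the kind a SIEM or EDR rule would express to a list
of process-creation events. Field names, hosts, users and paths below are
constructed sample data (Sysmon-style), not real telemetry.
"""
from pathlib import PureWindowsPath

# Office applications that commonly open email attachments.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Children that are suspicious when launched directly by an office application.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(path).name.lower()


def is_office_spawn(event: dict) -> bool:
    """True when an office application is the direct parent of a script host or LOLBin."""
    return (image_name(event["parent_image"]) in OFFICE_PARENTS
            and image_name(event["image"]) in SUSPICIOUS_CHILDREN)


def evaluate(events: list) -> list:
    """Return one alert record per event that matches the rule."""
    alerts = []
    for ev in events:
        if is_office_spawn(ev):
            alerts.append({
                "rule": "office_app_spawned_script_host",
                "host": ev["host"],
                "user": ev["user"],
                "parent": image_name(ev["parent_image"]),
                "child": image_name(ev["image"]),
                "command_line": ev["command_line"],
            })
    return alerts


# Constructed sample events: one true positive, one benign launch of Word by
# Explorer, and one benign print helper spawned by Excel.
SAMPLE_EVENTS = [
    {"host": "WS-0142", "user": "CORP\\jdoe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -w hidden -File C:\Users\jdoe\AppData\Local\Temp\inv.ps1"},
    {"host": "WS-0142", "user": "CORP\\jdoe",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r"WINWORD.EXE /n C:\Users\jdoe\Downloads\invoice.docm"},
    {"host": "WS-0201", "user": "CORP\\asmith",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\splwow64.exe",
     "command_line": "splwow64.exe 12288"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Only the first event fires: Word launching PowerShell. Word being launched by Explorer and Excel spawning its own print helper are the kind of benign parent/child pairs a rule like this must leave alone, which is why the child list is an allow-list of script hosts and LOLBins rather than "anything spawned by Office".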
Detection Phase
In the detection phase, there are two main objectives: firstly, to conduct a preliminary investigation of the Phishing attack, and secondly, to make a formal report of the attack to the appropriate team as a cyber incident.
| Step | Activities |
|---|---|
| Alerts | Alerts are generated by various systems; the primary sources are tickets, the SIEM, anti-virus/EDR, user reports, DNS, the web proxy, and error messages from email servers. |
| Detect and report incident | Actively monitor automated and manual detection channels, as well as customer, staff and social media channels, for signs of compromise, including but not limited to: spoofed emails; emails containing links to unfamiliar or external URLs; non-deliverable or undeliverable (bounced) emails; internal user reports of questionable emails; customer reports of suspicious activity; alerts from Mimecast. Inform the Service Desk about the cyber incident; if a ticket has not been created yet, create one with the information gathered. Report to the Incident Response team. |
| Data Collection | Gather initial incident data, including at a minimum: the type of cyber incident; the method by which it was reported; the number of users who received the phishing email; the cause of the incident; the initial number of impacted assets across the organisation; additional reports regarding affected assets, including antivirus logs, system event logs and network monitoring logs. |
| Secure Artifacts | Sending email address; subject line; recipient email addresses; sending server IP and reverse DNS; Reply-To address; date and time; attachment name; SHA256 hash value; full URLs; root domain. |
| Identify phishing email | Identify the relevant information contained within the emails, such as the identity of the sender and recipient, the date and time of the message, the content of the message, and any attachments or links contained within it. |
| Categorize | Classify the cyber incident based on the available information about the phishing attack and the incident types: phishing, spear phishing, whaling, spam, etc. |
| Triage | Determine the impact of the incident in terms of financial and data loss. The scope of the impact covers the number of people who received the email, opened its attachments, clicked on its links and submitted any information. |
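The "Secure Artifacts" row lists what to capture from the phishing email itself. As an added example (not code from the original playbook), the Python below pulls those artifacts out of a raw RFC 5322 message using only the standard library: sender, subject, recipients, Reply-To, date, the sending server IP from the topmost Received header, attachment names with SHA-256 hashes, full URLs and their root domains. The message, addresses, IP and attachment content are all constructed for the example; the reverse DNS lookup is left to the caller because it needs network access.

```python
"""Extract the Data Collection artifacts from a raw phishing email.

Added example, not part of the original playbook. The sample message below
is constructed (example.net / example.org / 203.0.113.25 are documentation
ranges and names); the attachment body is just "Hello, world!" base64-encoded.
"""
import hashlib
import re
from email import message_from_bytes, policy
from urllib.parse import urlparse

# Constructed sample message with one link and one small attachment.
SAMPLE_EML = b"""Received: from mail.example.net (mail.example.net [203.0.113.25])
\tby mx.company.example (Postfix) with ESMTP id 4Abc12
\tfor <jdoe@company.example>; Mon, 05 Jun 2023 09:14:22 +0000
From: "IT Support" <support@example.net>
Reply-To: helpdesk-reset@example.org
To: jdoe@company.example, asmith@company.example
Subject: Action required: password expires today
Date: Mon, 05 Jun 2023 09:14:10 +0000
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Reset your password at https://login.company-example.net/reset?u=jdoe
or open the attached form.
--b1
Content-Type: application/octet-stream; name="reset_form.docm"
Content-Disposition: attachment; filename="reset_form.docm"
Content-Transfer-Encoding: base64

SGVsbG8sIHdvcmxkIQ==
--b1--
"""

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
# Bracketed IPv4 literal inside a Received header, e.g. "[203.0.113.25]".
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def root_domain(url: str) -> str:
    """Last two labels of the URL host (use a public-suffix list in production)."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def extract_artifacts(raw: bytes) -> dict:
    """Return the playbook's Secure Artifacts for one message."""
    msg = message_from_bytes(raw, policy=policy.default)

    # The topmost Received header was added by our own MX, so its bracketed
    # IP is the server that handed us the message.
    received = msg.get_all("Received") or []
    ip_match = RECEIVED_IP_RE.search(received[0]) if received else None

    urls, attachments = [], []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""
            attachments.append({"name": part.get_filename(),
                                "sha256": hashlib.sha256(data).hexdigest()})
        elif part.get_content_type() == "text/plain":
            urls.extend(URL_RE.findall(part.get_content()))

    reply_to = msg["Reply-To"]
    return {
        "sender": msg["From"].addresses[0].addr_spec,
        "subject": str(msg["Subject"]),
        "recipients": [a.addr_spec for a in msg["To"].addresses],
        # Reverse DNS: socket.gethostbyaddr(ip) once you are online.
        "sending_server_ip": ip_match.group(1) if ip_match else None,
        "reply_to": reply_to.addresses[0].addr_spec if reply_to else None,
        "date": str(msg["Date"]),
        "attachments": attachments,
        "urls": urls,
        "root_domains": sorted({root_domain(u) for u in urls}),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(extract_artifacts(SAMPLE_EML), indent=2))
```

Note that the Reply-To address is on a different domain from the From address; that mismatch is itself worth recording as an artifact, since replies and any harvested credentials go to the Reply-To domain rather than the one the user sees.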
Analyse Phase
The analysis phase encompasses four key objectives: firstly, to analyse the cyber incident thoroughly to determine the extent of the attack; secondly, to identify and report any potentially compromised data and the potential impact of such a breach; thirdly, to determine whether a full forensic investigation is necessary; and fourthly, to develop a remediation plan that takes into account the scope and details of the cyber incident.
| Step | Activities |
|---|---|
| Identify the IOCs | Steps to identify the IOCs include validating the hashes of files, links and attachments, identifying the subject and other domains and IPs, checking threat intelligence sources, performing disk forensics on the recipient's endpoint, and determining whether the information is trustworthy. |
| Scan the entire system | Update the spam filter to prevent malicious emails from reaching the inbox; update the firewall, IDS and other security rules with the latest IOCs to detect and block malicious traffic; search all mail folders for the IOCs to find any malicious emails that may have been missed; and use EDR tools to search endpoints for the IOCs and identify any malicious activity present on the system. |
| Update the scope of the incident | Update the following lists to track the scope of the security incident and ensure that all necessary parties are informed and involved in the response: affected recipient addresses; affected endpoints; affected business units. |
| Validation | Have all the machines involved in the security incident been identified? If any further traces of phishing or new IOCs are discovered, go back through this step to ensure that all affected machines have been identified. |
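The "Scan the entire system", "Update the scope" and "Validation" rows describe one loop: search mail folders for the current IOCs, add every hit to the scope lists, pivot on the new indicators the hits reveal, and repeat until nothing new turns up. The Python below is an added example (not code from the original playbook) of that loop. The mailbox contents, the user-to-endpoint map and the business-unit map are constructed in-memory stand-ins for a mail admin console export and an asset inventory, and the hash values are placeholders rather than real SHA-256 digests.

```python
"""IOC sweep over mail folders with scope tracking and a pivot loop.

Added example, not part of the original playbook. All data below is
constructed: mailboxes, endpoints, business units and the placeholder hash
strings ("hash-a") that stand in for SHA-256 values.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Message:
    mailbox: str                 # mail folder owner, i.e. a recipient address
    sender: str
    subject: str
    urls: list
    attachment_hashes: list


@dataclass
class Scope:
    recipients: set = field(default_factory=set)
    endpoints: set = field(default_factory=set)
    business_units: set = field(default_factory=set)
    matched: list = field(default_factory=list)     # (mailbox, subject) pairs
    iocs: dict = field(default_factory=dict)        # IOC set after pivoting
    passes: int = 0                                 # how many sweeps were needed


def root_domain(url: str) -> str:
    """Last two labels of the URL host (use a public-suffix list in production)."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def message_matches(msg: Message, iocs: dict) -> bool:
    """True if the message carries any known sender, URL root domain or hash."""
    return (msg.sender in iocs["senders"]
            or any(root_domain(u) in iocs["domains"] for u in msg.urls)
            or any(h in iocs["hashes"] for h in msg.attachment_hashes))


def pivot(msg: Message, iocs: dict) -> bool:
    """Add a matched message's own indicators to the IOC set; True if anything was new."""
    before = sum(len(v) for v in iocs.values())
    iocs["senders"].add(msg.sender)
    iocs["domains"].update(root_domain(u) for u in msg.urls)
    iocs["hashes"].update(msg.attachment_hashes)
    return sum(len(v) for v in iocs.values()) > before


def sweep(messages, initial_iocs, endpoints, business_units) -> Scope:
    """Repeat the mail-folder search until a pass discovers no new IOCs."""
    iocs = {k: set(v) for k, v in initial_iocs.items()}   # do not mutate the caller's set
    scope, seen = Scope(), set()
    while True:
        scope.passes += 1
        found_new_iocs = False
        for i, msg in enumerate(messages):
            if i in seen or not message_matches(msg, iocs):
                continue
            seen.add(i)
            scope.matched.append((msg.mailbox, msg.subject))
            scope.recipients.add(msg.mailbox)
            scope.endpoints.add(endpoints.get(msg.mailbox, "unknown"))
            scope.business_units.add(business_units.get(msg.mailbox, "unknown"))
            found_new_iocs |= pivot(msg, iocs)
        if not found_new_iocs:          # Validation step satisfied: nothing new to chase
            scope.iocs = iocs
            return scope


# Constructed sample data. The third message is a second wave with a new
# sender and domain; only the fourth message ties it to the first wave.
MAILBOXES = [
    Message("jdoe@company.example", "support@example.net", "Action required",
            ["https://login.company-example.net/reset?u=jdoe"], ["hash-a"]),
    Message("asmith@company.example", "support@example.net", "Action required",
            ["https://login.company-example.net/reset?u=asmith"], ["hash-a"]),
    Message("dlee@company.example", "it-desk@example.org", "Re: password reset",
            ["https://portal.company-example.org/login"], []),
    Message("bchen@company.example", "it-desk@example.org", "Re: password reset",
            ["https://portal.company-example.org/login"], ["hash-a"]),
    Message("dlee@company.example", "newsletter@vendor.example", "Weekly news",
            ["https://vendor.example/news"], []),
]
ENDPOINTS = {"jdoe@company.example": "WS-0142", "asmith@company.example": "WS-0201",
             "dlee@company.example": "WS-0317", "bchen@company.example": "LT-0088"}
BUSINESS_UNITS = {"jdoe@company.example": "Finance", "asmith@company.example": "Finance",
                  "dlee@company.example": "Sales", "bchen@company.example": "Engineering"}
INITIAL_IOCS = {"senders": {"support@example.net"},
                "domains": {"company-example.net"}, "hashes": {"hash-a"}}

if __name__ == "__main__":
    print(sweep(MAILBOXES, INITIAL_IOCS, ENDPOINTS, BUSINESS_UNITS))
```

In the sample data the first pass catches three messages and, through the shared attachment hash, learns the second wave's sender and domain; the second pass then picks up the message that shared only those new indicators. A single pass would have left dlee's mailbox out of scope, which is exactly the gap the Validation row warns about.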
Remediation Phase
The remediation phase aims to accomplish two main objectives: firstly, to contain the effects of the malware on the affected systems, and secondly, to eliminate the malware from the network by implementing agreed-upon mitigation measures.
| Step | Activities |
|---|---|
| Containment | To reduce any further malicious activity, stop the phishing activity, quarantine the affected systems and remove them from the network. Apply access controls to isolate them from production networks. |
| Segregate and block | Prevent communication with command and control servers, websites and exploited applications by blocking access to every identified application. |
| Validate | Check whether the emails have been read, the attachments opened and the links clicked. If malicious attachments were opened, assume that the endpoint is infected with malware and proceed to the Malware Playbook. |
| Eradication | Remove the emails from users' inboxes using the spam tool or the email admin console, available in both cloud and on-premises environments. Delete downloaded attachments, and run enterprise-wide scanning with EDR, SIEM or similar tools. |
| Monitor | Monitor for incoming messages related to the incident, internet connections to the IOCs, and new files that match the identified hashes. |
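The Validate and Monitor rows both come down to reading read-receipts, endpoint file events and proxy lines against the incident's IOCs. The Python below is an added example (not code from the original playbook) that does that for the scoped recipients and applies the playbook's branch rule: an opened malicious attachment sends that user to the Malware Playbook. The log lines, their key=value layout, the hosts and the hash placeholders are all constructed for the example and are not any product's real format.

```python
"""Validate read/opened/clicked per recipient and watch new logs for IOC hits.

Added example, not part of the original playbook. The log lines are
constructed stand-ins for a mail audit export, EDR file events and a web
proxy log; the "<timestamp> <source> key=value ..." layout is an assumption
for this example. "hash-a" is a placeholder for a SHA-256 value.
"""
import re
from urllib.parse import urlparse

IOCS = {
    "hashes": {"hash-a"},
    "domains": {"company-example.net", "company-example.org"},
}
SCOPE_RECIPIENTS = ["jdoe@company.example", "asmith@company.example", "bchen@company.example"]

# Constructed logs from three sources, already merged and time-ordered.
SAMPLE_LOGS = """
2023-06-05T09:20:01Z mailaudit user=jdoe@company.example action=read msgid=<4Abc12@example.net>
2023-06-05T09:21:40Z edr host=WS-0142 user=jdoe@company.example action=file_open sha256=hash-a
2023-06-05T09:22:03Z proxy user=jdoe@company.example url=https://login.company-example.net/reset?u=jdoe status=200
2023-06-05T09:30:12Z mailaudit user=asmith@company.example action=read msgid=<4Abc13@example.net>
2023-06-05T09:31:00Z proxy user=asmith@company.example url=https://vendor.example/news status=200
2023-06-05T11:02:45Z proxy user=bchen@company.example url=https://portal.company-example.org/login status=200
""".strip().splitlines()

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Split '<ts> <source> k=v k=v ...' into a dict; values never contain spaces."""
    ts, source, rest = line.split(" ", 2)
    fields = dict(KV_RE.findall(rest))
    fields.update({"ts": ts, "source": source})
    return fields


def root_domain(url: str) -> str:
    """Last two labels of the URL host (use a public-suffix list in production)."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def ioc_hit(ev: dict, iocs: dict) -> bool:
    """True if an EDR or proxy event touches an incident hash or domain."""
    if ev["source"] == "edr":
        return ev.get("sha256") in iocs["hashes"]
    if ev["source"] == "proxy":
        return root_domain(ev.get("url", "")) in iocs["domains"]
    return False


def validate(recipients, lines, iocs) -> dict:
    """Per-recipient read/opened/clicked flags plus the playbook branch to take."""
    status = {r: {"read": False, "opened": False, "clicked": False} for r in recipients}
    for ev in map(parse_line, lines):
        user = ev.get("user")
        if user not in status:
            continue
        if ev["source"] == "mailaudit" and ev.get("action") == "read":
            status[user]["read"] = True
        elif ev["source"] == "edr" and ioc_hit(ev, iocs):
            status[user]["opened"] = True
        elif ev["source"] == "proxy" and ioc_hit(ev, iocs):
            status[user]["clicked"] = True
    for s in status.values():
        # Playbook rule: an opened malicious attachment means assume infection.
        s["next_step"] = "malware_playbook" if s["opened"] else "eradicate_and_monitor"
    return status


def monitor(lines, iocs) -> list:
    """Monitor step: return every event in a fresh batch of logs that touches an IOC."""
    return [ev for ev in map(parse_line, lines) if ioc_hit(ev, iocs)]


if __name__ == "__main__":
    for user, s in validate(SCOPE_RECIPIENTS, SAMPLE_LOGS, IOCS).items():
        print(user, s)
    print(len(monitor(SAMPLE_LOGS, IOCS)), "IOC hits")
```

In the sample, jdoe read the mail, opened the attachment and clicked the link and so goes to the Malware Playbook; asmith only read it; bchen never shows a read event but did reach the phishing domain, which is the case that makes correlating the proxy log worthwhile rather than trusting read-receipts alone. Feeding `monitor()` each new batch of logs with the same IOC set is the Monitor row of the table.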
Post Incident Phase
During the post-incident activities phase, there are three primary objectives: firstly, to generate a comprehensive incident report that includes all relevant incident details and activities; secondly, to complete the lessons identified and problem management process to improve incident response capabilities; and thirdly, to disseminate appropriate internal and external communications regarding the incident.
| Step | Activities |
|---|---|
| Incident report | Create a post-incident report that covers the essential elements listed below: comprehensive information about the cyber event that was detected and resolved across the network, such as its duration, type and location and its impact on users; details of the actions taken by the relevant teams, service providers and business stakeholders to restore regular business operations. |
| Policy & procedures update | Update the detection rules for the various security solutions, including SIEM, anti-spam, malware gateway, EDR and similar tools. Ensure that the following documents are updated as needed: policies, processes, procedures, playbooks and runbooks. |
| Incident Review | As part of a formal lessons-learned process, make suggestions for improving people, processes or technology throughout the organisation so that a similar cyber incident does not happen again. |
| User awareness training | Provide the user with phishing training that covers how to identify phishing attempts, how to report them, and the dangers of following links, opening attachments and complying with scammers' requests. |