Playbooks-Mitigation of Phishing Campaigns


Running head: PLAYBOOK 1

https://www.demisto.com/phishing-incident-response-playbook/

Playbooks-Mitigation of Phishing Campaigns

Name

Institutional Affiliation

Date of Submission

Playbooks-Mitigation of Phishing Campaigns

Introduction

As dependence on computer technology increases, cyber-attacks and cyber incidents increase with it. At the same time, understanding computer systems well enough to protect them from these potentially crippling threats is becoming steadily more difficult. Every organization is therefore trying to protect itself against any possible attack, for instance adware.

This paper establishes a playbook for one particular cyber security incident. A playbook is important because it helps in identifying, containing, eradicating and recovering from cyber security incidents (Szymanski, 2009). The paper therefore presents a “Phishing Incident Response Playbook” for a fictional company, which we will call Royal Acacia.

This virtual company handles credit card, Apple Pay and Bitcoin payments. It also operates a large data warehouse and therefore gathers very sensitive customer data. Customer data and credit card data are thus the company’s most valuable assets. The greatest threat to this data has been identified as data theft enabled by social engineering, specifically e-mail based social engineering attempts.

Objective Statement

This playbook provides instructions for handling end-user reported phishing campaigns against Royal Acacia employees. The goal is to prevent the introduction of backdoors into the company’s infrastructure, which may lead to data theft.

The process therefore lowers the success rate of a phishing campaign by blocking the emails as well as the backdooring attempts they carry (Szymanski, 2009).

Scope and Applicability

Phishing emails against Royal Acacia employees

Details of the malware

Phishing is a type of social engineering attack that is typically used to steal user data such as login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes the victim into opening an email. The victim is then deceived into clicking a malicious link, which can result in the installation of malware, the freezing of the system or the disclosure of sensitive data (Mitra, 2019). Since the virtual company handles credit card, Apple Pay and Bitcoin payments as well as sensitive customer data, a successful phishing email could lead to this crucial information being stolen, altered, destroyed or disclosed. This paper therefore onboards a process for mitigating such phishing campaigns.

The exploited vulnerability and its attack vector

The attack vector in this case is email phishing. The vulnerability exploited is not a software flaw but the trust that employees place in an email that appears to come from a legitimate sender, which the attacker abuses to obtain credentials or to get a malicious link opened. The assets put at risk are the credit card data and the sensitive customer data, since the virtual company handles credit card, Apple Pay and Bitcoin payments as well as sensitive customer data (Mitra, 2019).

Two risks of this malware

The two major risks of these phishing emails are:

- Theft of customers’ credit card details, which the attackers can use to withdraw money from the account or to make online transactions with the victim’s money.
- Theft of other sensitive information.

Step-by-step instructions on how to resolve the malware attack

- Since the incident will already have been confirmed as a phishing email, the first step is to alert the company’s employees by warning the end users of the emerging threat. This is done by:
  - Taking the pre-approved email template from \dc1irttemplatesphishing
  - Filling the template with the necessary details
  - Sending the template to the company’s internal PR, while at the same time informing the PR team about the incident so that they are prepared.
- Blocking the emails on the SMTP server. This is done by:
  - Contacting the company’s IT team and requesting that they block all incoming emails that match a particular identified pattern (for instance the sender address or subject line of the reported phish).



- Flagging “bad” emails. This is achieved by:
  - Sending the original email to the organization’s IT team so that they can feed it to the company’s Bayesian spam filter.
- Removing emails from user inboxes:
  - Checking the SMTP logs to see whether the same email has been delivered to other users.
  - Engaging IT to remove the similar emails from the affected employees’ mailboxes. This is done by:
    - Going to https://splunk.royalacacia.com
    - Searching for the subject line of the original phish
    - Searching for the sender email address of the original phish
    - Exporting the affected recipients into a CSV file
    - Contacting IT so that they can remove the phishes from the affected mailboxes (Mitra, 2019).
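The “remove emails from user inboxes” procedure above (search the mail logs for the sender and subject of the original phish, then export the affected recipients as a CSV for IT) is shown here as an added example; it is not part of the original playbook nor of the Demisto playbook it is based on. The script does the same correlation offline in Python over a constructed, simplified SMTP delivery log rather than in Splunk. The log format, the queue ids and every address and subject in it are assumptions made for illustration; in the real process the equivalent query runs in Splunk against the actual mail server logs. The same two indicators it matches on, the sender address and the normalized subject line, are what IT would turn into the blocking pattern on the SMTP server in the earlier step.

```python
import csv
import io
import re

# Constructed sample of a simplified SMTP delivery log (not real data and not
# any specific MTA's exact format): one header line per queue id carrying the
# envelope sender and Subject, followed by one delivery line per recipient.
SAMPLE_LOG = """\
Jun 03 09:12:01 mx1 smtpd: 7A1B2C3D4E: from=<billing@acacia-payments.example.net>, subject="Urgent: verify your payroll account"
Jun 03 09:12:02 mx1 smtpd: 7A1B2C3D4E: to=<alice@royalacacia.com>, status=sent
Jun 03 09:12:02 mx1 smtpd: 7A1B2C3D4E: to=<bob@royalacacia.com>, status=sent
Jun 03 09:15:44 mx1 smtpd: 9F8E7D6C5B: from=<hr@royalacacia.com>, subject="Weekly update"
Jun 03 09:15:45 mx1 smtpd: 9F8E7D6C5B: to=<alice@royalacacia.com>, status=sent
Jun 03 09:31:10 mx1 smtpd: 1C2D3E4F5A: from=<billing@acacia-payments.example.net>, subject="RE: Urgent: verify your payroll account"
Jun 03 09:31:11 mx1 smtpd: 1C2D3E4F5A: to=<carol@royalacacia.com>, status=sent
Jun 03 09:31:11 mx1 smtpd: 1C2D3E4F5A: to=<dave@royalacacia.com>, status=bounced
Jun 03 09:40:02 mx1 smtpd: 5B6C7D8E9F: from=<noreply@other.example.org>, subject="urgent:  verify your payroll account"
Jun 03 09:40:03 mx1 smtpd: 5B6C7D8E9F: to=<erin@royalacacia.com>, status=sent
"""

HEADER_RE = re.compile(r': (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, subject="(?P<subject>[^"]*)"')
DELIVERY_RE = re.compile(r': (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, status=(?P<status>\w+)')
PREFIX_RE = re.compile(r'^(?:(?:re|fw|fwd)\s*:\s*)+', re.IGNORECASE)


def normalize_subject(subject):
    """Lowercase, strip reply/forward prefixes and collapse whitespace so that
    'RE: Urgent:  verify ...' and 'urgent: verify ...' compare equal."""
    subject = PREFIX_RE.sub("", subject.strip())
    return " ".join(subject.lower().split())


def parse_log(text):
    """Correlate header and delivery lines by queue id into one record per message."""
    messages = {}
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            rec = messages.setdefault(m["qid"], {"sender": "", "subject": "", "recipients": []})
            rec["sender"] = m["sender"].lower()
            rec["subject"] = m["subject"]
            continue
        m = DELIVERY_RE.search(line)
        if m:
            rec = messages.setdefault(m["qid"], {"sender": "", "subject": "", "recipients": []})
            rec["recipients"].append((m["rcpt"].lower(), m["status"]))
    return messages


def find_affected(messages, phish_sender, phish_subject):
    """Return the recipients who actually received a message matching either
    indicator from the original phish: the exact sender address, or the same
    subject modulo prefixes/case. Bounced deliveries never reached a mailbox
    and are therefore not listed."""
    want_sender = phish_sender.lower()
    want_subject = normalize_subject(phish_subject)
    rows = []
    for qid, rec in sorted(messages.items()):
        by_sender = rec["sender"] == want_sender
        by_subject = normalize_subject(rec["subject"]) == want_subject
        if not (by_sender or by_subject):
            continue
        reason = "sender+subject" if by_sender and by_subject else ("sender" if by_sender else "subject")
        for rcpt, status in rec["recipients"]:
            if status == "sent":
                rows.append({"recipient": rcpt, "queue_id": qid, "sender": rec["sender"],
                             "subject": rec["subject"], "matched_on": reason})
    return rows


def export_csv(rows):
    """Serialize the affected-recipient list to CSV text for the ticket to IT."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["recipient", "queue_id", "sender", "subject", "matched_on"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # Indicators taken from the (constructed) reported phish.
    affected = find_affected(parse_log(SAMPLE_LOG),
                             "billing@acacia-payments.example.net",
                             "Urgent: verify your payroll account")
    print(export_csv(affected))
```

Matching on the normalized subject as well as the sender is what makes the search catch the “RE:” reply copy and the second wave sent from a different address, both of which an exact search for the original subject line and sender would miss; the `matched_on` column tells IT which indicator flagged each mailbox so that a subject-only hit can be double-checked before a legitimate message is deleted.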



References

Mitra, A. (2019). Phishing: Detection, analysis and prevention.

Szymanski, S. (2009). undefined. Princeton University Press.
