
Phishing Playbook

How was the alert received?

• SIEM Alert - Collect all necessary information from the SIEM events.
• User / Customer - Ask the user to forward the suspicious email as an attachment (an .eml or .msg file), not inline, so the original headers are preserved.

In case of SIEM Alert - check the following event details:

• Alert Name
• Event Time
• Sender IP
• Sender Email Address
• Recipient Email Address
• Subject
• Attachment name and file type
• How many recipients got this mail?
• Action (Blocked/Delivered/Spam)
• Vendor

In case of User reported - check the following event details:

• Event Time
• Sender IP
• Sender Email Address
• Recipient Email Address
• How many recipients got this mail?
• What is the Subject?
• Does the mail contain an attachment?
• Does the content contain any links?
• Does the content look general or dedicated to a specific person?
• Action (Blocked/Delivered/Spam)
• Check the message header: compare the From address with the Return-Path, read the Received chain for the originating IP, and note the SPF/DKIM/DMARC results (Authentication-Results)

External Data Gathering:
Collect all necessary information from open-source intelligence. Look up the sender email address, domain and IP in the following open-source intelligence tools:
• whois.domaintools.com
• cymon.io
• otx.alienvault.com
• abuseipdb.com
• urlscan.io
In case of an attachment, compute the file hash (SHA-256) and search for it in the following resources. Search by hash rather than uploading the file: a document uploaded to a public sandbox is visible to other users of that service.
• virustotal.com
• hybrid-analysis.com
• joesandbox.com
In case of suspicious links in the content:
• Check the suspicious link in an isolated browser such as www.browserling.com; do not open it on a corporate workstation.
• Document your findings.
Domain Checking:
• Who is the owner?
• Is the domain on a blacklist?
• Was the sender's mailbox compromised? (A legitimate sender whose account was taken over sends through the real mail server, so reputation and SPF/DKIM checks alone will not flag it.)
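As an added example (not part of the original playbook), the following Python script pulls the fields requested in the SIEM and user-reported checklists and in the External Data Gathering and Domain Checking steps out of a raw message: the originating IP from the Received chain, From versus Return-Path mismatch, SPF/DKIM/DMARC verdicts, recipients, URLs in the body, and the SHA-256 of each attachment so the hash can be searched on virustotal.com or hybrid-analysis.com without uploading the file. The sample message and all domains, addresses and IPs in it are constructed for the example.

```python
# Added example (not from the original playbook): extract the triage fields a
# phishing ticket needs from a raw .eml, using only the standard library.
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Extensions that should not arrive as a mail attachment in most organisations.
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".img")

# Constructed sample message; every domain, address and IP is a documentation value.
SAMPLE_EML = b"""Return-Path: <bounce@mailer.invalid>
Received: from mx.example.org (mx.example.org [198.51.100.7]) by mail.example.com; Mon, 1 Jan 2024 10:00:00 +0000
Received: from unknown (HELO relay) ([203.0.113.45]) by mx.example.org; Mon, 1 Jan 2024 09:59:58 +0000
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer.invalid; dkim=none; dmarc=fail header.from=bank.example
From: "Bank Support" <security@bank.example>
To: alice@example.com, bob@example.com
Subject: Urgent: verify your account
Date: Mon, 1 Jan 2024 09:59:00 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please verify at http://bank-example.invalid/login?u=1 within 24 hours.
--b1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA
--b1--
"""


def sha256_hex(data: bytes) -> str:
    """Hash an attachment so it can be looked up by hash instead of uploaded."""
    return hashlib.sha256(data).hexdigest()


def _domain(addr: str) -> str:
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def _auth_results(msg: EmailMessage) -> dict:
    """First spf/dkim/dmarc verdict found in the Authentication-Results headers."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr), re.IGNORECASE):
            verdicts.setdefault(m.group(1).lower(), m.group(2).lower())
    return verdicts


def triage(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Each relay prepends its own Received header, so the last one was written
    # by the first server that accepted the message: closest to the true origin.
    sender_ip = None
    for hop in reversed(msg.get_all("Received", [])):
        m = IP_RE.search(str(hop))
        if m:
            sender_ip = m.group(1)
            break
    attachments, links = [], set()
    for part in msg.walk():
        if part.is_attachment():
            payload = part.get_payload(decode=True) or b""
            attachments.append({"name": part.get_filename(),
                                "content_type": part.get_content_type(),
                                "sha256": sha256_hex(payload)})
        elif part.get_content_type() in ("text/plain", "text/html"):
            links.update(URL_RE.findall(part.get_content()))
    recipients = [a.addr_spec for name in ("To", "Cc")
                  for hdr in msg.get_all(name, []) for a in hdr.addresses]
    from_dom = _domain(str(msg.get("From", "")))
    rp_dom = _domain(str(msg.get("Return-Path", "")))
    auth = _auth_results(msg)
    flags = []
    if rp_dom and rp_dom != from_dom:
        flags.append("Return-Path domain differs from From domain")
    if auth.get("spf") == "fail" or auth.get("dmarc") == "fail":
        flags.append("SPF/DMARC failure")
    if any((a["name"] or "").lower().endswith(RISKY_EXT) for a in attachments):
        flags.append("executable attachment")
    return {"subject": str(msg.get("Subject", "")), "date": str(msg.get("Date", "")),
            "from": str(msg.get("From", "")), "return_path": str(msg.get("Return-Path", "")),
            "sender_ip": sender_ip, "recipients": recipients,
            "recipient_count": len(recipients), "auth": auth,
            "attachments": attachments, "links": sorted(links), "flags": flags}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

Run it against the user's forwarded .eml (`triage(open("reported.eml", "rb").read())`) and paste the output into the ticket; the `sha256` values are what you search for in the hash-lookup resources, and the `flags` list gives the L2 analyst the header evidence at a glance.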

Escalation:

Escalate to L2 and the client.

If the email contains a phishing link and/or a malicious attachment that was not remediated by O365,
escalate to the customer and recommend the following:

• Block or blacklist the specific sender and/or the domain from the O365 admin console
• Delete the email permanently from all affected mailboxes
• Check with the customer whether the malicious file was downloaded to a computer
o If the file was downloaded, recommend that the customer delete the file
and run an anti-virus scan; if it was opened or executed, treat the host as potentially compromised and escalate

To L2 Analyst:

• If the domain reputation is malicious and the detection rate is high, escalate to the Threat team and include the information below:
o Source domain or sender address, detection action, destination recipient address
o If off-hours, contact the Threat team via the on-call roster list
