Playbook: Phishing
Investigate, remediate (contain, eradicate), and communicate in parallel!
Assign steps to individuals or teams to work concurrently, when possible; this playbook is not purely sequential. Use your best judgment.
Investigate
TODO: Expand investigation steps, including key questions and strategies, for phishing.
- Scope the attack. Usually you will be notified that a potential phishing attack is underway, either by a user, customer, or partner.
  - Determine the total number of impacted users
  - Understand user actions in response to the phishing email (e.g., did they download the attachment, visit the spoofed site, or give out any personal or business information such as credentials)
- Find the potentially related activity. Check:
  - social media
  - any possibly suspicious emails
  - emails with links to external and unknown URLs
  - non-returnable or non-deliverable emails
  - any kind of notification of suspicious activity
- Analyze the message using a safe device (i.e., do not open messages on a device with access to sensitive data or credentials, as the message may contain malware), and determine:
TODO: Specify tools and procedure
  - who received the message
  - who was targeted by the message (may be different than “successful” recipients)
  - email address of the sender
  - subject line
  - message body
  - attachments (do not open attachments except according to established procedures)
  - links, domains, and hostnames (do not follow links except according to established procedures)
  - email metadata including message headers (see below)
  - sender information from the ‘from’ field and the X-authenticated user header
  - all client and mail server IP addresses
  - note “quirks” or suspicious features
- Analyze links and attachments
TODO: Specify tools and procedure
  - use passive collection such as nslookup and whois to find IP addresses and registration information
  - find related domains using OSINT (e.g., reverse whois) on email addresses and other registration data
  - submit links, attachments, and/or hashes to VirusTotal
  - submit links, attachments, and/or hashes to a malware sandbox such as Cuckoo, Hybrid Analysis, Joe Sandbox, or VMray
- Categorize the type of attack.
TODO: Customize categories and create additional playbooks for common or high-impact phishing types
- Determine the severity. Consider:
  - whether public or personal safety is at risk
  - whether personal data (or other sensitive data) is at risk
  - any evidence of who is behind the attack
  - number of affected assets
  - preliminary business impact
  - whether services are affected
  - whether you are able to control/record critical systems
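The message-analysis and link/attachment steps above are usually scripted on an isolated analysis host. The following Python script is an added example written for this playbook (it is not the playbook's own tooling): it parses a raw message, pulls out the sender details (From display name and address, Return-Path, the X-Authenticated-User header), every IP in the Received chain, the SPF/DKIM/DMARC verdicts, the links in the body (defanged for pasting into a ticket), and SHA-256 hashes of attachments for VirusTotal or sandbox lookup, and it records the kind of “quirks” the list asks for. The sample message, its addresses, domains and IPs are constructed, and the quirk rules are illustrative assumptions rather than a complete detection set.

```python
"""Triage a suspected phishing message on a safe analysis host.
Added example for this playbook, not the playbook's own tooling; the sample
message, addresses, domains and IPs are constructed, quirk rules are assumptions."""
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: lookalike From domain, mismatched Return-Path, failed
# SPF/DMARC, a credential-harvesting link and a double-extension attachment.
SAMPLE_EML = b"""Return-Path: <bounce@mail-relay.example.net>
Received: from mx.example.org (mx.example.org [203.0.113.10])
\tby inbound.example.com with ESMTPS; Mon, 1 Jan 2024 09:00:00 +0000
Received: from [198.51.100.23] (unknown [198.51.100.23])
\tby mx.example.org with ESMTP; Mon, 1 Jan 2024 08:59:58 +0000
Authentication-Results: inbound.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=examp1e.com
X-Authenticated-User: user42@mail-relay.example.net
From: "IT Helpdesk" <helpdesk@examp1e.com>
Subject: Urgent: password expires today
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your password expires in 1 hour. Reset now: http://portal-examp1e.com/reset?u=alice

--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

Tk9UIEEgUkVBTCBGSUxF
--b1--
"""
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL = re.compile(r"""https?://[^\s<>"']+""")
AUTH = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def domain_of(addr):
    """Lower-cased domain part of an e-mail address ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def defang(url):
    """Render a URL so it is not clickable when pasted into a ticket."""
    return url.replace("http", "hxxp").replace(".", "[.]")


def triage(raw):
    """Extract the fields the playbook asks for, plus a list of quirks."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display, sender = parseaddr(str(msg.get("From", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    auth = dict(AUTH.findall(str(msg.get("Authentication-Results", ""))))
    hop_ips = []  # each hop prepends a Received header, so newest hop comes first
    for hdr in msg.get_all("Received", []):
        for ip in IPV4.findall(str(hdr)):
            if ip not in hop_ips:
                hop_ips.append(ip)
    body = msg.get_body(preferencelist=("plain", "html"))
    urls = URL.findall(body.get_content() if body else "")
    attachments = []  # hash only; never open or execute the file here
    for part in msg.iter_attachments():
        data = part.get_content()
        if isinstance(data, str):
            data = data.encode("utf-8", "surrogateescape")
        attachments.append({"filename": part.get_filename(), "size": len(data),
                            "sha256": hashlib.sha256(data).hexdigest()})
    quirks, sdom = [], domain_of(sender)
    if "@" in display and display.lower() != sender.lower():
        quirks.append(f"display name shows a different address: {display}")
    if return_path and domain_of(return_path) != sdom:
        quirks.append(f"Return-Path domain {domain_of(return_path)} != From domain {sdom}")
    quirks += [f"{m} failed" for m in ("spf", "dkim", "dmarc") if auth.get(m) == "fail"]
    for u in urls:
        host = (urlparse(u).hostname or "").lower()
        if host and host != sdom and not host.endswith("." + sdom):
            quirks.append(f"link host {host} is outside sender domain {sdom}")
    for a in attachments:
        name = (a["filename"] or "").lower()
        if name.count(".") > 1 and name.endswith((".exe", ".scr", ".js")):
            quirks.append(f"double-extension attachment: {a['filename']}")
    return {"subject": str(msg.get("Subject", "")), "display_name": display,
            "sender": sender, "return_path": return_path,
            "authenticated_user": str(msg.get("X-Authenticated-User", "")),
            "auth": auth, "hop_ips": hop_ips, "urls": [defang(u) for u in urls],
            "attachments": attachments, "quirks": quirks}
```

Run `triage(open("suspect.eml", "rb").read())` and paste the returned dictionary into the ticket; the defanged URLs and the hashes are what you submit to VirusTotal or a sandbox, and the Received-chain IPs are the starting point for the passive nslookup/whois collection. Note that the first Received header (the last hop) is written by your own gateway and is trustworthy, while earlier hops can be forged by the sender.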
Remediate
- Plan remediation events where these steps are launched together (or in coordinated fashion), with appropriate teams ready to respond to any disruption.
- Consider the timing and tradeoffs of remediation actions: your response has consequences.
Contain
TODO: Customize containment steps, tactical and strategic, for phishing.
TODO: Specify tools and procedures for each step, below.
- Contain affected accounts
  - change login credentials
  - reduce access to critical services, systems, or data until the investigation is complete
  - reinforce multi-factor authentication (MFA)
- Block activity based on discovered indicators of compromise, e.g.:
  - block malicious domains using DNS, firewalls, or proxies
  - block messages with similar senders, message bodies, subjects, links, attachments, etc., using the email gateway or service
- Implement forensic hold or retain forensic copies of messages
- Purge related messages from other user inboxes, or otherwise make inaccessible
- Contain broader compromise in accordance with general IR plan
- Consider mobile device containment measures such as wiping via mobile device management (MDM). Balance against investigative/forensic impact.
- Increase detection “alert level,” with enhanced monitoring, particularly from related accounts, domains, or IP addresses.
- Consider outside security assistance to support investigation and remediation
- Confirm relevant software upgrades and anti-malware updates on assets.
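For the DNS-layer block in the containment list above, a common approach is a BIND Response Policy Zone (RPZ) that makes the resolver answer NXDOMAIN for the phishing hosts. The script below is an added example for this playbook, not the playbook's own tooling: it normalises indicators as they come out of analysis (bare hostnames, full URLs, defanged `hxxp`/`[.]` forms, trailing dots, ports), refuses to block anything under your own or allow-listed domains (the impersonated brand often appears in the indicator list and must not be blocked), and emits the zone text. The zone and nameserver names are assumptions; the indicators are constructed.

```python
"""Build a BIND RPZ zone from confirmed phishing indicators.
Added example for this playbook; zone/nameserver names are assumed and the
indicator values used in the usage note and test are constructed."""
from urllib.parse import urlparse

ZONE = "rpz.example.internal"          # assumed RPZ zone name
PRIMARY_NS = "ns1.example.internal."   # assumed authoritative server


def normalise(indicator):
    """Accept a bare hostname or a (possibly defanged) URL; return a clean domain."""
    ind = indicator.strip().lower().replace("hxxp", "http").replace("[.]", ".")
    host = urlparse(ind).hostname if "://" in ind else ind.split("/", 1)[0]
    host = (host or "").rstrip(".")
    if ":" in host:  # strip an explicit port on a bare host
        host = host.split(":", 1)[0]
    return host


def rpz_zone(indicators, allow=("example.com",), serial=1):
    """Return (zone_text, blocked_domains).

    Hosts equal to or below any domain in `allow` are never blocked, so an
    indicator list that includes the spoofed legitimate domain cannot take
    down your own mail or web services.
    """
    blocked = []
    for ind in indicators:
        host = normalise(ind)
        if not host or host in blocked:
            continue
        if any(host == a or host.endswith("." + a) for a in allow):
            continue
        blocked.append(host)
    lines = [
        "$TTL 300",
        f"@ IN SOA {PRIMARY_NS} hostmaster.{ZONE}. {serial} 3600 900 604800 300",
        f"@ IN NS {PRIMARY_NS}",
    ]
    for host in blocked:
        # In RPZ, "CNAME ." rewrites the answer to NXDOMAIN; the wildcard
        # entry covers any subdomain the attacker adds later.
        lines.append(f"{host} CNAME .")
        lines.append(f"*.{host} CNAME .")
    return "\n".join(lines) + "\n", blocked
```

Usage: `text, blocked = rpz_zone(["hxxp://portal-examp1e[.]com/reset", "cdn.evil-example.net:8443"])`, write `text` to the zone file your resolver loads under `response-policy`, and bump `serial` on every change so secondaries pick it up. The same `blocked` list is what you feed to the firewall or proxy blocklist in that vendor's import format, and the short `$TTL` keeps the block reversible within minutes if an indicator turns out to be a false positive.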
Reference: Remediation Resources
TODO: Specify financial, personnel, and logistical resources to accomplish remediation
Communicate
TODO: Customize communication steps for phishing
TODO: Specify tools and procedures (including who must be involved) for each step, below, or refer to overall plan
- Escalate incident and communicate with leadership per procedure
- Document incident per procedure (and report)
- Communicate with internal and external legal counsel per procedure, including discussions of compliance, risk exposure, liability, law enforcement contact, etc.
- Communicate with users (internal)
  - Communicate incident response updates per procedure
  - Communicate impact of incident and incident response actions (e.g., containment: “why is the file share down?”)
  - Communicate requirements: “what should users do and not do?”
- Communicate with customers
  - Focus particularly on those whose data was affected
  - Generate required notifications based on applicable regulations (particularly those that may consider phishing a data breach or otherwise require notifications)
TODO: Expand notification requirements and procedures for applicable regulations
- Contact insurance provider(s)
  - Discuss what resources they can make available, what tools and vendors they support and will pay for, etc.
  - Comply with reporting and claims requirements to protect eligibility
- Consider notifying and involving law enforcement
TODO: Link the following bullets to actual resources for your organization
- Communicate with security and IT vendors
TODO: Link the following bullets to actual resources for your organization
  - Notify and collaborate with managed providers per procedure
  - Notify and collaborate with incident response consultants per procedure
Recover
TODO: Customize recovery steps for phishing
TODO: Specify tools and procedures for each step, below
- Launch business continuity/disaster recovery plan(s) if compromise involved business outages: e.g., consider migration to alternate operating locations, fail-over sites, backup systems.
- Reinforce training programs regarding suspected phishing attacks. Key suspicious indicators may include:
  - misspellings in the message or subject
  - phony-seeming sender names, including mismatches between display name and email address
  - personal email addresses for official business (e.g., gmail or yahoo emails from business colleagues)
  - subject lines marked “[EXTERNAL]” on emails that look internal
  - malicious or suspicious links
  - receiving an email or attachment they were not expecting but from someone they know (contact the sender before opening it)
  - reporting suspicious activity to IT or security
- Ensure that IT and security staff are up to date on recent phishing techniques.
- Determine whether any controls failed when the organization fell victim to the attack, and rectify them. Here is a good source to consider following a phishing attack.
Resources
Reference: User Actions for Suspected Phishing Attack
TODO: Customize steps for users dealing with suspected phishing
- Stay calm, take a deep breath.
- Take pictures of your screen using your smartphone showing the things you noticed: the phishing message, the link if you opened it, the sender information.
- Take notes about the problem(s) using the voice memo app on your smartphone or pen-and-paper. Every little bit helps! Document the following:
  - What did you notice?
  - Why did you think it was a problem?
  - What were you doing at the time you detected it?
  - When did it first occur, and how often since?
  - Where were you when it happened, and on what network? (office/home/shop, wired/wireless, with/without VPN, etc.)
  - What systems are you using? (operating system, hostname, etc.)
  - What account were you using?
  - What data do you typically access?
  - Who else have you contacted about this incident, and what did you tell them?
- Contact the help desk using the phishing hotline or the phishing report toolbar and be as helpful as possible.
- Be patient: the response may be disruptive, but you are protecting your team and the organization! Thank you.
Reference: Help Desk Actions for Suspected Phishing Attack
TODO: Customize steps for help desk personnel dealing with suspected phishing
- Stay calm, take a deep breath.
- Open a ticket to document the incident, per procedure.
TODO: Customize template with key questions (see below) and follow-on workflow
- Ask the user to take pictures of their screen using their smartphone showing the things they noticed: the phishing message, the link if they opened it, the sender information, etc. If this is something you noticed directly, do the same yourself.
- Take notes about the problem(s) using the voice memo app on your smartphone or pen-and-paper. If this is a user report, ask detailed questions, including:
  - What did you notice?
  - Why did you think it was a problem?
  - What were you doing at the time you detected it?
  - When did it first occur, and how often since?
  - What networks are involved? (office/home/shop, wired/wireless, with/without VPN, etc.)
  - What systems are involved? (operating system, hostname, etc.)
  - What data is involved? (paths, file types, file shares, databases, software, etc.)
  - What users and accounts are involved? (Active Directory, SaaS, SSO, service accounts, etc.)
  - What data do the involved users typically access?
  - Who else have you contacted about this incident, and what did you tell them?
- Ask follow-up questions as necessary. You are an incident responder, we are counting on you.
- Get detailed contact information from the user (home, office, mobile), if applicable.
- Record all information in the ticket, including hand-written and voice notes.
- Quarantine affected users and systems.
TODO: Customize containment steps, automate as much as possible
- Contact the security team and stand by to participate in the response as directed: investigation, remediation, communication, and recovery.