#Blueteam #IR #Phishing
Phishing remains the most commonly used initial vector by attackers. Understanding what is involved in investigating phishing-related events is important. In this thread, I will touch on the most important questions a SOC analyst should ask themselves.
What is the scope?
Establish the scope first. Leverage your tools to gather a list of intended recipients. Looking for connections between users can be helpful to identify if the attack may be targeted. This list can change if the campaign is active.
Is the threat active?
Visit the phishing site with a VM, or use a URL scanning tool to see if the page is still active. This context is important to gauge how quickly mitigative actions are required. Interact with the page, see what happens if you enter credentials.
What is the impact?
Is there evidence of users submitting credentials? Do you have the visibility (e.g. proxy logs) to see if this occurred? Can you determine if the site was accessed by the user? Understanding the impact can lead to invoking IR if there is evidence of negative impact.
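The scoping and impact questions above are where log tooling earns its keep. The script below is an added example written for this thread, not code from the original author; it runs over constructed, hypothetical CSV exports (an email gateway log and a web proxy log with made-up field names and domains). It starts from the one reported URL host, pivots on shared senders, sender domains and subjects to expand the recipient list (which is why the list can change while a campaign is active), and then checks the proxy log for users who reached any of the phishing hosts and for POST requests that suggest a credential submission.

```python
import csv
import io
from urllib.parse import urlparse

# Constructed sample logs (hypothetical data, not from any real environment).
# Email gateway export: timestamp, sender, recipient, subject, first URL in body.
MAIL_LOG = """timestamp,sender,recipient,subject,url
2024-03-04T08:01:00Z,it-helpdesk@example-mail.test,alice@corp.example,Password expiry notice,https://login-corp.example-phish.test/reset
2024-03-04T08:01:05Z,it-helpdesk@example-mail.test,bob@corp.example,Password expiry notice,https://login-corp.example-phish.test/reset
2024-03-04T08:01:09Z,it-helpdesk@example-mail.test,carol@corp.example,Password expiry notice,https://login-corp.example-phish.test/reset
2024-03-04T08:30:00Z,newsletter@vendor.example,dave@corp.example,March update,https://vendor.example/news
2024-03-04T09:15:00Z,accounts@example-mail.test,erin@corp.example,Password expiry notice,https://corp-sso.example-phish2.test/reset
"""

# Web proxy export: timestamp, user, HTTP method, URL, status.
PROXY_LOG = """timestamp,user,method,url,status
2024-03-04T08:05:12Z,alice,GET,https://login-corp.example-phish.test/reset,200
2024-03-04T08:06:01Z,alice,POST,https://login-corp.example-phish.test/reset,302
2024-03-04T08:10:44Z,bob,GET,https://login-corp.example-phish.test/reset,200
2024-03-04T08:11:00Z,dave,GET,https://vendor.example/news,200
"""


def parse_csv(text):
    """Turn a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def domain_of(address):
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def scope_campaign(mail_rows, seed_hosts):
    """Expand from the reported URL host(s) to every message that shares an
    indicator with the campaign. Pivots: same URL host, same sender address,
    or same subject from an already-seen sender domain (subject alone is too
    generic to pivot on). Returns the indicator sets and the recipient list."""
    hosts = {h.lower() for h in seed_hosts}
    senders, sender_domains, subjects, recipients = set(), set(), set(), set()
    matched = set()
    changed = True
    while changed:  # keep pivoting until no new message is pulled in
        changed = False
        for i, row in enumerate(mail_rows):
            if i in matched:
                continue
            host = (urlparse(row["url"]).hostname or "").lower()
            related = (
                host in hosts
                or row["sender"] in senders
                or (row["subject"] in subjects and domain_of(row["sender"]) in sender_domains)
            )
            if related:
                matched.add(i)
                if host:
                    hosts.add(host)
                senders.add(row["sender"])
                sender_domains.add(domain_of(row["sender"]))
                subjects.add(row["subject"])
                recipients.add(row["recipient"])
                changed = True
    return {"hosts": hosts, "senders": senders, "subjects": subjects, "recipients": recipients}


def assess_impact(proxy_rows, hosts):
    """Who reached a phishing host, and who sent a POST to it (likely a
    credential submission). Users in 'submitted' are the password-reset list."""
    visited, submitted = set(), set()
    for row in proxy_rows:
        if (urlparse(row["url"]).hostname or "").lower() in hosts:
            visited.add(row["user"])
            if row["method"].upper() == "POST":
                submitted.add(row["user"])
    return {"visited": visited, "submitted": submitted}


if __name__ == "__main__":
    scope = scope_campaign(parse_csv(MAIL_LOG), ["login-corp.example-phish.test"])
    impact = assess_impact(parse_csv(PROXY_LOG), scope["hosts"])
    print("hosts to block:", sorted(scope["hosts"]))
    print("senders to block:", sorted(scope["senders"]))
    print("recipients to pull from:", sorted(scope["recipients"]))
    print("visited:", sorted(impact["visited"]), "submitted:", sorted(impact["submitted"]))
```

Note what the pivot buys you: erin's message uses a different sender address and a different URL host, so a search on the reported URL alone would have missed her. The second host only becomes a block candidate because the subject/sender-domain pivot pulled that message in.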
Mitigative Actions?
Ok so now you have some idea of what is going on, excellent. Now let's talk about what could be done.

Pull emails from user inboxes
Block Associated URLs (do not forget redirects)
Block email senders
Password resets (may require user interaction)
Let's expand the actions:
Be aware of the blocks you are making. Understand the potential business impact of blocking email accounts and/or domains. Check email logs to look for communication from these domains in the last year. Ensure the decisions are made to benefit your org.
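The "check email logs for the last year" step is easy to automate and worth doing before any domain block goes in. The script below is an added example for this thread, not the author's code; it runs over a constructed, hypothetical message-history export (made-up field names and domains). For each candidate block domain it counts inbound and outbound mail inside the lookback window, excludes the campaign's own traffic so the phishing emails do not inflate the count, and turns that into a verdict an analyst can take to the business.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed message-history export (hypothetical): one row per message
# exchanged with an external domain, with direction relative to our org.
HISTORY_LOG = """timestamp,direction,peer_domain
2023-05-02T10:00:00Z,inbound,partner.example
2023-05-02T11:30:00Z,outbound,partner.example
2023-11-15T09:00:00Z,outbound,partner.example
2024-02-20T16:45:00Z,inbound,partner.example
2022-01-10T08:00:00Z,inbound,oldvendor.example
2024-03-04T08:01:00Z,inbound,example-mail.test
2024-03-04T08:01:05Z,inbound,example-mail.test
"""


def parse_csv(text):
    """Turn a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_ts(value):
    """Parse the export's UTC timestamp format into a naive datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def block_impact(history_rows, domains, now, days=365, campaign_start=None):
    """Per candidate domain: inbound/outbound counts and last contact within
    the lookback window, plus a verdict. Rows at or after campaign_start are
    ignored so the phishing wave itself does not count as 'history'."""
    cutoff = now - timedelta(days=days)
    stats = {d.lower(): {"inbound": 0, "outbound": 0, "last_seen": None} for d in domains}
    for row in history_rows:
        dom = row["peer_domain"].lower()
        if dom not in stats or row["direction"] not in ("inbound", "outbound"):
            continue
        ts = parse_ts(row["timestamp"])
        if ts < cutoff or (campaign_start is not None and ts >= campaign_start):
            continue
        entry = stats[dom]
        entry[row["direction"]] += 1
        if entry["last_seen"] is None or ts > entry["last_seen"]:
            entry["last_seen"] = ts
    for entry in stats.values():
        # Outbound mail from our users is the strongest sign of a real relationship
        # (a compromised partner or supplier), so it gets the loudest verdict.
        if entry["outbound"]:
            entry["verdict"] = "review with the business: established two-way correspondence"
        elif entry["inbound"]:
            entry["verdict"] = "review: prior inbound mail only"
        else:
            entry["verdict"] = "no prior history in window: low blocking impact"
    return stats


if __name__ == "__main__":
    report = block_impact(
        parse_csv(HISTORY_LOG),
        ["example-mail.test", "partner.example", "oldvendor.example"],
        now=datetime(2024, 3, 4, 12, 0, 0),
        campaign_start=datetime(2024, 3, 4),
    )
    for dom, entry in report.items():
        print(f"{dom}: in={entry['inbound']} out={entry['outbound']} "
              f"last={entry['last_seen']} -> {entry['verdict']}")
```

In the sample, the throwaway phishing domain has no history once the campaign's own messages are excluded, so blocking it is cheap; the partner domain has a year of two-way traffic, which is exactly the case where a block should be a sender-address or URL block agreed with the business owner rather than a blanket domain block.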
The human element:
Reach out to users. Talk to them! They are the frontlines and can be essential to remediation. THANK USERS that reported emails! Do not use a script to respond. Make it personable. A SOC needs users that WANT to communicate with them.
Now we have taken action and have talked to associated users. Now what?

Document the event.
Compare to other events
Look for trends.
Determine if your detection capabilities could be improved as a result.
Depending on the impact, hold a Lessons Learned meeting. These events are essential and could be used as training exercises for SOC analysts regardless of experience.

I always learn something from a phishing investigation.
Last point:
Analysts investigate differently and that is the beauty of our roles. What I included is how my mind responds to a phishing event and there could be additional actions I left out in this thread.

Everything is derived from the questions you ask yourself.
You can follow @L0Psec.