Reactive: Immediate Response Process Flashcards
Immediate Response Process
Immediate response covers the steps the investigating analyst should take once they have identified a phishing email, from detection through to concluding their investigation report. These steps triage the attack and take measures to address the risk created by malicious emails being successfully delivered to employee mailboxes. The steps are:
Retrieve an original copy of the phishing email
Gather artifacts from the phishing email
Inform the recipients that received the email
Investigate malicious artifacts to collect indicators of compromise that can be blocked to protect the organization
Take defensive measures
Complete the investigation report, documenting all of the above steps
1) Retrieve an Original of the Suspicious Email:
An original version of the email can be obtained in a number of ways: through security technology on the email gateway or from the gateway itself, by pulling the email directly from the email solution (such as Microsoft Exchange servers), or by having an employee forward the email to a security-owned mailbox.
2) Gather Artifacts From the Original Email:
We have already covered the artifacts we need to collect, and why they’re important. These are used later in the investigation process to perform artifact analysis and take defensive measures.
3) Inform Email Recipients:
A crucial part of the immediate response to a phishing attack is to notify any individuals that have received the email. This helps to reduce the chance of them opening and interacting with the email.
Typically, organizations have an email template that they can send to recipients once those recipients have been identified. The investigating analyst checks the email gateway to see which mailboxes the phishing email was delivered to, adds the recipients to the BCC field of the email template, and includes the following details:
The date and time the email was sent (allows the recipients to find the email more easily by looking at the times of the emails they have received)
The subject line of the malicious email (allows the recipients to find the email more easily by looking at the subject lines of the emails they have received)
Clear instructions on what to do with the email (this depends on how the organization deals with phishing emails; it could be instructing the recipients to delete the email or to forward it to a security-owned mailbox)
Contact details for recipients who are unsure what to do (typically a security-owned mailbox, so the user can get support from the security team)
4) Artifact Analysis and Investigation:
We have already covered how to investigate email, web, and file-based artifacts to collect more information and determine how malicious they are. Tools that should be used include enterprise-grade sandboxing, URL2PNG, VirusTotal, IPVoid, WannaBrowser, a virtual machine, and more.
5) Take Defensive Measures:
Defensive measures are the actions taken by the security team to reduce the risk generated by the phishing attack. This may include blocking email, web, and file-based artifacts. If a malicious email includes a URL that takes the user to a credential harvester, blocking this URL on the web proxy prevents employees from connecting to the webpage, completely mitigating the risk of them entering their credentials. We will cover blocking email, web, and file-based artifacts in the next three lessons.
6) Complete Investigation Report:
We will cover this in detail in a later section. Your investigation report will include notes about all of the steps you have completed during the immediate response process. This provides an audit trail to show that the email was identified, investigated, and defensive measures were taken to protect the organization from this attack.