
Table of Contents

Glossary
Incident Response Playbook – Phishing
  Identification
  Containment
  Eradication
  Recovery
  Lessons Learned

Glossary

Phishing - Phishing is a cybercrime in which a target or targets are contacted by email, telephone, or text message by someone posing as a
legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details,
and passwords. The information is then used to access important accounts and can result in identity theft and financial loss.

Spear Phishing - Spear phishing is an email or electronic communications scam targeted towards a specific individual, organization, or business.
Although often intended to steal data for malicious purposes, cybercriminals may also intend to install malware on a targeted user’s computer.

Smishing - Smishing, or SMS phishing, is the act of committing text message fraud to try to lure victims into revealing account information or
installing malware. Like phishing, cybercriminals use smishing, the fraudulent attempt to steal credit card details or other sensitive information,
by disguising as a trustworthy organization or reputable person in a text message.

Vishing - Vishing is a cybersecurity attack where a malicious entity contacts the victim over the phone and tries to gain their trust through social
engineering practices to elicit confidential data, extract funds, or harm the individual in any other way.

Email Headers - The email header is the block of header fields at the start of an email message that contains information about the sender, recipient,
the email's route to the inbox and various authentication details. The email header always precedes the email body.

IoC - An indicator of compromise (IoC) is a forensic term that refers to evidence on a device that points to a security breach. IoC data is
gathered after a suspicious incident, security event or unexpected callouts from the network. Moreover, it is common practice to check
IoC data on a regular basis to detect unusual activities and vulnerabilities.

IPS/IDS - Intrusion detection is the process of monitoring your network traffic and analyzing it for signs of possible intrusions, such as exploit
attempts and incidents that may be imminent threats to your network. For its part, intrusion prevention is the process of performing intrusion
detection and then stopping the detected incidents, typically done by dropping packets or terminating sessions. These security measures are
available as intrusion detection systems (IDS) and intrusion prevention systems (IPS), which are part of network security measures taken to
detect and stop potential incidents and are included functionality within next-generation firewalls (NGFW).
Incident Response Playbook – Phishing
Identification

Columns: Task Name | Task Description | Expected Outcome | Assignee | Task Action(s)

Task Name: Validate Phishing Incident

Task Description:
Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords, and credit card details, by disguising oneself as a trustworthy entity in an email or phone text message.

Varying forms of phishing attacks exist:
- Spear phishing is targeted at an individual or specific group, typically with access to sensitive information or the ability to transfer funds. Information is gathered by cybercriminals about the intended target and leveraged to personalize the attack, creating a sense of familiarity and making the malicious email seem trustworthy. Spear-phishing emails typically appear to come from someone the target knows, such as a co-worker at their company or another business partner.
- Whaling is a spear-phishing attack that specifically targets senior executives at an organization.
- Smishing uses text messages to try and persuade victims into revealing account information or installing malware.

Over the years phishing emails have become more sophisticated by using graphics and language that appear to be from legitimate entities. Usually, a sense of urgency is included in the message to request an individual to act quickly.

Employees should be educated on reporting any suspected phishing attempts and on not clicking any links found in suspicious emails or phone texts. Once the email or text is identified as a phishing attack, speed of investigation to discern whether any corporate-wide attack has been successful is vital, since many successful malware and ransomware attacks start with a successful phish.

While many phishing campaigns are generic, spear phishing and whaling attempts are more critical to contain and eradicate as they specifically target the organization. It is always useful to remind employees to be vigilant of ongoing phishing campaigns. However, if the organization is experiencing a targeted organizational phishing attack, corporate-wide messaging should be created in a timely manner to warn the rest of the company of the specific targeted campaign(s).

Expected Outcome:
- A security event is confirmed as a phishing attack.
- Organization is notified of targeted phishing campaign.

Assignee: Core CIRT Member

Task Action(s):
1. Reviewed reported email as suspected phish. This required reviewing the emails for the following indicators:
   • Strange names and email addresses
   • Links to external and unknown URLs
   • Words that depict urgency or importance such as “Urgent”, “Mandatory”, “Critical”, “Restricted”, “Confirm Immediately” or “Review Now”.
   • Spelling and grammatical mistakes
   • Generic greetings
   • Requests for personal or financial information
   • Attachments including fake invoices, fake fax documents, fake voice messages
2. Once confirmed as a phishing attempt, sent a corporate-wide message to warn employees of any general widely used phishing campaign or targeted campaigns against the organization.
3. If the email is verified as legitimate, marked the event as a false positive and resolved the event.

Task Name: Confirm Phishing Purpose

Task Description:
Phishing attacks are typically utilized to steal credentials, install malware and/or spyware, or initiate ransomware attacks. The emails may contain URLs leading to a malicious website replicating legitimate web resources, tricking victims into downloading malicious files or providing employee username/password credentials. It is critical to identify the source of the phishing attack and to determine what the end goal of the phishing campaign is so that effective containment and eradication steps can be performed.

The phishing email's headers contain valuable information that helps determine the source of the attack. Some areas to investigate include:
o Identify that the 'From' email address matches the display name. The from address may look legitimate at first glance, but a closer look in the email headers may reveal that the email address associated with the display name is actually coming from someone else.
o Make sure the 'Reply-To' header matches the source. This is typically hidden from the recipient when receiving the message and is often overlooked when responding to the message. If the reply-to address does not match the sender or the site that they claim to be representing, there is a good chance that it is forged.
o Find where the 'Return-Path' goes. This identifies where the message originated from. While it is possible to forge the Return-Path in a message header, it is not done with great frequency.

Other techniques used to determine phishing campaign goals include checking hashes against known phishing emails, checking malicious links against known databases and researching IP addresses and domain names linked with the phishing campaign. The steps taken to identify the end goal of the campaign will also typically help identify the source of the campaign.

Phishing campaigns keep evolving. Some added insights into specific campaigns can be found in these pointers:
- Seaborgium: https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/
- https://www.darkreading.com/application-security/researchers-identify-threat-actor-behind-recent-phishing-attack-targeting-pypi-users

Gathering as much evidence as possible during the incident identification stage is crucial for future forensic activities, accurate record-keeping, and ongoing triage activities. The more information about the threat actor, Indicators of Compromise, attack vectors and the malware used the team collects, the more efficient and concise all subsequent containment and eradication steps will be.

Expected Outcome:
- The purpose of the phishing email is determined.
- The source of the phishing attack is established.
- IOCs are identified.

Task Action(s):
1. Analyzed email headers. This comprised the following actions:
   - If using Outlook, opened the email in a separate window in Outlook and navigated to 'File' -> 'Properties' to view the properties of the email. Relevant email headers will be displayed in the dialog window under the section called 'Internet headers'. Selected all text from the 'Internet headers' section and pasted it into a notepad document to analyze.
   Other email clients will have similar capabilities for capturing email headers.
   The following fields were analyzed:
   • The 'Received' headers, to find the source of the phishing email. Each email server will add its own 'Received' header to the email. This header will contain information about the server where the email originated and its path through the different email servers. The most interesting of these headers is the first 'Received' header (the lowest one in the header block, since each server adds its own header above the earlier ones), which usually contains an IP or a DNS name from where the email originated.
   • X-Apparently-To: This field is useful when the email is sent to more than one recipient, such as BCC or a mailing list. This field contains an address to the TO field, but in the case of BCC, the X-Apparently-To field is different. This field discloses the address of the recipient despite the email being sent as either CC, BCC, or via a mailing list.
   • 'From' or 'X-Sender' header that contains information about the email account used to send the phishing email. If the email originates from the organization's internal email account, further analysis is required to identify the origin.
   • The mail server's IP address: This will contain the actual TCP/IP address of the email server from where the phishing email was sent.
2. Identified all URLs in the phishing email by opening the email and performing a manual review:
   • Saved the phishing email as a 'msg' in the corresponding incident folder or local temporary folder
   • Opened the email in Notepad and searched for the part where the email headers are displayed in cleartext. Directly underneath the email headers, there will be a section containing base64 encoded data
   • Decoded the base64 data online using or a similar resource and pasted the decoded values into a new text file.
   • Resolved the DNS name into an IP address using tools such as ‘nslookup’ or ‘dig’.
   • Used IP reputation feeds to gain more information on the associated IP address(es). This information could include blacklists, geographic location, whois information, etc.
3. Used a sandboxed testing machine that is not connected to the organization's network to retrieve the contents of the phishing URL. After retrieving the contents, identified the purpose of the URL (phishing employees, web application replication, malicious download, web exploit, etc.)
   Note: This action requires subject matter expertise and should only be performed if there is absolute certainty that it is being performed in an isolated environment.
4. Preserved all forensic evidence by using the Upload Artifact feature of this Task.
Task Name: Initiate CIRT Team Meeting and Execute Escalation Procedures

Task Description:
As more information about the incident is known, the core CIRT team will meet and define which organizational SMEs need to be included to respond to the incident. The SMEs will be chosen based upon the affected systems and applications they have direct operational responsibility for. The SMEs could include, for example, cloud operations, customer support, internal IT and/or development leads depending on which systems have been impacted.

During the meeting, an initial assessment is made to determine what type of communication channel needs to be set up and what the periodic meeting cadence should be. Often, the meeting cadence should be coordinated with the customer support severity level expectations so that timely updates can be given to both internal and external parties.

Whether in-person communication, virtual communications or a combination is utilized, careful attention is needed to ensure that discussions are kept confidential, since CIRT meetings will discuss extremely sensitive information necessary to make rapid decisions during high-risk situations.

For any digital communications, it is best to assume complete compromise and utilize out-of-band communication mechanisms, i.e., ones that are not part of normal business communications. This secured digital communication channel needs to be utilized for sharing all incident-related information between the CIRT members and organizational executives who require timely and detailed updates.

Incident response escalation procedures are activated once some preliminary assessments are made. Typical escalation procedures would first include informing the corporate general counsel to create legal privilege. The procedures would also include information on which organizational leaders should be notified and which Subject Matter Experts (SMEs) will need to be included in this incident response depending on which assets were affected.

Expected Outcome:
- First Core CIRT meeting is held with invited SMEs.
- Out-of-band communication channels are set up and periodic check-ins are scheduled.
- Privileged communication is established with legal counsel.

Assignee: CIRT Leader

Task Action(s):
1. Initiated first meeting of the organizational core CIRT.
2. Notified CIRT team members using the contacts and role assignments on the My Team page and made sure ORNA roles are assigned so they are aware of the tasks allocated to them.
3. Verified the Incident Severity determined during the Incident record creation process as promptly and accurately as possible. The severity may change as more details are uncovered and it will need to be updated when the situation changes.
4. Invited additional SMEs to be included in CIRT update meetings.
5. Set up a secured meeting room (either physical and/or virtual).
6. Scheduled follow-up meetings according to a defined cadence.
7. Worked closely with Legal Counsel to retain client-attorney privilege over the information pertaining to the incident and ensure compliance with applicable laws and regulations.
8. Created an initial incident assessment to share with organizational leaders. This assessment notification will contain a summary of what has occurred; date & time of incident; scope of compromise; data involved; actions taken so far and next steps recipients can expect to see.
9. Established a log of items covered to keep track of when meetings occurred, who was present, high level discussion notes and follow-up actions.

Task Name: Initiate Added Playbooks

Task Description:
If the phishing attack has been successful and subsequently created a malware or ransomware attack, or employee username/password credentials have been compromised, the relevant incident response playbook needs to be initiated.

Expected Outcome:
- Additional incident response playbooks are initiated.

Assignee: CIRT Leader

Task Action(s):
1. Initiated added incident response playbooks if the phishing campaign was discovered to successfully create a malware attack, ransomware attack or get access to employees’ username/password credentials.

Task Name: Determine Scope of Attack

Task Description:
Phishing attacks are common security events and many email tools exist to filter out phishing messages based on common phishing message characteristics. Employees should be made aware that reporting all phishing messages is necessary so that tools can be updated as needed and filters adjusted for new campaigns.

Employee reporting of phishing attacks can also help ascertain whether the attack is targeted specifically at the organization, in which case the scope of the attack needs to be determined. Many targeted phishing campaigns will try a number of variations to succeed.

The scope of general phishing attacks is hard to ascertain, and constant vigilance is needed. However, targeted organizational attacks usually have the same message characteristics, and with organization-wide employee notification and reviews of email servers the affected employees should be able to be identified.

Expected Outcome:
- All affected employees of targeted organizational phishing attack are identified.

Assignee: Core CIRT Member

Task Action(s):
1. Reviewed all detection channels for indicators of recent phishing emails:
   • Non-deliverable emails
   • Reports from internal users about suspicious emails
   • Reports from external users and clients about suspicious emails
   • Notifications from the email provider
   • Notifications from 3rd parties, law enforcement or ISP of suspicious activity.
2. Reviewed replies from the corporate-wide message that was sent during ‘Validate Phishing Incident’ to warn employees of any general widely used phishing campaign or targeted campaigns against the organization.
3. Analyzed all corporate emails; this included the following steps:
   - Reviewed the email logs of the email gateway server and filtered for logs associated with the sender's email, malicious URLs or attachments from the last three days or since the timestamp of the email receipt provided by the user.
   - Exported the email list and documented it as evidence. Note: this list should only contain emails sent to users from the Internet (i.e., external sources).
   - Reviewed the exported email list to identify the offending/suspicious email as follows:
     • Looked for links that do not point to the same URLs displayed on the screen (i.e., URL masking: http://www.google.com)
     • Checked that the email domain in the "From:" field corresponds to the topic of the email (e.g., LinkedIn connection requests will not originate from bob@fancypurses.com)
     • Looked for a suspicious email subject line that was reported by the user.
4. Updated antivirus (AV) signatures with the newly found hash/hashes and scanned the environment for these hashes to identify all other infected hosts.
5. Determined how many employees visited a malicious URL or downloaded the attachment by checking network logs for the specified URL or file name.
6. Preserved all forensic evidence by using the Upload Artifact feature of this Task.

Task Name: Assess Impact

Task Description:
Assess the impact to prioritize actions. The impacts should be assessed for the following:
- Any operational business impact that would affect the organization being able to function. This creates a financial impact to the business. An assessment would need to be carried out as to how much money is at risk and what business functions would face delays.
- Any regulatory impact due to unavailability of systems or data.
- Any reputational impact concerning customer trust due to unavailability of services or data and how the attack was instantiated.

Expected Outcome:
- Understand Operational Impact to Organization.
- Understand Financial Impact to Organization.
- Understand Reputational Impact to Organization.

Assignee: CIRT Leader

Task Action(s):
1. Assessed impact to business or mission.
   • How critical is the data to the business/mission?
   • How much money is lost or at risk?
   • How many (and which) projects are degraded or at risk?
2. Assessed regulatory impact.
3. Assessed reputational damage.
   • What type of data or service was inaccessible?
   • Was the attack avoidable?

Task Name: Confirm Incident Type - Phishing

Task Description:
When an incident occurs, it is critically important to correctly identify its type: collect as much relevant and reliable information as possible. This includes verifying the Indicators of Compromise (IoCs), the vulnerability or weakness that was exploited, and, if possible, the exact malware or threat actor behind the attack.

Phishing emails are often used to deliver malware, establish a foothold into an organization's environment, or collect sensitive information. Monitor detection channels for indicators of compromise, such as an employee report, antivirus alert, IDS/IPS alerts or unusual network or file behavior. Finally, try to accurately determine and confirm which assets are affected.

Expected Outcome:
- Incident type is confirmed.
- All affected assets are identified.

Assignee: Core CIRT Member

Task Action(s):
1. Determined whether the reported email is legitimate or a phishing one, using the following criteria:
   • Confirmed whether the recipient expected to receive the email
   • Verified whether the sender's email address or URLs from the email have been flagged as phishing by cyber threat hunting tools (e.g., AlienVault, Recorded Future).
   • Checked the email for signs of phishing attempts (check for poor grammar, recipient greeting, masked URLs, masked sender’s email, threatening language, etc.)
2. If the email is verified as legitimate, mark the incident as a false positive. No further action is needed.
3. If the email is determined to be a phishing email, proceeded with the tasks outlined in the appropriate Playbook.
4. Preserved all forensic evidence by using the Upload Artifact feature of this Task.
Consider whether data loss or a data breach has occurred and, if so, refer to the data breach playbook.

Task Name: Monitor Detection Channels

Task Description:
Multiple ways exist to detect a phishing email, even if it was not reported by an employee. Monitoring multiple detection channels increases the chances of identifying a phishing email early, allowing CIRT members to respond efficiently and enforce containment measures early on, minimizing the potential impact.

Expected Outcome:
- Phishing email(s) is(are) identified.
- Detection channel is documented.

Assignee: Core CIRT Member

Task Action(s):
1. Monitored detection channels, such as customer and staff channels and social media, for indicators of compromise:
   • Spoofed emails
   • Emails with links to external and unknown URLs
   • Non-deliverable emails
   • Reports from internal users about suspicious emails
   • Reports from external users and clients about suspicious emails
   • Notifications from the email provider
   • Notifications from 3rd parties, law enforcement or ISP of suspicious activity.
2. Preserved all forensic evidence by using the Upload Artifact feature of this Task.

Task Name: Analyze Email Headers

Task Description:
Phishing emails contain headers with valuable information that helps determine the source of the attack and sometimes allows future attempts to be prevented.

Note: The physical location of the email server does not necessarily imply that the attacker is at or near that geographical location as well.

Expected Outcome:
- The source of the phishing attack is established.

Assignee: Core CIRT Member

Task Action(s):
1. Opened the email in a separate window in Outlook and navigated to 'File' -> 'Properties' to view the properties of the email. Relevant email headers will be displayed in the dialog window under the section called 'Internet headers'. Select all text from the 'Internet headers' section and paste it into a notepad document to analyze.
2. The following information from the headers should be further analyzed:
   • The 'Received' headers, to find the source of the phishing email. Each email server will add its own 'Received' header to the email. This header will contain information about the server where the email originated and its path through the different email servers. The most interesting of these headers is the first 'Received' header (the lowest one in the header block, since each server adds its own header above the earlier ones), which usually contains an IP or a DNS name from where the email originated.
   • X-Apparently-To: This field is useful when the email is sent to more than one recipient, such as BCC or a mailing list. This field contains an address to the TO field, but in the case of BCC, the X-Apparently-To field is different. This field discloses the address of the recipient despite the email being sent as either CC, BCC, or via a mailing list.
   • 'From' or 'X-Sender' header that contains information about the email account used to send the phishing email. If the email originates from the organization's internal email account, further analysis is required to identify the origin.
   • The mail server's IP address: This will contain the actual TCP/IP address of the email server from where the phishing email was sent.
3. Preserved all forensic evidence by using the Upload Artifact feature of this Task.
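The header checks described under 'Confirm Phishing Purpose' and in this 'Analyze Email Headers' task (reading the Received chain back to the originating host, and comparing the display name, Reply-To and Return-Path against the From address) can be scripted with the Python standard library. The example below is added here and is not part of the playbook; the headers, hosts, addresses and IPs it uses are constructed documentation values.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample in the style of an 'Internet headers' paste from a mail client.
# Hosts, addresses and IPs are documentation/example values, not from a real incident.
# Each server prepends its own Received header, so the lowest one is the first hop.
SAMPLE_HEADERS = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from edge.corp.example (edge.corp.example [10.0.0.5])
\tby mx.corp.example with ESMTP id abc123; Mon, 3 Oct 2022 09:15:02 +0000
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.7])
\tby edge.corp.example with ESMTPS; Mon, 3 Oct 2022 09:15:01 +0000
Received: from [198.51.100.23] (unknown [198.51.100.23])
\tby mail-relay.example.net with ESMTPA; Mon, 3 Oct 2022 09:14:58 +0000
From: "IT Helpdesk <helpdesk@corp.example>" <alerts@mail-relay.example.net>
Reply-To: helpdesk-reset@attacker-mail.invalid
To: alice@corp.example
X-Apparently-To: alice@corp.example
Subject: Urgent: Confirm Immediately

Please review now.
"""


def _domain(addr):
    """Lower-cased domain part of an address ('' when there is no '@')."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def received_chain(msg):
    """Received headers oldest-first, with folding whitespace collapsed."""
    hops = [re.sub(r"\s+", " ", h).strip() for h in msg.get_all("Received", [])]
    return list(reversed(hops))


def hop_origin(hop):
    """(host named after 'from', bracketed IPv4 literal) for one Received header."""
    host = re.match(r"from\s+(\S+)", hop)
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hop)
    return (host.group(1) if host else None, ip.group(1) if ip else None)


def analyze_headers(raw):
    """Return the originating hop plus From/Reply-To/Return-Path consistency findings."""
    msg = email.message_from_string(raw)
    chain = received_chain(msg)
    origin_host, origin_ip = hop_origin(chain[0]) if chain else (None, None)

    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    from_dom = _domain(from_addr)

    findings = []
    # A display name that itself looks like an address from a different domain
    embedded = re.search(r"[\w.+-]+@([\w.-]+)", display_name)
    if embedded and embedded.group(1).lower() != from_dom:
        findings.append("display name carries an address from another domain")
    if reply_to and _domain(reply_to) != from_dom:
        findings.append("Reply-To domain differs from From domain")
    if return_path and _domain(return_path) != from_dom:
        findings.append("Return-Path domain differs from From domain")

    return {
        "hops": len(chain),
        "origin_host": origin_host,
        "origin_ip": origin_ip,
        "display_name": display_name,
        "from_address": from_addr,
        "reply_to": reply_to,
        "return_path": return_path,
        "x_apparently_to": msg.get("X-Apparently-To"),
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in analyze_headers(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

The origin IP it reports is the first hop's address as recorded by the relay; as the task note says, it locates a server, not necessarily the attacker.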

Task Name: Inform CIRT Members and Perform Triage

Task Description:
When an incident occurs, it is critically important to accurately triage it: in other words, collect as much relevant and reliable information as possible. This includes verifying the Incident Severity, its Type, the vulnerability or weakness that was exploited, and, if possible, the exact malware or threat actor behind the attack.

Equally important is the escalation and notification speed. All relevant CIRT members must be notified and briefed as soon as possible to start an investigation and short-term containment procedures. Consider the need to contact third parties as well, such as your IT Services provider, your insurer, or external forensic investigators where required.

Expected Outcome:
- CIRT Members are notified and engaged in Response activities.
- Incident Severity and Type are established and confirmed.

Assignee: CIRT Leader

Task Action(s):
1. Verified the Incident Severity determined during the Incident record creation process as promptly and accurately as possible. Once the Severity was confirmed, made sure to keep updating it accordingly when the situation changed.
2. Notified CIRT team members using the contacts and role assignments on the My Team page. Invited all relevant CIRT team members into the war room, whether physical or virtual. Made sure their ORNA Roles were assigned so they were aware of the tasks allocated to them.
3. Considered retaining a PCI Forensic Investigator (PFI) if a cardholder data breach was suspected.
4. Tried to determine the root cause of the Incident (e.g., an unpatched vulnerability, excessive account privileges) and mitigate it, if possible.
5. Tried to establish the malware family or a particular threat actor responsible for the attack using available Indicators of Compromise.

Task Name: Invoke Data Breach Notification Protocols

Task Description:
When a cyber incident is suspected or confirmed, it is important that the Legal Counsel proceeds swiftly from the very first moments of the initial identification to the initial stages of the post-breach investigation. Understanding the type of the incident and the kind of data affected by a possible breach will dictate which notification protocols need to be invoked to ensure continuous compliance with applicable regulations, laws and contractual obligations.

Once the type of information that was affected or breached is confirmed, the Legal Counsel should be able to consider the relevant legal requirements. If the facts indicate that there is no cause for external notifications - for example, there is no Real Risk Of Significant Harm (RROSH), or there is no evidence that the data was exfiltrated or read in an unauthorized manner - then the Legal Counsel can proceed directly to collaborating with the post-breach investigation.

If the affected data only involved a small number of individuals and did not trigger any legal requirements, then the Counsel may choose to notify the affected individuals directly. If the facts indicate a serious breach that triggers mandatory notifications, however, it’s important to provide both the affected individuals and all relevant regulatory agencies with information about the incident as quickly as possible using the appropriate channels typically outlined in the regulatory framework in question.

Expected Outcome:
- The type of breach and affected data are established and confirmed.
- Appropriate data breach notification protocols are invoked.

Assignee: Legal Counsel

Task Action(s):
1. Worked with the Communications Leader on the verbiage of applicable internal and external communications. Consulted the Templates section of ORNA for reference.
2. If a data breach is confirmed regarding Personal Identifiable Information (PII), Protected Health Information (PHI), or financial information, notified the appropriate regulatory agencies and affected individuals as prescribed by relevant laws, regulations and contractual obligations.
3. Advised the CIRT members on proper communication methods within and outside the War Room to ensure continuous client-attorney privilege where possible.

Task Name: Analyze Email Content and URLs

Task Description:
Phishing emails may contain URLs leading to a malicious website replicating legitimate web resources, tricking victims into downloading malicious files or providing, and therefore harvesting, valid employee credentials.

Expected Outcome:
- The purpose of the phishing email is determined.
- Indicators of Compromise are identified and recorded.

Assignee: Core CIRT Member

Task Action(s):
1. Identified all URLs in the phishing email by opening the email and performing a manual review:
   • Saved the phishing email as a 'msg' in the corresponding incident folder or local temporary folder
   • Opened the email in Notepad and searched for the part where the email headers are displayed in cleartext. Directly underneath the email headers, there will be a section containing base64 encoded data
   • Decoded the base64 data online using or a similar resource and pasted the decoded values into a new text file.
2. Searched for any text starting with 'HTTP' and analyzed the URL:
   • Resolved the DNS name into an IP using or a similar resource
   • Used IP analyzing tools, such as to gain more information. This information could include blacklists, geographic location, whois information, etc.
3. Used a sandboxed testing machine that is not connected to the organization's network to retrieve the contents of the phishing URL. After retrieving the contents, identified the purpose of the URL (phishing employees, web application replication, malicious download, web exploit, etc.)
   Note: You can get a sandbox environment from or a similar resource.
4. Preserved all forensic evidence by using the Upload Artifact feature of this Task.
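The content review in this task and in step 2 of 'Confirm Phishing Purpose' (decode the base64-encoded MIME parts, pull out every URL, compare visible link text with the real href to spot URL masking, and record attachment hashes as IoCs) as an added Python example; it is not part of the playbook, and the message it analyzes is constructed in code from example domains rather than taken from any incident.

```python
import hashlib
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def build_sample():
    """Constructed message with example domains (not a real incident). Both text parts
    and the attachment are base64-encoded, as they appear in a saved .msg/.eml file."""
    msg = EmailMessage()
    msg["From"] = "IT Helpdesk <alerts@mail-relay.example.net>"
    msg["To"] = "alice@corp.example"
    msg["Subject"] = "Urgent: Confirm Immediately"
    msg.set_content("Review now: http://login.corp.example/reset", cte="base64")
    # Visible link text is the legitimate-looking URL; the href points elsewhere.
    msg.add_alternative(
        '<p>Please visit <a href="http://corp-example-login.invalid/reset">'
        "http://login.corp.example/reset</a> to keep access.</p>",
        subtype="html", cte="base64")
    msg.add_attachment(b"%PDF-1.4 constructed fake invoice", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


class _LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def analyze_content(raw):
    """Decode every MIME part, collect URLs, flag masked links and hash attachments."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    report = {"base64_parts": 0, "urls": set(), "masked_links": [], "attachments": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        if (part.get("Content-Transfer-Encoding") or "").lower() == "base64":
            report["base64_parts"] += 1
        if part.get_content_disposition() == "attachment":
            data = part.get_content()          # decoded attachment bytes
            report["attachments"].append(
                (part.get_filename(), hashlib.sha256(data).hexdigest()))
            continue
        text = part.get_content()              # decoded text, whatever the transfer encoding
        if part.get_content_subtype() == "html":
            collector = _LinkCollector()
            collector.feed(text)
            for visible, href in collector.links:
                report["urls"].add(href)
                # URL masking: the link text shows one URL, the href leads to another host
                if URL_RE.match(visible) and urlparse(visible).hostname != urlparse(href).hostname:
                    report["masked_links"].append((visible, href))
        else:
            report["urls"].update(URL_RE.findall(text))
    report["urls"] = sorted(report["urls"])
    report["hosts"] = sorted({urlparse(u).hostname for u in report["urls"] if urlparse(u).hostname})
    return report


if __name__ == "__main__":
    for key, value in analyze_content(build_sample()).items():
        print(f"{key}: {value}")
```

The hosts and attachment hashes in the report are the values to record as IoCs; the sandbox retrieval of step 3 is deliberately left out of the script.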
Task Name: Perform Additional Investigation - Phishing
Task Description: Gathering as much evidence as possible during the incident identification stage is crucial for future forensic activities, accurate record-keeping, and ongoing triage activities. The more information the team collects about the threat actor, Indicators of Compromise, attack vectors and the malware used, the more efficient and concise all subsequent containment and eradication steps will be.
Expected Outcome: Indicators of Compromise are collected
Assignee: Core CIRT Member
Task Action(s):
1. Reviewed the email logs of your email gateway server and filtered for logs associated with the sender's email, malicious URLs, or attachments from the last three days or since the timestamp of the email receipt provided by the user.
2. Exported the email list and documented it as evidence. Note: this list should only contain emails sent to users from the Internet (i.e., external sources).
3. Once you have the emails in a zip file, iterated through them to identify the offending/suspicious email as follows:
   • Looked for links that do not point to the same URLs displayed on the screen (i.e., URL masking, such as displayed text reading http://www.google.com while the link points elsewhere)
   • Checked that the email domain in the "From:" field corresponds to the topic of the email (e.g., LinkedIn connection requests will not originate from bob@fancypurses.com)
   • Looked for a suspicious email subject line that was reported by the user.
4. Preserved all forensic evidence by using the Upload Artifact feature of this Task.
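As an added example (not part of this playbook), the Python below performs the decoding and link checks from the two tasks above on a constructed sample message: it parses a saved email, lets the email library undo the base64 transfer encoding, extracts every http(s) URL and the hostnames to look up, flags anchors whose visible text is a URL pointing at a different host (URL masking), and reports the From: domain for comparison with the email's topic. The sample message, its domains and the sender_domain_linked heuristic are all constructed for the example.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def build_sample_email() -> bytes:
    """Constructed sample lure (not a real message); HTML body is sent base64-encoded."""
    msg = EmailMessage()
    msg["From"] = "Bob <bob@fancypurses.example>"
    msg["To"] = "alice@corp.example"
    msg["Subject"] = "New LinkedIn connection request"
    html = (
        "<p>You have a new connection request.</p>"
        '<a href="http://login-verify.example/l">http://www.linkedin.com</a>'
        '<p>Manage alerts <a href="http://www.linkedin.com/settings">here</a></p>'
    )
    msg.set_content(html, subtype="html", cte="base64")
    return msg.as_bytes()


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs so masked links can be compared."""

    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_email(raw: bytes) -> dict:
    """Returns the indicators the playbook asks the analyst to record for a saved email."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    urls, masked = set(), []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_content()  # undoes the base64 transfer encoding for us
        urls.update(URL_RE.findall(body))
        if part.get_content_subtype() == "html":
            collector = AnchorCollector()
            collector.feed(body)
            for href, text in collector.anchors:
                # URL masking: the visible text is itself a URL but the link goes elsewhere
                if URL_RE.fullmatch(text) and urlparse(text).hostname != urlparse(href).hostname:
                    masked.append((text, href))
    hosts = sorted({urlparse(u).hostname for u in urls if urlparse(u).hostname})
    return {
        "subject": str(msg["Subject"]),
        "sender_domain": sender_domain,
        "urls": sorted(urls),
        "hosts": hosts,  # feed these into the DNS / IP reputation lookups of step 2
        "masked_links": masked,
        # Heuristic for the From:/topic check: do any linked hosts belong to the sender?
        "sender_domain_linked": any(h.endswith(sender_domain) for h in hosts),
    }
```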

Containment

Task Name | Task Description | Expected Outcome | Assignee | Task Action(s)
Task Name: Request a Malicious Domain Takedown
Task Description: A malicious domain takedown is a process of disabling a domain name from being active. While an organization can go through the process of requesting a takedown itself from a domain registrar, national CERT or hosting company, the difficulty of knowing exactly what evidence to present in varying global jurisdictions has created an industry around domain takedown services.
These services exist to handle the domain takedown requests, since there has to be sufficient proof that a domain is being used for criminal purposes and should be shut down. These services will help prepare all the necessary documentation and will send the request for takedown to the relevant local/regional authority (CERT, registrar, etc.) that has the necessary legal rights to shut down the domain.
Requesting to take down the malicious domain or webpage will not only protect your employees, but other potential victims as well.
Expected Outcome: Malicious domain takedown request is submitted. The malicious domain is taken down (if possible)
Assignee: CIRT Leader
Task Action(s):
1. Decided whether to request a takedown from a hosting company or registrar or to use a domain takedown service.
2. Sent a domain takedown request. If the decision was made to handle it internally, the hosting company or registrar of the malicious domain was contacted. If the decision was made to use an external service, the service was contacted. The evidence necessary for a domain takedown to be effective will vary across jurisdictions and the evidence required will need to be collected as part of this task.
   • Contacted the hosting company of the website via phone and email (generally there is an 'abuse@hostingcompany.com' or a similar dedicated inbox)
   • Made a time-stamped screenshot of the main phishing web page and all associated sub-pages
   • Contacted the email hosting company to take down the fraudulent account(s) and redirected pages (if any).
3. In cases where a legitimate business web resource has been hacked and/or hijacked to unwillingly conduct the attack:
   • Contacted the business
   • Notified them of the issue
   • Asked them to take action in order to remove it.
   Where possible, it is also worth asking the business owner to provide a zipped copy of the phishing website's codebase for further analysis. Analyzing this code can reveal how the phished data was processed and provide more information for the investigation (e.g., any email addresses or references to entities in the code).
4. Preserved all forensic evidence by using the Upload Artifact feature of this Task.

Task Name: Disconnect Affected Workstations from the Network
Task Description: Phishing emails are often used to deploy malware on the victim's machine. Disconnecting all affected machines from the corporate network will help prevent the malware from spreading across the network.
Expected Outcome: All affected workstations have been disconnected
Assignee: Core CIRT member
Task Action(s):
1. Preserved forensic evidence, such as system images, before restarting, shutting down, or modifying configurations of the affected systems and assets. Attached the applicable evidence (such as log files or screenshots) to this task using the Upload Artifact feature.
2. Quarantined the affected systems and disconnected them from the network where possible, or applied access controls to isolate them from the rest of the environment and other networks.
3. Disconnected shared drives, if applicable.
4. In CMD or PowerShell, ran the following command to temporarily remove a mapped network drive: net use [Mapped Drive Letter] /delete
5. Immediately stopped OneDrive for Business Sync or disconnected the drive mapped to SharePoint libraries.
6. Preserved all forensic evidence by using the Upload Artifact feature of this Task.

Task Name: Block Malicious Artifacts
Task Description: Malicious artifacts related to phishing emails can take the form of a URL, attachment, sender's email, domain name, or IP address. Blocking malicious artifacts helps contain the spread of the phishing emails and minimizes the impact. The information collected during the Identification stage should be used for this task.
Expected Outcome: All malicious artifacts are blocked
Assignee: Core CIRT Member
Task Action(s):
1. Blacklisted the sender domain and IP address and marked the email as spam (this will prevent additional users from being phished while the containment procedures are underway).
2. Created a DNS sinkhole for the malicious domain. A DNS sinkhole is a technique that can be used to neutralize a phishing website for the organization's users without taking any action against the hosting company or registrar. The organization's DNS resolver is configured to answer queries for the phishing domain with a controlled address, so visitors are redirected to a different (safe) page instead of the phishing site. This cuts off access to the site without disrupting the operation of the hosting company or registrar.
3. Blocked the IP addresses and DNS names associated with the phishing emails using network firewall and DNS firewall rules.
4. Preserved all forensic evidence by using the Upload Artifact feature of this Task.
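Added example (not from the playbook) in Python, going one step further than the text: it turns the blocked-domain list into RPZ-style sinkhole records (owner names relative to the RPZ zone; exact syntax varies by resolver) and then searches constructed resolver log lines for the internal clients that queried a blocked domain or one of its subdomains, which is how a sinkhole also reveals who clicked. The IoC domains, sinkhole address and log line format are assumptions for the example.

```python
import re

# Constructed IoC list and resolver log lines (not from a real incident).
BLOCKED_DOMAINS = ["login-verify.example", "cdn-update.example"]
SINKHOLE_IP = "10.99.0.10"  # assumed internal address of the warning page

SAMPLE_DNS_LOG = """\
2024-05-01T10:02:11Z client 10.1.2.3 query: login-verify.example IN A
2024-05-01T10:02:12Z client 10.1.2.3 query: www.LOGIN-verify.example IN A
2024-05-01T10:03:40Z client 10.1.7.9 query: www.linkedin.com IN A
2024-05-01T10:05:02Z client 10.1.4.4 query: cdn-update.example IN AAAA
2024-05-01T10:06:15Z client 10.1.4.4 query: notlogin-verify.example IN A
"""

# Assumed log layout: "... client <ip> query: <name> IN <type>"
LOG_RE = re.compile(r"client (?P<client>\S+) query: (?P<name>\S+) IN (?P<type>\S+)")


def rpz_records(domains, sinkhole_ip):
    """RPZ-style local-data records: the domain and every subdomain resolve to the sinkhole."""
    records = []
    for domain in domains:
        domain = domain.lower().rstrip(".")
        records.append(f"{domain} IN A {sinkhole_ip}")
        records.append(f"*.{domain} IN A {sinkhole_ip}")
    return records


def is_blocked(name, domains):
    """True when name equals a blocked domain or sits under it.
    A look-alike such as notlogin-verify.example must NOT match login-verify.example."""
    name = name.lower().rstrip(".")
    return any(name == d.lower() or name.endswith("." + d.lower()) for d in domains)


def sinkhole_hits(log_text, domains):
    """Map each client that queried a blocked name to the set of names it asked for."""
    hits = {}
    for line in log_text.splitlines():
        match = LOG_RE.search(line)
        if match and is_blocked(match["name"], domains):
            hits.setdefault(match["client"], set()).add(match["name"].lower())
    return hits
```

Clients returned by sinkhole_hits are the workstations to pull into the "Disconnect Affected Workstations" task.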
Task Name: Lock Affected Accounts and Force Password Resets
Task Description: In some cases, an attacker will use phishing emails to steal the victim's credentials, gain access to their account(s) and subsequently move laterally across the network. It is crucial to lock all affected accounts and force password resets to prevent the adversary from accessing any sensitive information.
In cases where malware is delivered as an attachment, locking down affected users' accounts and resetting their passwords prevents the malware from using those accounts to spread across the network.
Expected Outcome: All affected accounts are locked. All account passwords are reset
Assignee: Core CIRT Member
Task Action(s):
1. If a user clicked on a malicious URL and/or provided their credentials or other sensitive information, temporarily locked this user's account and performed a password reset.
2. Preserved all forensic evidence by using the Upload Artifact feature of this Task.

Task Name: Ensure All Software is Up to Date
Task Description: Phishing emails are often used to deliver malware or provide the attacker with access to an organization's network. Once within the network, an attacker can scan it for vulnerabilities and exploit them to escalate privileges and establish persistence.
Ensuring that all software is up-to-date and all security patches are installed will minimize the attack surface and significantly slow down or discourage the adversary.
Expected Outcome: All software is updated to the latest version. All security patches are applied
Assignee: Core CIRT Member
Task Action(s):
1. Confirmed that antivirus (AV) was up to date and enabled on all systems.
2. Confirmed patches were deployed on all systems (prioritizing targeted systems, software, operating systems, etc.)
3. Preserved all forensic evidence by using the Upload Artifact feature of this Task.

Eradication

Task Name | Task Description | Expected Outcome | Assignee | Task Action(s)
Task Name: Identify and Mitigate Vulnerabilities
Task Description: Once the affected systems have been fully rebuilt, it is important to identify any vulnerabilities that may be present on the systems, preventing similar attacks from happening in the future.
Expected Outcome: Vulnerabilities are identified and mitigated
Assignee: Core CIRT Member
Task Action(s):
1. Ran a vulnerability scan on the entire network and the surrounding infrastructure using specialized vulnerability scanning tools, such as:
   - Nessus free trial (7 days, up to 32 IPs):
   - Qualys free trial (30 days, unlimited IPs):
   - OpenVAS open-source scanner:
2. Implemented all relevant mitigation recommendations provided by the vulnerability scanning tools.
3. Preserved forensic evidence of any discovered vulnerabilities using the Artifact Upload feature of this Task.
4. Preserved all forensic evidence by using the Upload Artifact feature of this Task.
Task Name: Remove Phishing Emails
Task Description: Once all phishing emails and their corresponding IoCs are identified, it is important to remove those emails from all users' mailboxes and all cloud or on-premise servers. Additionally, all downloaded attachments should be removed. These steps will prevent anyone from interacting with the malicious content.
Expected Outcome: All phishing emails are removed from all users' mailboxes. All downloaded attachments are deleted. All phishing emails are deleted from cloud and on-premise servers
Assignee: Core CIRT Member
Task Action(s):
1. In Exchange/Office 365, added the admin user (that will be deleting the emails) to the Discovery Management role group. Administrators are not assigned this role by default.
2. Deleted the relevant emails:
   - Ran the PowerShell command:
     New-ComplianceSearchAction -SearchName "Remove Phishing Message" -Purge -PurgeType SoftDelete
   Note: this action purges the results of the compliance search named "Remove Phishing Message", so the search created and started in step 4 must exist and have completed before the purge is run.
3. Configured the organizational email anti-spam software to block similar types of attachments, keywords, domains or senders. Popular anti-spam software options include:
   - SpamTitan
   - ZeroSpam
4. Created and ran a Compliance Search to find the email you want to remove:
   - Opened the Exchange Management Shell
   - Ran the following PowerShell command:
     New-ComplianceSearch -Name "Remove Phishing Message" -ExchangeLocation all -ContentMatchQuery 'subject:"Subject of malicious email"'
   - Ran the following PowerShell command:
     Start-ComplianceSearch -Identity "Remove Phishing Message"
5. Preserved all forensic evidence by using the Upload Artifact feature of this Task.

Task Name: Update Email SPAM Filter Rules
Task Description: As phishing campaigns continue to increase in sophistication, the SPAM filters will also need to be reviewed and updated on a periodic basis. This is especially critical after handling a successful phishing attack incident, to ensure that a recurrence of a similar event will not occur.
Expected Outcome: Updated SPAM filter rules
Assignee: IT
Task Action(s):
1. Configured email anti-spam software to block similar types of attachments, keywords, domains, or senders.

Task Name: Remove Malware from Affected Systems
Task Description: If the phishing attack resulted in malware being downloaded, the CIRT must ensure that the malware is properly removed from all affected systems to prevent further infection and return to the Business As Usual (BAU) state in a fast and efficient manner.
Expected Outcome: Malware is removed from affected systems
Assignee: Core CIRT Member
Task Action(s):
1. In case ransomware was installed, followed the steps and procedures described in the Ransomware playbook.
2. If other malware was installed as a result of a malicious attachment download or a malicious website visit, followed the steps to remove the malware from all affected systems based on its type.
3. If impacted endpoints included smartphones, executed the "Remote Wipe" command, so that any sensitive data residing on those smartphones cannot be accessed by malicious actors. Instructed employees to return the smartphones and issued new ones, with updated usernames and passwords.
4. Preserved all forensic evidence by using the Upload Artifact feature of this Task.

Task Name: Rebuild Affected Hosts
Task Description: In some cases, the impacted hosts can still display odd behavior even after the eradication steps were performed. In such cases, it might be necessary to rebuild the host (as opposed to applying patches and fixes) to eliminate the possibility of undetected malware still being present.
Expected Outcome: Affected hosts are rebuilt from the ground up. Affected hosts do not display unusual behavior
Assignee: Core CIRT Member
Task Action(s):
1. Considered rebuilding the host from scratch in the following situations:
   - Administrator level access was obtained by the attacker
   - A Remote Administration Trojan (RAT) was detected
   - The nature and the extent of the infection or unauthorized access was not clear
   - There were signs that applied patches and fixes are not sufficient/successful (malware scans report infections, host is unstable or shows signs of malware after patches and fixes have been applied, etc.)
2. Recovered data on local hard disks using an external hard drive and scanned the data for signs of malware before restoring it.
3. Preserved all forensic evidence by using the Upload Artifact feature of this Task.

Recovery

Task Name | Task Description | Expected Outcome | Assignee | Task Action(s)
Task Name: Normalize Affected Networks
Task Description: During the Containment and Eradication stages, certain network communication and/or file-sharing protocols may have been disabled to prevent the ransomware from spreading further into the network. Once the systems are restored, make sure to restore all previously disabled network protocols and/or suspended user accounts.
Expected Outcome: All networks, protocols and user accounts are restored
Assignee: Core CIRT Member
Task Action(s):
1. Preserved all forensic evidence by using the Upload Artifact feature of this Task.
2. Restored any services that were suspended during the Containment and Eradication stages.
3. Restored any user accounts that were suspended during the Containment and Eradication stages.
Task Name: Confirm That Systems are Functioning Normally
Task Description: Once the containment and recovery measures have been taken, it is important to verify that all systems are functioning normally, without displaying any signs of malware, data corruption or other issues.
Expected Outcome: All systems are displaying normal expected behavior. No traces of malware or data corruption are present
Assignee: CIRT Leader
Task Action(s):
1. Preserved all forensic evidence by using the Upload Artifact feature of this Task.

Task Name: Enabled Additional Email Security Measures
Task Description: The use of Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) can help protect against email phishing attacks and should be considered if they are not already implemented.
SPF is used to restrict who can send emails from your domain. SPF can prevent domain spoofing and it enables the receiving mail server to determine whether a message really came from the domain it claims to use.
DKIM ensures that the content of your emails remains trusted and hasn't been tampered with or compromised. DMARC ties SPF and DKIM together with a consistent set of policies and links the sender's domain name with what is listed in the From: header.
Some added information on deploying these methods can be found at https://snov.io/blog/how-to-set-up-spf-dkim-dmarc/
Expected Outcome: Ascertained whether SPF, DKIM and DMARC are deployed. Enabled SPF, DKIM and DMARC if not yet deployed.
Assignee: IT
Task Action(s):
1. Reviewed whether SPF, DKIM and DMARC are deployed.
2. If not yet deployed, enabled SPF, DKIM and DMARC. This would consist of the following steps:
   - Configured an SPF DNS record. This is a text record that contains information about which IP addresses are allowed to send emails from a specific domain.
   - Configured a DKIM DNS record.
   - Configured the DMARC policy and reporting.
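Added example (not from the playbook): a Python checker that parses SPF and DMARC TXT records and reports the settings that leave a domain spoofable, shown against a constructed weak pair and a hardened pair for a fictional domain. Records are passed in as strings; in practice they are read from a TXT query for the domain and for _dmarc.<domain>.

```python
import re

# Constructed records for a fictional domain: a weak pair beside a hardened pair.
WEAK_SPF = "v=spf1 include:_spf.mailprovider.example ?all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.mailprovider.example -all"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; "
                "rua=mailto:dmarc-reports@corp.example; adkim=s; aspf=s")

# SPF terms that cost a DNS lookup (RFC 7208 allows at most 10 per evaluation).
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def check_spf(record):
    """Return a list of weaknesses in an SPF TXT record; empty means none were found."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier in "+?":
            findings.append(f"'{all_terms[-1]}' lets any host send mail for the domain")
        elif qualifier == "~":
            findings.append("'~all' only soft-fails spoofed mail; '-all' is the strict setting")
    lookups = sum(1 for t in terms[1:]
                  if re.split(r"[:=/]", t.lstrip("+-~?").lower())[0] in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return findings


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record):
    """Return a list of weaknesses in a DMARC TXT record; empty means none were found."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    domain_policy = tags.get("p", "").lower()
    if domain_policy not in ("quarantine", "reject"):
        findings.append(f"p={domain_policy or 'missing'}: spoofed mail is still delivered")
    if tags.get("sp", domain_policy).lower() not in ("quarantine", "reject"):
        findings.append("subdomain policy (sp) is not enforcing")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of the traffic")
    return findings
```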

Task Name: Reviewed Corporate Authentication Practices
Task Description: Many phishing attacks target gaining access to employee username/password credentials. Requiring the use of a password manager will help alleviate some issues where users reuse passwords on multiple sites. Many good password managers exist, including 1Password, Lastpass and Dashlane.
It is also important to enable multi-factor authentication so that the compromise of a password will not result in successful unauthorized device access attempts. However, care must be taken to review the pros and cons of the multiple two-factor authentication (2FA) mechanisms available. Businesses can also choose from a variety of two-factor authentication providers, including OneLogin, Yubico and Okta, which offer 2FA as a service that can be plugged into existing applications and services.
Expected Outcome: All employees are utilizing a password manager. Multi-factor authentication is used for all device and service access.
Assignee: IT
Task Action(s):
1. Reviewed whether employees are required to use a password manager.
2. Created a plan to review and deploy a password manager if one is not already used by corporate employees.
3. Reviewed all service and device access to determine where multi-factor authentication is not utilized.
4. Created a plan to deploy multi-factor authentication where not yet deployed.

Lessons Learned

Task Name | Task Description | Expected Outcome | Assignee | Task Action(s)
Task Name: Generate Incident Report
Task Description: Preparing an incident report is an important (and often mandatory) part of the cyber incident response process. This report will be used to perform business impact analysis, comply with the applicable laws and regulations, update relevant stakeholders (e.g., Legal counsel, insurance provider, law enforcement, board of directors, etc.) and for other business functions.
Once the incident is declared to be resolved by the CIRT Leader, an Incident Report can be generated from the Reports tab.
Expected Outcome: The Incident Report is generated
Assignee: CIRT Leader
Task Action(s):
1. Once the Incident was marked as Resolved, used the Reports tab to generate and view the report.
2. Reviewed the report for accuracy and addressed any errors/issues with the team member(s) responsible for the task in question.
3. Ensured all relevant artifacts were included for each task.
4. Downloaded or exported the report and shared it with the appropriate stakeholders alongside its unique secure access password (available in the Reports tab).
5. Ensured that the Incident report and all related evidence were retained in accordance with legal and regulatory requirements.

Task Name: Fulfill External and Internal Reporting Obligations
Task Description: Once the incident is resolved and the investigation is complete, an organization may be required to deliver the incident report (or its appropriate sections) to the regulatory agencies, affected companies or individuals, law enforcement or other stakeholders based on the applicable laws and regulations.
Expected Outcome: The Incident Report (or its appropriate sections) is shared with the applicable parties. Applicable regulatory and legal obligations are fulfilled
Assignee: Legal Counsel
Task Action(s):
1. Obtained the full Incident Report from the CIRT Leader and reviewed it for accuracy.
2. Identified all applicable legal and regulatory requirements related to cyber incident reporting.
3. Delivered the Incident report to the appropriate legal and/or regulatory agencies and the affected individuals, in accordance with the applicable legal and regulatory requirements.
Task Name: Host the Lessons Learned Session
Task Description: The goal of the Lessons Learned session is to learn from the incident, identify any policy, process or procedure gaps that were revealed during the handling of the incident, and to create initiatives to improve the organization's security posture.
The Lessons Learned session should be held as soon as possible, ideally within 2 weeks after the incident was resolved. The meeting should include all CIRT members and should be kept in an executive summary format. It is important for attendees to list all notable facts without placing blame on any individual or group, since the sharing of information and ideas is critical to improve the security posture and the effectiveness of future incident response activities.
Expected Outcome: The Lessons Learned session is conducted. Gaps and areas for improvement are identified. Initiatives are created to operationalize identified improvements
Assignee: CIRT Leader
Task Action(s):
1. Prepared a presentation for the Lessons Learned meeting, containing the following information:
   • When the incident was first detected and by whom (or what)
   • The scope of the incident
   • Identification, Containment, Eradication and Recovery steps that were taken
   • Areas where CIRT members were effective
   • Gaps in the incident response process along with improvement opportunities
   • Steps taken at this time to prevent similar incidents.
2. Hosted the Lessons Learned session and ensured all CIRT members attended and actively participated in the session.
3. Established an open dialogue which discussed the following topics:
   • How well did the staff and management handle the incident?
   • Were the documented procedures followed properly?
   • Were the procedures adequate and effective?
   • Did any steps or actions hold back the recovery process?
   • What needs to be done differently when a similar incident occurs?
   • Were 3rd parties (e.g., Third Party IT) and invited SMEs responsive and cooperative?
   • What modifications are necessary in existing security policies, processes, and procedures to prevent similar incidents from happening in the future?
   • What targeted training may be required to create more security awareness?
   • Which additional tools and resources are needed to decrease response time, improve detection capabilities, and help analyze and mitigate ransomware incidents in the future?
4. Documented all identified areas for improvement and prepared a list of agreed-upon action items.
5. Distributed the action items list among relevant CIRT members and ensured that the improvement steps are implemented.

Task Name: Perform Employee Security Awareness Training
Task Description: Whether the incident resulted from a phishing campaign, configuration error or from an exploited vulnerability, it is always a good idea to conduct an employee awareness training session after any incident is resolved.
While the session should not be focused exclusively on the recent phishing incident, the mechanisms used to enable phishing attacks can be called out. The training can emphasize the risks and consequences of cyber incidents, encourage a security minded culture, and reinforce how employees can report security related issues and concerns.
Expected Outcome: The employee awareness training is conducted. A roadmap for table-top exercises is developed based on lessons learnt
Assignee: CIRT Leader
Task Action(s):
1. Prepared educational materials for the employee awareness training, with emphasis on the recent incident and the steps employees can take to help the organization avoid similar incidents in the future.
2. Tracked employee attendance using a Learning Management System (LMS)
3. Where applicable, worked with a 3rd party to prepare and conduct the employee security awareness training.
4. Used the outcomes from the Lessons Learned part of the Incident Management Process to develop a table-top exercise plan with relevant scenarios and participants to practice any new processes developed post incident.
