Phishing
Issue: 1.0
Issue Date: September 12, 2017
Copyright © 2017 Independent Electricity System Operator. Some Rights Reserved.
The following work is licensed under the Creative Commons Attribution 4.0 International
License.
The IESO as licensor cannot revoke these freedoms as long as you follow the following license
terms:
Attribution — You must give appropriate credit, provide a link to the license, and indicate if
changes were made. You may do so in any reasonable manner, but not in any way that suggests
the licensor endorses you or your use.
Contents
1. Introduction
1.1 Purpose of the Phishing Playbook
1.2 Scope
1.3 Assumptions and Limitations
2. Phishing Playbook
2.1 Phishing Definition
2.2 Process Summary
2.3 Phishing Playbook Procedures
2.3.1 Identification Stage
2.3.2 Triage Stage
2.3.3 Investigation Stage
2.3.4 Remediation Stage
2.3.5 Post-Incident Stage
Phishing has become a serious concern for organizations in all industries. Threat actors often
leverage phishing tactics to entice victims into providing valuable information such as
credentials in an effort to gain an initial foothold into the environment.
The procedures in this playbook will assist the Security Operations team in responding to
phishing-related alerts. The response procedures include validating phishing emails,
understanding the impact, and determining the best containment approach for the threat at
hand. The remediation process ends with resolving any potential impact and implementing
preventative controls to protect systems.
1.2 Scope
The scope of this document includes any phishing-related events or alerts that are either
identified during daily security operations or otherwise escalated to the Security Operations
team. Security Operations owns this procedure and is responsible for maintenance activities,
including reviews and revisions.
2. Phishing Playbook
The workflow below depicts the five stages of the phishing Incident Response (IR) process.
Throughout the workflow, a specific level of the security organization, as indicated in the
diagram above and the table below, handles each phase of the incident and is responsible for
the actions therein.
The Identification stage deals with the identification and initial scoping of a security alert.
Sample Template
Note: Numbers below may vary as services are upgraded.
VirusTotal: <#> / 54
<VirusTotal URL>
URLVoid: <#> / 26
<URLVoid url>
IPVoid: <#> / 40
<IPVoid url>
PhishTank Result:
<PhishTank URL>
8. Escalate
The L1 escalates the investigation to the L2 – Incident Analyst.
2.3.2 Triage Stage
The Triage stage deals with verifying if the security alert is an incident, the severity of the
incident, and additional analysis.
The Investigation stage deals with investigating the security incident in detail, ensuring all
information is documented. Additionally, the investigator will have fully scoped the incident by
the end of this stage.
Option 2:
- Open the URL in your browser and prepend the phrase "view-source:" to the URL. This will retrieve the files to your browser but it will present the source code to you, and will not execute the code or render the page.
- Copy and paste the contents section into http://jsbeautifier.org/ and click "Beautify JavaScript or HTML".
- Copy the "beautified data" into a text editor (e.g., Notepad++) for analysis.
- Search for the FORM object. Typically, a search for <form will identify this quickly. Ensure you are looking at the form that has the method="post" and is the main submission form, not a search bar or some other form on the page.
- Read the action parameter and determine the URL where the form is being posted.
- Record this URL in the investigation.
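The form-location step above can be scripted so the analyst does not have to eyeball the beautified source. The following is an added example (not part of the IESO playbook) using only the Python standard library: it walks every form on the page, skips the search-bar style GET forms, picks the first method="post" form that carries a password field, and resolves a relative action against the page URL. The HTML and page URL are constructed sample data, not material from any investigation.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin


class FormActionParser(HTMLParser):
    """Collect every <form> on the page with its method, action and input fields."""

    def __init__(self):
        super().__init__()
        self.forms = []        # one dict per <form>: method, action, inputs
        self._current = None   # form currently being read, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)        # HTMLParser lowercases tag and attribute names
        if tag == "form":
            self._current = {
                "method": (a.get("method") or "get").lower(),  # HTML default is GET
                "action": a.get("action") or "",               # empty action = same page
                "inputs": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            itype = (a.get("type") or "text").lower()
            self._current["inputs"].append((itype, a.get("name") or ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_submission_form(html, page_url):
    """Return (absolute action URL, list of field names) for the main submission
    form: the first method="post" form containing a password field. None if absent."""
    parser = FormActionParser()
    parser.feed(html)
    for form in parser.forms:
        if form["method"] == "post" and any(t == "password" for t, _ in form["inputs"]):
            return urljoin(page_url, form["action"]), [n for _, n in form["inputs"] if n]
    return None


# Constructed sample: a decoy search form followed by the credential form.
SAMPLE_HTML = """<html><body>
<form action="/search" method="get"><input type="text" name="q"></form>
<form method="POST" action="submit.php">
  <input type="text" name="email">
  <input type="password" name="pass">
  <input type="hidden" name="token" value="abc">
</form></body></html>"""
PAGE_URL = "http://phishing.example/login/index.html"  # constructed placeholder

if __name__ == "__main__":
    print(find_submission_form(SAMPLE_HTML, PAGE_URL))
```

The returned URL is the value to record in the investigation; the field names show what the page attempts to harvest.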
Option 3:
- Start Wireshark and commence a packet capture (disable Promiscuous Mode).
- Access the phishing URL in a web browser with JavaScript enabled.
- Fill in the phishing page form with false data and submit the form.
- Close the page and stop the packet capture.
- Apply a filter in Wireshark for http.request.uri contains "phishing domain"
  - The quotation marks are important and the content within them should be the actual domain from the investigation and not the words phishing domain
  - This identifies the initial request made by the user when loading the phishing form page
- Click on the line item, note the packet number, and clear the filter.
- Review the following lines of traffic to understand where the request was submitted.
- Apply a filter in Wireshark for http.request.method == POST
  - This identifies the POST request made by the user when submitting the form.
- Alternatively:
  - Click File
  - Click Export Objects (near the bottom)
  - Select HTTP
  - Once the packets have been processed, a dialog box will appear labelled "Wireshark: HTTP object list"
  - Review the list for a quick summary view of the HTTP transactions that occurred during the packet capture
  - Identify the traffic that immediately follows the access to the phishing domain
The Remediation stage deals with the containment and remediation steps for mitigating and
eradicating the incident.
The Post-Incident stage includes a final review of the investigation record by the L2 – Incident
Specialist, ensuring nothing was overlooked. Once completed, the record is closed.
5. Improve/Update
Determine if there were area(s) for improvement or if updates are needed:
i. Update documentation (e.g., use cases, playbooks, SOPs)
ii. Create new SIEM Alerts/IOCs as needed
iii. Review Technical & Policy Controls - Review additional
technology changes, countermeasures, additional controls, or
policy changes
– End of Document –