-
-
Notifications
You must be signed in to change notification settings - Fork 116
/
RP_0001_phishing_email.yml
67 lines (67 loc) · 2.8 KB
/
RP_0001_phishing_email.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
title: RP_0001_phishing_email
id: RP0001
description: Response playbook for Phishing Email case
author: '@atc_project'
creation_date: 2019/01/31
severity: M
tlp: AMBER
pap: WHITE
tags:
- attack.initial_access
- attack.t1566.001
- attack.t1566.002
- phishing
linked_rp:
- RP_0002_generic_post_exploitation
preparation:
- RA_1001_practice
- RA_1002_take_trainings
- RA_1004_make_personnel_report_suspicious_activity
- RA_1003_raise_personnel_awareness
- RA_1101_access_external_network_flow_logs
- RA_1104_access_external_http_logs
- RA_1106_access_external_dns_logs
- RA_1111_get_ability_to_block_external_ip_address
- RA_1113_get_ability_to_block_external_domain
- RA_1115_get_ability_to_block_external_url
- RA_1201_get_ability_to_list_users_opened_email_message
- RA_1202_get_ability_to_list_email_message_receivers
- RA_1203_get_ability_to_block_email_domain
- RA_1204_get_ability_to_block_email_sender
- RA_1205_get_ability_to_delete_email_message
- RA_1206_get_ability_to_quarantine_email_message
identification:
- RA_2003_put_compromised_accounts_on_monitoring
- RA_2113_list_hosts_communicated_with_external_domain
- RA_2114_list_hosts_communicated_with_external_ip
- RA_2115_list_hosts_communicated_with_external_url
- RA_2201_list_users_opened_email_message
- RA_2202_collect_email_message
- RA_2203_list_email_message_receivers
- RA_2204_make_sure_email_message_is_phishing
- RA_2205_extract_observables_from_email_message
containment:
- RA_3101_block_external_ip_address
- RA_3103_block_external_domain
- RA_3105_block_external_url
- RA_3201_block_domain_on_email
- RA_3202_block_sender_on_email
- RA_3203_quarantine_email_message
eradication:
- RA_4001_report_incident_to_external_companies
- RA_4201_delete_email_message
recovery:
- RA_5101_unblock_blocked_ip
- RA_5102_unblock_blocked_domain
- RA_5103_unblock_blocked_url
- RA_5201_unblock_domain_on_email
- RA_5202_unblock_sender_on_email
- RA_5203_restore_quarantined_email_message
lessons_learned:
- RA_6001_develop_incident_report
- RA_6002_conduct_lessons_learned_exercise
workflow: |
1. Execute Response Actions step by step. Some of them directly connected, which means you will not be able to move forward not finishing the previous step. Some of them are redundant, as those that are related to the blocking a threat using network filtering systems (containment stage)
2. Start executing containment and eradication stages concurrently with next identification steps, as soon as you will receive information about malicious hosts
3. If phishing led to code execution or remote access to victim host, immediately start executing Generic Post Exploitation Incident Response Playbook
4. Save all timestamps of implemented actions in Incident Report draft on the fly, it will save a lot of time