[[TOC]]
This Playbook covers
- Create and maintain a list of
  - all domains owned by Company.
    - This can prevent you from taking action against our own domains
  - all people who can register domains
- Create email templates
  - to notify all employees of an ongoing phishing campaign against the organization
  - to contact hosting companies for domain takedown
  - to inform third parties so they can take action against phishing hosted on their infrastructure (Microsoft, FedEx, Apple, etc.)
- Ensure that:
  - Mail anti-malware/anti-spam/anti-phishing solutions are in place.
  - Users know how to report phishing
  - Detection exists for Office documents spawning processes such as:
    - PowerShell
    - CMD
    - WMI
    - MSHTA
    - Etc.
- Perform a fire drill to ensure all aspects of the Playbook are working
  - After publication
  - At least once a year
  - Test/Validate:
    - Customer's Cards
    - Internal Contact and Escalation Paths
- Review threat intelligence for
  - threats to the organisation,
  - brands and the sector,
  - common patterns,
  - newly developing risks and vulnerabilities
- Ensure appropriate access to any necessary documentation and information, including out-of-hours access, for the following
  - IR Playbooks
  - Campaigns to highlight information security risks faced by employees, including:
    - Phishing attacks and malicious emails;
    - Ransomware;
    - Reporting a suspected cyber incident.
Please refer to Tool1 Documentation
Please refer to Tool2 Documentation
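The "Detection exists for Office documents spawning processes" item above is the check that most often catches a malicious attachment early. The following is an added example (not part of the original playbook) of that detection logic run over constructed process-creation events; the Sysmon-style field names (`ParentImage`, `Image`, `CommandLine`, `Computer`) and the sample paths are assumptions.

```python
"""Detection for Office documents spawning scripting hosts (PowerShell, CMD,
WMI, MSHTA). Added example, not part of the original playbook: it runs the
parent/child check over constructed process-creation events shaped like
Sysmon Event ID 1 fields; the field names are an assumption.
"""
from pathlib import PureWindowsPath

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wmic.exe", "mshta.exe",
    "wscript.exe", "cscript.exe", "regsvr32.exe", "rundll32.exe",
}

def _basename(image):
    """Lower-cased file name of a Windows image path (case-insensitive match)."""
    return PureWindowsPath(image).name.lower()

def is_office_spawn(event):
    """True when an Office process is the direct parent of a scripting host."""
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    return parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN

def find_office_spawns(events):
    """Return (host, parent, child, command line) for every matching event."""
    return [
        (e.get("Computer", "?"), _basename(e["ParentImage"]),
         _basename(e["Image"]), e.get("CommandLine", ""))
        for e in events if is_office_spawn(e)
    ]

OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
SAMPLE_EVENTS = [  # constructed sample events, not real telemetry
    {"Computer": "WS01", "ParentImage": OFFICE + r"\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -enc <base64>"},
    {"Computer": "WS02", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
    {"Computer": "WS03", "ParentImage": OFFICE + r"\EXCEL.EXE",
     "Image": r"C:\Windows\System32\mshta.exe", "CommandLine": "mshta.exe x.hta"},
    {"Computer": "WS04", "ParentImage": OFFICE + r"\EXCEL.EXE",
     "Image": OFFICE + r"\EXCEL.EXE", "CommandLine": "EXCEL.EXE /embedding"},
]

if __name__ == "__main__":
    for hit in find_office_spawns(SAMPLE_EVENTS):
        print("ALERT office-spawn", *hit)
```

Office re-spawning itself (WS04) and explorer-launched shells (WS02) are deliberately not flagged, so the rule stays quiet on normal desktop activity.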
- A list of assets and owners should exist and be available for the following
  - Customer Assets
    - Owners
    - Contacts
    - Pre-authorized actions
  - Company Assets
    - Owners
    - Contacts
    - Administrators
    - Pre-authorized actions
- Customer Assets
- Type of asset inventory needed
  - Endpoints
  - Servers
  - Network Equipment
  - Security Appliances
  - Network Ranges
    - Public
    - Private
    - VPN / Out of Band
  - Employees
  - Partners
  - Clients
Alerts are generated by different systems owned by the SOC team. The main sources for alerts are:
- ITSM Tickets
- SIEM
- Anti-Virus / EDR
- Reports
- DNS
- Web Proxy
- Errors from mail servers
Notifications come from external sources, usually via email, Teams or phone. The main sources for notifications are:
- Users (internal)
- Recipients of emails (external)
- Third Parties
  - ISP
  - Mail Providers
- Credential Theft
- Malware Delivery
- Criminal Activities
- Blackmail / Ransom
- Financial Losses
  - Loss of contract
  - Contract not renewed
  - Lower bid to our clients
  - Fines
    - Regulation
This section describes the information that should be collected and documented about the incident.
There are a lot of resources to help you with that phase here
Domains
- Reputation
- Registrar
- Owner
- IP
- Multistage / Redirect
- Technologies of the site
- WordPress
- Joomla
- Custom Page (credential phish)
IP
- Reputation
- Owner
- Geolocation
- Other domains on that IP
Determine type of
Determine
- Impact of
  - Financial
  - Data loss
  - Scope (number of people)
In conjunction with a senior member of the SOC:
- Double check previous data
- Rule out false positives
- Validate hashes
- Validate links
- Identify other addresses, domains, IPs
- Search Threat Intel sources
- Disk forensics on recipient's endpoint
- Update FW, IDS, etc. rules w/ IOCs
- Search endpoints for IOCs w/ EDR
- Update lists of
  - affected endpoints
  - affected Company Entities
  - affected clients
Have all the machines been identified? If you find further traces of phishing or new IOCs, go back through this step.
When you are done identifying all compromised:
- Hosts
and have investigated all:
- URLs
- Domains
- IPs
- Ports
- Files
- Hashes
go to the next phase <Contain/Eradicate>
- Update FW, Proxy, etc. rules
- Blackhole DNS
- Submit to Partners
  - AV/EDR Vendor
  - Web Filter Vendor
  - etc.
If malicious attachments were opened, assume the endpoint(s) were infected by malware.
Please continue to the Malware Playbook
- Monitor for
  - Related incoming messages
  - Internet connections to IOCs
  - New files that match the hashes identified
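The monitoring above, and the earlier "Search endpoints for IOCs" step, both come down to matching telemetry against the IOC list built during analysis. The following is an added example (not part of the original playbook) of that matching over constructed DNS, proxy and file events; the IOC values, event field names and hosts are all assumptions, and the block also handles subdomains of a listed domain and CIDR ranges, which the text does not spell out.

```python
"""IOC watchlist matching for the Contain/Monitor steps.
Added example, not part of the original playbook. Checks constructed
proxy, DNS and file events against collected IOCs (domains, IPs, CIDRs,
SHA-256); field names and sample values are assumptions.
"""
import ipaddress

IOCS = {  # constructed sample IOCs, not real indicators
    "domains": {"login-portal.example", "cdn.invoice-update.example"},
    "ips": {"203.0.113.10"},
    "cidrs": {"198.51.100.0/24"},
    "sha256": {"a" * 64},
}
NETWORKS = [ipaddress.ip_network(c) for c in IOCS["cidrs"]]

def domain_matches(fqdn):
    """True if fqdn equals, or is a subdomain of, a listed domain."""
    fqdn = fqdn.lower().rstrip(".")
    return any(fqdn == d or fqdn.endswith("." + d) for d in IOCS["domains"])

def ip_matches(ip):
    """True if ip is a listed address or falls inside a listed range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # malformed or empty field: never a hit
        return False
    return str(addr) in IOCS["ips"] or any(addr in n for n in NETWORKS)

def match_event(event):
    """Return which indicator type an event hit, or None."""
    kind = event.get("type")
    if kind in ("dns", "proxy") and domain_matches(event.get("domain", "")):
        return "domain"
    if kind in ("proxy", "netflow") and ip_matches(event.get("dst_ip", "")):
        return "ip"
    if kind == "file" and event.get("sha256", "").lower() in IOCS["sha256"]:
        return "hash"
    return None

def scan(events):
    """(host, event type, indicator type) for every event that matches."""
    return [(e["host"], e["type"], m) for e in events if (m := match_event(e))]

SAMPLE_EVENTS = [  # constructed sample telemetry
    {"host": "WS01", "type": "dns", "domain": "mail.login-portal.example."},
    {"host": "WS02", "type": "proxy", "domain": "example.org", "dst_ip": "198.51.100.77"},
    {"host": "WS03", "type": "file", "sha256": "A" * 64},
    {"host": "WS04", "type": "dns", "domain": "notlogin-portal.example"},
]
```

Note that WS04 is not a hit: a suffix match without the leading dot would wrongly flag unrelated domains that merely end in the same string.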
If all affected endpoints have been contained, you can go to the next phase, otherwise continue below.
If new IOCs were discovered, go back to the Analyze Phase
Determine which of the following rules need to be removed and which need to stay:
- Firewall Rules
- EDR
  - banned hashes
  - banned domains
  - Containment
- Proxy Block
If all affected endpoints have been contained, you can go to the next phase, otherwise continue below.
Determine if legitimate elements are blocked by:
- Proxy
- Firewall
- EDR
If so, go back to Update Defenses; otherwise go to the next phase
- What worked
- What didn't work
Update the following documents as required:
- Policies
- Processes
- Procedures
- Playbooks
- Runbooks
Update Detection Rules in:
- SIEM
- Anti-Spam
- Malware Gateway
- EDR
- Other security solutions
- Schedule a review of newly introduced rules in 6 months
  - Are the following still applicable
    - Firewall Rules
    - Proxy Rules for C2
    - AV / EDR custom Signatures
    - IPS Signatures
This Playbook was built using the following references:
https://www.dfir.training/index.php?option=com_jreviews&format=ajax&url=media/download&m=14tt1&1600804844570
https://www.gov.scot/publications/cyber-resilience-incident-management/
https://github.com/certsocietegenerale/IRM/tree/master/EN
https://www.incidentresponse.com/playbooks/
https://ayehu.com/cyber-security-incident-response-automation/top-5-cyber-security-incident-response-playbooks/
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf