IncMan Use Case: Phishing Attempt

This use case will demonstrate how to utilize IncMan’s integrations and R3 Rapid Response Runbooks to quickly alert the security team to a potential phishing attempt, triage any attachments, and take action to delete malicious attachments and reset the affected user’s password.

Goals

  • Automatically receive potentially malicious email and extract attachments
  • Evaluate the attachment and search for other instances of that attachment across the enterprise
  • Gather user information for the affected user and system information for the affected host, including running processes
  • Reset the victim’s password and send notification of the recent change to the account user

Integrations Used

  • Exchange EWS
  • Recorded Future
  • Custom Scripts
  • Email Notification
  • Microsoft Active Directory

Implementation

Creating an R3 Rapid Response Runbook

The first step necessary to create an R3 Runbook is to outline how the organization will want to handle potential phishing emails. Understanding the processes and procedures for handling this type of event will help lay the foundation for automating the response.
Before responding to any type of event an investigator must research aspects of the activity observed. This research is done through Enrichment tasks. These tasks will be based on the assumption that the incoming email contains the following information at a minimum:

  • Recipient’s email address
  • Email attachment

 

phishing use case _1

 

Information Gathering & Enrichment

Before we can respond to a suspicious email we must first gather information regarding the email and its sender to determine how it should be handled. Our R3 Runbook will begin by searching the EWS instance for additional emails received from the sender and verify the existence of any attachments in the emails located.

 

phishing use case_2

 

Once we have queried for attachments our runbook will come to its first conditional argument. If there are attachments present, the R3 Runbook will check the attachment’s MD5 hash against two separate file reputation services. If either of those reputation services reports a risk score above a 50, our runbook will begin to take further containment and notification actions.

 

phishing use case _3

 

Containment & Notification

If the risk score has been confirmed to be above 50, the runbook will simultaneously delete the malicious attachments and query Active Directory for the affected user’s information. Armed with the affected user’s Active Directory information, our runbook will execute a custom script to generate a new random password for this user account. This newly created password will be set for our affected user account, we will force the user to reset their password upon next login, and a notification will be sent to the user containing these new login credentials.

 

phishing use case _4

 

Utilizing the R3 Rapid Response Runbook

Once the new R3 Runbook is created, IncMan must be told how and when to automate the use of this Runbook. This is achieved by creating an Incident Template, which will be used any time an incident is generated for a newly discovered vulnerability. Through this incident template, critical pieces of information such as Type, Summary, Category can be automatically applied to the newly created incident.
In addition to incident information, the Incident Template also allows R3 Runbooks to be automatically assigned and executed each time the incident template is used. Assigning the previous R3 Runbook to the Vulnerability Management Incident Template will cause the R3 Runbook to be automatically run for each matching incident.

Finally, conditions must be set to indicate when IncMan should utilize the Exchange EWS Phishing Incident Template. In this use case, the Phishing Incident Template will be used to create an incident each time a potentially malicious email communication is forwarded from an organization’s user.

Solution in Action

When an email message is received from an organization’s user, IncMan will automatically generate a new incident based on the Exchange EWS Phishing Incident Template.

 

phishing use case _5

 

Without requiring any action on the part of an analyst, the Exchange EWS Phishing Runbook is initiated, executing the Information Gathering and Enrichment, Containment, and finally the Notification sections automatically. The following screenshots show some of the information which may be available to the security analyst as a result of the execution of these two sections.

 

phishing use case _6

 

 

 

phishing use case _7

 

 

phishing use case _8

 

 

phishing use case _9

 

 

phishing use case _10

 

 

phishing use case _11

 

 

 

Summary

This use case frees up security teams from having to triage potentially malicious email communications submitted by their users and allows for their time to be better spent on tasks which require human intervention.

The automated portions of this R3 Runbook can be executed in less than 60 seconds, orders of magnitude less than it would take an analyst to manually query all of these information sources. By automating responses to these malicious communications, it ensures our attackers would have less time to dwell in our environments and cuts them off at the pass preventing any lateral movement and further destruction or damage.