R3 Rapid Response Runbook for Spear Phishing

According to Verizon’s Data Breach Investigations report 2017, social engineering was a factor in 43% of breaches, with Phishing accounting for 93% of social attacks.

DFlabs has worked closely with our customers to draft and deploy Phishing specific runbooks. In this article, we take a look at an example R3 Phishing runbook below.

The Premise
Our premise is that an incident appears to be a Spear Phishing attempt has been forwarded to the SOC. The SOC team must qualify the incident and determine what needs to be done to mitigate the attack.

We begin our investigation with an incident observable, a fully qualified domain name (FQDN).

We will correlate the FQDN with several external threat intelligence services to assess whether this is truly an ongoing Phishing attempt or a benign false positive. We have used VirusTotal and Cisco Umbrella in this example, but other threat intelligence and malware services could be used instead.

We have 3 different potential outcomes and associated decision paths:

R3 Rapid Response Runbook for Spear Phishing 7

The R3 Runbook

1. The FQDN is automatically extracted from the incident alert and then sent to Cisco Umbrella Investigate for a classification.

R3 Rapid Response Runbook for Spear Phishing 1


2. Depending on the outcome – whether Cisco Umbrella Investigate classifies the FQDN as benign or malicious – we can take one of two different paths.

R3 Rapid Response Runbook for Spear Phishing 2


3. The FQDN will be rechecked with VirusTotal to verify the result. We do this whether the first classification was malicious or benign. At this point we do not know whether one of the two services is returning a false positive or a false negative, so we do a double check.

R3 Rapid Response Runbook for Spear Phishing 3


4. IF both external 3rd party queries confirm that the FQDN is malicious, we have a high degree of certainty that this is a harmful Phishing attempt and can step through automatically to containment. In our example, we automatically block the domain on a web gateway.

R3 Rapid Response Runbook for Spear Phishing 4


5. Alternatively, if only one of the two queries returns a malicious classification, we need to hand the runbook off to a security analyst to conduct a manual investigation. At this point, we cannot determine in an automated manner where the misclassification resides. It could be that one of the services has stale data, or doesn’t include the FQDN in its database. With the ambiguous result, we lack the degree of confidence in the detection to trust executing fully automated containment.

R3 Rapid Response Runbook for Spear Phishing 5


6. If both VirusTotal and Cisco Umbrella Investigate return a non-malicious classification, no further action will be necessary at this point. We will notify the relevant users that the incident has been resolved as a false positive and can close the case for now.

R3 Rapid Response Runbook for Spear Phishing 6


This R3 Phishing Runbook demonstrates the flexibility and efficiency of automating incident response . Incident Qualification is automated as much as is feasible but keeps a human in the loop when cognitive skills are required. It only automates containment when the degree of confidence is sufficient. It eliminates false positives without requiring human intervention.

Could the DNC Hack Have Been Prevented?

This past summer, many cyber security experts expressed their concerns that certain Russian groups were involved in the hacking attack on the U.S. Democratic National Committee’s (DNC) computer network, leaking 20,000 emails from various Democratic Party officials. The DNC hack made the headlines around the globe, and for good reason.

No matter who the perpetrator was, one thing is clear: the hack of the DNC servers inflicted serious harm to both the Democratic Party as an institution, as well as many of its members, mainly related to the public image of the party and of various individuals.

However, it could have had further, more wide-ranging implications, including an impact on the upcoming U.S. presidential election, which is why it is very important to understand what could have been done to prevent it, and what kind of response and management process for the incident should have been chosen.

Was the Hack Avoidable?

Even though it’s difficult to confidently say whether the DNC hack could have been avoided, without knowing the confidential specifics of the incident, there are a lot of things that could have been done that would have probably protected the DNC’s computer server much better.

The consensus among leading analysts familiar with this incidents is that the DNC hack was most likely conducted through spear phishing, which is one of the most common methods for initiating a cyber attack.

With that in mind, one of the easiest ways to avoid falling victim to such a fraud is to train people within your organization on how to recognize and react to such threats. People should be familiarized with the spear phishing technique and how it works, making them more aware of the difference between legitimate emails and links and malicious ones, with the latter being the basis of all phishing scams.

What’s the Appropriate Response to These Types of Incidents?

Sometimes, no matter how well every person within an organization is trained and educated on cyber security threats, attacks on a company or an institution server or network occurs, and that is when you need to be able to react as fast and as efficiently as possible to prevent the loss of confidential information, and avoid a major blow to your organization’s reputation, and consequently, your bottom line.

To that end, having a cyber incident response plan in place is key to bringing cyber incidents under control and minimizing or completely avoiding the potential consequences of a breach.

According to statistics from a recent AT&T report, 62% of organizations admitted to being breached in 2015, but only 34% of organizations polled had an incident response plan. These statistics inevitably point to the need for increasing awareness of the fact that every organization is highly vulnerable to cyberattacks, and the necessity of devising a plan and having the right tools that would help them mitigate the impact of any breach and go about their business as soon as possible.