SenseOn SOC Playbook: Phishing
The following process is how managed providers of SenseOn should extend the investigation of incidents in end customer estates and contains best practice guidance for additional manual threat hunting and containment.
Process Flowchart
Identification
Identify the phishing email(s)
Joint action for customer and provider of SenseOn MDR
Identifying the phishing email that has been received by a user or users in the estate is crucial to learning more about, and gauging, the threat potential.
Identify number of affected mailboxes
Action for customer
Phishing emails are often sent to multiple users and may be received in multiple mailboxes. As part of the later eradication stage it is important to find all instances of the potential phishing email.
Analyse the email
Action for provider of SenseOn MDR
Finding and properly analysing the email that has been received can yield information about the threat, including important IOCs such as the sender of the email, the IP address that the email was forwarded through, any suspicious links it contained, whether it contained malicious files, and whether the email was part of an attack targeting a specific user, a subset of users, or was part of a blanket attack.
Gathering this information will help assess the depth and breadth of the attack and/or compromise.
If the email was found to contain a malicious file, the file should be retrieved for further analysis and a hash of the file should be taken. Following this, the malware playbook should be followed.
If the email was found to contain a suspicious link, the link itself should be analysed to assess its nature and what the potential attackers were trying to achieve, such as gathering users' credentials. The domain of the link should also be assessed to find out whether it has been associated with any other attacks.
Analysing the link could be done by using threat intelligence tools like:
- URL Scan - A website that allows a webpage’s content to be viewed without actually visiting the site and putting yourself, or device, at risk.
- VirusTotal - A threat intelligence platform that is free to use and allows security vendors to share intelligence about files and network sources / destinations.
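An added example (not part of the SenseOn playbook) of pulling the IOCs described above from a raw message with Python's standard library, without rendering the email or opening the attachment. The sample message, its hosts and its IP addresses are constructed, and the function name extract_iocs is hypothetical.

```python
import email, hashlib, ipaddress, re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample, not a real phish; hosts/IPs are documentation ranges.
SAMPLE_EML = b"""\
Received: from mail.example.net (mail.example.net [203.0.113.45])
\tby mx.customer.example with ESMTP id abc123; Mon, 1 Jan 2024 09:00:02 +0000
Received: from [198.51.100.7] by mail.example.net; Mon, 1 Jan 2024 09:00:00 +0000
From: "IT Support" <helpdesk@example.net>
Subject: Password expiry
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Reset here: <a href="https://login.example.net/reset?u=1">portal</a></p>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.doc"
Content-Transfer-Encoding: base64

SGVsbG8=
--b1--
"""
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # bracketed IPv4 in Received

def extract_iocs(raw: bytes) -> dict:
    """Parse a raw message without rendering it or opening attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    iocs = {"sender": parseaddr(str(msg.get("From", "")))[1],
            "relay_ips": [], "domains": [], "urls": [], "attachments": []}
    for hop in msg.get_all("Received", []):  # top header = most recent hop
        for ip in IP_RE.findall(str(hop)):
            try:
                ipaddress.ip_address(ip)  # drop matches such as 999.1.1.1
            except ValueError:
                continue
            iocs["relay_ips"].append(ip)
    for part in msg.walk():  # multipart containers match neither branch
        if part.get_content_disposition() == "attachment" or part.get_filename():
            data = part.get_payload(decode=True) or b""  # decoded, never executed
            iocs["attachments"].append((part.get_filename(), hashlib.sha256(data).hexdigest()))
        elif part.get_content_maintype() == "text":
            for url in URL_RE.findall(part.get_content()):
                iocs["urls"].append(url)
                iocs["domains"].append(urlparse(url).hostname)
    return iocs
```

The returned domains and attachment file names are the values that go into the hunt lab queries in the next section, and the SHA-256 is the hash to carry into the malware playbook.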
Assessing the wider estate using hunt lab
Action for provider of SenseOn MDR
The estate can be assessed using hunt lab to find whether other users and devices have been affected by the same threat. One way to do this is to assess DNS records, or to check whether the link or file name was seen in any commands that were run on the device. Some example queries for doing this are given below:
Checking DNS
SELECT _time_observed,
source_hostname,
query_name
FROM network_dns
WHERE query_name in ['IOC1','IOC2']
Checking if a link has been seen in process telemetry
SELECT _time_observed, _hostname, username, command
FROM endpoint_process
WHERE lower(command) LIKE lower('%<place_phishing_domain_name_here>%') --this should look something like '%google%'
ORDER BY _time_observed ASC
Checking if a file has been seen in process telemetry
SELECT _time_observed, _hostname, username, command
FROM endpoint_process
WHERE (lower(command) LIKE lower('%<place_filename_here>%')
OR lower(name) LIKE lower('%<place_filename_here>%')
OR lower(parent_name) LIKE lower('%<place_filename_here>%'))
ORDER BY _time_observed ASC
User correspondence
Action for customer
Following assessment of the estate as a whole, the users who have been found to have clicked links or accessed files from the malicious mail should be liaised with to better understand what actions they took and what they experienced, as this could be invaluable in assessing the impact caused by the phishing attack.
Containment
After confirming that the received email was in fact malicious, the following steps can be followed to contain the threat. Note, however, that this section is based on emails containing malicious links; if malicious files were found contained in emails then ‘PLB-001 Malware Playbook’ should be followed.
User account actions
Action for customer
User accounts that have clicked a link within a phishing email should have the following actions performed against them. Note that, even if the user states that they did not enter any credentials or take any actions outside of clicking a link, the following actions should still be taken as a precaution.
- User credentials should be reset in the event that credentials have been stolen by attackers.
- Any current sessions for the users should be ended, forcing users to login again with new credentials in the event that attackers have already made use of stolen credentials.
- Any two factor authentication codes that are currently valid for the user account should be revoked, and two factor authentication methods could also be reset in the event that the attackers have made changes to these settings.
Recurrence Prevention
Action for customer
In the event that other users have received the email and have not yet accessed it, the malicious domain and associated IP addresses should be blocked so that other users in the estate cannot also be phished. Two main ways to do this are at the firewall and DNS levels.
- DNS filtering can be used to stop DNS replying with answers for DNS lookups relating to any suspicious IP addresses or URLs - it is of note that this will only be effective if all devices in the estate use a locally managed DNS solution.
- Firewall rules could also be implemented to block the destination IPs associated with the malicious domain(s) so that devices attempting to connect to the domain(s) are blocked. Typically this would be done at the perimeter firewall level.
- The email address that was used to send the malicious email could also be blocked using email filtering.
Eradication
Action for customer
- Delete the email from the mailboxes it was identified in, rendering it inaccessible to users, so that it cannot be mistakenly interacted with again.
- For malicious files received in emails, consult the playbook ‘PLB-001 Malware’ in relation to identification, containment, eradication and recovery.
Recovery
Action for customer
- Check in with users to make sure that they have not received any further similar or related emails.
- Check that users have reset credentials and reconfigured their two factor authentication methods / mechanisms.