The Phishing Playbook is a formal operational guide that defines how an organization detects, analyzes, responds to, contains, and recovers from phishing incidents.
In the event of a cybersecurity incident, it is important that any organisation can respond, mobilise, and execute an appropriate level of response to limit the impact of a cybersecurity attack or breach. Although all cybersecurity incidents are different in their nature and technologies used, it is possible to group common cybersecurity incident types and methodologies together. This is to provide an appropriate and timely response depending on the cybersecurity incident type. Incident specific playbooks provide incident managers and stakeholders with a consistent approach to follow when remediating a cybersecurity incident.
A cybersecurity incident response playbook is a set of pre-defined steps and procedures that outline how to respond to a specific type of cybersecurity incident. For each playbook, the steps and procedures are structured according to the National Institute of Standards and Technology (NIST) Incident Response Lifecycle. The plan outlined in this playbook is developed to assist the constituency of the South African National Research and Education Network (SA NREN) in responding to Phishing attacks. Phishing is the act of attempting to acquire personally identifiable information (PII) such as usernames, passwords, or credit card details by masquerading as a trustworthy entity in an electronic communication.
The purpose of the SANReN CSIRT Phishing Playbook is to provide guidance regarding the appropriate and timely response to a Phishing cybersecurity incident or attack.
This document has been designed for the sole use of the SA NREN constituency.
This document is to be reviewed for continued relevance by the SANReN CSIRT team at least once every 12 months, following any major cybersecurity incident, or as new information becomes available.
Outlining the recommended steps required to prepare the constituent to respond to a Phishing attack in a timely and effective manner.
| Activity | Description | Action(s) |
|---|---|---|
| Maintain documentation | Implement, maintain, and review cybersecurity incident procedures. Maintain and regularly update technical documentation. Establish policies and procedures. Define the roles and responsibilities. | Create a Cyber Incident Response Plan covering Phishing attacks. Document network topology. Develop password and e-mail security policies. Establish a procedure to report Phishing attacks. |
| Identify assets | Maintain an understanding of the constituent's environment: keep a list of all company-owned domains and maintain a list of all company-owned assets. | Maintain an asset inventory and a list of end-user devices. |
| Review available information | Review cybersecurity incidents and their outputs. Review threats to the constituent, risks and vulnerabilities. Analyse common Phishing attacks. | View SANReN CSIRT weekly articles. Review SANReN CSIRT Alerts and Advisories. |
| Maintain tools and technologies | Deploy appropriate tools and technologies to detect Phishing attacks. | Deploy anti-phishing, anti-malware, and/or anti-spam solutions. |
| Training | Educate employees regarding Phishing attacks through awareness campaigns and training. | Internal and external training sessions. |
Providing the recommended steps to follow to enable detection of the phishing attack and conduct the investigation of the collected data to determine the scope and impact of the phishing attack.
| Activity | Description | Action(s) |
|---|---|---|
| Identification of Phishing e-mail | Internal notifications, such as: reports from deployed technological tools; reports from employees; e-mails that are non-returnable or non-deliverable. External notifications, such as: reports from external parties of suspicious or fraudulent activity related to e-mails; reports from Internet Service Providers; reports from other well-regarded third parties. | Report and escalate according to the existing Cyber Incident Response Plan or established policies and procedures. Inform the SANReN CSIRT team so that other beneficiaries can be alerted. Inform the legal department if the attack has potential legal ramifications. |
| Perform data collection | Collate initial incident data, such as: e-mail address of the sender; intended recipient(s); subject line; securely downloaded attachment(s) (stored in a password-protected archive); identification of suspicious links. | Secure a copy of the e-mail and attachment(s). Collect reports from deployed security tools/technologies: anti-virus and endpoint detection and response (EDR) reports; security information and event management (SIEM) reports; error logs from mail servers. |
| Categorize the type of attack | Identify the type of phishing e-mail received: spear phishing (targeting a specific individual); whaling (targeting executives); business e-mail compromise (defrauding the company). Categorising the phishing e-mail assists with scoping the attack. | Identify the recipient(s) of the phishing e-mail. |
| Analyse the message | Analyse the e-mail header, including: the e-mail address of the sender; the e-mail address of the X-Authenticated-User; the mail server IP address. Analyse the message content for embedded URLs or suspicious links. | Establish an isolated but controlled environment for analysis. Submit identified URLs for further analysis from the isolated environment (VirusTotal, urlscan.io). Contact the SANReN CSIRT team if further assistance is required. |
| Analyse attachment(s) | Download and analyse the files attached to the e-mail. Determine the potential impact of malicious attachment(s) and initiate further investigation where needed (e.g., malware analysis). | Download and analyse attachment(s) in the isolated environment. Submit files for further analysis from the isolated environment (VirusTotal, Joe Sandbox). Contact the SANReN CSIRT team if further assistance is required. |
| Determine scope and impact | Determine the number of impacted users by identifying: users that received the phishing e-mail; users that downloaded and opened the attachment(s), if present; users that visited embedded URLs; users that supplied personal or business information. | Internal communication: establish a reporting line. Review firewall log files (if available) and network device logs (if available). |
| Determine the severity | Consider the following: whether personal data (or other sensitive data) is at risk; the number of affected assets; the preliminary business impact; whether services are affected. | Consult the internal security team, legal department, and/or the SANReN CSIRT team. |
| Reporting | Report continuously as the investigation progresses to ensure all relevant parties are up to date. | Establish appropriate communication methods (e.g., e-mail or website, internal or external). Inform employees. |
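The "Perform data collection" and "Analyse the message" activities above pull the same handful of indicators out of a suspect e-mail: sender address versus envelope sender, the X-Authenticated-User header, the relay IP from the Received chain, embedded URLs, and attachment hashes that later feed the blocking step in containment. The script below is an added example (not part of the SANReN playbook) that extracts these from a raw `.eml` using only the Python standard library; the sample message, its domains and its IP address are constructed for illustration.

```python
import email, email.utils, hashlib, re
from email import policy

# Constructed sample phishing e-mail (not a real capture); domains and
# the IP address use reserved example/test ranges.
SAMPLE_EML = b"""Return-Path: <bounce@mail-relay.example.net>
Received: from mx.example.net (mx.example.net [203.0.113.7])
    by mail.university.example (Postfix) with ESMTPS id ABC123
    for <staff@university.example>; Mon, 1 Jan 2024 09:00:00 +0000
From: "IT Helpdesk" <helpdesk@university.example>
Subject: Action required: password expiry
X-Authenticated-User: attacker@mail-relay.example.net
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your password expires today. Verify at http://login-reset.test/verify
--b1
Content-Type: application/octet-stream; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"

not-really-a-zip
--b1--
"""
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # [a.b.c.d] inside Received hops

def domain_of(header_value):
    """Lower-cased domain part of the address found in a header value."""
    return email.utils.parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def triage(raw_bytes):
    """Collect the header, URL and attachment indicators the playbook asks for."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    from_dom, rp_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    hops = [ip for h in msg.get_all("Received", []) for ip in IP_RE.findall(h)]
    urls, attachments = [], []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            digest = hashlib.sha256(part.get_payload(decode=True)).hexdigest()
            attachments.append((part.get_filename(), digest))  # hash for lookup/blocking
        elif part.get_content_type() in ("text/plain", "text/html"):
            urls += URL_RE.findall(part.get_content())
    return {"from_domain": from_dom, "return_path_domain": rp_dom,
            "sender_mismatch": from_dom != rp_dom,  # header sender vs. envelope sender
            "x_authenticated_user": str(msg["X-Authenticated-User"] or ""),
            "relay_ips": hops, "urls": urls, "attachments": attachments}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

Run it inside the isolated analysis environment; the URLs and attachment hashes it prints are what you submit to VirusTotal or urlscan.io and later add to mail-filter and proxy block rules.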
Outlining the necessary steps to isolate the Phishing attack and subsequent threats, eliminate and remove the effects of the Phishing attack, and recover to resume normal operations.
| Activity | Description | Action(s) |
|---|---|---|
| Contain affected endpoints | Identify and quarantine affected systems and endpoints. | Remove endpoints from the network. Isolate endpoints from the production network. |
| Contain affected accounts | Identify compromised accounts or at-risk credentials. | Reduce access to critical systems or data until the investigation has been completed. |
| Block malicious activity | Block activity based on identified indicators of compromise. | Block malicious domains and IP addresses. Update firewall rules and proxies. Block messages with similar headers, subjects, links and/or attachments. |
| Activity | Description | Action(s) |
|---|---|---|
| Removal of the threat | Change or delete compromised accounts. Purge related messages from inboxes. Delete downloaded attachments. Remove malware infection, if present. | Conduct a password reset for affected accounts. Delete phishing e-mails via admin consoles or using a spam filter. Use EDR or SIEM to detect and remove downloaded attachments. Update signatures and conduct an anti-virus scan. |
| Activity | Description | Action(s) |
|---|---|---|
| Return systems and endpoints | Recover systems based on business impact analysis and business criticality. Re-integrate previously compromised systems and endpoints. Restore suspended services. | Restore affected systems from a trusted backup. Re-install any standalone system from a clean OS image before updating it with a trusted data backup. |
| Update defences | Conduct a vulnerability scan of all systems. Establish and improve monitoring for suspicious behaviour. Improve the security of user accounts. | Implement necessary patches. Update anti-virus and anti-malware solutions. Enforce multi-factor authentication (MFA). |
Recommended steps to conduct after the Phishing attack has been investigated and resolved to ensure lessons are learned and improvements are put into place.
| Activity | Description | Action(s) |
|---|---|---|
| Lessons learned | Process the incident, review strategies and revisit preparations for potential future incidents. | Hold a "lessons learned" meeting. Questions to be discussed: How well did staff and management perform in dealing with the incident? Were the documented procedures followed? Were they adequate? What information was needed sooner? Were any steps or actions taken that might have inhibited the recovery? |
| Incident reporting | Draft the post-incident report. | Share with the SANReN CSIRT team. |
| User awareness training | Educate employees on: how to recognise a Phishing e-mail; how to report a Phishing e-mail; the risk of following links embedded in e-mails; the risk associated with opening attachments. | Internal communication (e-mail) or announcement on the website. |
Checklist
| # | Action | Completed |
|---|---|---|
| | **Detection and Analysis** | |
| 1. | Determine whether an incident has occurred: employees received and interacted with a Phishing e-mail. | |
| 2. | Identify the type of phishing e-mail received. | |
| 3. | Perform data collection: analyse the message and attachment(s). | |
| 4. | Prioritize phishing e-mails based on the relevant factors (functional impact, information impact, recoverability effort, scope, severity, etc.). | |
| 5. | Report the phishing incident to the appropriate internal personnel and external organizations (SANReN CSIRT and TENET). | |
| | **Containment, Eradication and Recovery** | |
| 6. | Contain the phishing attack: disable affected accounts; quarantine and isolate affected systems and endpoints if malware is suspected. | |
| 7. | Eradicate the phishing attack: reset affected accounts and purge the phishing e-mail from the environment. | |
| 8. | Recover from the phishing attack: return to normal operations and update defences. | |
| | **Post-Incident Activity** | |
| 9. | Conduct a "Lessons Learned" meeting. | |
| 10. | Create a post-incident report and share it with the relevant parties. | |