Plan Your Phishing Incident

Cortex XSOAR 6.x Tutorials

Product: Cortex XSOAR
Version: 6.x
Creation date: 2022-10-13
Last date published: 2023-06-05
Category: Tutorials

Before you begin, consider the following requirements:

  1. Where do your phishing incidents originate?

    Sometimes, phishing incidents originate from another phishing tool, like PhishLabs, or from an inbox in Gmail, Microsoft O365, EWS, etc. You should consider whether you want to use impersonation rights if you need to retrieve the phishing email from the user’s mailbox. If you do not have the original email, investigation is more problematic.

    In this example, all emails are either forwarded, or attached as a file to an email, and sent to the organization's designated phishing inbox. We want to fetch all phishing emails, whether forwarded or attached, into Cortex XSOAR using EWS O365. We want to use impersonation rights to get the original email from the user’s inbox. Although not essential, we also want to use Active Directory to obtain users’ details.

  2. What information do you want to see in an incident as part of an investigation?

    You likely want to see the source email, destination email, email headers, body, email HTML, email text, attachment hash/extension, etc.

    The phishing incident layout comes out of the box with the fields that are necessary to investigate a phishing incident. These sections and fields are fully customizable.

  3. What is your current incident response process?

    You may want to check IP addresses for location, act according to the country to increase severity, block IPs, manually investigate further, and close incidents. You may also want to search and delete malicious emails, check for clicked URLs, and block a domain or an email address.

    You can use and customize out-of-the-box playbooks, or create your own playbook for a phishing investigation and response.

  4. Which enrichment feeds do you use?

    Usually, you want to extract the headers, subject, and body from the original email, and then extract the relevant IOCs from them. In this example, we enrich all extracted IOCs via VirusTotal.

  5. Which detonation systems do you use?

    Based on the verdict of the IOC, you should use static/dynamic file analysis tools or sandbox integrations to determine the maliciousness of file attachments. You can run this automatically in the playbook or manually. In this example, we detonate malicious files using Palo Alto Networks Wildfire.

  6. Are there any manual steps that need to be taken?

    Consider which manual steps need to be taken. These steps can be added to a playbook.

    For example, consider the following:

    • At what stage do you want an analyst to investigate?

    • Do you want to confirm before deleting an email from another user’s account?

    • Will you notify an analyst to investigate if there is an unexpected error?

    In this example, we want the analyst to investigate to see if the incident was malicious after indicators were extracted from the email and a file attachment was detonated.

  7. Are there end-user interactive steps?

    Do you need to ask the end user questions via email, Slack, or any other communication channel? Do you need management approval by email? Do you need to bring in another analyst? These steps, together with error checking, escalation, etc., can be added to a playbook.

  8. Are there any steps to be taken after closing an incident?

    After closing an incident, do you need to send a notification to a third-party service such as Jira or ServiceNow, or verify that all tasks are done?

    In this example, when closing an incident we want to automatically update the incident owner, so that if the incident is reopened, this user receives a notification.

  9. Do you need to restrict incident investigations?

    Do you want to restrict incident actions and investigations according to roles? Do you want to give read-only access to certain roles at certain times? For example, when an incident is in triage, you may want all Tier-2 analysts to have read-only access.

    In this example, we want an option for read-only access for certain roles.

  10. Do you want to find and manage Phishing Campaign incidents?

    A phishing campaign is a collection of phishing incidents that originate from the same attacker, or are part of the same organized attack launched against multiple users. In a phishing campaign, many emails are sent that contain similar text. You may want to find active incidents with a similar subject line and sender, close duplicate incidents, etc. The Detect & Manage Phishing Campaigns playbook in the Phishing Campaign content pack finds duplicate incidents and creates an incident to investigate the phishing campaign.
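The following Python is an added example that is not code from this tutorial or from any Cortex XSOAR content pack. It shows what items 1, 2 and 4 above ask you to plan for: taking a raw report from the phishing inbox, locating the original email (attached as a file, or only forwarded inline, in which case the original headers are gone and impersonation rights would be needed to fetch it), and mapping it onto the investigation fields of item 2 plus extracted IOCs. The sample report is constructed inline; the output keys (emailfrom, emailsubject, and so on) are assumptions chosen to mirror the fields item 2 lists, not necessarily the layout's real field names, and the IOC regexes are a minimal illustration rather than XSOAR's own extraction.

```python
import hashlib
import os
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"')]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def build_sample_report() -> bytes:
    """Constructed sample: a user's note to the phishing inbox with the original
    email attached as a file (message/rfc822), the case item 1 describes."""
    original = EmailMessage()
    original["From"] = '"IT Helpdesk" <helpdesk@example-phish.test>'
    original["To"] = "victim@example.com"
    original["Subject"] = "Password expiry notice"
    original["Message-ID"] = "<abc123@example-phish.test>"
    original.set_content(
        "Reset at http://198.51.100.7/reset or https://login.example-phish.test/x"
    )
    original.add_alternative(
        '<p>Reset <a href="https://login.example-phish.test/x">here</a></p>',
        subtype="html",
    )
    original.add_attachment(
        b"MZ\x90\x00constructed-not-a-real-binary",  # placeholder bytes, not malware
        maintype="application", subtype="octet-stream", filename="invoice.exe",
    )
    report = EmailMessage()
    report["From"] = "victim@example.com"
    report["To"] = "phishing@example.com"
    report["Subject"] = "FW: Password expiry notice"
    report.set_content("This looks suspicious, please check.")
    report.add_attachment(original)
    return report.as_bytes()


def find_original(report: EmailMessage):
    """Return (original email, attached_as_file). When the user forwarded the
    email inline instead of attaching it, only the report itself is available
    and the original headers are lost; that is the case where impersonation
    rights (item 1) are needed to pull the original from the user's mailbox."""
    for part in report.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0), True
    return report, False


def extract_iocs(text: str) -> dict:
    """Pull URLs, IPv4 addresses and domains out of body text and HTML."""
    urls = sorted(set(URL_RE.findall(text)))
    ips, domains = set(IPV4_RE.findall(text)), set()
    for url in urls:
        host = urlparse(url).hostname or ""
        (ips if IPV4_RE.fullmatch(host) else domains).add(host)
    domains.discard("")
    return {"urls": urls, "ips": sorted(ips), "domains": sorted(domains)}


def extract_fields(raw: bytes) -> dict:
    """Map a raw report from the phishing inbox onto the fields listed in item 2."""
    report = BytesParser(policy=policy.default).parsebytes(raw)
    original, attached = find_original(report)
    text_part = original.get_body(preferencelist=("plain",))
    html_part = original.get_body(preferencelist=("html",))
    body = text_part.get_content() if text_part else ""
    html = html_part.get_content() if html_part else ""
    attachments = []
    for part in original.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        attachments.append({
            "name": name,
            "ext": os.path.splitext(name)[1].lower(),
            "sha256": hashlib.sha256(data).hexdigest(),  # hash to hand to VirusTotal / WildFire
        })
    return {
        "attached_as_file": attached,
        "emailfrom": parseaddr(str(original.get("From", "")))[1],
        "emailto": parseaddr(str(original.get("To", "")))[1],
        "emailsubject": str(original.get("Subject", "")),
        "emailheaders": [(name, str(value)) for name, value in original.items()],
        "emailbody": body,
        "emailhtml": html,
        "attachments": attachments,
        "iocs": extract_iocs(body + "\n" + html),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(extract_fields(build_sample_report()), indent=2))
```

Note the `attached_as_file` flag: when it is false, `emailfrom` and `emailheaders` describe the reporting user, not the attacker, which is exactly why the tutorial suggests retrieving the original from the user's mailbox with impersonation rights rather than relying on the forwarded copy.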

After you have finished the planning stage, you can proceed to install the necessary content packs to manage phishing incidents in Cortex XSOAR.
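As an added example for item 10 above (not the Detect & Manage Phishing Campaigns playbook's own logic, and not code from the tutorial), the following Python groups active phishing incidents that share a sender domain and a similar subject line, then reports the duplicates that could be closed in favour of one campaign investigation. The incident records are constructed inline, their keys mirror the fields of item 2 as an assumption, and the similarity threshold and minimum campaign size are illustrative parameters.

```python
import re
from difflib import SequenceMatcher

# Forward/reply prefixes and digits are stripped so that subjects which differ
# only by an invoice or ticket number compare as similar.
PREFIX_RE = re.compile(r"^\s*(?:(?:fw|fwd|re)\s*:\s*)+", re.IGNORECASE)
DIGITS_RE = re.compile(r"\d+")

# Constructed incidents; the field names are an assumption modelled on item 2.
INCIDENTS = [
    {"id": 101, "emailfrom": "billing@example-phish.test",
     "emailsubject": "Invoice #4412 overdue", "status": "active"},
    {"id": 102, "emailfrom": "accounts@example-phish.test",
     "emailsubject": "FW: Invoice #9031 overdue", "status": "active"},
    {"id": 103, "emailfrom": "billing@example-phish.test",
     "emailsubject": "Re: invoice #7700 overdue!", "status": "active"},
    {"id": 104, "emailfrom": "billing@example-phish.test",
     "emailsubject": "Invoice #1200 overdue", "status": "closed"},
    {"id": 105, "emailfrom": "hr@example.com",
     "emailsubject": "Benefits enrollment reminder", "status": "active"},
    {"id": 106, "emailfrom": "helpdesk@other-phish.test",
     "emailsubject": "Invoice #5555 overdue", "status": "active"},
]


def normalize_subject(subject: str) -> str:
    """Lower-case the subject, drop FW:/RE: prefixes, replace digit runs and
    collapse whitespace: 'FW: Invoice #4412 overdue' -> 'invoice ## overdue'."""
    stripped = PREFIX_RE.sub("", subject).lower()
    stripped = DIGITS_RE.sub("#", stripped)
    return " ".join(stripped.split())


def sender_domain(address: str) -> str:
    """Campaigns often rotate the local part but keep the sending domain."""
    return address.rsplit("@", 1)[-1].lower()


def similar(a: str, b: str, threshold: float) -> bool:
    """Ratio-based similarity so small edits ('overdue' vs 'overdue!') still match."""
    return SequenceMatcher(None, a, b).ratio() >= threshold


def find_campaigns(incidents, threshold=0.8, min_size=3):
    """Greedily cluster active incidents by sender domain and subject similarity.
    Returns the clusters large enough to be treated as a campaign, each as
    {"domain", "subject", "ids"} with ids in the order incidents were seen."""
    clusters = []
    for inc in incidents:
        if inc.get("status") == "closed":
            continue  # only active incidents, as item 10 suggests
        domain = sender_domain(inc["emailfrom"])
        subject = normalize_subject(inc["emailsubject"])
        for cluster in clusters:
            if cluster["domain"] == domain and similar(cluster["subject"], subject, threshold):
                cluster["ids"].append(inc["id"])
                break
        else:
            clusters.append({"domain": domain, "subject": subject, "ids": [inc["id"]]})
    return [c for c in clusters if len(c["ids"]) >= min_size]


def duplicates_to_close(campaigns) -> set:
    """Keep the first incident of each campaign as the investigation anchor;
    every later member is a duplicate that can be closed against it."""
    return {incident_id for c in campaigns for incident_id in c["ids"][1:]}


if __name__ == "__main__":
    campaigns = find_campaigns(INCIDENTS)
    for c in campaigns:
        print(f"campaign from {c['domain']} ({c['subject']!r}): incidents {c['ids']}")
    print("duplicates to close:", sorted(duplicates_to_close(campaigns)))
```

Matching on the exact sender domain keeps the example simple but misses campaigns that rotate domains as well as subjects; in that case a second pass keyed on other shared indicators (a common URL host or attachment hash, for instance) would be the natural extension.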