Tabletop

Uploaded by

Biniam Tekle

3. Analyze
Verify
In conjunction with a senior member of the SOC
● Double check previous data
● Rule out False Positive

Identify IOCs
● Validate hashes
○ VirusTotal
○ Hybrid Analysis
● Validate links
○ VirusTotal
○ Hybrid Analysis
○ URLScan
● ID subject, attachments, from addr
● ID other addresses, domains, IPs
○ VirusTotal
○ Hybrid Analysis
○ Talos Intelligence
● Search Threat Intel sources
○ VirusTotal
○ Hybrid Analysis
○ Talos Intelligence
● Disk forensics on recipient's endpoint

Scan Enterprise
● Update spam filter
● Update FW, IDS, etc. rules w/ IOCs
● Search all mail folders for IOCs
● Search endpoints for IOCs w/ EDR

Update Scope
● Update lists of
○ affected recipient addresses
○ affected endpoints
○ affected enclaves
○ affected business units

Scope Validation
Have all the machines been identified? If you find further traces of phishing or new IOCs go
back through this step.
When you are done identifying all compromised:
● Hosts
● Mailboxes
And investigated all:
● URLs
● Domains
● IPs
● Ports
● Files
● Hashes
Go to the next phase ‘Contain/Eradicate’
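Added example, not part of the original playbook: a small triage script for the "Scan Enterprise", "Update Scope" and "Scope Validation" steps. It matches a validated IOC set against constructed mail-gateway and EDR log lines, builds the affected-mailbox and affected-endpoint lists, and flags senders that delivered a known IOC but are not yet in the IOC set, which is the "new IOC discovered, go back to Analyze" condition. All IOC values, log lines, hostnames and addresses are constructed placeholders.

```python
import re

# Constructed IOC set for a hypothetical campaign (placeholder values, not real indicators).
IOCS = {
    "senders": {"invoice@paymnt-portal.example"},
    "domains": {"paymnt-portal.example"},
    "hashes": {"0123456789abcdef0123456789abcdef"},
}

# Constructed mail-gateway log lines (key=value fields): sender, recipient, link domain, attachment hash.
MAIL_LOG = """\
2024-05-01T08:01Z from=invoice@paymnt-portal.example to=alice@corp.example url=paymnt-portal.example sha=none
2024-05-01T08:02Z from=hr@corp.example to=bob@corp.example url=corp.example sha=none
2024-05-01T08:03Z from=billing@corp-alerts.example to=carol@corp.example url=corp.example sha=0123456789abcdef0123456789abcdef
"""

# Constructed EDR file-creation events: host and hash of the written file.
EDR_EVENTS = """\
host=WS-0421 user=alice sha=0123456789abcdef0123456789abcdef path=C:\\Users\\alice\\Downloads\\invoice.zip
host=WS-0777 user=bob sha=fedcba9876543210fedcba9876543210 path=C:\\Users\\bob\\Downloads\\report.pdf
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Turn one key=value log line into a dict; unparseable lines give an empty dict."""
    return dict(KV.findall(line))


def build_scope(iocs, mail_log, edr_events):
    """Search mail and endpoint telemetry for IOCs and return the current incident scope."""
    scope = {"mailboxes": set(), "endpoints": set(), "new_senders": set()}
    for ev in (parse(l) for l in mail_log.splitlines()):
        if not ev:
            continue
        hit = ev["from"] in iocs["senders"] or ev["url"] in iocs["domains"] or ev["sha"] in iocs["hashes"]
        if hit:
            scope["mailboxes"].add(ev["to"])
            # A sender delivering a known-bad link or attachment but absent from the IOC set
            # is a candidate new IOC: validate it before adding it to the block lists.
            if ev["from"] not in iocs["senders"]:
                scope["new_senders"].add(ev["from"])
    for ev in (parse(l) for l in edr_events.splitlines()):
        if ev and ev.get("sha") in iocs["hashes"]:
            scope["endpoints"].add(ev["host"])
    return scope


def scope_complete(scope):
    """Scope Validation: only proceed to Contain/Eradicate when no new IOCs remain to analyze."""
    return not scope["new_senders"]
```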

4. Contain / Eradicate
Block
● Update Spam Filters
● Update FW, Proxy, etc. rules
● Blackhole DNS
● Submit to third parties
○ Google Safe Browsing
○ Web Filter Vendor
○ etc.

Validate User's Actions
● Have emails been read?
● Have attachments been opened?
● Have links been clicked?

Malware Infection?
If malicious attachments were opened, assume the endpoint(s) were infected with malware and
proceed to the Malware Playbook.

Delete Emails
● Delete From Users' Inboxes
○ Spam Tool
○ Email Admin Console
○ Cloud & On-Prem
● Delete Downloaded Attachments
○ EDR, SIEM, etc. to scan enterprise

Close Monitoring
● Monitor for
○ Related incoming messages
○ Internet connections to IOC
○ New files that match identified hashes

All Affected Endpoints Contained?
If all affected endpoints have been contained, you can go to the next phase; otherwise
continue below.

New IOC Discovered?
If new IOCs were discovered, go back to the Analyze phase.

5. Recover
Update Defenses
Determine which of the following rules need to be removed and which need to stay:
● Spam Filters
● Firewall Rules
● EDR
○ ban hashes
○ ban domains
○ Containment
● Proxy Block

All Affected Endpoints Recovered?
If all affected endpoints have been recovered, you can go to the next phase; otherwise
continue below.
Validate Countermeasures
Determine if legitimate elements are blocked by:
● Spam Filters
● Proxy
● Firewall
● EDR
If so, go back to Update Defenses; otherwise go to the next phase.

6. Post Incident
Incident Review
● What worked
● What didn't work

Update Mode of Operations
Update the following documents as required:
● Policies
● Processes
● Procedures
● Playbooks
● Runbooks
Update Detection Rules in:
● SIEM
● Anti-Spam
● Malware Gateway
● EDR
● Other security solutions

Review Defensive Posture
● Schedule review of newly introduced rules in 6 months
● Are the following still applicable?
○ Spam Filter Rules
○ Firewall Rules
○ Proxy Rules for C2
○ AV / EDR Custom Signatures
○ IPS Signatures

User Awareness Training
● Ensure that the user receives Phishing training
○ How to recognize Phish
○ How to report Phish
○ Danger of following links
○ Danger of opening attachments
○ Danger of complying with scammers' requests
