#PHISHING Cyber Security IncidentRespond malware


This image has an empty alt attribute; its file name is draw.io_5euwufr2zg.png

The investigation phase takes the following steps.

Phishing attack is expensive to handle, today I am sharing my investigation phase for phishing as presented in my recent workshop. I hope it will benefit for IR team.

  • Log retrieval and review
    • IR team received logs from security tools or the blue team from in the SOC operation team
    • System logs help in providing important information such as IP addresses and ports from the source and destination assets
    • It is important to identify the assets and the owner.
  • Identification of the tools that detect the attack
    • Get familiar with your environment and available tools to help in the investigation
    • OODA Loop should be playing a bigger role here - from the Observation and Orient
    • Tools should facilitated the detection of the attack
  • Identification of the affected systems and networks
    • Phishing involved social engineer whereby this is hard to detect because not everyone will work together in reporting such attack if they got infected by this type of attack
    • Its hard to identify the compromised assets and its can quickly escalate
    • To identify the affected systems and network are very crucial
    • Move faster and efficient should be the right key in here
  • Identification of users affected attack
    • Please refer the organisation cybersecurity policy related to respond time in identifying the affected user
    • Should identify what type of malware been using during this phishing attacks
    • Create an investigation canvas if requires
    • This activity and information should be shared with the communication team in IR
  • Identification of systems at risk
    • After identifying what type of attack and severity of the attack, IR team should know identify other systems that at risk
    • Does the attacker managed to perform lateral movement?
    • Do they have the same login and password for other machine?
    • IR team should send notification telling to the affected users to changes new password
  • Identification of the business processes affected by the attack
    • After identifying the systems risk, IR team should use the information to identify which part of the incident affected the business process
    • Example: the phishing attack managed to have access in web server for the employees to submit documents, therefore the IR team should identify business process that affected.
  • Evidence collection
    • IR teams needs to collect all such evidence to help with the analysis of the attack
    • Prepare long term and short term recommendation if available.