{"id":702,"date":"2022-10-04T16:16:58","date_gmt":"2022-10-04T08:16:58","guid":{"rendered":"https:\/\/rp.my\/blog\/?p=702"},"modified":"2022-10-04T17:41:36","modified_gmt":"2022-10-04T09:41:36","slug":"phishing-attack-is-expensive-to-handle","status":"publish","type":"post","link":"https:\/\/rp.my\/blog\/phishing-attack-is-expensive-to-handle\/","title":{"rendered":"Phishing attack is expensive to handle"},
"content":{"rendered":"<p><img fetchpriority=\"high\" decoding=\"async\" src=\"https:\/\/wnnsnn.files.wordpress.com\/2022\/07\/draw.io_5euwufr2zg.png?w=1024\" alt=\"This image has an empty alt attribute; its file name is draw.io_5euwufr2zg.png\" width=\"1023\" height=\"609\" \/><\/p>\r\n<p>Phishing attacks are expensive to handle. Today I am sharing my investigation phase for phishing as presented in my recent workshop. I hope it will benefit IR teams.<\/p>\r\n<p>The investigation phase takes the following steps.<\/p>\r\n<ul>\r\n<li>Log retrieval and review\r\n<ul class=\"wp-block-list\">\r\n<li>The IR team receives logs from security tools or from the blue team in the SOC operations team<\/li>\r\n<li>System logs provide important information such as the IP addresses and ports of the source and destination assets<\/li>\r\n<li>It is important to identify the assets involved and their owners.<\/li>\r\n<\/ul>\r\n<\/li>\r\n<\/ul>\r\n<ul>\r\n<li>Identification of the tools that detected the attack\r\n<ul class=\"wp-block-list\">\r\n<li>Get familiar with your environment and the tools available to help in the investigation<\/li>\r\n<li>The OODA loop should play a bigger role here, starting from the Observe and Orient stages<\/li>\r\n<li>Tools should facilitate the detection of the attack<\/li>\r\n<\/ul>\r\n<\/li>\r\n<\/ul>\r\n<ul>\r\n<li>Identification of the affected systems and networks\r\n<ul class=\"wp-block-list\">\r\n<li>Phishing involves social engineering, which makes it hard to detect because not everyone will cooperate in reporting such an attack if they got infected by it<\/li>\r\n<li>It is hard to identify the compromised assets, and the incident can escalate quickly<\/li>\r\n<li>Identifying the affected systems and networks is crucial<\/li>\r\n<li>Moving faster and more efficiently is the key here<\/li>\r\n<\/ul>\r\n<\/li>\r\n<\/ul>\r\n<ul>\r\n<li>Identification of the users affected by the attack\r\n<ul class=\"wp-block-list\">\r\n<li>Refer to the organisation's cybersecurity policy on response time for identifying the affected users<\/li>\r\n<li>Identify what type of malware was used during the phishing attack<\/li>\r\n<li>Create an investigation canvas if required<\/li>\r\n<li>This activity and its findings should be shared with the communication team in IR<\/li>\r\n<\/ul>\r\n<\/li>\r\n<\/ul>\r\n<ul>\r\n<li>Identification of systems at risk\r\n<ul class=\"wp-block-list\">\r\n<li>After identifying the type and severity of the attack, the IR team should identify other systems that are at risk<\/li>\r\n<li>Did the attacker manage to perform lateral movement?<\/li>\r\n<li>Do the affected users have the same login and password on other machines?<\/li>\r\n<li>The IR team should send a notification telling the affected users to change their passwords<\/li>\r\n<\/ul>\r\n<\/li>\r\n<\/ul>\r\n<ul>\r\n<li>Identification of the business processes affected by the attack\r\n<ul class=\"wp-block-list\">\r\n<li>After identifying the systems at risk, the IR team should use that information to identify which part of the business process the incident affected<\/li>\r\n<li>Example: the phishing attack gave access to the web server that employees use to submit documents; the IR team should therefore identify the business processes that are affected.<\/li>\r\n<\/ul>\r\n<\/li>\r\n<\/ul>\r\n<ul>\r\n<li>Evidence collection\r\n<ul class=\"wp-block-list\">\r\n<li>The IR team needs to collect all such evidence to help with the analysis of the attack<\/li>\r\n<li>Prepare long-term and short-term recommendations if available.<\/li>\r\n<\/ul>\r\n<\/li>\r\n<\/ul>\r\n","protected":false},
"excerpt":{"rendered":"<p>Phishing attacks are expensive to handle. Today I am sharing my investigation phase for phishing as presented in my recent workshop. I hope it will benefit IR teams. The investigation phase takes the following steps.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[8,24,25,22],"class_list":["post-702","post","type-post","status-publish","format-standard","hentry","category-blog","tag-phishing","tag-cyber-security","tag-incidentrespond","tag-malware"],"acf":[],
"_links":{"self":[{"href":"https:\/\/rp.my\/blog\/wp-json\/wp\/v2\/posts\/702","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rp.my\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rp.my\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rp.my\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rp.my\/blog\/wp-json\/wp\/v2\/comments?post=702"}],"version-history":[{"count":9,"href":"https:\/\/rp.my\/blog\/wp-json\/wp\/v2\/posts\/702\/revisions"}],"predecessor-version":[{"id":704,"href":"https:\/\/rp.my\/blog\/wp-json\/wp\/v2\/posts\/702\/revisions\/704"}],"wp:attachment":[{"href":"https:\/\/rp.my\/blog\/wp-json\/wp\/v2\/media?parent=702"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rp.my\/blog\/wp-json\/wp\/v2\/categories?post=702"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rp.my\/blog\/wp-json\/wp\/v2\/tags?post=702"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}