Automating response to phishing attacks remains one of the core use-cases of SOAR platforms.
In 2022, the Anti-Phishing Working Group logged ~4.7 million phishing attacks.
Since 2019, the number of phishing attacks has increased by more than 150% yearly.
Phishing is also a common delivery method for more destructive attacks.
A survey by Osterman Research found that IT and security teams take an average of 27.5 minutes to handle a single phishing email, at an estimated cost of $31.32 per email to discover and mitigate it.
In this 'How to Build a Playbook' series, we'll be focusing on Office 365.
We'll be using supporting tools including CrowdStrike Falcon, Recorded Future, Active Directory, and Check Point Firewall.
Together these tools give a complete, end-to-end incident response workflow: it removes manual triage and data gathering, gives the investigation team enough context to make accurate decisions, and automates containment and recovery once the analyst decides how to proceed with an incident.
When starting to build a new playbook, it's important to identify the available integration commands to narrow down the list of possible commands you'll use.
For this phishing playbook, we'll be using Office 365 to ingest reported or suspicious emails; CrowdStrike Falcon, Active Directory, and Check Point Firewall for enrichment, containment, and recovery; and Recorded Future for threat intelligence on the indicators we extract.
In D3 Smart SOAR, there are over 100 commands across the five integrations, so we need to narrow down the list further to make our possible playbook design clearer.
First, list the artifacts that the playbook needs to process.
Second, identify which integration commands accept those artifacts as input.
For the first step, it's helpful to obtain the raw data of a sample alert (for example, the JSON of a reported email as Office 365 delivers it) and use it to identify which artifacts the playbook will need to process: typically the sender and recipient addresses, the message ID, any URLs in the body, attachment hashes, and the originating IP from the headers.
For phishing playbooks, we can also plan for derived artifacts that do not appear in the raw email: the recipient's email address can be looked up in Active Directory to resolve their user account, and that username can in turn be used to find the user's endpoint in CrowdStrike Falcon.
So the playbook should handle usernames and device IDs as artifact types as well, not only what is extracted from the message itself.
Once the list is narrowed, we'll categorize each command into one of three groups: enrichment (adds context about an artifact without changing anything), containment (stops ongoing harm, such as isolating a host or disabling an account), and recovery (reverses a containment action or restores normal operation once the incident is resolved).
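The two narrowing steps above, worked through in code, as an added example that is not part of the original post and not D3 Smart SOAR's own code: a constructed Office 365-style alert is parsed for artifacts, the recipient address is resolved to a username and device ID through stand-in Active Directory and Falcon lookups, and a hypothetical command catalog is filtered down to the commands that accept an artifact type we actually hold, grouped into enrichment, containment, and recovery. The alert field names, the command names, and the lookup tables are all assumptions for illustration.

```python
import json
import re
from collections import defaultdict

# Constructed sample alert (not real data): the raw JSON a SOAR might ingest
# from Office 365 for a reported phishing email. Field names are assumed.
SAMPLE_ALERT = json.dumps({
    "message_id": "<20231201.8831@invoice-portal.example>",
    "subject": "Invoice overdue - action required",
    "sender": "billing@invoice-portal.example",
    "recipient": "j.doe@corp.example",
    "headers": {"X-Originating-IP": "[203.0.113.45]"},
    "body": "Please review http://invoice-portal.example/pay?id=8831 today.",
    "attachments": [
        {"name": "invoice.pdf",
         "sha256": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
    ],
})

# Regexes for artifacts that only appear in free text (body, headers).
ARTIFACT_PATTERNS = {
    "url": re.compile(r"\bhttps?://[^\s\"'<>]+", re.I),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# Hypothetical command catalog: (integration, command, artifact type it
# accepts, playbook category). Command names are illustrative only, not
# D3 Smart SOAR's real integration commands.
COMMAND_CATALOG = [
    ("Office 365", "get_message", "message_id", "enrichment"),
    ("Office 365", "delete_message", "message_id", "containment"),
    ("Office 365", "block_sender", "email", "containment"),
    ("Recorded Future", "lookup_url", "url", "enrichment"),
    ("Recorded Future", "lookup_ip", "ipv4", "enrichment"),
    ("Recorded Future", "lookup_hash", "sha256", "enrichment"),
    ("Active Directory", "get_user_by_email", "email", "enrichment"),
    ("Active Directory", "disable_user", "username", "containment"),
    ("Active Directory", "enable_user", "username", "recovery"),
    ("CrowdStrike Falcon", "get_devices_by_user", "username", "enrichment"),
    ("CrowdStrike Falcon", "search_ioc", "sha256", "enrichment"),
    ("CrowdStrike Falcon", "contain_host", "device_id", "containment"),
    ("CrowdStrike Falcon", "lift_containment", "device_id", "recovery"),
    ("Check Point Firewall", "block_ip", "ipv4", "containment"),
    ("Check Point Firewall", "unblock_ip", "ipv4", "recovery"),
    ("Check Point Firewall", "block_url", "url", "containment"),
]

# Constructed stand-ins for the AD and Falcon lookups (hypothetical data).
AD_USER_BY_MAIL = {"j.doe@corp.example": "CORP\\jdoe"}
FALCON_DEVICES_BY_USER = {"CORP\\jdoe": ["a1b2c3d4e5f6"]}


def extract_artifacts(raw_json):
    """Step 1: pull every artifact out of the raw alert, keyed by type."""
    alert = json.loads(raw_json)
    found = defaultdict(set)
    # Structured fields are taken from the schema directly ...
    found["message_id"].add(alert["message_id"])
    found["email"].update({alert["sender"], alert["recipient"]})
    for att in alert.get("attachments", []):
        found["sha256"].add(att["sha256"].lower())
    # ... while body and headers are scanned with the regexes above.
    text = " ".join([alert.get("body", "")] + list(alert.get("headers", {}).values()))
    for kind, pattern in ARTIFACT_PATTERNS.items():
        found[kind].update(m.lower() if kind == "sha256" else m
                           for m in pattern.findall(text))
    return {k: v for k, v in found.items() if v}


def resolve_identities(artifacts, recipient):
    """Recipient address -> AD username -> Falcon device IDs (derived artifacts)."""
    out = {k: set(v) for k, v in artifacts.items()}
    user = AD_USER_BY_MAIL.get(recipient)
    if user:
        out.setdefault("username", set()).add(user)
        for dev in FALCON_DEVICES_BY_USER.get(user, []):
            out.setdefault("device_id", set()).add(dev)
    return out


def narrow_commands(artifacts):
    """Step 2: keep only commands that accept an artifact type we actually
    hold, grouped into enrichment / containment / recovery."""
    present = {kind for kind, values in artifacts.items() if values}
    grouped = {"enrichment": [], "containment": [], "recovery": []}
    for integration, command, kind, category in COMMAND_CATALOG:
        if kind in present:
            grouped[category].append(f"{integration}: {command} ({kind})")
    return grouped


if __name__ == "__main__":
    arts = resolve_identities(extract_artifacts(SAMPLE_ALERT), "j.doe@corp.example")
    for kind, values in sorted(arts.items()):
        print(f"{kind:>10}: {sorted(values)}")
    for category, commands in narrow_commands(arts).items():
        print(f"\n{category.upper()}")
        for c in commands:
            print("  " + c)
```

Running it on the constructed alert yields seven artifact types and a list of sixteen candidate commands split across the three groups; the same catalog run on the email-only artifacts (without the identity lookups) drops every username and device_id command, which is the practical reason the playbook has to plan for those derived artifacts up front.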
Now that we have an organized list of integration commands we are ready to start designing our playbook.
In the next part in this series, we will wireframe the workflow and select which commands we want to run when.
This will prepare us for part three where we actually build the playbook and run sample data through it.
This Cyber News was published on securityboulevard.com. Publication date: Sat, 02 Dec 2023 03:13:05 +0000