How to Build a Phishing Playbook Part 2: Wireframing

Welcome back to our series on automating phishing investigation and response with playbooks in Smart SOAR. This is a four-part series covering preparation, wireframing, development, and testing.
Wireframing workflows is an excellent step in-between preparation and development because it lets you validate the logic of the workflow alongside other stakeholders who may be a part of the process.
This will save you time and makes building the logic of the playbook a faster, more collaborative process.
Before we start the wireframe, let's talk about playbook structure.
From our experience, there are four key stages to end-to-end playbooks: triage, enrichment, containment, and recovery.
In Smart SOAR, we use event playbooks to assess the incoming alert and set an accurate severity for it so the incident response team can allocate their time accordingly.
Rather than querying databases, reading through the results, and parsing it manually, the playbook should completely automate this stage with the end goal of displaying only the relevant information to the investigation team.
Actions taken in this stage can include resetting user passwords, deleting emails and files, blocking destination IP addresses, and more.
As this is a phishing playbook we will also use the authentication results to set a severity level for this alert as it's ingested.
For this, we will build an event playbook that checks the authentication results and updates the severity to low, medium, high, or critical.
The work done in the preparation stage makes wireframing enrichment, containment, and recovery very straightforward.
Recipient Email: With the recipient's email, we want to get additional details on them from our IAM tool, Active Directory.
Sender Email: Our goal with the sender email is to see if they are targeting any other members of our organization.
If related emails are found, we will pull in details on those emails as well.
File Hash: The file included in the email can be enriched with Recorded Future for open-source intelligence and also searched within CrowdStrike for any other devices that have downloaded the file.
Message ID: The original email and other email sent by the sender can be reported, and deleted from Office 365.
Recovery is about resetting assets that have been taken offline or blocked during the containment stage.
Wireframing each stage lets us think through the logic and run it by teammates for approval and input.
In the next part of this series, we will start building the playbook in D3 Smart SOAR, including the event playbook for triage and the incident playbook for enrichment, containment, and recovery.
Then we will proceed with testing and publish the playbook in part four.


This Cyber News was published on securityboulevard.com. Publication date: Fri, 05 Jan 2024 21:43:05 +0000


Cyber News related to How to Build a Phishing Playbook Part 2: Wireframing

How to Build a Phishing Playbook Part 2: Wireframing - Welcome back to our series on automating phishing investigation and response with playbooks in Smart SOAR. This is a four-part series covering preparation, wireframing, development, and testing. Wireframing workflows is an excellent step in-between ...
10 months ago Securityboulevard.com
How to Build a Phishing Playbook Part 1: Preparation - Automating response to phishing attacks remains one of the core use-cases of SOAR platforms. In 2022, the Anti-Phishing Working Group logged ~4.7 million phishing attacks. Since 2019, the number of phishing attacks has increased by more than 150% ...
11 months ago Securityboulevard.com
Playbooks on-prem - To address this challenge, Sekoia.io has recently released Playbooks on-prem. In this way, Playbooks on-prem may appeal to companies seeking to synchronize cloud actions with those executed on-premises. At its core, Playbooks on-prem revolve around a ...
8 months ago Blog.sekoia.io
How to create an incident response playbook - Creating and maintaining an incident response playbook can significantly improve the speed and effectiveness of your organization's incident response. To help, here's a crash course on what incident response playbooks are, why they are important, how ...
10 months ago Techtarget.com
Spear Phishing vs Phishing: What Are The Main Differences? - Almost half of them used phishing to obtain the passwords of users. Highly targeted phishing campaigns against specific individuals or types of individuals are known as spear phishing. It's important to be able to spot phishing in general. For ...
9 months ago Techrepublic.com
How to Build a SOAR Playbook: Start with the Artifacts - Security Boulevard - Artifacts are data elements relevant to your security incidents, such as device IDs, user IDs, IP addresses, file hashes, and process names. By focusing on commands that interact with your key artifacts, you streamline your playbook, making it more ...
1 month ago Securityboulevard.com
CVE-2024-26626 - In the Linux kernel, the following vulnerability has been resolved: ...
8 months ago
Flipping the BEC funnel: Phishing in the age of GenAI - For years, phishing was just a numbers game: A malicious actor would slap together an extremely generic email and fire it out to thousands of recipients in the hope that a few might take the bait. Common among these new techniques was a shift towards ...
9 months ago Helpnetsecurity.com
What SOCs Need to Know About Water Dybbuk - According to the Federal Bureau of Investigation, BEC costs victims more money than ransomware, with an estimated US$2.4 billion being lost to BEC in the US in 2021. Recently, BEC scammers have been using stolen accounts from legitimate Simple Mail ...
1 year ago Trendmicro.com
Combat Phishing Attacks With AI-Powered Threat Protection - According to statistics, 81% of organizations have seen an increase in phishing emails since 2020, with an estimated 3.4 billion emails sent every day. AI-generated phishing emails are a sophisticated and evolving cybersecurity threat. ...
9 months ago Gbhackers.com
The Future of Phishing Email Training for Employees in Cybersecurity - One common method they use is through phishing emails. To counter this changing threat, companies must give importance to providing phishing email training for employees on identifying and responding properly to phishing attempts. Standard training ...
5 months ago Hackread.com
Phishing Campaign Exploits Open Redirection Vulnerability In 'Indeed.com' - Phishing remains one of the most prevalent challenges facing organisations, with more than three billion malicious emails estimated to be sent around the world every day. Owing to the prevalence of the problem, Verizon's 2023 Data Breach ...
7 months ago Cyberdefensemagazine.com
How to Use Ansible with CML - Similar to Terraform, Ansible is a common, open-source automation tool often used in Continuous Integration/Continuous Deployment DevOps methodologies. Although overlaps exist in the capabilities of Terraform and Ansible, they are very complementary. ...
9 months ago Feedpress.me
Vade Releases 2023 Phishers' Favorites Report - PRESS RELEASE. SAN FRANCISCO, Feb. 15, 2024 /PRNewswire/ - Vade, a global leader in threat detection and response with more than 1.4 billion mailboxes protected, today announced its annual Phishers' Favorites report for 2023. Phishers' Favorites ...
8 months ago Darkreading.com
One Phish, Two Phish, Red Phish, Blue Phish - I sat down for a chat with George Skouroupathis, our phishing expert at Resonance Security. Phishing is often the first step taken by hackers in a larger scam. There are lots of different kinds of phishing attacks, but one of the most prevalent is ...
5 months ago Hackread.com
"Quishing" you a Happy Holiday Season - QR Code phishing scams - What they are and how to avoid them. Originally invented to keep track of car parts in the early 90s, QR codes have been around for decades. Quishing, or QR Code phishing, exploits smartphone users scanning the 2D barcode, ...
10 months ago Netcraft.com
Telegram is a Wide-Open Marketplace for Phishing Tools - The encrypted messaging app Telegram has become a veritable marketplace for bad actors who want to launch effective phishing campaigns on the cheap, essentially democratizing the cyberthreat, according to researchers at cybersecurity firm Guardio. ...
9 months ago Securityboulevard.com
CVE-2023-6727 - Mattermost fails to perform correct authorization checks when creating a playbook action, allowing users without access to the playbook to create playbook actions. If the playbook action created is to post a message in a channel based on specific ...
10 months ago Tenable.com
CVE-2023-6547 - Mattermost fails to validate team membership when a user attempts to access a playbook, allowing a user with permissions to a playbook but no permissions to the team the playbook is on to access and modify the playbook. This can happen if the user ...
10 months ago Tenable.com
Deploy Keycloak Single Sign-On With Ansible - In this article, you'll use Ansible to simplify and automate the installation of Keycloak, a popular open-source tool to implement single sign-on for Web applications. The tutorial in this article builds on an Ansible Collection named middleware ...
10 months ago Feeds.dzone.com
USPS Delivery Phishing Scam Exploits SaaS Providers to Steal Data - A new USPS Delivery Phishing Scam has surfaced, in which scammers are exploiting Freemium Dynamic DNS and SaaS Providers to steal victims' login credentials and other data. Cybersecurity researchers at Bloster AI have uncovered a new USPS Delivery ...
11 months ago Hackread.com
5 Common Phishing Vectors and Examples - Phishing attacks can be executed through various means, such as SMS and phone calls, but the most prevalent method involves sending victims emails containing malicious attachments. Let's take a closer look at these types and examine examples of ...
5 months ago Cybersecuritynews.com
Watch out for "I can't believe he is gone" Facebook phishing posts - This phishing attack is ongoing and widely spread on Facebook through friend's hacked accounts, as the threat actors build a massive army of stolen accounts for use in further scams on the social media platform. As the posts come from your friends' ...
9 months ago Bleepingcomputer.com
Police takes down BulletProftLink large-scale phishing provider - The notorious BulletProftLink phishing-as-a-service platform that provided more than 300 phishing templates has been seized, the Royal Malaysian Police announced. The operation started in 2015 but came to researchers' radar later and became more ...
11 months ago Bleepingcomputer.com
Splunk: AI isn't making spear phishing more effective - Despite increased concerns, AI tools won't give adversaries an advantage when it comes to sending effective phishing emails, according to new research by Splunk's Surge security research team. In a blog post Thursday, Tamara Chacon, security ...
10 months ago Techtarget.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)