Welcome back to our series on automating phishing investigation and response with playbooks in Smart SOAR. This is a four-part series covering preparation, wireframing, development, and testing.
Wireframing workflows is an excellent step in between preparation and development because it lets you validate the logic of the workflow alongside the other stakeholders who are part of the process.
This saves you time and makes building the logic of the playbook a faster, more collaborative process.
Before we start the wireframe, let's talk about playbook structure.
From our experience, there are four key stages to end-to-end playbooks: triage, enrichment, containment, and recovery.
In Smart SOAR, we use event playbooks to assess the incoming alert and set an accurate severity for it so the incident response team can allocate their time accordingly.
In the enrichment stage, rather than querying databases, reading through the results, and parsing them manually, the playbook should fully automate the work, with the end goal of displaying only the relevant information to the investigation team.
Containment actions taken in the next stage can include resetting user passwords, deleting emails and files, blocking destination IP addresses, and more.
As this is a phishing playbook, we will also use the authentication results to set a severity level for this alert as it's ingested.
For this, we will build an event playbook that checks the authentication results and updates the severity to low, medium, high, or critical.
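As an added illustration (not code from this post or from D3 Smart SOAR), here is a Python sketch of what that triage step does: it reads the SPF, DKIM and DMARC outcomes from the email's Authentication-Results header and maps them to one of the four severities. The sample header values and the severity mapping are this example's own assumptions, not the playbook's.

```python
import re

# Constructed sample Authentication-Results values (not taken from any real mail).
SAMPLE_ALL_PASS = (
    "mx.example.net; spf=pass smtp.mailfrom=acme.example; "
    "dkim=pass (2048-bit key) header.d=acme.example; dmarc=pass header.from=acme.example"
)
SAMPLE_ALL_FAIL = (
    "mx.example.net; spf=fail smtp.mailfrom=acme.example; "
    "dkim=fail header.d=acme.example; dmarc=fail header.from=acme.example"
)

METHODS = ("spf", "dkim", "dmarc")
FAILING = {"fail", "softfail", "permerror"}   # outcomes treated as a failed check


def parse_auth_results(header: str) -> dict:
    """Return {method: result} for spf/dkim/dmarc.

    A method that does not appear in the header is reported as 'none', so a
    stripped or missing header degrades to 'unknown' rather than to 'pass'.
    """
    results = {m: "none" for m in METHODS}
    for match in re.finditer(r"\b(spf|dkim|dmarc)=([a-z]+)", header.lower()):
        results[match.group(1)] = match.group(2)
    return results


def severity_from_auth(results: dict) -> str:
    """Assumed mapping (this example's choice, not Smart SOAR's):
    critical - DMARC fails, or both SPF and DKIM fail
    high     - any single check fails
    medium   - any check missing or temporarily unavailable
    low      - every check passes
    """
    spf, dkim, dmarc = results["spf"], results["dkim"], results["dmarc"]
    if dmarc == "fail" or (spf in FAILING and dkim in FAILING):
        return "critical"
    if spf in FAILING or dkim in FAILING or dmarc in FAILING:
        return "high"
    if any(r in ("none", "temperror") for r in (spf, dkim, dmarc)):
        return "medium"
    return "low"


def triage(header: str) -> dict:
    """Event-playbook style output: parsed checks plus the severity to set."""
    results = parse_auth_results(header)
    return {"checks": results, "severity": severity_from_auth(results)}
```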
The work done in the preparation stage makes wireframing enrichment, containment, and recovery very straightforward.
Recipient Email: With the recipient's email, we want to get additional details on them from our IAM tool, Active Directory.
Sender Email: Our goal with the sender email is to see if they are targeting any other members of our organization.
If related emails are found, we will pull in details on those emails as well.
File Hash: The file included in the email can be enriched with Recorded Future for open-source intelligence and also searched within CrowdStrike for any other devices that have downloaded the file.
Message ID: The original email and any other emails sent by the sender can be reported and deleted from Office 365.
Recovery is about resetting assets that have been taken offline or blocked during the containment stage.
Wireframing each stage lets us think through the logic and run it by teammates for approval and input.
In the next part of this series, we will start building the playbook in D3 Smart SOAR, including the event playbook for triage and the incident playbook for enrichment, containment, and recovery.
Then we will proceed with testing and publish the playbook in part four.
This Cyber News was published on securityboulevard.com. Publication date: Fri, 05 Jan 2024 21:43:05 +0000