This playbook describes how to use the Stories Workbench to investigate stories for attacks that use phishing websites.
This playbook outlines a systematic approach for SOC engineers to investigate potential security incidents related to websites used for phishing attacks. It provides a framework for gathering initial information, analyzing network traffic, and drawing conclusions about the nature of the threat.
Use the Details widget in the story to gather basic information about the potential threat. Review the Description of the story and other data to decide if further investigation is required. In addition, the Similar Stories section shows other stories that share similar indicators and observables.
Click Generate AI Summary for a natural language story description that provides rich context and helps you quickly assess the story.
Use the Source widget to review data about the device that is impacted by this attack.
You can also use the Indications Catalog for more information (such as the Indication ID), and focus the investigation based on your query.
The Attack Distribution graph can help you understand the nature of the traffic: periodic attacks that resemble bot behavior, a one-time occurrence, or other characteristics.
For phishing attacks, the traffic distribution usually consists of a small number of flows, or a one-time occurrence, with a graph that looks similar to this:
To properly investigate a potential phishing attack, it's important to first identify at what stage the attack was detected. Cato's Security services detect phishing attacks at the following different stages:
- Block Access - Cato identifies the browsing destination as a phishing site and blocks access to the site
- Block Credentials Submission - When a user accesses a phishing site and the site is rendered in the browser, Cato can block the user from entering credentials
- Post-Compromise Detection - The Suspicious Activity Monitoring (SAM) service can identify when a user submits credentials in risky sites, and creates events that alert the admin to the potential breach
Use the Target Actions widget to see the events that relate to the story and find information to determine at what stage the phishing attempt was detected, and if it was blocked. The Threat Name field can indicate at what point the attack was detected.
This is an example of an event showing an IPS block of credential submission on a phishing site:
After determining the stage at which the potential attack was detected, follow the investigation steps described below for detection at that stage.
This section describes an approach for verifying that the blocked website is a phishing site. This part of the investigation focuses mainly on the target.
The Targets section lets you examine the identified targets to learn more about their potential intent and the likelihood that the target is malicious:
- Assess Cato's malicious score
- Examine Cato's popularity
- Consider associated Cato categories
- Review the number of threat intelligence feeds linked to the target
An especially important indicator for phishing attacks is the Creation Date of the domain. If the date is recent, it is more likely that the site is malicious.
Using Target Links to Search External Sources
By now, you should have a solid grasp of the activity captured in this story. The Target Links help you conduct an external search on reputable sources for historical context and signs of malicious behavior. Correlate this data to identify connections with other entities and possible links to known threat actors, campaigns, or techniques.
Use the Attack Related Flows section to examine unprocessed data flows related to the story.
Analyze supplementary data points from these flows, including URLs, user-agents, file names, and other relevant attributes, and compare them to the findings from the previous investigation step to reveal potential correlations.
For most cases of blocked access to a phishing site, the correct classification for the story is Browsing to a Phishing Site.
- Verify with the victim whether the attack was a spear phishing attempt and was specifically targeted at them (using a private name, private information, etc.). If not, ensure that no other employees were victims of the same phishing campaign.
- If the source of the phishing attempt is email-based and known to the user, mitigate the attack by using your organizational email platform to report and block the source address.
- If the source of the phishing attempt is unknown, perform a full Endpoint Protection scan (Anti-Virus, EPP, EDR, etc.) and remove any unknown programs and browser extensions from the infected machine.
This section describes an approach for verifying there was an attempt to submit credentials to a phishing website. This part of the investigation focuses mainly on the detected target and URL.
The Targets section lets you examine the identified targets to learn more about their potential intent and the likelihood that the target is malicious:
- Assess Cato's malicious score
- Examine Cato's popularity
- Consider associated Cato categories
- Review the number of threat intelligence feeds linked to the target
An especially important indicator for phishing attacks is the Creation Date of the domain. If the date is recent, it is more likely that the site is malicious.
Using Target Links to Search External Sources
By now, you should have a solid grasp of the activity captured in this story. The Target Links help you conduct an external search on reputable sources for historical context and signs of malicious behavior. Correlate this data to identify connections with other entities and possible links to known threat actors, campaigns, or techniques.
Identifying the Referrer
In phishing attacks, the target first communicated with is often not the malicious site itself, but a referrer site, meaning a site that contains the link to the malicious site. The referrer site appears in the Attack Related Flows section in the Referrer column.
Checking the Referrer with Domain Lookup
After identifying a referrer, you can use Domain Lookup to research the domain. Low Popularity and a high Malicious Score indicate a malicious domain.
Use the Attack Related Flows section to examine unprocessed data flows related to the story.
Analyze supplementary data points from these flows, including URLs, user-agents, file names, and other relevant attributes, and compare them to the findings from the previous investigation step to reveal potential correlations.
When investigating a URL, it is important to check whether it contains any sensitive data (note that in many cases the URLs are encoded and need to be decoded to access all the data they contain). We also recommend checking external tools for similar URL patterns to gain further insight into the detected traffic.
Note: When performing an investigation, we recommend that you don't access suspicious phishing-related sites.
For most cases of blocked credentials submission to a phishing site, the correct classification for the story is Credentials Submission Attempt.
- If sensitive data is leaked, change the password to the relevant services and consider initiating a hard log-off from all services.
- Make sure that no malicious files are downloaded and executed.
- Verify with the victim whether the attack was a spear phishing attempt and was specifically targeted at them (using a private name, private information, etc.). If not, ensure that no other employees were victims of the same phishing campaign.
- If the source of the phishing attempt is email-based and known to the user, mitigate the attack by using your organizational email platform to report and block the source address.
- If the source of the phishing attempt is unknown, perform a full Endpoint Protection scan (Anti-Virus, EPP, EDR, etc.) and remove any unknown programs and browser extensions from the infected machine.
This section describes an approach for verifying there was submission of credentials to a phishing website. This part of the investigation focuses mainly on the detected target and referrer (a site that contains the link to the malicious site).
The Targets section lets you examine the identified targets to learn more about their potential intent and the likelihood that the target is malicious:
- Assess Cato's malicious score
- Examine Cato's popularity
- Consider associated Cato categories
- Review the number of threat intelligence feeds linked to the target
An especially important indicator for phishing attacks is the Creation Date of the domain. If the date is recent, it is more likely that the site is malicious.
Using Target Links to Search External Sources
By now, you should have a solid grasp of the activity captured in this story. The Target Links help you conduct an external search on reputable sources for historical context and signs of malicious behavior. Correlate this data to identify connections with other entities and possible links to known threat actors, campaigns, or techniques.
Identifying the Referrer
In phishing attacks, the target first communicated with is often not the malicious site itself, but a referrer site, meaning a site that contains the link to the malicious site. The referrer site appears in the Attack Related Flows section in the Referrer column.
Checking the Referrer with Domain Lookup
After identifying a referrer, you can use Domain Lookup to research the domain. Low Popularity and a high Malicious Score indicate a malicious domain.
Use the Attack Related Flows section to examine unprocessed data flows related to the story.
Analyze supplementary data points from these flows, including URLs, user-agents, file names, and other relevant attributes, and compare them to the findings from the previous investigation step to reveal potential correlations.
When investigating a URL, it is important to check whether it contains any sensitive data (note that in many cases the URLs are encoded and need to be decoded to access all the data they contain). We also recommend checking external tools for similar URL patterns to gain further insight into the detected traffic.
Note: When performing an investigation, we recommend that you don't access suspicious phishing-related sites.
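As an added example (not part of the Cato playbook), the following Python script applies the URL and referrer checks described in both Credentials Submission sections to constructed Attack Related Flows rows: it percent- and base64-decodes each query parameter, flags values that decode to an e-mail address (a typical form of leaked sensitive data), and lists referrer hosts that differ from the target host as candidates for Domain Lookup. All URLs, hostnames and parameter names are constructed for illustration.

```python
import base64, binascii, re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample rows in the shape of the Attack Related Flows URL and Referrer columns.
SAMPLE_FLOWS = [
    {"url": "https://login-verify.example/auth?user=dmljdGltQGNvcnAuZXhhbXBsZQ%3D%3D&next=%2Fhome",
     "referrer": "https://docs-share.example/view/123"},
    {"url": "https://login-verify.example/auth?e=victim%40corp.example&session=abc123",
     "referrer": "https://docs-share.example/view/123"},
    {"url": "https://login-verify.example/auth/submit",   # page posting to itself, not a lure
     "referrer": "https://login-verify.example/auth"},
]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

def deep_decode(value, max_rounds=3):
    """Return every readable form of value after repeated percent- and base64-decoding."""
    seen, current = [], value
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded not in seen:
            seen.append(decoded)
        try:
            padded = decoded + "=" * (-len(decoded) % 4)   # tolerate stripped padding
            text = base64.b64decode(padded, validate=True).decode("utf-8")
            if text.isprintable() and text not in seen:
                seen.append(text)
                current = text
                continue
        except (binascii.Error, UnicodeDecodeError):
            pass                                            # not base64: keep the percent-decoded form
        if decoded == current:
            break
        current = decoded
    return seen

def analyze_flows(flows):
    """Return (findings, referrers): (host, param, e-mail) triples and distinct off-target referrer hosts."""
    findings, referrers = [], set()
    for flow in flows:
        target = urlsplit(flow["url"])
        ref_host = urlsplit(flow.get("referrer", "")).hostname
        if ref_host and ref_host != target.hostname:        # a self-referrer is not a lure site
            referrers.add(ref_host)
        for name, raw in parse_qsl(target.query, keep_blank_values=True):
            for form in deep_decode(raw):
                if EMAIL_RE.fullmatch(form):
                    findings.append((target.hostname, name, form))
                    break
    return findings, sorted(referrers)
```

Run `analyze_flows(SAMPLE_FLOWS)` to get the flagged parameters and the referrer hosts to look up; the base64-encoded `user` parameter and the percent-encoded `e` parameter both resolve to the same address.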
For most cases of post-compromise detection of credentials submission to a phishing site, the correct classification for the story is Credentials Submission.
- If sensitive data is leaked, change the password to the relevant services and consider initiating a hard log-off from all services.
- Make sure that no malicious files are downloaded and executed.
- Verify with the victim whether the attack was a spear phishing attempt and was specifically targeted at them (using a private name, private information, etc.). If not, ensure that no other employees were victims of the same phishing campaign.
- If the source of the phishing attempt is email-based and known to the user, mitigate the attack by using your organizational email platform to report and block the source address.
- If the source of the phishing attempt is unknown, perform a full Endpoint Protection scan (Anti-Virus, EPP, EDR, etc.) and remove any unknown programs and browser extensions from the infected machine.
- If the identified traffic wasn't blocked, create an Internet Firewall rule to block the target.