Playbook Series: Phishing: Automate and Orchestrate Your Investigation and Response

Security Splunk

Phishing emails are not a new type of threat to most security professionals, but dealing with the growing volume and potential impact of them require an innovative solution. Today’s entry to our Playbook Series focuses on automating your Incident Response (IR) workflow for this common threat.

The Phantom platform includes a sample playbook for phishing that can help you triage, investigate, and respond to phishing email threats. By using the Phantom platform, you can customize the playbook to automatically triage every inbound suspicious email in seconds. Moreover, by integrating the platform with your file analysis platform (i.e. sandbox) and threat intelligence services, you can analyze files and retrieve threat intelligence on the URLs, DNS domains, and IPs relating to a particular suspicious email. Finally, you can define logic sequences that, based on the investigation results, will take actions on your behalf to mitigate the threat or escalate the incident up to you for supervisory action.

A visual representation of the phishing playbook as viewed using the Phantom 2.0 platform.

As shown in the above diagram, the Phantom platform ingests a suspicious email from your investigation queue (commonly an email mailbox on your mail server) and triggers the Phishing playbook, automating 15 triage, investigation, and remediation steps:

The benefits of automating your phishing IR workflow are numerous:

Interested in seeing how Phantom playbooks can help your organization? Get the free Phantom Community Edition.

----------------------------------------------------
Thanks!
Chris Simmons

Related Articles

Kaseya, Sera. What REvil Shall Encrypt, Shall Encrypt
Security
19 Minute Read

Kaseya, Sera. What REvil Shall Encrypt, Shall Encrypt

Kaseya VSA, remote monitoring management (RMM) software heavily used by managed service providers (MSP), was compromised by REvil, and is being used to distribute ransomware to its on-premises customers. Find out more on how to detect REvil in your environment.
EO, EO, It’s Off to Work We Go! (Protecting Against the Threat of Ransomware with Splunk)
Security
10 Minute Read

EO, EO, It’s Off to Work We Go! (Protecting Against the Threat of Ransomware with Splunk)

We read the 'What We Urge You To Do To Protect Against The Threat of Ransomware' memo and Executive Order (EO14028) in-depth, and this blog is designed to provide you with the information and takeaways to start acting immediately.
Staff Picks for Splunk Security Reading March 2022
Security
2 Minute Read

Staff Picks for Splunk Security Reading March 2022

Check out our Splunk security experts' curated list of presentations, white papers, and customer case studies that we feel are worth a read in the month of March.