Playbook
| Revised Date | Comment |
|---|---|
| 26.10.2024 | Page added |
Info
This page serves as a template for manual playbooks. Please modify it as you see fit.
Template starts below the line
| Title | Phishing email |
|---|---|
| ID | PB-000001 |
| Description | Response playbook for Phishing Email case |
| Author | [Author Name] |
| Creation Date | [Date] |
| Last Updated | [Date of last update] |
| Severity | Medium |
| TLP | AMBER |
| PAP | WHITE |
| ATT&CK Tactic | TA0001: Initial Access |
| ATT&CK Technique | T1566.001: Spearphishing Attachment, T1566.002: Spearphishing Link |
| Tags | phishing, phishing response, email threats, incident management |
Purpose
To provide a structured response to phishing incidents, ensuring swift action and proper documentation.
Overview
This playbook outlines the steps to take when a phishing incident is identified.
Steps
Tip
For this Playbook to be useful, you should include links to the relevant Standard Operating Procedures (SOPs) for each step. Placeholders are provided at the end of every sub-step here (“Link to SOP”), but please replace them with links that suit your organizational setup.
1. Identification
- Confirm whether the reported email is indeed a phishing attempt. Link to SOP.
- Verify the sender’s address and any suspicious links. Link to SOP.
2. Containment
- Notify the affected user not to click on any links or provide personal information. Link to SOP.
- Block the sender’s email address in the email security gateway. Link to SOP.
3. Analysis
- Analyze the phishing email for indicators of compromise (IOCs). Link to SOP.
- Identify any potentially impacted accounts or systems. Link to SOP.
4. Eradication
- Remove the phishing email from all affected users’ inboxes. Link to SOP.
- Reset passwords for any accounts that may have been compromised. Link to SOP.
5. User Education
- Conduct a training session for all employees on recognizing phishing attempts. Link to SOP.
- Share examples of the phishing email with the team. Link to SOP.
6. Reporting
- Document the incident in the incident management system. Link to SOP.
- Report the phishing attempt to relevant authorities (e.g., anti-phishing organizations). Link to SOP.
7. Review
- Conduct a post-incident review to evaluate the response process. Link to SOP.
- Update training materials and security awareness programs based on lessons learned. Link to SOP.
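Steps 1 and 3 above (verify the sender and links, then extract IOCs) in working form, as an added Python example that is not part of this playbook template: it parses a constructed sample message with the standard library, records the sender, Reply-To, authentication results, URLs and attachment hashes an analyst would document and block, and raises simple triage flags. Every address, domain and header in the sample is made up, and the flag heuristics and risky-extension list are assumptions to adapt to your own SOPs.

```python
import email.utils
import hashlib
import re
from email import policy

# Constructed sample message for illustration only; every address and domain is made up.
SAMPLE_EML = b"""\
From: "IT Helpdesk" <helpdesk@example-corp.com>
Reply-To: support@mail.example.net
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=example-corp.com; dkim=none
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Reset your password at http://example-corp.com.login.example.net/reset now.
--XYZ
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"

MZ-not-a-real-binary
--XYZ--
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
RISKY_EXT = (".exe", ".js", ".vbs", ".scr", ".hta", ".iso")  # assumed list; adapt to your SOP

def extract_iocs(raw):
    """Collect sender, reply-to, auth results, URLs and attachment hashes, plus triage flags."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    iocs = {"from": str(msg.get("From", "")), "reply_to": str(msg.get("Reply-To", "")),
            "auth_results": str(msg.get("Authentication-Results", "")),
            "urls": [], "attachments": [], "flags": []}
    for part in msg.walk():
        name = part.get_filename()
        if name:  # attachment: record name and SHA-256 so it can be hunted for and blocked
            data = part.get_payload(decode=True) or b""
            iocs["attachments"].append({"name": name, "sha256": hashlib.sha256(data).hexdigest()})
            if name.lower().endswith(RISKY_EXT):
                iocs["flags"].append("executable attachment: " + name)
        elif part.get_content_type() == "text/plain":
            iocs["urls"].extend(URL_RE.findall(part.get_content()))
    # Domain part of From and Reply-To ('' when a header is missing); a mismatch is a common phishing tell
    from_dom, reply_dom = (email.utils.parseaddr(iocs[k])[1].rpartition("@")[2].lower()
                           for k in ("from", "reply_to"))
    if reply_dom and reply_dom != from_dom:
        iocs["flags"].append("reply-to domain differs from sender domain")
    if re.search(r"\b(spf|dkim|dmarc)=fail\b", iocs["auth_results"]):
        iocs["flags"].append("sender authentication failed")
    return iocs
```

The returned dictionary is the record to paste into the incident management system in step 6, and its sender address and attachment hashes feed the gateway block in step 2.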