demisto · slavikm · Aug 2, 2016 · Aug 2, 2016
diff --git a/Playbooks/playbook-Phishing.yml b/Playbooks/playbook-Phishing.yml
@@ -0,0 +1,361 @@
+id: playbook2
+version: 1
+name: Phishing Playbook - Manual
+description: Master playbook for phishing incidents. This playbook is a manual playbook.
+tasks:
+- id: "1"
+  taskid: f61f3880-e5f6-4a41-8af8-3349e3ebffff
+  type: title
+  task:
+    id: f61f3880-e5f6-4a41-8af8-3349e3ebffff
+    version: 4
+    name: Engage
+    istitletask: true
+    issystemtask: true
+- id: "2"
+  taskid: d69a6289-b692-404c-8f90-d37d72aa265c
+  type: regular
+  task:
+    id: d69a6289-b692-404c-8f90-d37d72aa265c
+    version: 3
+    name: Notify management chain
+    description: 'Notify appropriate people inside the organization. '
+    issystemtask: true
+- id: "3"
+  taskid: 21cb9178-78a0-4610-801f-3bc5f808e4a2
+  type: regular
+  task:
+    id: 21cb9178-78a0-4610-801f-3bc5f808e4a2
+    version: 3
+    name: Initial triage
+    description: 1. Make sure that there is relevant information in the incident -
+      system name, end user name and initial severity as reported.
+    issystemtask: true
+- id: "4"
+  taskid: b7f2e51f-a39f-4cba-881d-e7efbef2553e
+  type: title
+  task:
+    id: b7f2e51f-a39f-4cba-881d-e7efbef2553e
+    version: 1
+    name: 'Investigation Step 1: Initial Inspection'
+    istitletask: true
+    issystemtask: true
+    clonedfrom: ea731eb3-f592-42f3-892a-6a7d48c42e4d
+- id: "5"
+  taskid: 30e833d0-8336-4ecd-8a36-a997ac1bb100
+  type: regular
+  task:
+    id: 30e833d0-8336-4ecd-8a36-a997ac1bb100
+    version: 1
+    name: Inspect the email body for malicious URLs
+    description: Check the email body attached to the incident and see if it has malicious
+      URLs in it using threat feeds
+    issystemtask: true
+- id: "6"
+  taskid: 0aba5f0e-c71f-4a1f-8f7a-993f727e3825
+  type: regular
+  task:
+    id: 0aba5f0e-c71f-4a1f-8f7a-993f727e3825
+    version: 1
+    name: Inspect the email attachments
+    description: Check the attachments with threat services to see if any of them
+      is known bad
+    issystemtask: true
+- id: "7"
+  taskid: fa90abdd-2ec1-490b-8a9e-2acc6f2f721d
+  type: regular
+  task:
+    id: fa90abdd-2ec1-490b-8a9e-2acc6f2f721d
+    version: 1
+    name: Is the sender name or email address identified as bad by threat feeds?
+    description: Check the sender email and name against threat feed sources.
+    issystemtask: true
+- id: "8"
+  taskid: d9fad845-7f5b-4c79-8835-2e8358c84e04
+  type: regular
+  task:
+    id: d9fad845-7f5b-4c79-8835-2e8358c84e04
+    version: 1
+    name: Check if the hostname is being misrepresented?
+    description: |-
+      Check if domain of sender or any hostname in the URLs inside the email body are misrepresented. See if the URL text versus the hostname shown are different by comparing the link with the text. Also carefully inspected the URLs for spelling spoofing which
+       is typically a sign of phishing email.
+    issystemtask: true
+- id: "9"
+  taskid: 5d36d65b-d63f-40b7-8167-2a341e9bed62
+  type: condition
+  task:
+    id: 5d36d65b-d63f-40b7-8167-2a341e9bed62
+    version: 1
+    name: Is this a real phishing email?
+    description: Based on the steps above, is this really a phishing email?
+    issystemtask: true
+    clonedfrom: ef2034e6-1228-49a1-885a-01dce99cc963
+  condition:
+    "no":
+    - id: "10"
+      taskid: b37377be-5c13-41f5-8635-69ea34571af7
+      type: regular
+      task:
+        id: b37377be-5c13-41f5-8635-69ea34571af7
+        version: 1
+        name: Close the investigation as false positive
+        description: Close the investigation as false positive and reply to the user
+          sending the email that it is not malicious.
+        issystemtask: true
+    "yes":
+    - id: "11"
+      taskid: e76cfd73-35f3-4065-8e59-c37e365cd06c
+      type: regular
+      task:
+        id: e76cfd73-35f3-4065-8e59-c37e365cd06c
+        version: 2
+        name: Assess severity
+        description: 'Based on the end user affected, and other information assess
+          and change the severity if needed. '
+        issystemtask: true
+    - id: "12"
+      taskid: 5445acdd-df36-403e-8635-a0cbc3bd3f04
+      type: regular
+      task:
+        id: 5445acdd-df36-403e-8635-a0cbc3bd3f04
+        version: 2
+        name: Assign and involve appropriate personnel
+        description: 'Invite the relevant users for investigation - malware expert
+          and network experts if needed. '
+        issystemtask: true
+- id: "13"
+  taskid: eb2b0d5a-cc72-4640-8116-85750701ae1d
+  type: title
+  task:
+    id: eb2b0d5a-cc72-4640-8116-85750701ae1d
+    version: 1
+    name: 'Investigation Step 2: Deeper Analysis'
+    istitletask: true
+    issystemtask: true
+- id: "14"
+  taskid: 92ae3779-12c5-4a24-827e-56e413088b80
+  type: regular
+  task:
+    id: 92ae3779-12c5-4a24-827e-56e413088b80
+    version: 1
+    name: Get all the URLs from the email
+    issystemtask: true
+- id: "15"
+  taskid: 13e0228e-ad6a-4148-8aa6-55e8143a4620
+  type: regular
+  task:
+    id: 13e0228e-ad6a-4148-8aa6-55e8143a4620
+    version: 1
+    name: Get all the hostnames inside the email
+    issystemtask: true
+- id: "16"
+  taskid: 05855c19-9221-478d-8c83-4145aa2cff16
+  type: regular
+  task:
+    id: 05855c19-9221-478d-8c83-4145aa2cff16
+    version: 1
+    name: Fetch all the files from the URL
+    description: 'Use curl or similar tool to download all the files from the URLs
+      in the email. '
+    issystemtask: true
+- id: "17"
+  taskid: 010895a1-9f86-4106-8e56-8f6889d5e228
+  type: condition
+  task:
+    id: 010895a1-9f86-4106-8e56-8f6889d5e228
+    version: 1
+    name: Are the files download malicious - hash inspection?
+    description: Check the files MD5 and SHA1 against the threat feed databases.
+    issystemtask: true
+  condition:
+    "no":
+    - id: "18"
+      taskid: 2580b31a-6c04-45b1-8752-959f66084ae3
+      type: condition
+      task:
+        id: 2580b31a-6c04-45b1-8752-959f66084ae3
+        version: 1
+        name: Are the files download malicious - static and dynamic analysis?
+        description: Check the files in a sandbox solution to see if they are malicious.
+        issystemtask: true
+      condition:
+        "no":
+        - id: "20"
+          taskid: 24063b39-4c30-4ef2-8e7c-36081b45faaa
+          type: condition
+          task:
+            id: 24063b39-4c30-4ef2-8e7c-36081b45faaa
+            version: 1
+            name: Is any URL malicious based on sandbox inspection?
+            description: 'Use Cuckoo or similar sandbox solutions for fetching the
+              content of the URL for deeper analysis. '
+            issystemtask: true
+          condition:
+            "no": []
+            "yes":
+            - id: "21"
+              taskid: 9c572188-54b5-4d56-8e62-95ee93e3a157
+              type: regular
+              task:
+                id: 9c572188-54b5-4d56-8e62-95ee93e3a157
+                version: 1
+                name: Consider this email as phishing and move to "Response Section"
+                issystemtask: true
+        "yes":
+        - id: "19"
+          taskid: email_phishing
+          type: regular
+          task:
+            id: email_phishing
+            version: 1
+            name: Consider this email as phishing and move to "Response Section"
+            issystemtask: true
+    "yes":
+    - id: "22"
+      taskid: ff551c65-6d74-460d-8e4d-4a5a84517e9b
+      type: regular
+      task:
+        id: ff551c65-6d74-460d-8e4d-4a5a84517e9b
+        version: 1
+        name: Consider this email as phishing and move to "Response Section"
+        issystemtask: true
+- id: "23"
+  taskid: 3b29ac0a-190d-46bf-80cf-dbc1197d2f80
+  type: title
+  task:
+    id: 3b29ac0a-190d-46bf-80cf-dbc1197d2f80
+    version: 1
+    name: 'Investigation Step 3: Is it a Campaign?'
+    istitletask: true
+    issystemtask: true
+- id: "24"
+  taskid: 78cc334d-fe36-4cb0-8e63-dbb571077edc
+  type: condition
+  task:
+    id: 78cc334d-fe36-4cb0-8e63-dbb571077edc
+    version: 1
+    name: Did we have a similar phishing email earlier?
+    description: Search past phishing investigations for subject sender, email content
+      and URLs.
+    issystemtask: true
+  condition:
+    "no": []
+    "yes":
+    - id: "25"
+      taskid: ec15c113-29a0-4ab5-85fc-3fc1fbe85a70
+      type: regular
+      task:
+        id: ec15c113-29a0-4ab5-85fc-3fc1fbe85a70
+        version: 1
+        name: Mark this as a campaign rather than isolated incident.
+        issystemtask: true
+    - id: "26"
+      taskid: e3710c0f-861d-4a9a-8e89-3488f572d74e
+      type: regular
+      task:
+        id: e3710c0f-861d-4a9a-8e89-3488f572d74e
+        version: 1
+        name: Link old and new incidents to this master incident.
+        description: Future emails with similar subject should be associated with
+          this incident
+        issystemtask: true
+- id: "27"
+  taskid: 0386fa2c-a246-4dd9-8592-976b630148fc
+  type: title
+  task:
+    id: 0386fa2c-a246-4dd9-8592-976b630148fc
+    version: 1
+    name: Respond
+    istitletask: true
+    issystemtask: true
+- id: "28"
+  taskid: faf506e6-c1bd-49ee-8348-bdb258984785
+  type: regular
+  task:
+    id: faf506e6-c1bd-49ee-8348-bdb258984785
+    version: 1
+    name: Notify internal PR team if this is a campaign
+    description: 'If we identified multiple emails with similar content, subject and
+      identified this as a campaign, we need to notify our users. Send an email to
+      internal communications team with the details - like sender, content etc. '
+    issystemtask: true
+- id: "29"
+  taskid: a0b42339-fa44-4215-8fdd-8dc900011dd8
+  type: regular
+  task:
+    id: a0b42339-fa44-4215-8fdd-8dc900011dd8
+    version: 1
+    name: Block email on the server
+    description: |-
+      Identify the appropriate headers from the initial email beyond subject
+       and sender email to make sure we can effectively block this on server. This
+       task needs analysis of header to make sure we do not block other emails and
+       still be effective in blocking.
+    issystemtask: true
+- id: "30"
+  taskid: e93a15aa-1c5d-46ff-813c-b1f6eed114f3
+  type: regular
+  task:
+    id: e93a15aa-1c5d-46ff-813c-b1f6eed114f3
+    version: 1
+    name: Notify IT to update SPAM filters
+    description: 'Give IT the phishing email so that they can train the SPAM filter
+      with this email to avoid future attacks. '
+    issystemtask: true
+- id: "31"
+  taskid: f487ba1c-d67b-40f2-8cf8-85f646b0d768
+  type: regular
+  task:
+    id: f487ba1c-d67b-40f2-8cf8-85f646b0d768
+    version: 1
+    name: Notify email security vendor
+    description: |-
+      Forward all the details to your security vendor for email security
+       solution. This will help them with the future updates.
+    issystemtask: true
+- id: "32"
+  taskid: 1b6d8f94-452c-43b2-8606-da89d3f738c8
+  type: regular
+  task:
+    id: 1b6d8f94-452c-43b2-8606-da89d3f738c8
+    version: 1
+    name: Remove email from inboxes
+    description: 'Work with IT to completely delete similar emails from all user inboxes.
+      Search through the SMTP logs to find all the recipients and delete the emails. '
+    issystemtask: true
+- id: "33"
+  taskid: c47f9b5a-cba2-4b2c-89ca-0c1003e9c295
+  type: regular
+  task:
+    id: c47f9b5a-cba2-4b2c-89ca-0c1003e9c295
+    version: 1
+    name: Blackholing phishing domain on Domain Controller
+    description: |-
+      Work with IT to black hole the phishing domains (this particular
+       and related ones from other emails and incidents that were marked duplicate).
+       This should be blocked on the domain controller by resolving to 127.0.0.1
+    issystemtask: true
+- id: "34"
+  taskid: b3e805e2-2566-4f28-884d-dcc8a8fe3573
+  type: regular
+  task:
+    id: b3e805e2-2566-4f28-884d-dcc8a8fe3573
+    version: 1
+    name: Blocking download URL
+    description: |2-
+       1. Try to identify a pattern in the URL. For example if the URL is: http://hackedwebsite.com/dl.php?campaign=ra&id=12731342834923919
+       2. Create a reasonable regex like: ^.+/dl.php?.*campaign=ra.$
+       3. Contact the proxy team to block URLs based on the pattern
+    issystemtask: true
+- id: "35"
+  taskid: ffa62d59-1b44-4305-8324-3cc29f4585ff
+  type: regular
+  task:
+    id: ffa62d59-1b44-4305-8324-3cc29f4585ff
+    version: 1
+    name: Report malware sample to AV vendors
+    description: Report all the files that were downloaded from URL to AV vendor and
+      virustotal like services.
+    issystemtask: true
+system: true