Phishing playbook
- Juan Tomás Alonso Nieto (Deactivated)
Introduction
The email phishing triage is one of the most commonly implemented use cases because it’s a combination of two of our significant focus areas: automation and threat detection.
To begin with:
Go to My Library > Playbooks.
Click New on the playbook page or click New Playbook from the left navigation.
Select a New Blank Playbook.
The first thing is to fetch emails; add automation 'Fetch Emails’ that gets you the emails. Search for IMAP and look for IMAP - Read Emails.
A connection has to be established to Devo SOAR. We have a Gmail account set up where I have sent many emails reported to be phishing. The connection is already set up to that Gmail account.
Enter the name of the folder (Inbox) and choose to read ALL emails and in the optional fields, enter the Filtering: Message Limit to be filtered.
With the help of automation, we are talking to Gmail connection, pulling in all the email data represented as JSON format.
What are the next typical steps that Devo SOARrecommends? Choose from the Recommendations or you can also search for the next steps to automate your data.
The next step is to Parse Emails that would be useful for phishing.
Enter the following details in the parse email form:
Parent: The node from which it is sourced from.
Email Column: Column containing email data as JSON
📘
Note
Read Emails need a connection to assist from outside. Parse Emails are modules that help you automate simple steps. For example, it parses out details such as count, attach, email from, cc, subject, message-id, and so forth.
Next, let’s look at the URLs from email and figure out if the emails are suspicious or benign using ‘Extract URLs from Email’.
Enter the following details in the extract URLs from the email form:
Parent: Parent node will be ‘parse emails’.
Email Column: Column containing email data as JSON.
The result displays all the extracted URLs from the emails.
Once we’ve extracted the URL, the next step is to talk to the webroot.
Add a step to analyze the URL using ‘Score URL using Webroot’ and parse the result that webroot senses and assign it a score. If the URL is greater than 8, then the URL is suspicious.
We have to build a connection to the webroot.
Enter the following details in the Score URL using Webroot form:
URLs: Table containing URL as a column.
URL Column: This is the URL column.
Click Next.
Add a webroot connection and click Run.
And now the result displays the filtered emails out of which most of them have URLs and scores.
We looked at the URLs on a score of it, you can do the same thing with attachments.
Add another step to filter out attachments using ‘Filter Emails with Attachments’.
Enter the following details in the Filter Emails with Attachments form:
Parent: Parent node will be Parse Emails
Attachment Count Column: Column containing the number of attachments for an email: attach_count
When the result is displayed, it shows the number of attachments. Extract the attachment and send it to the threat intelligent service.
Extract the attachment using ‘Extract First Attachment from Email’.
Enter the following details in the extract first attachment from the email form:
Parent: Parent node will be Filter Email with Attachments
Email Result Column: Column containing email data as JSON (result)
The results will be displayed with the attachment ID. Before we send the attachment, we need to calculate the MD5 of the file.
Add next step using ‘Enrich with MD5 and Sha of the File’.
Enter the following details in the form:
Parent: Parent node will be 'Extract First Attachment from Email'.
Attachment ID Column: Column containing attachment ID.
Click Next.
Add a connection for File Tools integration and click Run.
We have the MD5 and Sha results displayed.
Add a step to pass the file with webroot using ‘Webroot File Reputation Score’.
Enter the details in the Webroot File Reputation Score form:
Parent: Parent node will be Enrich with MD5 and Sha of the File.
Hash Column: Column containing hash (md5) of the file.
Click Next
Add a connection for Webroot BrightCloud integration
Now we have two branches, one that gives us the URL score, and the other provides the attachment with a score view.
Combine the URL and MD5 score into one final score: the lhub score using ‘Combine URL and MD5 Score’.
Enter the following details in the Combine URL and MD5 Score form:
MD5 Score Table: Table containing md5 score as lhub_score.
URL Score Table: Table containing URL score as url_score.
Parsed Emails: Table containing parsed emails, this table must have a column called msgid which is used to stitch attachment score and URL score together.
Now, we need to see what we can do with the data that I have.
Now, you can think of filtering out the data to get the precise number of suspicious emails.
Add ‘Stats by LHUB Score’ to see the number of suspicious or benign emails.
If the score is below 8, you can safely ignore it.
Enter the following details in the Stats by LHUB Score form:
Parent: Parent node will be Combine URL and MD5 Score.
The result shows the number of suspicious emails.
Add another step of filtering to get emails by score using ‘Filter Emails By Score’.
Enter the following details in the Filter Emails by Score form:
Parent: Parent node will be Combine URL and MD5 Score.
Score Threshold: Only return emails with a score greater than this threshold. The expected value is a number between 0-10.
The result displays a score greater than the specified threshold value.
👍
You've Successfully Completed the Steps in Playbook
These automation steps help you to analyze a bunch of emails and filters them out down to suspicious emails.
Devo SOARprovides recommendations for every step in the playbook; you can choose to select the steps from recommendations or search for the steps to automate. You can use our extensive steps catalog to find the steps and add them to the playbook to automate.
The final phishing playbook steps look like this. This is an example of fetching the phishing email steps in the playbook.