Notification or query received from a user | Automated alert from the Proofpoint Targeted Attack Protection (TAP) system
Check whether the originating IP and hostname are already listed on urlvoid.com, ipvoid.com, virustotal.com, malwr.com (for emails with attachments) and urlquery.com (for emails with URLs, to view the content of the website or file without visiting it)
If the email has an attachment, submit it to WildFire and review the analysis results for further URLs, IPs and dropped executables
Review of the Proofpoint report
Send out a spam/phishing email notification to affected users
Report the links to Blue Coat, BrightCloud and PhishTank
Review of proxy logs to see who has accessed the URL
Review of SIEM logs (ArcSight and Splunk) to see which systems have accessed the URL
Review of Nexthink logs to see which systems and users have accessed the URL and/or run the attachment executable
Review of the email sender's server IP to see whether there is any traffic from Jumeirah to that IP in ArcSight and Splunk
If the email had an attachment, add the attachment's MD5 and file name to a Symantec Endpoint Protection monitoring rule in SEP Manager to see whether it is present on Jumeirah workstations. If the phishing link points to an executable file, add it to the SEP "IT Security Malicious File Block" rule and monitor the resulting events in ArcSight and Splunk
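The proxy-log and endpoint-inventory reviews in the steps above can be scripted once the indicators are in hand. The following is an added example, not part of the original playbook or of any of the products named in it: it takes a phishing URL, the sender's server IP and the attachment hash from a reported email, finds which users reached the phishing host in a Squid-style proxy log, and finds which workstations hold the attachment in a file-inventory export. The log format, hostnames, user names, IPs and hashes are all constructed for this example.

```python
"""Added example, not from the original playbook: take the indicators pulled
from a reported phishing email and find who reached the phishing URL in the
proxy log and which workstations hold the attachment. Log format, hostnames,
user names and hashes are all constructed for this example."""
import re
from urllib.parse import urlsplit

# Indicators from the reported email (constructed values).
PHISH_URL = "http://login-secure-update.example.net/owa/auth.php?id=7731"
SENDER_IP = "203.0.113.45"
ATTACHMENT_MD5 = "d41d8cd98f00b204e9800998ecf8427e"
ATTACHMENT_NAME = "Invoice_0917.exe"

# Constructed proxy access-log lines (Squid native format):
# timestamp elapsed client-ip result/status bytes method url user
PROXY_LOG = """\
1694000001.123 150 10.20.30.41 TCP_MISS/200 4311 GET http://login-secure-update.example.net/owa/auth.php?id=7731 jsmith
1694000002.456 90 10.20.30.42 TCP_MISS/200 912 GET http://www.example.com/ -
1694000003.789 210 10.20.30.43 TCP_MISS/302 0 GET https://LOGIN-SECURE-UPDATE.example.net/owa/auth.php?id=9910 akhan
1694000004.001 75 10.20.30.44 TCP_DENIED/403 0 GET http://203.0.113.45/payload/update.bin mlee
1694000005.222 60 10.20.30.45 TCP_MISS/200 2200 GET http://login-secure-update.example.net/ -
"""

# Constructed endpoint file-inventory export: hostname,path,md5
ENDPOINT_INVENTORY = """\
WS-1041,C:\\Users\\jsmith\\Downloads\\Invoice_0917.exe,d41d8cd98f00b204e9800998ecf8427e
WS-1043,C:\\Users\\akhan\\Downloads\\report.pdf,0cc175b9c0f1b6a831c399e269772661
WS-1077,C:\\Temp\\invoice_0917.EXE,900150983cd24fb0d6963f7d28e17f72
"""

PROXY_LINE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+(?P<result>\S+)\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)"
)


def indicator_hosts(url: str, sender_ip: str) -> set[str]:
    """Match on host, not the full URL: campaigns vary the path or query
    per recipient, and the sender IP often also hosts the payload."""
    return {(urlsplit(url).hostname or "").lower(), sender_ip}


def find_url_hits(log_text: str, url: str, sender_ip: str) -> list[dict]:
    """Every request to a phishing host, with whether the proxy let it through."""
    hosts = indicator_hosts(url, sender_ip)
    hits = []
    for line in log_text.splitlines():
        m = PROXY_LINE.match(line)
        if not m:
            continue  # skip lines that do not parse
        host = (urlsplit(m["url"]).hostname or "").lower()
        if host in hosts:
            hits.append({
                "user": m["user"],
                "client": m["client"],
                "url": m["url"],
                "blocked": m["result"].startswith("TCP_DENIED"),
            })
    return hits


def exposed_identities(hits: list[dict]) -> list[str]:
    """Users (or client IPs when the proxy recorded no user) whose request
    was allowed through; these are the accounts to notify and reset."""
    return sorted({h["user"] if h["user"] != "-" else h["client"]
                   for h in hits if not h["blocked"]})


def find_attachment_hosts(inventory: str, md5: str, name: str) -> dict[str, str]:
    """Hash match is conclusive; a name-only match can be a renamed or
    recompiled sample and needs a look before it is dismissed."""
    found = {}
    for line in inventory.splitlines():
        host, path, file_md5 = line.split(",")
        if file_md5.lower() == md5.lower():
            found[host] = "hash match"
        elif path.rsplit("\\", 1)[-1].lower() == name.lower():
            found.setdefault(host, "name match only")
    return found


if __name__ == "__main__":
    hits = find_url_hits(PROXY_LOG, PHISH_URL, SENDER_IP)
    print("exposed:", exposed_identities(hits))
    print("attachment on:", find_attachment_hosts(ENDPOINT_INVENTORY, ATTACHMENT_MD5, ATTACHMENT_NAME))
```

Two points the playbook steps leave implicit and the code makes explicit: a blocked (TCP_DENIED) request still tells you who clicked, but only allowed requests put credentials or a download at risk, so the notification list is built from the latter; and the endpoint sweep keys on the hash first and falls back to the file name, since a name-only match is a lead rather than a confirmation.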

1) A new incident is reported.
2) Check the user for whom the incident has been reported.
2.1) If the sender ID used for the phish (the "phished ID") is that of the Unilever Group CEO, Mr. Paul Polman:
2.1.1) Get the phished email ID and its domain blocked.
2.1.2) Check the special mailbox that was created to capture external emails, so that such phishing emails are caught.
2.1.3) Alternatively, ask the user to send a copy of the original email.
2.1.4) Perform malware analysis on the sample and check for the presence of any malware.
2.1.5) If malware is present, check whether the latest AV signatures are able to identify it.
2.1.5.1) If the signatures identify the malware, close the incident.
2.1.5.2) If the signatures do not identify the malware, contact McAfee, provide the sample and ask for an Extra DAT (eDAT).
2.1.6) Close the incident.
2.2) For other users, check whether the phished ID has a common (shared webmail) domain such as gmail.com, hotmail.com or yahoo.com.
2.2.1) For common domains, get only the user ID blocked, since blocking the domain would also stop legitimate mail.
2.2.2) For uncommon domains, get both the user ID and the domain blocked.
2.2.3) Perform malware analysis on the sample and check for the presence of any malware.
2.2.4) If malware is present, check whether the latest AV signatures are able to identify it.
2.2.4.1) If the signatures identify the malware, close the incident.
2.2.4.2) If the signatures do not identify the malware, contact McAfee, provide the sample and ask for an Extra DAT (eDAT).
2.2.5) Close the incident.
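Steps 2.1.1, 2.2.1 and 2.2.2 above decide how much to block based on the sender address, and 2.1.4/2.2.3 need the attachment identified before it goes to malware analysis. The following is an added example, not part of the original procedure or of any vendor's tooling: it parses a forwarded phishing sample with Python's standard email module, pulls the sender addresses from the From, Reply-To and Return-Path headers, applies the block-scope rule (user ID only for shared webmail domains, user ID plus domain otherwise, and both whenever the mail impersonates an executive), and records the attachment's name and hashes. The sample message, its addresses, the webmail list and the placeholder attachment bytes are all constructed for this example.

```python
"""Added example, not part of the original procedure: parse a forwarded
phishing sample, extract sender and attachment indicators, and apply the
block-scope rule (user ID only for shared webmail domains, user ID plus
domain otherwise, and both whenever the mail impersonates an executive).
The sample message, domains and webmail list are constructed for this example."""
import email
import hashlib
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Shared mail providers where a domain-wide block would also stop legitimate
# mail. Assumed list; extend it from the mail gateway's own traffic.
SHARED_WEBMAIL_DOMAINS = {"gmail.com", "hotmail.com", "yahoo.com", "outlook.com"}

# Placeholder attachment bytes (constructed; a real sample would be a binary).
SAMPLE_PAYLOAD = b"abc"


def build_sample() -> bytes:
    """Constructed phishing message, built the way a user's 'forward as
    attachment' preserves the original headers and MIME parts."""
    msg = EmailMessage()
    msg["From"] = "IT Helpdesk <helpdesk@secure-mail-update.example>"
    msg["Reply-To"] = "it.helpdesk.reset@gmail.com"   # replies routed to webmail
    msg["To"] = "user@corp.example"
    msg["Subject"] = "Your mailbox will be deactivated today"
    msg.set_content("Open the attached form to keep your mailbox active.")
    msg.add_attachment(SAMPLE_PAYLOAD, maintype="application",
                       subtype="octet-stream", filename="Mailbox_Form.exe")
    return msg.as_bytes()


def block_scope(address: str, impersonates_executive: bool = False) -> dict:
    """What to hand to the mail gateway for one sender address."""
    address = address.lower()
    domain = address.rpartition("@")[2]
    if impersonates_executive or domain not in SHARED_WEBMAIL_DOMAINS:
        return {"address": address, "block_domain": domain}
    return {"address": address, "block_domain": None}   # user ID only


def attachment_indicators(part) -> dict:
    """Name and hashes for one attachment: MD5 for the endpoint monitoring
    rule, SHA-256 for sandbox and reputation lookups."""
    data = part.get_payload(decode=True)
    return {
        "name": part.get_filename(),
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def triage(raw: bytes, impersonates_executive: bool = False) -> dict:
    """Sender block decisions plus attachment indicators for one sample."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    senders = []
    for header in ("From", "Reply-To", "Return-Path"):
        _, addr = parseaddr(str(msg.get(header, "")))
        if addr:
            senders.append(block_scope(addr, impersonates_executive))
    attachments = [attachment_indicators(p) for p in msg.iter_attachments()]
    return {"senders": senders, "attachments": attachments}


if __name__ == "__main__":
    print(triage(build_sample()))
```

Reply-To is checked alongside From because a phish frequently spoofs a plausible From address and collects replies at a webmail account; blocking only the From address leaves that channel open. The executive case sets `impersonates_executive=True`, which blocks the domain even when it is a shared webmail provider, matching step 2.1.1.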