Steps for Phishing Incident Response
Step 1: A suspicious email is detected by an email protection tool or manually reported to D3 by a user.
Step 2: D3 parses out the elements of the email and assesses risk. Attachments are sent to a sandbox, external IPs and URLs are checked against threat intelligence sources, and email authenticity is determined.
Step 3: If the attachment is found to be malicious, D3 finds hosts that have been affected by the files and quarantines them. A ticket is also created to re-image the hosts.
Step 4: If the external IP or URL is found to be high-risk, D3 blocks them on the network and firewall.
Step 5: D3 then blocks the phishing email, removes it, and finds any users who received the same email. If there is a larger phishing campaign, D3 will send an email to notify users of the threat.
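The decision logic behind Steps 2 to 5 can be sketched in a few dozen lines. The block below is an added illustration written for this page, not D3's code: it parses a raw message, reads the SPF/DKIM/DMARC verdicts from the Authentication-Results header, pulls relay IPs from Received headers, extracts link hosts and hashes attachments, looks each up against a feed, and emits the containment actions the steps describe. The sample email, the threat-intelligence sets (BAD_URL_HOSTS, BAD_IPS, BAD_SHA256), the host names and the Message-ID are all constructed placeholders; in a real pipeline the sets would be replaced by sandbox and threat-intel lookups and the action strings by calls to the firewall, EDR and mail platform.

```python
# Added example (not D3 code): a minimal phishing triage playbook for Steps 2-5.
import email
import hashlib
import ipaddress
import re
from email import policy
from urllib.parse import urlsplit

# Constructed sample message; hosts, addresses, IDs and the attachment are placeholders.
SAMPLE_EML = """\
Received: from mail.example.net (mail.example.net [203.0.113.45])
\tby mx.corp.example (Postfix) with ESMTP id ABC123
\tfor <alice@corp.example>; Mon, 01 Jan 2024 09:00:00 +0000
Authentication-Results: mx.corp.example;
\tspf=fail smtp.mailfrom=bank.example;
\tdkim=none;
\tdmarc=fail header.from=bank.example
From: "Bank Support" <support@bank.example>
To: alice@corp.example
Subject: Urgent: verify your account
Message-ID: <constructed-001@mail.example.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="utf-8"

Please verify your account at http://login-verify.example/account
--BOUNDARY
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQgc2FtcGxlIGF0dGFjaG1lbnQ=
--BOUNDARY--
"""

# Constructed feeds standing in for threat-intelligence lookups and a sandbox verdict.
BAD_URL_HOSTS = {"login-verify.example"}
BAD_IPS = {"203.0.113.45"}
BAD_SHA256 = {hashlib.sha256(b"constructed sample attachment").hexdigest()}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)


def authentication_results(msg):
    """SPF/DKIM/DMARC verdicts from Authentication-Results; 'none' when absent."""
    header = str(msg.get("Authentication-Results", ""))
    found = {m.group(1).lower(): m.group(2).lower() for m in AUTH_RE.finditer(header)}
    return {k: found.get(k, "none") for k in ("spf", "dkim", "dmarc")}


def relay_ips(msg):
    """Bracketed relay addresses from Received headers, minus loopback/link-local."""
    ips = []
    for received in msg.get_all("Received", []):
        for candidate in IP_RE.findall(str(received)):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:
                continue
            if not (addr.is_loopback or addr.is_link_local):
                ips.append(str(addr))
    return ips


def url_hosts(msg):
    """Distinct hostnames linked from the best text body part."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    return sorted({urlsplit(u).hostname for u in URL_RE.findall(text) if urlsplit(u).hostname})


def attachments(msg):
    """(filename, sha256) per attachment; the hash is what sandbox/TI lookups key on."""
    out = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        out.append((part.get_filename() or "unnamed", hashlib.sha256(data).hexdigest()))
    return out


def assess(raw):
    """Step 2 scoring plus the Step 3-5 actions the verdicts trigger."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = authentication_results(msg)
    bad_hosts = [h for h in url_hosts(msg) if h in BAD_URL_HOSTS]
    bad_ips = [ip for ip in relay_ips(msg) if ip in BAD_IPS]
    bad_files = [(n, h) for n, h in attachments(msg) if h in BAD_SHA256]
    auth_failed = auth["spf"] == "fail" or auth["dmarc"] == "fail"

    actions = []
    for name, digest in bad_files:                 # Step 3: contain affected hosts
        actions.append(f"quarantine_hosts_with_sha256:{digest}")
        actions.append(f"reimage_ticket_for:{name}")
    for host in bad_hosts:                         # Step 4: block high-risk URL hosts
        actions.append(f"block_url_host:{host}")
    for ip in bad_ips:                             # Step 4: block high-risk IPs
        actions.append(f"block_ip:{ip}")
    if bad_files or bad_hosts or bad_ips:          # Step 5: remove the email everywhere
        actions.append(f"purge_message_id:{str(msg['Message-ID'])}")
        risk = "high"
    else:
        risk = "medium" if auth_failed else "low"
    return {"risk": risk, "auth": auth, "malicious_urls": bad_hosts, "malicious_ips": bad_ips,
            "malicious_attachments": [n for n, _ in bad_files], "actions": actions}


if __name__ == "__main__":
    import json
    print(json.dumps(assess(SAMPLE_EML), indent=2))
```

Running the block prints the verdict for the constructed sample: high risk, with SPF and DMARC failing, one malicious link host, one malicious relay IP, one malicious attachment, and the corresponding quarantine, block and purge actions. A message with no indicators and passing authentication scores low; one that only fails SPF or DMARC scores medium, which is where an analyst's review in Step 2 would decide the outcome.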
Benefits of Phishing Response Automation
✔ Investigate Every Attempt
By automating the majority of the process, D3 users have the time to properly investigate every suspected phishing incident.
✔ Block Malicious Files and URLs
If an attached file or linked URL is checked against threat intelligence sources or a sandbox and found to be malicious, you can use D3 to orchestrate blocking it on your network and firewall, saving time and preventing further damage.
✔ Find the Extent of the Damage
When one phishing email is detected, D3 can search across corporate inboxes, endpoints, and user accounts to find who else was targeted, what computers downloaded the attached files, and whose credentials may have been compromised.
✔ Group Incidents for Efficient Response
Phishing emails are often sent to hundreds of people at once, so it doesn’t make sense to respond to each email as a separate incident. With D3, all related phishing events are grouped together in a single incident to eliminate redundant work and give investigators all the information they need.