Incident Response Plan
Posted by: Orhan Sari Category: Incident Responder, outlook plugin Post Date: December 26, 2018


Cybercriminals know how to trick their targets into giving up information. They mostly employ phishing and spear-phishing techniques, intended to get through your organization's defences by using a fake email to deceive your employees into disclosing sensitive information such as usernames, passwords and other credentials. Human error or behaviour causes almost 90% of cyber attacks, because it is human nature that makes people so vulnerable: they tend to trust people or fear getting into trouble, and social engineers use exactly these traits to build confidence and obtain sensitive information.[1] The loss from phishing attacks can be a disaster, with many incidents costing millions, harming the brand name and damaging relations with clients. Therefore, it is important to have incident response technology in place to fight these threats at the inbox level.

The impact of even the smallest data breach on any system should not be underestimated. The UK government's Cyber Security Breaches Survey 2017 found that the average cost of a cybersecurity breach is £19,600 for large businesses and £1,570 for small to medium-sized businesses.

Figure: Cyber Security Breaches Survey 2017

Since email attacks happen at the end-user level, breach or incident response is often too late. It is critical to protect your users' inboxes.

According to a report published by Ponemon Institute LLC, 2018 Cost of a Data Breach Study: Global Overview, there is a "relationship between how quickly an organization can identify and contain data breach incidents and the financial consequences.

  • The mean time to identify (MTTI) was 197 days
  • The mean time to contain (MTTC) was 69 days
  • Companies that contained a breach in less than 30 days saved over $1 million vs. those that took more than 30 days to resolve"
Figure: Days to identify and contain the data breach over the past year

According to the report, "the faster a data breach can be identified and contained, the lower the costs. For the fourth year, our study reports on the relationship between how quickly an organization can identify and contain data breach incidents and financial consequences. For our consolidated sample of 477 companies, the mean time to identify (MTTI) was 197 days, and the mean time to contain (MTTC) was 69 days. Both the time to identify and the time to contain were highest for malicious and criminal attacks and much lower for data breaches caused by human error. Companies that identified a breach in less than 100 days saved more than $1 million as compared to those that took more than 100 days. Similarly, companies that contained a breach in less than 30 days saved over $1 million as compared to those that took more than 30 days to resolve" [2]

The above statistics show that intervening in a data breach in a timely manner is vital for companies. However, on a global scale, the mean time to respond to these attacks is as long as 69 days. So we cannot expect the SOC team or the CISO to contain data breaches in a short period of time. Even an hour is more than enough for a malicious email to spread and compromise a significant part of the users' inboxes.

Figure: Days to identify and contain the data breach by country or regional sample

The figure reports the MTTI and MTTC for each country or regional sample. As can be seen, Brazil has the highest days to contain and the Middle East has the highest days to identify. In contrast, Germany has the lowest days to identify, and South Africa reports the shortest time to contain and the second shortest time to identify a data breach.

How to Detect, Identify and Contain/Remove Phishing Attacks in Minutes

Keepnet Labs Incident Responder (IR) technology protects businesses at the inbox level. It analyses, removes or contains a suspicious email directly in the inbox. In addition to its own engines, Keepnet also analyses with the engines of the different technologies it is integrated with. In this way, it lets an institution acquire capabilities it does not have itself.

What triggers an incident investigation?

Keepnet Labs' Incident Responder does this through a user-friendly plugin that lets end users instantly report a suspicious email to the Keepnet Incident Response Platform (IRP). The alert can be sent with a single click, reducing the incident response time from minutes to seconds.

An incident investigation can be triggered in different ways:

  1. A user reports a suspicious email with a single click using the phishing reporter add-in installed in Outlook, which sends it automatically for analysis. If the result is malicious, an incident response operation is started on the inboxes of the other users.
  2. A SOC team member initiates a manual investigation and triggers an incident response operation. They can search the users' inboxes for the suspicious email in minutes. Once the suspicious email is found, they can delete/remove it, or contain it by sending a warning message to all users.
  3. An investigation and incident response can be started from indicator of compromise (IOC) data. For example, feeds taken from popular phishing intelligence sources such as PhishTank, OpenPhish and IBM X-Force trigger an automatic investigation and prevent dangerous phishing threats.

How does the analysis mechanism work?

With its existing analysis engines as well as its integrated third-party analysis services, Keepnet addresses an email in three components and performs detailed analysis according to the following steps:

  • Header
    • Spam control with integrated antispam services
    • Anomaly detection: identifies evasion techniques used to circumvent security measures and also blocks emails that fall outside the RFC rules and standards
    • Typosquatting: identifies fake senders and prevents their use for fraud
  • Body
    • URL reputation control
    • Malicious content detection
    • Detecting suspicious content with artificial intelligence
    • Domain squatting
  • Attachment
    • Known malware control with antivirus services
    • Detection of unknown malware with anti-malware sandbox technology
    • Detection of 0-day file format exploits with anti-exploit technology
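As an added illustration of these three analysis components (not code from Keepnet's product), the Python script below runs header, body and attachment checks on a constructed sample message: it flags missing RFC 5322 headers, Reply-To/Return-Path domains that disagree with From, look-alike sender and link domains, and hashes attachments for reputation lookup. The protected-domain list, the similarity threshold and the sample message are assumptions.

```python
import hashlib
import re
from difflib import SequenceMatcher
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

PROTECTED_DOMAINS = ["example.com"]  # assumed: the organisation's own domains
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def build_sample():
    """Constructed sample of a reported message; not a real phishing email."""
    m = EmailMessage()
    m["From"] = "IT Helpdesk <support@examp1e.com>"
    m["Reply-To"] = "helpdesk@mail.example.net"
    m["Return-Path"] = "<bounce@mail.example.net>"
    m.set_content("Reset your password now: http://login.examp1e.com/reset")
    m.add_attachment(b"not really a document", maintype="application",
                     subtype="octet-stream", filename="invoice.pdf.exe")
    return m.as_bytes()

def registrable(host):  # crude: last two labels stand in for the registrable domain
    return ".".join(host.lower().split(".")[-2:])

def domain_of(header_value):
    return parseaddr(str(header_value))[1].rsplit("@", 1)[-1].lower()

def looks_like_typosquat(domain, protected):
    """Near miss of a protected domain, e.g. examp1e.com vs example.com."""
    return any(domain != good and SequenceMatcher(None, domain, good).ratio() >= 0.85
               for good in protected)

def triage(raw, protected=PROTECTED_DOMAINS):
    msg = message_from_bytes(raw, policy=policy.default)
    report = {"header": [], "body": []}
    from_dom = domain_of(msg["From"])
    # RFC 5322 expects Date and Message-ID; their absence is a header anomaly worth flagging
    report["header"] += [f"missing {h}" for h in ("Date", "Message-ID") if not msg[h]]
    report["header"] += [f"{h} domain differs from From" for h in ("Reply-To", "Return-Path")
                         if msg[h] and domain_of(msg[h]) != from_dom]
    if looks_like_typosquat(registrable(from_dom), protected):
        report["header"].append(f"sender domain {from_dom} resembles a protected domain")
    for url in URL_RE.findall(msg.get_body(preferencelist=("plain",)).get_content()):
        if looks_like_typosquat(registrable(urlparse(url).hostname or ""), protected):
            report["body"].append(f"link {url} resembles a protected domain")
    # attachment hashes for file reputation / sandbox lookup
    report["attachments"] = [(p.get_filename(), hashlib.sha256(p.get_payload(decode=True)).hexdigest())
                             for p in msg.iter_attachments()]
    return report
```

Running `triage(build_sample())` returns a dict of findings per component; a real deployment would feed the URL hosts and attachment hashes to the reputation and sandbox services listed below.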

The Current Technologies Used For Analysis

  • URL Reputation: Checks multiple blacklist engines and online reputation tools to facilitate the detection of fraudulent and malicious websites. This integration helps you identify websites involved in malware incidents, fraudulent activities and phishing.
  • Sandbox: Sandboxing offers another way for anti-malware software to detect malware. A sandbox is an isolated computing environment built to run unknown applications and prevent them from affecting the underlying system. Anti-malware programs that use sandboxing run suspicious or previously unknown programs in the sandbox and monitor the results. If the program demonstrates malicious behaviour, the anti-malware terminates it.
  • File Reputation: Protects against zero-day and targeted file-based threats by:
    • Obtaining the reputation of known files.
    • Analysing the behaviour of files that are not yet known to the reputation service.
    • Continuously evaluating emerging threats as new information becomes available.
  • Antivirus Engines: Software modules purpose-built to find and remove malicious code.
  • Investigative Engines: Services that allow you to carry out an in-depth incident investigation.
  • Forensic Engines: Various forensic methods for in-depth forensic analysis.
  • DNS Firewall: Works by employing DNS Response Policy Zones (RPZs) and actionable threat intelligence to prevent data exfiltration.

How does the response mechanism work?

Figure: Incident Investigation Workflow

According to the investigation results, a response is performed in the following ways:

  1. User Inbox Level: It investigates the incident in users' inboxes and takes action:
    • Delete email from inbox
    • Send warning to user
  2. Generate Attack Signatures: To detect and prevent the malicious activities anticipated in your network, you have to push the necessary rules to antispam, IPS, SIEM, DLP, sandboxing and similar products. This task, which requires serious expertise and consumes hours, is reduced in Keepnet's interface to one click that lets you orchestrate your security solutions.

    Example Scenarios for Active Response

    To help you take precautions when the email you analyse turns out to be suspicious, the platform can generate:

    Snort Rule

    Snort rules that you can use with the best-known IPS (intrusion prevention system) products to block malicious activity.

    Yara Rule

    Yara is a tool designed to help malware researchers identify and classify malware samples. It has been called the pattern-matching Swiss Army knife for security researchers (and everyone else). Many cyber threat prevention tools and services are compatible with Yara rules.

  3. Call API: You can use APIs to integrate with various products. For example, you can call the help desk, trigger network access control and automatically take the risky user off the network.
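As an added example of the attack-signature step (not Keepnet's own code), the functions below turn indicators from an analysed email into a YARA rule and a Snort 2.9-style rule, taking care of YARA identifier and string escaping and of Snort option syntax. The rule names, the sid and the sample indicators are assumptions; local Snort sids should be 1000000 or higher.

```python
import re

def yara_identifier(name):
    """YARA rule names allow letters, digits and underscore and cannot start with a digit."""
    ident = re.sub(r"[^A-Za-z0-9_]", "_", name)
    return "_" + ident if ident[:1].isdigit() else ident

def yara_escape(s):
    # backslashes and double quotes must be escaped inside a YARA text string
    return s.replace("\\", "\\\\").replace('"', '\\"')

def yara_rule(name, sha256s=(), strings=(), tag="phishing"):
    """Rule matching known-bad attachment hashes and/or lure text fragments."""
    if not sha256s and not strings:
        raise ValueError("a rule needs at least one hash or string")
    lines = ['import "hash"', "", f"rule {yara_identifier(name)} : {tag}", "{"]
    if strings:
        lines.append("    strings:")
        lines += [f'        $s{i} = "{yara_escape(s)}" ascii wide nocase'
                  for i, s in enumerate(strings)]
    # hash.sha256(offset, size) returns lowercase hex, so normalise the indicators
    conds = [f'hash.sha256(0, filesize) == "{h.lower()}"' for h in sha256s]
    if strings:
        conds.append("any of them")
    lines += ["    condition:", "        " + " or ".join(conds), "}"]
    return "\n".join(lines)

def snort_rule(host, sid, msg="Phishing link host from reported email"):
    """Snort 2.9-style rule: alert on an outbound HTTP request whose Host header names the phishing host."""
    if not re.fullmatch(r"[A-Za-z0-9.-]+", host):  # keep rule syntax characters out of content
        raise ValueError("unexpected characters in host")
    return (f'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"{msg}"; '
            f'flow:to_server,established; content:"Host: {host}"; http_header; nocase; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)')
```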

Reverse Engineering Support

We provide expert support via our professional phishing and malware analysis team and with the power of other SOC companies around the world that we cooperate with. Within various SLA times, you have the opportunity to get an in-depth analysis of phishing emails and malware from a specialised team.

We offer sophisticated malicious software analysis support with SOC teams based in the EU, US and MEA.


Phishing Incident Analysis and Incident Response Self-Assessment Questionnaire

  1. What kind of tools do you offer to your users to report a suspicious email?
  2. How long does it take to analyse a suspicious email with its links and attachments?
  3. Are you convinced about the quality of your email analysis?
  4. How do you prevent a malicious email that crosses all security measures and gets into the inbox before a user opens, clicks, or runs the link in it?
  5. How do you know which users in your organization have a phishing email in their inbox?
  6. How long does it take you to find out which users have a suspicious email in their inbox?
  7. How long does it take to delete a suspicious email from users' inboxes?
  8. How long does it take to block a spear phishing attack on active security devices?
  9. Which services do you use to block next-generation threats?
  10. Do you have expert support for analysing and blocking advanced attack vectors like zero-days?
