Playbook: Escalate Whaling and Other Attacks Targeting Executives

Today’s post continues an ongoing series describing Phantom Playbooks; which the platform uses to automate and orchestrate your security operations plan. This example examines one of the playbooks included with the Phantom Platform.

Whaling is a specific kind of spear phishing attack that targets your organization’s high-profile business executives, top leaders, and other roles that have access to highly-sensitive information. The goal of this type of attack is to deceive a high-value target into divulging confidential company information. The attacker will usually attempt to obtain passwords, which they can then use to gain access to more confidential information and execute an even larger attack campaign.

We’ve covered the topic of security event overload many times here on the Phantom Blog. To help you with event triage and focus on the most important risks first, you should have a playbook like the one described here to rapidly identify and escalate attacks on your highest-value targets.

This playbook is triggered automatically when an alert from a SIEM or other detection system is received by the Phantom Platform. It’s a triage type of playbook, meaning that it automatically escalates an event’s severity and sensitivity labels based upon the details of the alert ingested into the Phantom Platform. This ensures that the event rises to the top of your queue and can be acted upon more quickly.

alert_escalation_for_attacked_executives.png

The playbook performs the following security actions:

  • First, it extracts the username associated with the ingested event
  • Next, it queries your authentication directory (i.e. LDAP) to determine which groups the user belongs to
  • If the username belongs to the Executive group, the event is escalated by changing its severity to High and changes the event’s TLP rating to Red on the Phantom Platform.

Note that this is an example playbook. You might customize this playbook to include other user groups or perform other security actions that would act to contain the attack. You can also adapt the playbook to match the Phantom Apps and Assets that your organization uses. The playbook should ultimately model your Standard Operating Procedures (SOPs) for this type of threat.

You can get this playbook from either the Phantom Community or directly from the Phantom Platform. If you don’t currently use the Phantom Platform, we invite you download the free Community Edition today.

View other articles in this Playbook series here.