Playbook: Investigating Phishing Attachments with McAfee

This blog entry continues an ongoing series of articles describing Phantom Playbooks, which the platform uses to automate and orchestrate your security operations plan. This example examines one of the playbooks included with the Phantom Platform.

Introduction

Starting with just one successful phishing email, an attacker can quickly hide, pivot, persist, and exfiltrate from our networks. Shouldn’t our defensive systems have the same level of flexibility and automation?

Martin Ohl from McAfee answered those questions and more when he submitted this playbook to the Phantom Community. The playbook allows us to leverage McAfee Advanced Threat Defense (ATD), McAfee OpenDXL, and a suite of other McAfee and non-McAfee products for a wide-ranging investigation using both on-premises and cloud services.

The use case behind this playbook involves a suspected phishing email attachment as the trigger, but the same investigation workflow could be used for any potentially malicious file found entering the network, such as a file uploaded or downloaded using HTTP(S) or FTP, a file transferred in on a USB stick, or a file on a computer that is joining the network.

Details

File Detonation

This first step is what allows us to do more than just hunt for other observations of the attachment file hash. McAfee ATD attempts to unpack the file, record any intermediate hashes as it mutates and expands, and extract any IP addresses used during execution. At the end, we get a verdict that is crucial to understanding how likely it is that the file is malicious. We use that to determine whether we should continue our investigation, because we are assuming that investigating every file attachment will lead to too many false positives.

Pivoting on Indicators

If the ATD verdict indicates a malicious attachment, we launch into a wide array of investigative actions. The IP addresses are investigated with geolocation and reputation services to enrich our understanding of how they are used. The hashes observed by ATD are used to do an internal hunt using McAfee Active Response (MAR). MAR looks for the hashes in filesystems, Windows registries, network traffic, and live processes. Any sightings are used to create informative tickets for further analysis and remediation.

OpenDXL Integration Points

The OpenDXL actions used in this playbook are highly-flexible integration points. The way those messages are received and used will vary depending on what is on the other side of the message bus. For example, if McAfee Threat Intelligence Exchange (TIE) is used to ingest the hashes and IP addresses sent out from this playbook then the TIE policy will be compared against the indicator to determine the appropriate response. Any number of other McAfee or non-McAfee systems could also be listening on the OpenDXL message bus.

mcafee_phishing_attachment_investigate.png
Playbook for Investigating Suspected Phishing Attachments with McAfee and other third-party tools

Phantom Apps Used

McAfee-logo.png
McAfee Advanced Threat Defense (ATD)

McAfee-logo.png
McAfee OpenDXL

MaxMind_logo.png
MaxMind

phantom-smtp.png
Phantom SMTP

RiskIQ-Logo.png
PassiveTotal

service-now-logo.png
ServiceNow

Playbook Workflow

This playbook was designed to be set to active mode and run automatically when a potential phishing email with an attachment is ingested with the label “Email.” Other types of file ingestions would require minor playbook changes.

  1. Detonate the file in McAfee ATD
  2. If the verdict states that the file is probably not malicious, just send an email to an administrator and finish
  3. Push any IP addresses identified in the ATD detonation to the OpenDXL message fabric
  4. Enrich the investigation with the reputation of any IP addresses found in the detonation to inform any further analysis
  5. Query MaxMind for a geolocation of any IP addresses found in the detonation to enrich the investigation
  6. Use OpenDXL to connect to MAR, hunting for the existence of the detected hashes on any endpoints within the enterprise
  7. Push any hashes that were identified by MAR to OpenDXL with the context gathered during the playbook run
  8. Open a ticket with a well-formatted message including the context gathered
  9. Send a notification email with the same formatted message used in the ticketing step

Conclusion and Next Steps

Note that this is an example playbook. As mentioned earlier, you can easily customize this playbook to cover additional use cases and tailor the workflow to your needs.

You can download this playbook from either the Phantom Community or access it via the Phantom Platform. The platform automatically synchronizes Phantom Community Playbooks to your installation, if configured. If you don’t currently use the Phantom Platform, we invite you to download the free Community Edition today.

View other articles in this Playbook series here.