Enrich and Onboard Proofpoint Email Attack Alerts to CFTR

Abstract

Category: Data Enrichment and Threat Intelligence, Network Security, Email Gateway, Endpoint

Cyware Products Used:

  • Respond

  • Orchestrate

Third-Party Integrations Used:

  • Proofpoint TAP: Proofpoint Targeted Attack Protection (TAP) is an email protection solution that detects, analyzes, and blocks advanced email threats before they reach the inbox.

  • SIEM: Any preferred SIEM solution that forwards the email attack alerts generated by Proofpoint TAP to Orchestrate.

  • CrowdStrike Falcon: To enrich the malicious file hashes found in the email threat.

  • Recorded Future: To enrich the malicious IPs, URLs, and hashes found in the email threat.

  • Microsoft Defender EDR: To perform internal enrichment of the identified malicious IPs and URLs, that is, to check whether any endpoint in the environment has already been seen communicating with those URLs or IP addresses.

Problem Statement

In addition to common email threats such as phishing and malware, business email compromise (BEC) attacks pose a growing threat to organizations. Organizations therefore need a strong email protection strategy that detects threats faster and catches hard-to-detect, malware-less threats such as impostor email before they slip through the email protection layer. Detection alone is not enough: organizations must also have a strong response plan so that detected threats are investigated quickly and handled effectively.

Solution

Organizations need a solution that automatically detects, enriches, and onboards email threats to the threat response platform. This lets analysts investigate a threat quickly using the platform's threat data fusion capabilities and take the actions needed to defend against similar threats in the future.

[Figure: Enrich_and_Onboard_Proofpoint_Email_Attack_Alerts_to_CFTR.svg, playbook workflow diagram; image not reproduced]
How do we solve the problem?
  1. Retrieve Detections: The playbook starts by retrieving the latest targeted email threat alerts from your SIEM. Each alert carries the information needed for triage: the alert contents, the alert metadata, and the list of email recipients.

  2. Create Respond Incident: The playbook creates a new incident in Respond and records the alert details together with the alert ID. If an incident already exists for that alert ID, the details are appended to the existing Respond incident instead of creating a duplicate.

  3. Update the Proofpoint Alert: The playbook adds the Sent for Investigation label to the Proofpoint alert. This tells users that the alert has already been forwarded to Respond for analyst investigation and action, so it is not triaged a second time in Proofpoint.

  4. Indicator Enrichment: The indicators contained in the alert (IPs, URLs, and file hashes) are extracted and enriched. The enrichment results are then written to the Respond incident.

    1. IP Enrichment: The identified IPs are sent to Recorded Future for enrichment. Any other preferred IP enrichment tool can be substituted.

    2. URL Enrichment: The identified URLs are sent to Recorded Future for enrichment. Any other preferred URL enrichment tool can be substituted.

    3. Hash Enrichment: The identified hashes are sent to Recorded Future for enrichment. Any other preferred hash enrichment tool can be substituted.

  5. Check for Impacted Users: The recipient details of the email threat are extracted and looked up in the configuration management database (CMDB), such as Active Directory or Office 365, to retrieve more details about each user.

    1. VIP User: If an impacted user is a VIP user, the priority of the Respond incident is raised to Critical.

  6. Ready for Investigation: The enrichment results and user details are written to the Respond incident, which is then assigned to analysts for manual investigation. Analysts can create and assign corrective actions to block the threat.
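The six steps above, modelled end to end as an added Python example. This is not Cyware's, Proofpoint's or any other vendor's code: an in-memory dict stands in for Respond, a constructed alert stands in for a TAP alert forwarded by a SIEM, and a local reputation table stands in for the Recorded Future lookups. The alert field names, the VIP list, the default priority and the `labels` list on the alert are all assumptions made for the example; the real TAP and Respond schemas differ.

```python
"""Model of the onboarding playbook: create-or-update incident, label the
alert, extract and enrich indicators, check impacted users, escalate VIPs.
Added example, not product code. All field names and tables are assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed sample alert (assumed shape, not the real TAP schema).
SAMPLE_ALERT = {
    "alert_id": "tap-0001",
    "subject": "Invoice overdue - action required",
    "sender": "billing@invoice-portal.example",
    "recipients": ["cfo@example.com", "ap-clerk@example.com"],
    "body": "Pay now at http://198.51.100.23/inv.php or https://invoice-portal.example/login",
    "attachment_hashes": [
        # sha256 of the string "hello world", used as a placeholder hash
        "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9",
    ],
    "labels": [],
}

# Assumed VIP list; in the playbook this comes from AD / Office 365.
VIP_USERS = {"cfo@example.com"}

# Constructed reputation table standing in for Recorded Future verdicts.
REPUTATION = {
    "198.51.100.23": "malicious",
    "https://invoice-portal.example/login": "suspicious",
    "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9": "malicious",
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
HASH_RE = re.compile(r"\b[a-fA-F0-9]{32}\b|\b[a-fA-F0-9]{40}\b|\b[a-fA-F0-9]{64}\b")


@dataclass
class Incident:
    """Minimal stand-in for a Respond incident record."""
    alert_id: str
    priority: str = "Medium"          # assumed default priority
    indicators: dict = field(default_factory=dict)   # indicator -> verdict
    impacted_users: list = field(default_factory=list)
    vip_impacted: bool = False
    updates: int = 0                  # how many alerts fed this incident


def extract_indicators(alert):
    """Step 4: pull IPs, URLs and hashes out of the subject, body and attachments."""
    text = " ".join([alert.get("subject", ""), alert.get("body", "")])
    found = set(IPV4_RE.findall(text)) | set(URL_RE.findall(text))
    found |= set(HASH_RE.findall(text))
    found |= set(alert.get("attachment_hashes", []))
    return sorted(found)


def enrich(indicators):
    """Steps 4.1-4.3: look each indicator up; anything unlisted is 'unknown'."""
    return {ioc: REPUTATION.get(ioc, "unknown") for ioc in indicators}


def onboard_alert(alert, store):
    """Steps 2, 3, 5 and 6: create or update the incident, label the alert,
    enrich, record impacted users and escalate when a VIP is hit."""
    incident = store.get(alert["alert_id"])
    if incident is None:                       # step 2: dedupe on alert ID
        incident = Incident(alert_id=alert["alert_id"])
        store[alert["alert_id"]] = incident
    incident.updates += 1

    # Step 3: mark the alert so nobody re-triages it at the source.
    if "Sent for Investigation" not in alert["labels"]:
        alert["labels"].append("Sent for Investigation")

    # Step 4: enrichment results are merged into the incident.
    incident.indicators.update(enrich(extract_indicators(alert)))

    # Step 5: impacted users, then VIP escalation to Critical.
    for user in alert.get("recipients", []):
        if user not in incident.impacted_users:
            incident.impacted_users.append(user)
    incident.vip_impacted = any(u in VIP_USERS for u in incident.impacted_users)
    if incident.vip_impacted:
        incident.priority = "Critical"
    return incident                            # step 6: ready for an analyst


if __name__ == "__main__":
    store = {}
    print(onboard_alert(SAMPLE_ALERT, store))
    print(onboard_alert(SAMPLE_ALERT, store))  # same incident, updates == 2
```

Running the same alert through twice returns the same incident with its update counter at 2 and only one label on the alert, which is the de-duplication behaviour step 2 describes. The IP inside the phishing URL is extracted both as a bare IP and as part of the URL, so each gets its own verdict.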

Optional Configuration

You can also configure a response action that automatically resets the credentials of the impacted user in the CMDB, such as Active Directory. Because a forced reset locks the user out, it is worth gating this action on analyst approval or on the VIP/priority check rather than running it unconditionally for every alert.

Benefits
Automate Repetitive Tasks

By automating manual tasks such as detection, enrichment, and onboarding of threats, security teams free their analysts to focus on high-value investigations.

Respond to Email Threats Quickly

The solution automatically collates all relevant information in one place for easier and faster access, and helps users prioritize incidents, so security teams can assess and respond to similar incidents faster.

Reduce Alert Fatigue

The solution identifies duplicate alerts and folds their details into a single Respond incident, so analysts are not repeatedly triaging the same threat and wasting precious hours on it.