This Guide will provide you with training on how to use the Incident Responder Platform. At the end of the training, you will have an understanding of how to use this platform and its functions.
The Dashboard - how to navigate the layout, carry out tasks and administer your account
How to report and analyse phishing email attacks and take action at inbox level to prevent future attacks
Help to plan the prevention of future attacks
The Incident Responder module consists of the following:
Under these headings, you will find the following sections:
Top Rules: the most triggered rules from the Playbook
Recent Investigations: which have been recently performed
Reported Emails: suspicious emails reported by users via Phishing Reporter, with analysis and results.
On the Incident Responder Dashboard, the first item on the top row is the Phishing Reporter box, which shows the number of users currently online who are using the add-in.
Click on the top right corner of the Phishing Reporter box and you will be taken directly to the module:
On the top row, you will see displayed the following:
The number of users with the add-in
The number of users currently online
The number of users who are offline
The latest version of Phishing Reporter in use
Under this row on the right hand side, you have the option to display different timelines.
In the main section of the Phishing Reporter, there are two tabs:
Under the Users tab, you will see a list of the users who are using the Phishing Reporter add-in. On the right hand side, you will see three symbols:
Download: click here to export the list of users as an xlsx, csv or pdf file
Print: click here to print the list
Settings: select the data table settings here
Important note: the three symbols will remain greyed out until the Phishing Reporter add-in is installed.
Under the Settings tab, you will see the following setting options:
To help you further, please find a link on the right hand side for the Installation and Configuration Guide (opens in a new window).
Fill in the required fields:
Add-in Name: the name you would like to give to the add-in
Brand Name: the name of the company, organization or department you would like to associate with the add-in
Add-in Logo: you have the option to add a logo of your choice (recommended size is 60x60 pixels).
Dialog Box Settings: customise the buttons and messages to be displayed
Warning Label: add the warning label to appear on the suspicious email
Then remember to Save Changes and there is an option to Save and Download. You can also view the Download History.
Here you are able to send a copy of reported emails as an attachment. Remember to tick the check box for the option to send a notification email for reported emails. Fill in the required fields and again remember to Save Changes and there is an option to Save and Download. You can also view the Download History.
If your organization uses Proxy Settings for internal and external communications, tick the relevant Proxy Setting check box so that Phishing Reporter can reach the Incident Responder services (Investigation, Reporting etc.) through the proxy.
If your organization is archiving emails using an Enterprise Vault, then you are able to scan with Phishing Reporter all archived emails in the vault by selecting the check box and then enter the Enterprise Vault URL.
With this integration, you will be able to investigate archived emails on Enterprise Vault.
To enable the Enterprise Vault integration, tick the check box and enter the Enterprise Vault URL. Phishing Reporter will then scan all emails archived in the vault whenever you start an investigation with Incident Responder. For example, if you are looking for a particular email and this Enterprise Vault setting is ticked, all emails in the vault will be scanned and the email will be discovered if it is located there.
This feature can be integrated with an Enterprise Vault such as Symantec Enterprise Vault, which many enterprises use to archive emails, so that malicious emails can be found among emails that have already been archived.
Again remember to Save Changes and there is an option to Save and Download. You can also view the Download History.
Diagnostic Tool
This tool helps you check the status of the add-in and diagnose any problems. Optional Features include the option to check and enable all disabled add-ins automatically. Please tick the check box to enable this feature. Remember to Save Changes and there is an option to Save and Download. You can also view the Download History. To learn more about Diagnostic Tool, view here.
In this section you can view and analyse the Incidents created from emails reported via Phishing Reporter. The analysis is executed within the Incident Responder platform and by integrated third-party technologies. You can then act on the Incident Analysis results with a quick, effective response, making your organization, colleagues and systems safer and reducing the risk of future incidents.
To view the Investigations section, click on the Investigations Heading or in the left-hand dropdown menu on the Incident Responder dashboard.
You will then see a list of the Incidents being investigated and four buttons on the right-hand side of the section. These are for the following:
+ to start a New Investigation
Download: click here to export the list of investigations as an xlsx, csv or pdf file
Print: click here to print the list of investigations
Settings: select the data table settings here
To run a New Manual Investigation either click on the:
+ as described above
or the + Start a New Investigation button
To run an Automatic Investigation, select the Playbook module.
To start a New Investigation, fill out the following requested fields:
Investigation Name: enter the name you would like to use for the investigation
Target Users: use this filter to select the departments, groups or specific users you would like to investigate. The available filters are All Users, User Groups and Specific Users (for more information about setting up Users, User Groups and Specific Users, go to the Company Guide)
Search Criteria: define the criteria you would like to use for the New Investigation. These criteria will then be used to search for the emails you would like to investigate
Email Date Range: select the date range of emails sent in a specific timeframe
Select Sources: select the sources to be investigated
Duration: select how many days your investigation will run for
Action: select the action to be taken after the investigated email has been found
Then click on Save to start your Investigation, or Cancel to abandon it.
Important note: once your investigation is running, you will not be able to change or edit it. You can only stop the investigation and then create a new one with any changes you would like to make.
Your Investigation will now be listed as below:
Below the list of Investigations is a toolbar: scroll across to see the full range of filters:
Incident: the name of the incident under investigation
Source: the type of investigation
Status: after the investigation has run, this will be displayed as Expired
Date Created: the date when the investigation begins
Expiry Date: the date when the investigation ends
User Status: shows the stage of the investigation
Progress: how far the investigation has progressed
Actions: under this tab, you can view the Investigation Details or select Stop to halt the Investigation.
After selecting Details, the following Investigation Details and Results will be displayed:
The Status as Running or Expired
The Number of Users who could not be scanned
The Number of Total Users who were scanned
The Number of Emails scanned
The Duplicate button allows you to replicate the Investigation so it can be run again
Under the Investigation Details and Results, the emails discovered will be listed. You can customise this view with the filter buttons on the right hand side and the Download, Print and Settings options.
On the left hand side, the mailbox folders scanned during the Investigation are displayed. For example, if an Investigation returns a result from the sent folder of the mailbox, it will be displayed under the sent folder seen here in Investigation Details and Results. If an email is found outside of the inbox folder, it will be displayed in Other.
Under this tab, you can set up the ROI (Return on Investment): click on the Settings wheel and enter the Hourly Rate and Saved Time Per Task (Hours). Then click on Save to save your changes.
A Playbook allows you to create rules for an Automatic Investigation. To set up a Playbook, go to the Incident Responder homepage, select Playbook in the dropdown menu and then click on + Add A Rule.
To create a New Rule, fill in the requested information:
Priority: assign the status of the new rule
Tags: define tags of the new rule
Choose to make the rule Active or Non-active. Then click on Next to go to Conditions.
Here you are able to customize the filters of the New Rule setting out the Conditions. Once these have been selected, click on Next to go to the final stage Actions.
Select what Actions will be taken as a result of the New Rule:
Click on +Add Action to add more actions for the New Rule.
To create a New Integration, go to the Incident Responder homepage, select Integrations in the dropdown menu and then click on New Integration.
Then enter the following information:
API Key generated by your provider and Test Connection
Make the New Integration Active. Please note that uploading the original attached files to integrated services may lead to sensitive information being disclosed to those services.
Then click on Save.
Q: Does incident responder violate the user's privacy?
A: No, it does not. No one, including the Company Admins who manage the platform's interface, can view the contents of any email in the inbox.
Q: Is it possible to centralise the distribution of the add-in?
A: Yes, it is. Many institutions manage the add-in (install, uninstall, enable, disable) with central administration tools, for example Microsoft SCCM or IBM BigFix.
Q: Are the emails sent by users for analysis securely stored on the server?
A: The platform generates a random key which is unique for each customer, then encrypts all reported emails on disk with the AES-256 algorithm. See the logging mechanism here.
Q: Can an attacker hijack the Outlook add-in?
A: The platform uses Code Signing with Microsoft Authenticode to protect the add-in against tampering. For more information, please click here.
Q: Can I integrate this solution with security products I have?
A: Yes, it is possible to integrate with other solutions. Many platform types are supported, such as DNS Firewall, Sandbox and exploitation tool platforms. See the integrations here, and please view your support page.
Q: How do you report the incidents that have been analysed, investigated and responded to?
A: You have the feature for an automatic investigation, by which you can detect and remove the suspicious email or any of its variants in any of your users' inboxes, and you can automatically report it.
Q: How do you analyse the emails? Which tools are used for analysis?
A: We analyse suspicious emails by header, body and attachment using the third-party engines integrated into our interface. It is possible to add a new analysis service here.
Q: If the suspicious email analysed is found to be malicious, can we delete this email from the inboxes without any intervention?
A: Yes, you have a feature for automatic investigation. With this, you can detect and remove the suspicious email and/or any of its versions in any of your users' inboxes, which you can automatically report.
Q: What are the dependencies of the plugin? Java, Flash or something else?
A: Nothing except .NET 2.5 or a higher version.
Q: Can the plugin be disabled by individual users?
A: This depends on your company policy. If the user has a right to disable it, then it can be disabled. Many organisations handle these processes by GPO.
Q: When this tool is running, it will be using a certain port. What port will it be?
A: The add-in connects to the server over HTTPS (default port 443).
Primary use cases for Incident Responder are centered around the following:
I want an incident response system that can automate the technical analysis and investigation of suspicious, malicious emails in under a minute
I want to integrate Incident Responder with other Threat Intelligence / Sharing and Incident Response solutions already purchased
I want to make sure that the privacy of users is protected
I want the service to work on mobile as well as desktop devices
I want an interface/management console, which can manage each incident
Incident Responder satisfies the criteria of each of these use cases; please see more below:
Receiving a suspicious email is not great, but with Incident Responder you are able to take the right steps to protect your organisation from malicious attacks delivered by suspected emails and the damaging data breaches that can follow. Use the details Phishing Reporter has gathered about the discovered Incident and start a New Investigation. Using the filters, investigators can then determine how far the attack from the suspicious email has penetrated your defences and which particular departments or individuals have been affected.
Playbooks are an essential feature of Incident Responder, as they automate and initiate investigations without much oversight from the user. We suggest that you monitor how they are performing and tweak or edit them occasionally to get the best information and results from the investigations.
Incident Analysis is then carried out on the suspicious email within the Incident Responder platform and by the integrated third-party technologies. Act on the results with a quick, effective response to make your organization, colleagues and systems safer, more secure and more resilient, reducing the risk of future incidents.
Integrations are commonplace in the information security community, and Incident Responder is no different in being flexible enough to work alongside other platforms. The New Integration feature walks users through the stages of integrating another cyber security solution. Remember to set the new Integration to Active as the last step, to complete your Threat Intelligence and Incident Response coverage.
Privacy concerns are of paramount importance in an incident response platform, and Incident Responder addresses these. Neither Users nor the Company Administrators who manage the platform have access to the contents of any emails in the users' inboxes.
The Incident Responder service can be used on both mobile as well as desktop devices.
It is human nature to lose track of what is going on in a hectic information security environment. Incident Responder mitigates this risk with a comprehensive dashboard which provides an overview of how many users are on the Phishing Reporter platform, Reported Emails, Incidents undergoing investigation, Top Rules, Incident Analysis and ROI.
It is recommended that you use the Reports generated from the use of the Incident Responder in conjunction with authorised third party technologies to achieve the best results. Reports can be used in line with the organisation’s own procedures and help avert potential cyber threats in the future. Threat Sharing / Threat Intelligence platforms are ideal places in which reported Incidents can be used for the wider benefit of a particular industry or sector.
Yes, it is possible to integrate with your master (single) tenant via the Graph API and then restrict the API integration to a distribution group in Azure AD, i.e. you can decide which user mailboxes to integrate with (it does not have to be all of them). Please follow the steps below:
You need to implement the Graph API settings for Incident Responder following our standard configuration, which initially makes the API work for all users (https://doc.keepnetlabs.com/technical-guide/phishing-incident-responder/api-settings/configuration-steps-for-office-365-to).
Then you need to limit the App's access from Azure AD as it relates to Exchange Online (https://docs.microsoft.com/en-us/graph/auth-limit-mailbox-access).
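The second step above is done with an Exchange Online application access policy, as the linked Microsoft article describes. The following is an added example and is not part of the Keepnet guide; the app ID, group address and test mailbox are placeholders you must replace with your own values.

```powershell
# Added example (not from the Keepnet guide): scope an app registration's Graph
# mailbox access to the members of one group. Requires the ExchangeOnlineManagement module.
# Placeholders (assumptions, replace with your own values):
$AppId      = '00000000-0000-0000-0000-000000000000'   # Application (client) ID of the Incident Responder app registration
$ScopeGroup = 'ir-mailboxes@example.com'                # mail-enabled security or distribution group listing the allowed mailboxes
$TestUser   = 'alice@example.com'                       # a mailbox to verify the policy against

Connect-ExchangeOnline

# Allow the app to reach only mailboxes that are members of $ScopeGroup.
# Note: application access policies constrain application permissions (e.g. Mail.Read
# granted to the app itself), not delegated permissions a signed-in user consents to.
New-ApplicationAccessPolicy -AppId $AppId `
    -PolicyScopeGroupId $ScopeGroup `
    -AccessRight RestrictAccess `
    -Description 'Limit Incident Responder Graph access to the IR scope group'

# Verify: AccessCheckResult is Granted for group members and Denied for every other mailbox.
Test-ApplicationAccessPolicy -Identity $TestUser -AppId $AppId

# List the policies in force so the restriction can be audited later.
Get-ApplicationAccessPolicy
```

The policy can take a while to propagate, so re-run Test-ApplicationAccessPolicy against both a member and a non-member mailbox before relying on it.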