Use Case 6 - Phishing Intelligence
Summary
This use case covers phishing intelligence operations for detection and response to impersonation campaigns, Business Email Compromise (BEC), and targeted fraud directed at the logistics sector. It leverages phishing feeds and email gateway telemetry to identify, analyze, and mitigate phishing threats. Domain keywords from use-case-00-keywords-repository and impersonation alerts from use-case-01-intelligence-platform-alerts serve as foundational inputs.
Status: This use case has minimal body content in the original and requires further development.
Objective
Detect, analyze, and respond to phishing campaigns targeting the organization, including brand impersonation, BEC attacks, and sector-specific fraud schemes, to reduce successful social engineering attacks and protect employees, customers, and brand reputation.
Inputs
- Domain and brand keyword lists (from use-case-00-keywords-repository)
- Impersonation detection alerts (from use-case-01-intelligence-platform-alerts)
- Phishing feed data (URLs, domains, sender IPs)
- Email gateway logs and quarantine data
- User-reported phishing emails
- Infostealer credential data (from use-case-04-infostealer-monitoring)
Process / Workflow
- Phishing Feed Ingestion: Aggregate and filter phishing indicators from external feeds and internal email gateway telemetry.
- Impersonation Correlation: Cross-reference with domain impersonation alerts and typosquatting detection from use-case-01-intelligence-platform-alerts.
- Campaign Analysis: Cluster related phishing indicators to identify coordinated campaigns.
- BEC Detection: Identify Business Email Compromise patterns targeting executives and finance teams.
- IOC Extraction: Extract phishing IOCs (URLs, domains, sender IPs, file hashes) for operationalization.
- Takedown Coordination: Initiate takedown procedures for identified phishing domains and infrastructure.
- User Notification: Alert affected users and distribute awareness advisories.
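Added illustrative example, not part of this note or of the client's CTI program: a Python sketch of the impersonation-correlation, campaign-clustering and IOC-extraction steps above, run over constructed feed records. Brand keywords, domains and sender IPs are invented sample values.

```python
import re
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed sample inputs (not real data): brand keywords as they would come
# from the keywords repository, plus phishing-feed / gateway records.
BRAND_KEYWORDS = ["acme-logistics", "acmelog"]  # hypothetical client brands
FEED = [
    {"url": "https://acme-logistlcs.com/track/login", "sender_ip": "203.0.113.10"},
    {"url": "http://acmelog-invoices.net/pay", "sender_ip": "203.0.113.10"},
    {"url": "https://example-unrelated.org/x", "sender_ip": "198.51.100.7"},
    {"url": "https://acme-logistics.com.verify-shipment.xyz/", "sender_ip": "203.0.113.10"},
]

def domain_of(url):
    """Host part of a URL, lower-cased (scheme and path stripped)."""
    return re.sub(r"^https?://", "", url).split("/")[0].lower()

def impersonation_score(domain, keyword):
    # A brand keyword embedded anywhere in the host (lookalike subdomain or
    # combo-squat) is a full hit; otherwise compare the first label for typos.
    if keyword in domain:
        return 1.0
    label = domain.split(".")[0]
    return SequenceMatcher(None, label, keyword).ratio()

def correlate(feed, keywords, threshold=0.85):
    """Tag each feed record with the brand it impersonates, if any."""
    hits = []
    for rec in feed:
        d = domain_of(rec["url"])
        best = max(keywords, key=lambda k: impersonation_score(d, k))
        score = impersonation_score(d, best)
        if score >= threshold:
            hits.append({**rec, "domain": d, "brand": best, "score": round(score, 2)})
    return hits

def cluster_campaigns(hits):
    """Group impersonation hits that share sending infrastructure."""
    campaigns = defaultdict(list)
    for h in hits:
        campaigns[h["sender_ip"]].append(h["domain"])
    return dict(campaigns)

def extract_iocs(hits):
    """Deduplicated IOCs ready for SIEM / email-gateway rules."""
    return {"domains": sorted({h["domain"] for h in hits}),
            "sender_ips": sorted({h["sender_ip"] for h in hits})}
```

The similarity threshold is a tuning knob: too low and legitimate partner domains get flagged, too high and single-character typosquats slip through.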
Outputs / Deliverables
- Phishing campaign analysis reports
- Extracted phishing IOCs for SIEM/email gateway rules
- Takedown requests for malicious domains
- User awareness advisories
- Phishing trend analysis for use-case-08-strategic-intel-report
Intelligence Sources
- Phishing feed providers
- Email gateway telemetry
- User-reported phishing emails
- Domain monitoring (typosquatting, lookalike domains)
- Social media impersonation alerts
- Industry phishing threat reports
Tools
- Phishing feeds
- Email gateway (anti-phishing, anti-spam)
- Domain monitoring platforms
- Takedown service providers
Success Metrics
- Mean time to detect phishing campaigns
- Number of phishing domains taken down
- Reduction in successful phishing attacks
- User phishing report rate (awareness indicator)
- BEC attempt detection rate
Integration with Other Use Cases
| Use Case | Relationship |
|---|---|
| use-case-00-keywords-repository | Brand/domain keywords enable impersonation detection |
| use-case-01-intelligence-platform-alerts | Domain impersonation alerts feed phishing analysis |
| use-case-02-cti-feeds | Phishing IOCs enrich CTI feeds |
| use-case-04-infostealer-monitoring | Phishing often delivers infostealers |
| use-case-05-daily-cti-report | Active phishing campaigns reported daily |
| use-case-07-threat-hunting | Phishing IOCs generate endpoint hunting leads |
| use-case-09-mitre-ecommerce-retail | T1566 phishing techniques mapped to sector context |
References
- Corporate CTI program (logistics-sector client)
- Corporate CTI program
- CTI program, logistics-sector client
- plan-ejercicio-vishing
- caso-marks-spencer-scattered-spider