Investigating a phishing attack
The investigation phase takes the following steps, in the context of a phishing attack.
Log retrieval and review
The IR team retrieves logs from security tools and the affected systems or devices to build a map of the events that took place before, during, and after the phishing incident. System logs help identify key actors in an attack by listing information such as IP or MAC addresses. This information is vital as it can be used to track down perpetrators or find out where data has been exfiltrated to if data theft has occurred.
Identification of the tools that detected the attack
There are many security tools on the market but not all of them are effective. Companies purchase security tools using trust-based reviews, recommendations, and overall impressions of the functionalities advertised. However, attacks can reveal whether the tools are effective or not. Therefore, the security team will be keen to identify the security...