RA4001: Report Incident To External Companies

Summary

ID	RA4001
Brief Description	Report incident to external companies
Author	@atc_project
Creation Date	2019/01/31
References	https://www.antiphishing.org/report-phishing/ https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en https://www.ic3.gov/default.aspx http://www.us-cert.gov/nav/report_phishing.html https://blog.thehive-project.org/2017/06/19/thehive-cortex-and-misp-how-they-all-fit-together/ https://www.sei.cmu.edu/education-outreach/computer-security-incident-response-teams/national-csirts/ https://www.crowdstrike.com/blog/indicators-attack-vs-indicators-compromise/ https://mitre.github.io/unfetter/about/
Response Stage	Eradication

Description

Report incident to external security companites, i.e. National Computer Security Incident Response Teams (CSIRTs). Provide all Indicators of Compromise and Indicators of Attack that have been observed.

A phishing attack could be reported to:

1. National Computer Security Incident Response Teams (CSIRTs)
2. U.S. government-operated website
3. Anti-Phishing Working Group (APWG)
4. Google Safe Browsing
5. The FBI's Intenet Crime Complaint Center (IC3)

This Response Action could be automated with TheHive and MISP integration.