PhishER Quickstart Guide
This quickstart guide is designed to help you get started with your PhishER platform. For each step listed below, we provide specific details and recommendations.
Important:
The steps in this guide are intended for those who have PhishER enabled on their account and are able to access the platform. Visit here for more information about how to enable and access PhishER.
Jump to:
Step 1: Configure PhishER Settings
Step 2: Create Rules
Step 3: Create Actions
Step 4: Monitor Inbox
Step 1: Configure PhishER Settings
ACCOUNT
Reporting Emails
Reporting Emails are all of the email addresses tied to your PhishER platform. Your reporting emails will be used to forward user-reported messages to your PhishER inbox. There are two methods for forwarding user-reported emails to PhishER:
- Automatic email forwarding with the Phish Alert Button (PAB) - RECOMMENDED
- Manual email forwarding
INTEGRATIONS
VirusTotal
We recommend integrating your VirusTotal account with PhishER. If you do not have a VirusTotal account, you can join their Community for free here. This integration will enable you to run a VirusTotal scan on message attachments and URLs. If automatic scanning is enabled, VirusTotal will automatically be sent a hash of all attachments and/or URLs received by your PhishER inbox. A VirusTotal scan will apply one or more of the following tags to your email(s): VT_Pending, VT_Bad, VT_Scanned, VT_Bypassed, or VT_Hash_not_found.
KNOWBE4 LABS
PhishML
We recommend enabling PhishML on your PhishER platform. PhishML is a machine-learning module that generates three confidence values for each message that enters your PhishER inbox. These three values represent the percentage of certainty that a message is clean, spam, or a threat. Customize your threshold values using the range sliders (threshold values can range anywhere from 51 to 100). We recommend assigning a value of 95 for each threshold to ensure highly accurate tagging. PhishML will apply one of the following tags to your message(s) if the active confidence threshold is met or exceeded: PML:CLEAN, PML:SPAM, or PML:THREAT.
Step 2: Create Rules
Using YARA logic, create custom rules to identify and tag messages as they enter your PhishER inbox. We suggest starting with the following types of rules:
Important: String identifiers are only required when the rule's condition refers to individual strings by name. The following condition statements run with anonymous strings (written as $ = ...) and need no defined identifiers:
- any of them
- all of them
For more information about using anonymous strings in YARA rules, please visit this Writing YARA rules article.
Create a rule that detects common spam messages that are sent to your users. This can include marketing or automated software emails from an organization. You may use the following example as a base for your custom rule:
rule Spam {
    strings:
        // Sender addresses of known marketing or automated mailers (placeholders; replace with your own)
        $ = "promo@organization-1.com"
        $ = "promo@organization-2.com"
        $ = "promo@organization-3.com"
        $ = "promo@organization-4.com"
    condition:
        // Anonymous strings ($ with no name) are enough for "any of them"
        any of them
}
Create a rule that detects all legitimate emails sent from your domain. This can include mass emails sent from your Human Resources and/or IT department. You may use the following example as a base for your custom rule:
rule Internal {
    strings:
        // Header names are case-insensitive ("From:" is the usual spelling), so nocase is needed;
        // the dot in domain.com is escaped so it matches a literal period rather than any character.
        $ = /from.{0,20}@domain\.com/ nocase
        $ = /to.{0,20}@domain\.com/ nocase
        // Require the literal text "spf=pass" in the Authentication-Results header.
        // The original "[spf=pass]" was a character class matching any single character
        // from the set s, p, f, =, a, so it did not check the SPF result at all.
        $ = /Authentication-Results:.{0,200}spf=pass/ nocase
    condition:
        all of them
}
Create a rule that detects all KnowBe4 Training emails. You may use the following example as a base for your custom rule:
rule KnowBe4_TrainingEmails
{
    strings:
        $ = /Return-Path:.{0,20}psm\.knowbe4\.com>/ nocase
        // The closing bracket belongs after the last octet, not before it
        $ = /Received:.{0,20}\[147\.160\.167\.\d{1,3}\]/ nocase
        $ = /Received:.{0,20}\[23\.21\.109\.197\]/ nocase
        $ = /Received:.{0,20}\[23\.21\.109\.212\]/ nocase
        $ = /Received:.{0,20}psm\.knowbe4\.com/ nocase
    condition:
        any of them
}
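To see how rules of this shape behave before deploying them, here is an added Python example (not from the guide and not KnowBe4's code) that evaluates rule patterns the way YARA evaluates "any of them" / "all of them", against three constructed header samples. It places the Internal rule's SPF pattern as the guide originally printed it, [spf=pass], beside a corrected version: the bracketed form is a regex character class that matches one character from the set s, p, f, =, a, not the text spf=pass, so the as-written rule also tags a message whose SPF check failed. The sample headers, addresses and IP addresses are constructed; domain.com and the promo@ addresses are the guide's own placeholders, and the Authentication-Results layout assumed is the one where the SPF verdict directly follows the header name.

```python
import re

# Constructed sample messages (not from the guide): raw headers in the form PhishER receives them.
INTERNAL_SPF_PASS = """\
Return-Path: <hr@domain.com>
Authentication-Results: spf=pass (sender IP is 198.51.100.10) smtp.mailfrom=domain.com
From: HR Team <hr@domain.com>
To: all-staff@domain.com
Subject: Open enrollment reminder
"""

SPOOFED_SPF_FAIL = """\
Return-Path: <hr@domain.com>
Authentication-Results: spf=fail (sender IP is 203.0.113.5) smtp.mailfrom=domain.com
From: HR Team <hr@domain.com>
To: all-staff@domain.com
Subject: Urgent: update your payroll details
"""

PROMO = """\
Return-Path: <promo@organization-2.com>
Authentication-Results: spf=pass (sender IP is 192.0.2.7) smtp.mailfrom=organization-2.com
From: Promotions <promo@organization-2.com>
To: staff@domain.com
Subject: This week's deals
"""

# Rules in the shape of the guide's YARA rules: a list of patterns, an "any"/"all"
# condition and a nocase flag. Python regex syntax is close enough to YARA's for these.
RULES = {
    "Spam": {
        "strings": [re.escape(addr) for addr in (
            "promo@organization-1.com", "promo@organization-2.com",
            "promo@organization-3.com", "promo@organization-4.com")],
        "condition": "any", "nocase": False,
    },
    # The Internal rule with the SPF pattern as the guide originally printed it.
    # "[spf=pass]" is a character class: it matches ONE character from {s, p, f, =, a},
    # so this string only asserts that some such character follows the header name.
    "Internal_as_written": {
        "strings": [r"from.{0,20}@domain.com", r"to.{0,20}@domain.com",
                    r"Authentication-Results:.[spf=pass]"],
        "condition": "all", "nocase": True,
    },
    # Corrected pattern: the literal text spf=pass on the same header line.
    "Internal_fixed": {
        "strings": [r"from.{0,20}@domain\.com", r"to.{0,20}@domain\.com",
                    r"Authentication-Results:.{0,200}spf=pass"],
        "condition": "all", "nocase": True,
    },
}


def rule_matches(rule, message):
    """Evaluate one rule the way YARA evaluates 'any of them' / 'all of them'."""
    flags = re.IGNORECASE if rule["nocase"] else 0
    hits = [re.search(pattern, message, flags) is not None for pattern in rule["strings"]]
    return all(hits) if rule["condition"] == "all" else any(hits)


def tag_message(message, rules=RULES):
    """Return the sorted list of rule names that would tag this message."""
    return sorted(name for name, rule in rules.items() if rule_matches(rule, message))


if __name__ == "__main__":
    for label, msg in [("internal, spf=pass", INTERNAL_SPF_PASS),
                       ("spoofed, spf=fail", SPOOFED_SPF_FAIL),
                       ("marketing", PROMO)]:
        print(f"{label:20} -> {tag_message(msg)}")
```

The spoofed message matches Internal_as_written but not Internal_fixed; since an Internal tag is normally used to treat a message as safe, the difference is exactly the false negative a defender wants to avoid. The same harness can be pointed at a few real reported messages (with any production addresses swapped in) to sanity-check a rule before it goes live.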
Related Resources:
- PhishER Product Manual - Rules
- How Do I Create a Rule and Action in PhishER?
- How to Write YARA Rules
- YARA Rule Examples
Step 3: Create Actions
When a message is assigned a tag, the tag will indicate how the message should be handled in PhishER. For each tag that is created in Step 2, create an action to automate how a message is handled.
Using automated PhishML and VirusTotal tags, here are the settings for three suggested actions:
Action 1
This action will help prioritize messages that are potentially malicious and may require your analysis. All other settings for this action can be customized based on your organization's preferences.
- For Choose how this action should be triggered, select the following settings:
  - Specify Tags: HAS ANY of VT_BAD, PML:THREAT
- For Choose the action to be taken on matched messages, select the following settings:
  - Set Priority: High
Action 2
This action will help prioritize messages that are considered to be safe or non-threatening. All other settings for this action can be customized based on your organization's preferences.
- For Choose how this action should be triggered, select the following settings:
  - Specify Tags: HAS ALL of PML:CLEAN
- For Choose the action to be taken on matched messages, select the following settings:
  - Set Priority: Medium
Action 3
This action will help prioritize messages that are determined to be unsolicited or unwanted but not likely to be malicious. All other settings for this action can be customized based on your organization's preferences.
- For Choose how this action should be triggered, select the following settings:
  - Specify Tags: HAS ALL of PML:SPAM
- For Choose the action to be taken on matched messages, select the following settings:
  - Set Priority: Low
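As an added example (not part of the guide and not PhishER's own code), the following Python models Steps 1 and 3 together: it derives the PhishML tag from the three confidence values using the recommended threshold of 95, then evaluates the three suggested actions with HAS ANY / HAS ALL set logic to arrive at a priority. The first-match ordering of actions, the case-insensitive tag comparison (the guide spells the VirusTotal tag both VT_Bad and VT_BAD) and the sample scores are assumptions made here; the guide does not say how PhishER resolves competing actions.

```python
# Tag names exactly as the guide lists them for PhishML (Step 1) and the actions (Step 3).
PML_TAGS = {"clean": "PML:CLEAN", "spam": "PML:SPAM", "threat": "PML:THREAT"}

# The three suggested actions, in the order the guide presents them.
ACTIONS = [
    {"trigger": "HAS ANY", "tags": {"VT_BAD", "PML:THREAT"}, "priority": "High"},
    {"trigger": "HAS ALL", "tags": {"PML:CLEAN"}, "priority": "Medium"},
    {"trigger": "HAS ALL", "tags": {"PML:SPAM"}, "priority": "Low"},
]


def phishml_tags(scores, threshold=95):
    """Apply the PhishML thresholds. Each score is the percentage certainty that the
    message is clean, spam or a threat; a tag is applied when its score meets or
    exceeds the threshold. The guide limits thresholds to 51-100, which is what keeps
    more than one tag from applying whenever the three scores sum to 100."""
    if not 51 <= threshold <= 100:
        raise ValueError("PhishML thresholds range from 51 to 100")
    return {PML_TAGS[kind] for kind, score in scores.items() if score >= threshold}


def action_triggers(action, tags):
    """HAS ANY: at least one listed tag is present; HAS ALL: every listed tag is present."""
    if action["trigger"] == "HAS ANY":
        return bool(action["tags"] & tags)
    if action["trigger"] == "HAS ALL":
        return action["tags"] <= tags
    raise ValueError(f"unknown trigger {action['trigger']!r}")


def assign_priority(tags):
    """Return the priority of the first action whose trigger matches, or None.
    First-match ordering is an assumption made here (not stated by the guide); it means
    a VT_Bad verdict wins over a PML:CLEAN tag on the same message. Tags are compared
    case-insensitively because the guide writes both VT_Bad and VT_BAD (assumption)."""
    normalised = {t.upper() for t in tags}
    for action in ACTIONS:
        if action_triggers(action, normalised):
            return action["priority"]
    return None  # no action matched: the message waits for manual triage


def triage(scores, other_tags=(), threshold=95):
    """Combine PhishML tags derived from the scores with tags set by other sources
    (VirusTotal, custom YARA rules) and return (sorted tag list, priority)."""
    tags = set(other_tags) | phishml_tags(scores, threshold)
    return sorted(tags), assign_priority(tags)


if __name__ == "__main__":
    # Constructed sample inputs (not from the guide)
    print(triage({"clean": 2, "spam": 3, "threat": 95}, ["VT_Scanned"]))  # High
    print(triage({"clean": 97, "spam": 2, "threat": 1}, ["VT_Bad"]))      # High: VT_Bad outranks PML:CLEAN
    print(triage({"clean": 3, "spam": 96, "threat": 1}))                  # Low
    print(triage({"clean": 60, "spam": 30, "threat": 10}))                # None: no threshold met
```

The second sample is the case worth checking in your own tenant: a message PhishML scores as clean but VirusTotal flags as bad should still land at High priority, which only holds if the threat action is evaluated ahead of the clean action. The fourth sample shows the other gap to watch: a message that meets none of the thresholds receives no PML tag and therefore no automatic priority, so it stays in the inbox for manual review.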
Related Resources:
- PhishER Product Manual - Actions
- How Do I Create a Rule and Action in PhishER?
- How to Use PhishML Tags
Step 4: Monitor Inbox
Now that the dispositioning of your messages is automated through custom rules and actions, it’s important to monitor your PhishER inbox for new trends or threats. You can identify trends by analyzing the Rooms section of your PhishER platform.
Rooms are filtered views of the messages in your PhishER inbox. Each filtered view is a dynamic grouping of messages by a commonality. Use this information as a starting point to help you decide which rules to update or create for your PhishER inbox.