Phishing Site Take Down Operation Playbook

December 17, 20234 min read


  • Global United Insurance Co., a prominent insurance company with a flourishing online presence, became a target for a sophisticated phishing attack. The corporation’s cybersecurity team discovered a fake website that was cleverly designed to replicate the company’s client portal.
  • Using social engineering tactics, the attackers disseminated emails to customers, inducing them to “verify their accounts” due to a supposed security breach. The counterfeit website harvested login credentials, compromising personal data and financial information. An internal investigation led by the company’s incident response manager, Jane Doe, uncovered that several senior clients had already reported suspicious activities in their accounts.
  • The infrastructure supporting the malicious website was intricate, traced back to servers across multiple jurisdictions. Global United’s reputation for safeguarding customer data was at stake. The cyber range exercise was designed to simulate a realistic takedown procedure of the phishing infrastructure. The objectives were to test the rapidity and effectiveness of response strategies, refine coordination with external entities, and ultimately, reinforce the company’s defenses against future phishing attempts.

Playbook Objectives:

  • To form a structured response to phishing site identification and takedown
  • To improve coordination between internal cybersecurity teams and external partners such as hosting providers, domain registrars, and law enforcement
  • To enhance the team’s capability in the investigation and analysis of phishing campaigns
  • To minimize the timeframe from the phishing site’s discovery to its deactivation
  • To train employees in recognizing and responding to phishing incidents effectively

Difficulty level:

  • Intermediate to Advanced. Participants would require experience in cyber threat intelligence, incident response, and knowledge of legal and communication protocols involved in the takedown of malicious websites.
  •  The scenario involves “Global United Insurance Co.” dealing with a sophisticated phishing attack where a fraudulent website replicates their client portal. Senior clients have reported unauthorized activities in their accounts after having interacted with phishing emails that claim a need to “verify their accounts” due to a security incident.


  • The category for the cybersecurity topic is “Incident Response and Threat Intelligence Operations.”

Exercise Attack Steps:

  • Initial Identification:
    • Simulate the receipt of a phishing email by an employee or customer notification.
    • Have the team confirm the existence and authenticity of the phishing site.
  • Investigation:
    • Enact trace routes and digital forensics to understand the architecture of the attack.
    • Assign roles for intelligence gathering, tracing the phishing email’s source, and analyzing the website’s registration details.
  • Containment:
    • Lay out steps to disable all internal links that might lead to the phishing site and flag emails for quarantine.
    • Draft communications to warn the staff and clients about the phishing attack.
  • Eradication:
    • Prepare and execute a step-by-step plan targeting the disruption of the phishing infrastructure.
    • Cover legal considerations and processes for contacting external entities like ISPs, domain registrars, and CERTs to issue takedown notices.
  • Recovery:
    • Outline a strategy that ensures all traces of the phishing site are removed.
    • Implement additional security measures to fortify against similar attacks.
  • Post-Exercise Analysis:
    • Conduct a team review to discuss the effectiveness of the coordination and communication throughout the exercise.
    • Identify areas for improvement and update policies and procedures accordingly.
  • Client Engagement and Public Relations:
    • Develop a communication plan for stakeholders and customers to rebuild trust and provide assurance of the company’s proactive measures.
    • Train the PR team to handle media inquiries and to disseminate accurate information about the incident and its resolution.
By running this lab exercise, Global United Insurance Co. aims to not only circumvent the immediate threat but also revitalize and improve its ability to protect against and dismantle phishing schemes efficiently and effectively in the future.