Getting Started: Incident Responder
Empower your security teams with our Incident Responder, leveraging automated analysis to prioritize and address phishing threats for an effective and swift incident response.
- Use Cases
- FAQ
- Get Started
Use Cases
Introduction
Primary use cases for Incident Responder are centered around the following:
- I want an incident response system that can automate the technical analysis and investigation of suspicious, malicious emails in under a minute.
- I want to integrate Incident Responder with other Threat Intelligence / Sharing and Incident Response solutions already purchased.
- I want to make sure that the privacy of users is protected.
- I want the service to work on mobile as well as desktop devices.
- I want an interface/management console, which can manage each incident.
Incident Responder satisfies the criteria of each of these use cases; read on to see how:
🤔 Use Case 1: I want to automate the technical analysis and investigation of suspicious emails in under a minute
Receiving a suspicious email is never welcome, but with Incident Responder you can take the right steps to protect your organization from attacks launched through such emails and from the damaging data breaches that can follow. Use the details the Phishing Reporter gathers about the discovered Incident to start a New Investigation. This allows investigators to assess the extent of the attack carried out from the suspicious email, using filters to determine which specific departments or individuals have been affected.
Playbooks are an essential feature of Incident Responder, as they automate and initiate investigations without much oversight from the user. We suggest that you monitor how they are performing and tweak them occasionally to get the best information and results from the investigations.
Incident Analysis is then carried out on the suspicious email within the Incident Response platform, as well as by other third-party technologies, to provide the best results. Take proactive and efficient action based on the results to enhance the safety, security, and resilience of your organization, colleagues, and systems, thereby reducing the risk of future incidents.
🤔 Use Case 2: I want a system that integrates with my other Threat Intelligence / Sharing and incident response solutions
Integrations are widely used in the information security community, and Incident Responder is no exception when it comes to being adaptable for use with other platforms. The new Integrations feature walks users through the stages of integrating another cybersecurity solution. To fully achieve Threat Intelligence and Incident Response coverage, don't forget to activate the new Integration as the final step.
🤔 Use Case 3: I want to make sure that the privacy of users is protected
Privacy concerns are of paramount importance in an incident response platform. Both Users and Company Administrators who manage the platform do not have access to the contents of any emails in the users’ inboxes.
🤔 Use Case 4: I want the service to work on mobile as well as desktop devices
The Incident Responder service can be used on both mobile as well as desktop devices.
🤔 Use Case 5: I need a user-friendly interface and management console to effectively handle and oversee each incident.
In a fast-paced InfoSec environment, it's natural to sometimes lose track of ongoing activities. Incident Responder provides a comprehensive, intuitive dashboard displaying an overview of enrolled users, reported emails, incidents undergoing investigation, top rules, Incident Analysis, and ROI.
To maximize the effectiveness of the Incident Responder, it is recommended to utilize the generated Reports in conjunction with authorized third-party technologies. These Reports can align with your organization's procedures and help prevent potential cyber threats in the future. Additionally, you can leverage Threat Sharing/Threat Intelligence platforms to share reported Incidents for the greater benefit of your industry or sector. By utilizing these resources, you can enhance your incident response capabilities and contribute to a safer and more secure environment.
- You need to implement the Graph API settings for Incident Responder (following our standard configuration, which includes making the API work for "all" users - https://doc.keepnetlabs.com/technical-guide/phishing-incident-responder/api-settings/configuration-steps-for-office-365-to)
- Next, limit access to the App from Azure AD as it relates to Exchange Online (https://docs.microsoft.com/en-us/graph/auth-limit-mailbox-access)
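The second step above is done with an Exchange Online application access policy. The following is an added example (not part of the Keepnet documentation) that restricts the app registration to the mailboxes of a designated mail-enabled security group and then verifies the result; the app ID and group address are placeholders you replace with your own, and it assumes the ExchangeOnlineManagement module and an Exchange administrator role.

```powershell
# Added example, not from the Keepnet documentation.
# Restricts the Incident Responder app registration so that, even with tenant-wide
# Mail.ReadWrite permission, it can only reach mailboxes in a scope group.
# Requires: Install-Module ExchangeOnlineManagement; an Exchange admin role.

$AppId      = "00000000-0000-0000-0000-000000000000"  # placeholder: Application (client) ID of the app registration
$ScopeGroup = "ir-mailbox-scope@example.com"          # placeholder: mail-enabled security group of enrolled users

Connect-ExchangeOnline

# Create the policy: mailboxes in $ScopeGroup are reachable by the app, all others are denied.
New-ApplicationAccessPolicy -AppId $AppId `
    -PolicyScopeGroupId $ScopeGroup `
    -AccessRight RestrictAccess `
    -Description "Limit Incident Responder mailbox access to enrolled users"

# Verify the effective access for one in-scope and one out-of-scope mailbox
# (constructed sample addresses). Expect Granted for group members, Denied otherwise.
foreach ($user in "alice@example.com", "ceo@example.com") {
    $result = Test-ApplicationAccessPolicy -Identity $user -AppId $AppId
    "{0}: {1}" -f $user, $result.AccessCheckResult
}

# Review all policies in the tenant as part of a periodic least-privilege audit.
Get-ApplicationAccessPolicy
```

Policy changes can take some time to propagate in Exchange Online, so run the verification loop again later if the first test still reports Granted for an out-of-scope mailbox.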
FAQ
Q. Does the incident responder violate the user's privacy?
A. No, it does not. No one, including the Company Admins who manage the platform's interface, can view the contents of a user's inbox.
Q. Is it possible to centralize the distribution of the add-in?
A. Yes, it is. Many institutions manage the add-in (install, uninstall, enable, disable) with central administration tools, such as Microsoft SCCM and IBM BigFix.
Q. Are the emails sent by users for analysis securely stored on the server?
A. The platform generates a random key, unique to each customer, and then encrypts all reported emails on disk with the AES-256 algorithm.
Q. Can I integrate this solution with other security products?
A. Yes, it is possible to integrate any solution. Many platforms are supported, such as DNS firewalls, sandboxes, and exploitation tool platforms. To complete the integration, you can utilize our integrations guide along with the documentation provided by your vendor. This will provide you with all the necessary information and steps to successfully integrate the solution.
Q. How do you report the incidents analyzed, investigated and responded to?
A. The incident responder features automatic investigation by which it can detect and remove the suspicious email or any of its variants in any of your users' inboxes, and you can automatically report it.
Q. How do you analyze the emails? Which tools are used for analysis?
A. We analyze suspicious emails by Header, Body and Attachment using our third-party engines integrated into our interface. It is possible to add a new analysis service here.
Q. If the suspicious email analyzed is found to be malicious, can we delete this email from the inboxes without any intervention?
A. Yes, this is a feature of Incident Responder's automatic investigation. With this, you can detect and remove the suspicious email and any of its versions from any of your users' inboxes, which you can then automatically report.
Q. What are the dependencies of the plugin? Java, Flash or something else?
A. There are no dependencies required.
Q. Can the plugin be disabled by individual users?
A. This depends on your company policy. If the user has a right to disable it, then it can be disabled. Many organizations handle these processes via GPO.
Q. What port does the add-in use?
A. The add-in connects to the server over HTTPS (default port 443).
Ready to get started?
Let's examine the Incident Responder's fundamental features.