Title	Report incident to external companies
ID	RA4001
Description	Report incident to external companies
Author	@atc_project
Creation Date	2019/01/31
Category	General
Stage	RS0004: Eradication
Automation	thehive
References	https://www.antiphishing.org/report-phishing/ https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en https://www.ic3.gov/default.aspx http://www.us-cert.gov/nav/report_phishing.html https://blog.thehive-project.org/2017/06/19/thehive-cortex-and-misp-how-they-all-fit-together/ https://www.sei.cmu.edu/education-outreach/computer-security-incident-response-teams/national-csirts/ https://www.crowdstrike.com/blog/indicators-attack-vs-indicators-compromise/ https://mitre.github.io/unfetter/about/

Workflow

Report incident to external security companites, i.e. National Computer Security Incident Response Teams (CSIRTs).
Provide all Indicators of Compromise and Indicators of Attack that have been observed.

A phishing attack could be reported to:

1. National Computer Security Incident Response Teams (CSIRTs)
2. U.S. government-operated website
3. Anti-Phishing Working Group (APWG)
4. Google Safe Browsing
5. The FBI's Intenet Crime Complaint Center (IC3)

This Response Action could be automated with TheHive and MISP integration.