AI-ENHANCED PHISHING ATTACKS PLAYBOOK
ADVANCED RANSOMWARE CAMPAIGNS PLAYBOOK
SUPPLY CHAIN COMPROMISES PLAYBOOK
ZERO-DAY EXPLOITS PLAYBOOK
AI-POWERED MALWARE PLAYBOOK
DEEPFAKE SOCIAL ENGINEERING PLAYBOOK
QUANTUM COMPUTING THREATS PLAYBOOK
IoT VULNERABILITIES PLAYBOOK
INSIDER THREATS PLAYBOOK
CLOUD SECURITY MISCONFIGURATIONS PLAYBOOK
ADVANCED PERSISTENT THREATS (APTs) PLAYBOOK
CREDENTIAL STUFFING ATTACKS PLAYBOOK
FILELESS MALWARE PLAYBOOK
ROGUE ACCESS POINT (ROGUE AP) ATTACK PLAYBOOK
SQL INJECTION ATTACK PLAYBOOK
STEGANOGRAPHY-BASED DATA EXFILTRATION PLAYBOOK
CACHE POISONING ATTACK PLAYBOOK
HOMOGRAPH ATTACK PLAYBOOK
DENIAL-OF-SERVICE (DoS) ATTACK PLAYBOOK
MALWARE ATTACK PLAYBOOK
PHISHING ATTACK PLAYBOOK
WATERING HOLE ATTACK PLAYBOOK
ISLAND HOPPING ATTACK PLAYBOOK
AI-ENHANCED PHISHING ATTACKS PLAYBOOK
1. PREPARATION
• Create and Maintain a List of:
o Approved Email Communication Tools:
▪ Identify all sanctioned email systems and ensure monitoring for unauthorised usage.
o Key User Groups:
▪ Executives, finance teams and high-value targets (HVTs) vulnerable to phishing attempts.
o Common Indicators of AI-Enhanced Emails:
▪ Abnormal linguistic patterns, overly personalised messages or AI-generated content.
• Email Templates:
o Awareness Campaigns:
▪ Inform employees about AI-generated phishing tactics.
▪ Provide guidance on recognising suspicious emails with examples.
o Internal Communication:
▪ Notify teams about the detection of AI-driven phishing campaigns.
o External Notifications:
▪ Alert partners or clients if they might be impacted by phishing targeting your organisation.
• Ensure that:
o Email security solutions (e.g., DMARC, DKIM, SPF) are implemented and monitored.
o Anti-phishing software detects:
▪ Emails containing language indicative of AI tools (e.g., ChatGPT, Bard).
▪ Highly personalised emails targeting HVTs.
▪ Links leading to phishing sites hosted on compromised domains.
o Multi-Factor Authentication (MFA) is enforced across all critical systems.
o Training sessions on phishing simulations are conducted regularly.
• Perform Fire Drills:
o Test the playbook with scenarios involving AI-driven phishing:
▪ Highly personalised emails to HVTs.
▪ Phishing links mimicking login portals.
o Validate detection and response times.
o Ensure escalation paths are updated.
• Review Threat Intelligence:
o Monitor trends in AI-driven phishing attacks.
o Review intelligence on compromised accounts or exploited platforms.
o Analyse phishing sites for generative AI usage patterns.
• Asset Inventory:
o Maintain a list of:
▪ HVTs and their associated email accounts.
▪ Domains used for corporate communications.
▪ Approved third-party tools and services integrated with email.
2. DETECT
• MD1. Identify Threat Indicators:
o Alerts:
▪ SIEM:
▪ Unusual email activity (e.g., multiple failed login attempts).
▪ Sudden spikes in email traffic from external domains.
▪ Email Security Solutions:
▪ Flagged suspicious emails containing generative AI markers.
▪ Network Monitoring:
▪ Links leading to known phishing sites or credential harvesting.
o Notifications:
▪ Employees reporting phishing emails.
▪ External vendors or clients flagging suspicious communication.
• MD2. Identify Risk Factors:
o Common Risks:
▪ Credential theft via fake login portals.
▪ Deployment of malicious attachments (e.g., macros, Trojans).
o Company-Specific Risks:
▪ Potential financial losses or reputational damage.
▪ Exposure of proprietary data.
• MD3. Data Collection:
o Email Headers:
▪ Analyse metadata for spoofed addresses or unusual sending patterns.
o Attachments:
▪ Inspect for malicious macros or payloads.
o URLs:
▪ Validate links for phishing or C2 activity.
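The header analysis in MD3 (and the DMARC/DKIM/SPF monitoring the Preparation step asks for) can be scripted: the example below, added here and not part of the playbook, reads the headers of one raw message and flags the spoofing indicators an analyst checks by hand. The sample message, the domains and the host mx.corp.example are constructed for illustration.

```python
from email import message_from_string, policy
from email.utils import parseaddr
import re

# Constructed sample: the visible From: is the corporate domain, but SPF/DKIM pass
# only for an unrelated sending domain, DMARC fails, and Reply-To diverts replies.
SAMPLE_HEADERS = """\
Return-Path: <bounce@mail-sender.example>
Authentication-Results: mx.corp.example;
 spf=pass smtp.mailfrom=mail-sender.example;
 dkim=pass header.d=mail-sender.example;
 dmarc=fail header.from=corp.example
From: "CFO Jane Doe" <jane.doe@corp.example>
Reply-To: <jane.doe.cfo@webmail.example>
To: <payments@corp.example>
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address such as 'Name <user@host>'."""
    return parseaddr(str(addr))[1].rsplit("@", 1)[-1].lower()

def header_findings(raw: str) -> dict:
    """Evaluate spoofing indicators in the headers of one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    from_dom = domain_of(msg.get("From", ""))
    reply_to = msg.get("Reply-To")
    reply_dom = domain_of(reply_to) if reply_to else from_dom
    return_dom = domain_of(msg.get("Return-Path", ""))
    # Authentication-Results as stamped by the receiving MX (hypothetical host)
    auth = " ".join(msg.get_all("Authentication-Results", []))
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    m = re.search(r"header\.d=([\w.-]+)", auth)
    dkim_dom = m.group(1).lower() if m else ""
    return {
        "dmarc_fail": results.get("dmarc") != "pass",
        # SPF/DKIM passing for a domain other than From: is an alignment failure
        "spf_unaligned": results.get("spf") == "pass" and return_dom != from_dom,
        "dkim_unaligned": results.get("dkim") == "pass" and dkim_dom != from_dom,
        "replyto_mismatch": reply_dom != from_dom,
    }

def risk_score(findings: dict) -> int:
    """Number of triggered indicators; higher scores go first in the triage queue."""
    return sum(findings.values())
```

Feed it the raw message exported from the mail gateway or the user's report; the constructed sample triggers all four indicators, while a mail whose SPF, DKIM and DMARC all pass for the From: domain scores zero.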
• MD4. Categorise:
o Types of AI-Enhanced Phishing:
▪ Spear Phishing: Highly personalised messages.
▪ Whaling: Targeting executives with realistic-looking requests.
▪ Business Email Compromise (BEC): Impersonating trusted entities.
• MD5. Is it an Advanced Attack?
o If the attack uses deepfake audio or AI-enhanced emails:
▪ Escalate to senior analysts or Incident Response Team (IRT).
• MD6. Triage: