Incident Lifecycle
It is important to understand the lifecycle of how incidents are processed at PhishFort. Since most phishing, malware and other attacks are uniquely tailored to specific targets or industries, each incident must be reviewed on a case-by-case basis so that the correct countermeasures can be deployed. While we trust clients to suggest the required course of action, we prefer to tailor the approach ourselves depending on several characteristics unique to each incident.
A simplified overview of the lifecycle is as follows:
- Incidents reported by the client first enter the PhishFort system in the status of "pending_review". Incidents in this state have not yet been reviewed.
- Once PhishFort starts reviewing the incident it enters into a "case_building" status. The incident may remain in this state for some time as our analysts review it, choose a plan of action, tailor countermeasures and gather evidence. During this phase the status may also become "approval_required" (takedown pending approval) or "takedown_ready" (takedown approved).
- Once PhishFort has reviewed the incident and begun actioning it, the status will reflect the current state of the incident:
  - "takedown_in_progress" — A takedown has been initiated and is in progress.
  - "takedown_success" — The takedown has been completed successfully.
  - "takedown_attempt_failed" — The takedown was attempted but failed.
  - "blocklisted" — The incident has been blocklisted with our partners (no takedown performed).
  - "pre_weaponised" — The incident has been placed into monitoring.
- No further action is required from the client; PhishFort will process the incident and attempt a takedown or monitor it for malicious content.
Warning
An incident may also have a status of "action_required" at any point in the lifecycle if it is awaiting action from the client.
Info
An incident that has been fully resolved will have a status of "closed".
Notes on takedowns
When the takedown process is initiated, the status field is set to "takedown_in_progress" and the burnStartedTimestamp field is set to indicate the date and time when the incident takedown process was initiated. Once the takedown has been completed, i.e. the site is no longer responding to requests, the content has been removed or the domain has been suspended, the status becomes "takedown_success" and an additional takedownTimestamp field will be set with the date and time at which the takedown was regarded as successful by PhishFort. If the takedown attempt fails, the status will be set to "takedown_attempt_failed".
Notes on blacklisted incidents
If a takedown cannot be performed, such as in the case where the site hosts no content and there is insufficient evidence to prove the domain is similar enough to warrant a copyright approach, the incident will be blacklisted with our partners and reported to additional blacklists, e.g. Google Safe Browsing. The status will be set to "blocklisted" and no burnStartedTimestamp or takedownTimestamp fields will be present.
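The field rules in the two notes above can be checked mechanically on records returned by the API. The following is an added example, not PhishFort's own code: it groups the documented statuses by lifecycle phase, flags records whose timestamp fields contradict their status, and lists incidents waiting on the client. The record key `id`, the ISO 8601 timestamp format and the sample records are assumptions.

```python
from datetime import datetime

# Lifecycle statuses documented on this page, mapped to the phase they belong to.
PHASES = {
    "pending_review": "reported",
    "case_building": "under_review",
    "approval_required": "under_review",
    "takedown_ready": "under_review",
    "takedown_in_progress": "actioned",
    "takedown_success": "actioned",
    "takedown_attempt_failed": "actioned",
    "blocklisted": "actioned",
    "pre_weaponised": "actioned",
    "action_required": "awaiting_client",
    "closed": "closed",
}

def _parse_ts(value):
    # Assumption: timestamps arrive as ISO 8601 strings; None means the field is absent.
    return datetime.fromisoformat(value) if value is not None else None

def check_incident(record):
    """Return the list of consistency problems for one record (empty list = consistent)."""
    status = record.get("status")
    if status not in PHASES:
        return [f"unknown status {status!r}"]
    problems = []
    burn = _parse_ts(record.get("burnStartedTimestamp"))
    done = _parse_ts(record.get("takedownTimestamp"))
    # A takedown in progress or completed must carry the time the takedown was initiated.
    if status in ("takedown_in_progress", "takedown_success") and burn is None:
        problems.append(f"{status} requires burnStartedTimestamp")
    # A successful takedown must carry a completion time that does not precede initiation.
    if status == "takedown_success":
        if done is None:
            problems.append("takedown_success requires takedownTimestamp")
        elif burn is not None and done < burn:
            problems.append("takedownTimestamp precedes burnStartedTimestamp")
    # Blocklisted incidents had no takedown, so neither timestamp should be present.
    if status == "blocklisted" and (burn is not None or done is not None):
        problems.append("blocklisted incidents carry no takedown timestamps")
    return problems

def awaiting_client(records):
    """IDs of incidents PhishFort cannot progress until the client acts."""
    return [r.get("id") for r in records if r.get("status") == "action_required"]

SAMPLE_INCIDENTS = [  # constructed sample records, not real API output
    {"id": "inc-1", "status": "takedown_success",
     "burnStartedTimestamp": "2024-01-02T10:00:00", "takedownTimestamp": "2024-01-03T09:30:00"},
    {"id": "inc-2", "status": "blocklisted"},
    {"id": "inc-3", "status": "action_required"},
    {"id": "inc-4", "status": "takedown_success", "burnStartedTimestamp": "2024-01-02T10:00:00"},
]
```

Running `check_incident` over a polled batch and alerting on non-empty results catches records that do not match the documented lifecycle before they reach downstream reporting.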
Notes on incident review requests
Several functions of the API may support requesting a review, a takedown, or for the incident to be placed into monitoring. The incident lifecycle in its entirety still holds: immediately after issuing a request for review from the API, the incident will enter the status of "pending_review" until an analyst can review the request. From there, based on the nature of the request and the action decided by the analyst, the incident may enter one of several statuses after being reviewed:
- "pre_weaponised" if monitoring is requested
- "takedown_in_progress" if a takedown is requested
- The incident may be deleted if it is requested to be marked as safe