
what to do if you respond to a phishing email

I once saw a quote (or a Tweet) that said "Look, do you want to have a defensible network or not?" This quote stuck with me over the years, as it essentially asked (in well under 140 characters), "Do you have the right technology, vantage points, processes, procedures, training, executive support, personnel, policy, controls, logs, etc., in place to duke it out and protect yourself?"

There are a lot of things we can do to reduce the impact of a successful phishing attack. But like all things in information security, we can't completely eliminate the risk, so it's important to proactively prepare an effective phishing incident response strategy. So, what do you do if you suspect or know there was a successful phishing attack against your organization? Here is our list of 14 things you need to do when it happens:

What To Do When You Have Been Phished: 14 Things To Do


1. Activate IR procedures

You do have a phishing incident response plan, right? You have done an IR tabletop to test how smoothly things go, right? After you confirm that you are dealing with a real incident, draw the shades, grab the playbook, and order pizza. You'll need to figure out the who, what, when, and where of the incident, as well as what time to tell your family you think you'll be home the next day.

2. Obtain a copy of the email with full headers and any original attachments

Part of your phishing email incident response should be to make sure that you get the phishing email with full headers showing routing info, etc. In Outlook, you'll have to look at the message's Properties in order to see all of the email routing information. Take note of the IP address that the message came from. In most cases it will be from a compromised machine of some sort, either an end user's desktop acting as a bot for the message or a compromised or vulnerable server. Either way, it will help to have all of this information.
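To make the header review repeatable, here is an added example (not code from the original post) that uses Python's standard email module to pull the Received chain, the earliest hop's IP, the Message-ID, the From and Reply-To addresses and the attachment names from a raw message. The message below is constructed for the demo; the hostnames and addresses in it are placeholders.

```python
import email
import re
from email import policy

# Constructed sample (not a real phish): two Received hops, a Reply-To that
# does not match From, and a zip attachment. All names/IPs are placeholders.
RAW_PHISH = """\
Received: from mx1.example.internal (mx1.example.internal [10.0.0.25])
 by mail.example.internal with ESMTP id abc123; Tue, 6 Oct 2015 09:12:01 -0400
Received: from relay.example.net (unknown [203.0.113.45])
 by mx1.example.internal with SMTP id xyz789; Tue, 6 Oct 2015 09:11:58 -0400
Message-ID: <20151006131158.CAFE@example.net>
From: "Payroll" <payroll@example.net>
Reply-To: billing@example.org
Subject: Updated payroll document
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"

ZmFrZQ==
--B1--
"""

# Bracketed IPv4 literal, the way mail servers write it in Received: headers.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(msg):
    """Hop IPs in delivery order; the bottom-most Received: header is the earliest."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        match = IP_RE.search(str(hdr))
        hops.append(match.group(1) if match else None)
    return hops


def triage(raw):
    """Routing info plus the attributes an investigator can search or filter on."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = received_chain(msg)
    return {
        "origin_ip": hops[0] if hops else None,  # earliest hop, i.e. where it came from
        "hops": hops,
        "message_id": str(msg["Message-ID"]).strip(),
        "from_addr": msg["From"].addresses[0].addr_spec,
        "reply_to": msg["Reply-To"].addresses[0].addr_spec if msg["Reply-To"] else None,
        "subject": str(msg["Subject"]),
        "attachments": [part.get_filename() for part in msg.iter_attachments()],
    }
```

The earliest hop is only as trustworthy as the servers that wrote the headers above it; treat anything below your own mail gateway's Received line as attacker-controllable.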

3. Mine the web for threat intelligence

There are a lot of threat intel and lookup sites out there. Take any URLs, attachments, etc., to www.virustotal.com or any of the other sandbox and lookup sites out there. (I personally like www.hybrid-analysis.com.) Take domains, IPs, etc., to sites like IPVoid.com. Google the IP, hostnames, URLs, files, etc., of what you see.

But be careful that you don't actually go to malicious sites. If you paste an IP into your browser, it will change it to a URL and go to the IP. That's embarrassing (and potentially dangerous). Rather, put the IP address in quotes to ensure that your browser knows you are simply searching.

4. Talk to the clicker(s)

This is a simple step that is sometimes overlooked. Don't sidestep the end user! Ask any and all clickers what happened, what they saw, and if they noticed anything strange or out of place before or after interacting with the phish.

5. Adjust perimeter email filters to block similar messages

In order to prevent other users from falling victim to the same attack, look for attributes in the email that you can filter on. In some cases the From, Subject, and other fields may change. Look for something that will remain somewhat static. Blacklisting based on a regex obviously isn't a long-term solution, but in the short term it can help stop any other messages from getting in.

6. Start searching internal systems

Search your firewall logs for all of the suspicious IPs, URLs, etc., from the email, URL, attachment, etc., to see if there was any traffic leaving your network going to those IPs. Keep in mind that some attacker command and control domains will change their IPs every few minutes. As such, you will want to search your DNS logs (you are logging all DNS requests, aren't you?) and see if any host on your network did a lookup on them.

Keep in mind you will probably need to search DHCP logs as well to see what workstation had the IP when the DNS lookup happened. (You do have DHCP logs, right?) Use Splunk or Elasticsearch/Logstash/Kibana (ELK).

7. Review proxy or outbound web logs

If you use a proxy such as Badge, WebSense, or the like, it makes sense to search the logs to see if any other users accessed the site or other telltale URLs. Or if you log all outbound firewall requests, check for the IP address of the server that the site is running on.


8. Review mail server logs

Check to see which users received the message by searching your mail server logs. If possible, search on the message ID, source IPs, From, Subject, file attachment name, etc.

9. Review DNS logs

Logging DNS traffic is no longer hard. Enabling DNS logging in BIND is not hard either. When enabled, you can import these logs into Splunk, then run queries on them to see which of your hosts did a lookup on any malicious domains you find.
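Steps 6 and 9 both come down to the same query: which host looked up the malicious domain, and who held that IP at the time. Here is an added example (not the original post's code, and not a Splunk query) that does that join in plain Python over BIND-style query-log lines and ISC dhcpd DHCPACK lines; the log lines, IOC domain and year are constructed for the demo.

```python
import re
from datetime import datetime

# Constructed sample logs (not from the original article or a real incident).
# 10.1.2.3 is leased to two different workstations during the day, so the
# DHCP lookup has to be done at the time of the DNS query, not "now".
DNS_LOG = """\
06-Oct-2015 09:15:02.123 client 10.1.2.3#53211 (evil.example.net): query: evil.example.net IN A + (10.0.0.5)
06-Oct-2015 09:16:40.008 client 10.1.2.9#40211 (intranet.example.internal): query: intranet.example.internal IN A + (10.0.0.5)
06-Oct-2015 13:02:11.550 client 10.1.2.3#51004 (evil.example.net): query: evil.example.net IN A + (10.0.0.5)
"""
DHCP_LOG = """\
Oct  6 08:30:00 dhcp1 dhcpd: DHCPACK on 10.1.2.3 to aa:bb:cc:00:00:01 (WS-ALICE) via eth0
Oct  6 09:10:00 dhcp1 dhcpd: DHCPACK on 10.1.2.9 to aa:bb:cc:00:00:02 (WS-BOB) via eth0
Oct  6 12:45:00 dhcp1 dhcpd: DHCPACK on 10.1.2.3 to aa:bb:cc:00:00:03 (WS-CAROL) via eth0
"""
IOC_DOMAINS = {"evil.example.net"}  # placeholder indicator taken from the phish
YEAR = 2015  # assumption: syslog lines carry no year, so pin the incident year

DNS_RE = re.compile(r"^(\S+ \S+) client (\d+(?:\.\d+){3})#\d+ \(\S+\): query: (\S+) IN ")
DHCP_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on (\S+) to (\S+) \((\S+)\)")


def parse_dns(text):
    """(timestamp, client_ip, qname) for every query line."""
    return [(datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f"), m.group(2), m.group(3))
            for m in map(DNS_RE.match, text.splitlines()) if m]


def parse_dhcp(text):
    """(timestamp, ip, mac, hostname) for every DHCPACK, sorted by time."""
    return sorted((datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S"),
                   m.group(2), m.group(3), m.group(4))
                  for m in map(DHCP_RE.match, text.splitlines()) if m)


def lease_holder(leases, ip, when):
    """Most recent DHCPACK for ip at or before `when`, as (mac, hostname), else None."""
    holder = None
    for ts, lease_ip, mac, host in leases:  # leases are time-sorted, so last match wins
        if lease_ip == ip and ts <= when:
            holder = (mac, host)
    return holder


def correlate(dns_text, dhcp_text, iocs):
    """Each IOC lookup -> (iso_time, client_ip, qname, (mac, hostname) at that moment)."""
    leases = parse_dhcp(dhcp_text)
    return [(ts.isoformat(), ip, qname, lease_holder(leases, ip, ts))
            for ts, ip, qname in parse_dns(dns_text)
            if qname.rstrip(".").lower() in iocs]
```

If the resolver sits behind another forwarder, the client IP in the query log is the forwarder, not the workstation, so log at the resolver closest to the clients.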

10. Ensure logs are retained

Nothing stops an investigation cold like a total lack of critical logs. Ensure that your DNS, DHCP, firewall, proxy, and other logs don't rotate off. Depending on how things go, you may need to save these logs and handle them in a way that will stand up in court. Your IR plan should address this.

11. Make an example out of it

Rahm Emanuel once said, "You never let a serious crisis go to waste. And what I mean by that, it's an opportunity to do things you think you could not do before." Remember this quote the next time you are dealing with a successful phishing attack, and use that event as an opportunity to raise security awareness among management and your users.

There's a reason, after all, that high schools put wrecked cars out front of their buildings during prom season. It hits home because it's relatable; those who are forced to face a possibility often can't help but think, "That could have been me!" But tread softly: you don't want users to feel that reporting something leads to professional embarrassment.

12. Clean up

As a general rule of thumb, you'll need to change the affected users' passwords, even if you are pretty sure that nothing serious happened. Why? Because you'll never have 100% assurance that the victims weren't completely compromised.

If a user's credentials (especially those used for remote access) are compromised, an attacker could come back and use legitimate access methods like OWA or the VPN. After passwords have been changed, review the activity of any impacted user account for a period of time pre- and post-incident.

13. Check for active sessions of affected users

A popular technique among attackers is to leverage legitimate access methods like VPNs and Citrix to maintain a presence within the network and exfiltrate data. Following an attack, collect a list of the affected users and check to ensure that there aren't any current connections that shouldn't be active.

You do have a list of every remote access method, don't you?

14. Train your users to be "smart skeptics"

Get proactive! Have you ever received an email and thought, "There's something not quite right with this…"? Those of us in the security space like to say we have "infosec spidey sense." But we didn't get this overnight; it's a skill that we've passively built up over time. Wouldn't it be great if, instead of a Pavlovian response to click on anything in their inbox, your users paused for even 500 milliseconds and thought, "Wait a sec…could this be a PHISH?" Use phishing tests and security awareness training to your advantage.

It can be done! Trust us, we're professionals at this.

Note: This article originated on the ThreatSim® blog. ThreatSim was acquired by Wombat Security in October 2015.


Source: https://www.proofpoint.com/us/security-awareness/post/14-things-do-after-phishing-attack
