Phishing is one of the most commonly exploited external attack vectors, and the threat is showing no signs of going away anytime soon.
91% of UK companies surveyed experienced at least one successful email-based phishing attack last year; therefore, knowing what to do and when to do it as quickly as possible is paramount for your SecOps team.
This article looks at how to implement a SecOps response plan for phishing email breaches, not the pre-planning you should do as part of your central Incident Response Plan.

React Quickly
A successful phishing email would almost certainly fall into the description of “High risk to / definite breach of sensitive client or personal data” in your severity matrix.
You must treat these incidents as critical unless you have multiple layers of security protecting your users. Even if you have MFA enabled, attackers can execute an MFA flood attack to penetrate your company’s defences. If you’ve not protected against this, read my article on How to Protect against MFA Flood attacks.
An attacker will quickly act upon a successful phishing email, usually within minutes. Therefore, your SecOps team must react very quickly.
The following steps may vary depending on which solutions you have in place, but as a general guide you should carry them out in roughly this order.
SecOps Phishing Response – Step by Step
- Within the SecOps team, if you have two engineers available, split the duties between them so the incident is resolved quickly. I recommend one engineer does the email trace and technical investigation while the other does the analysis and handles all communications with the users.
- Contact the initial recipient of the phishing email immediately and establish if credentials were compromised. If they were, block sign-ins on the user’s account until the investigation is complete.
- Analyse the initial phishing email and identify if it was sent to other users within the business or if emails from the same address have been received.
- If staff are uncontactable, use your firewall URL logs to identify any users who have accessed the malicious URL. If you do not have a next-generation firewall, consider adding one to your budget, as it could save your team hours of labour and reduce risk. For any users identified as having clicked the link, you could block sign-ins on those accounts until you can confirm the credentials were not compromised. This decision should be written into the process during the planning phase.
- Make a list of users who have received an email from the malicious sender, tell them that a malicious email has been received from that address, and ask them to report anything unusual immediately.
- Track each email until you are sure that no credentials have been compromised.
- You could enforce a password change on all users who received the email, which would be the safest action. However, this may not be the most popular choice when scrutinised by upper management.
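The trace-and-correlate part of the steps above can be scripted so the investigating engineer hands the communicating engineer a ready-made contact list. The following is an added example, not code from the original article: it parses a constructed message-trace export and constructed firewall URL-filter log lines (both formats are assumptions; adapt the parsers to your own mail platform and firewall) and sorts users into those who reached the malicious page (block sign-in pending confirmation), those who only received the email (notify and track), and those who clicked but do not appear in the trace at all (look for forwarded copies or a second sender).

```python
"""Correlate a message trace with firewall URL logs to triage a phishing incident."""
from __future__ import annotations

import csv
import io
import re
from dataclasses import dataclass, field

# Indicators taken from the reported phishing email. Both values are constructed
# for this example and are not real infrastructure.
MALICIOUS_SENDER = "invoices@example-billing.test"
MALICIOUS_URL = "https://login-verify.example-billing.test/"

# Constructed message-trace export. The column layout (received,sender,recipient,
# subject) is an assumption; real exports differ per mail platform.
MESSAGE_TRACE = """\
received,sender,recipient,subject
2024-05-02T09:01:12Z,invoices@example-billing.test,alice@corp.test,Overdue invoice 4471
2024-05-02T09:01:13Z,invoices@example-billing.test,bob@corp.test,Overdue invoice 4471
2024-05-02T09:01:14Z,invoices@example-billing.test,carol@corp.test,Overdue invoice 4471
2024-05-02T09:30:00Z,newsletter@vendor.test,alice@corp.test,May newsletter
"""

# Constructed firewall URL-filter log in a hypothetical key=value format.
# Note that dave clicked although he is absent from the trace above.
FIREWALL_URL_LOG = """\
ts=2024-05-02T09:04:55Z user=alice@corp.test action=allow url=https://login-verify.example-billing.test/
ts=2024-05-02T09:05:02Z user=alice@corp.test action=allow url=https://login-verify.example-billing.test/auth
ts=2024-05-02T09:06:40Z user=dave@corp.test action=allow url=https://login-verify.example-billing.test/
ts=2024-05-02T09:10:11Z user=bob@corp.test action=allow url=https://intranet.corp.test/
ts=2024-05-02T09:12:00Z user=carol@corp.test action=block url=https://login-verify.example-billing.test/
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_message_trace(text: str) -> list[dict[str, str]]:
    """Parse the CSV export into one dict per delivered message."""
    return [dict(row) for row in csv.DictReader(io.StringIO(text))]


def parse_url_log(text: str) -> list[dict[str, str]]:
    """Parse key=value log lines; lines missing the fields we need are skipped."""
    events = []
    for line in text.splitlines():
        fields = dict(KV_RE.findall(line))
        if {"user", "action", "url"} <= fields.keys():
            events.append(fields)
    return events


def recipients_of(trace: list[dict[str, str]], sender: str) -> set[str]:
    """Every mailbox that received a message from the malicious sender."""
    return {m["recipient"].lower() for m in trace if m["sender"].lower() == sender.lower()}


def url_visits(events: list[dict[str, str]], url: str) -> tuple[set[str], set[str]]:
    """Split users who requested the malicious URL (or anything under it) into
    those the firewall allowed through and those it blocked."""
    reached, blocked = set(), set()
    for e in events:
        if not e["url"].lower().startswith(url.lower()):
            continue
        (reached if e["action"] == "allow" else blocked).add(e["user"].lower())
    return reached, blocked


@dataclass
class Triage:
    # Reached the credential-harvesting page: treat credentials as compromised
    # until the user confirms otherwise, so block sign-in first.
    block_signin: set[str] = field(default_factory=set)
    # Received the email (or were stopped by the firewall): notify and keep tracking.
    notify_and_track: set[str] = field(default_factory=set)
    # Clicked but never appeared in the trace: the email reached them another way.
    outside_trace: set[str] = field(default_factory=set)


def triage(trace: list[dict[str, str]], events: list[dict[str, str]],
           sender: str = MALICIOUS_SENDER, url: str = MALICIOUS_URL) -> Triage:
    recipients = recipients_of(trace, sender)
    reached, blocked = url_visits(events, url)
    return Triage(
        block_signin=set(reached),
        notify_and_track=(recipients | blocked) - reached,
        outside_trace=reached - recipients,
    )


if __name__ == "__main__":
    result = triage(parse_message_trace(MESSAGE_TRACE), parse_url_log(FIREWALL_URL_LOG))
    print("Block sign-in and call:   ", sorted(result.block_signin))
    print("Notify and track:         ", sorted(result.notify_and_track))
    print("Clicked but not in trace: ", sorted(result.outside_trace))
```

Two design choices worth noting: matching is done on the URL prefix rather than the exact string, because a user who reaches `/auth` on the phishing host has gone further than one who only loaded the landing page, and both need the same treatment; and users the firewall blocked are still placed in the notify list, since a blocked request proves they were tricked into clicking even though the page never loaded.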

Lessons Learned
Once the incident is over, you should consider the lessons learned.
- How did this email get past your anti-spam system?
- How was the user tricked into giving up their credentials?
- What would have happened if this incident had gone undetected? Were there additional layers of security in place?
- Why did these particular people receive the email? Is information about them publicly available? Could their email addresses have been scraped from your website?
- Were the users adequately trained to spot an email like this?
- Do you have processes in place to prevent financial fraud due to phishing emails?
Security is most effective in multiple layers
Phishing is an initial access technique, and it can be very effective. Strive for a defence-in-depth security model, which adds multiple layers of security and makes it more difficult for someone to bypass your security controls. Today, you should have, as a minimum, a mail filtering solution like Mimecast, Barracuda, Spam Titan or Mail Assure.
Additionally, enforce Multi-Factor Authentication on your email solution and either configure your MFA not to allow plain push-notification approvals or use another method that is not susceptible to an MFA push attack.
Ensure that you train your end users to recognise a phishing attempt and conduct phishing simulations to help identify and train those staff who would otherwise be a higher risk to your network.
Large businesses and enterprises need to be prepared for insider attacks by deploying a SIEM solution and an Identity Protection solution.