Phishing scams that use email to extract credit card information, Social Security numbers, and other sensitive data may seem like a familiar threat. But phishing is only getting more sophisticated as time goes on, and it is unfortunately all too easy to fall victim. As an individual, you should contact the credit bureaus and your credit card issuers and change the login information on your accounts. In a larger organization, however, phishing prevention and response need to go a lot deeper.
Here’s what you need to do if one of your employees accidentally clicked a phishing link or opened a suspicious attachment.
Steps to Take After You Have Been Hit By a Phishing Attack
- Activate IR Procedures: Once you've confirmed that phishing actually took place, kick off your incident response procedures and establish the who, what, when, and where of the incident.
- Obtain a Copy: Preserve a complete copy of the email message, including the full headers, attachments, routing information, and the sending IP address. Don't leave any text out.
- Mine for Web Threats: Examine the URLs, domains, and IP addresses linked to the email. You can look them up in IPVoid and VirusTotal. When searching for a URL or IP address, put it in quotes so the search engine treats it as a search term rather than a link; otherwise you could accidentally visit the malicious site.
- Talk to Clickers: Ask the user who clicked the malicious link what they saw: what happened when they clicked it, and whether they noticed anything out of place.
- Adjust Perimeter Email Filters: To stop the same attack from striking again, look carefully for attributes of the email that you can filter on and that are likely to stay static. Subject lines and From fields will change quickly, but a regular expression matching a more stable feature of the message, such as the phishing domain or URL pattern, is less likely to need immediate changes.
- Start Searching: Pore over your firewall logs for all suspicious URLs and IPs from the email, the attachment, and anything else the attachment left behind. Go through your DNS logs and see whether any host on your network looked up the domains or IPs associated with the phish. DHCP logs will tell you which workstation held that IP address at the time.
- Review Proxy: If you run a web proxy, examine its logs to see whether any other users accessed the phishing URL or other suspicious URLs. If you log outbound firewall connections, check for the IP address of the server hosting the malicious site.
- Review Mail: Check the mail server logs to find out which users received the suspicious email. Search on the source IP, the From and Subject lines, the attachment name, and any other distinctive attribute.
- Review DNS: Import your DNS logs into Splunk and run queries on them to determine which of your hosts looked up any of the malicious domains identified so far.
- Ensure Logs are Retained: Make sure your logs haven't rotated off. This goes for DNS, firewall, proxy, DHCP, and other logs. Preserve these logs in case you need them as evidence in legal proceedings.
- Make an Example Out of It: Use this phishing attack as a learning experience. Show your employees what happens when attachments are clicked carelessly or emails aren't examined closely. At the same time, make clear that there is no shame in reporting an incident when something does happen.
- Clean up and apply spam filters: Change the affected users' passwords even if you don't think anything happened; better safe than sorry. If a user's credentials were definitely compromised, an attacker can easily return using legitimate access methods. Keep monitoring the accounts of impacted users for a while after the incident.
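As an added example (not code from the original article), here is a Python script that walks through several of the steps above on constructed sample data: it pulls the URLs, domains and relay IP out of the full email copy (Obtain a Copy / Mine for Web Threats), builds a filter pattern on the stable lookalike domain rather than the subject or sender (Adjust Perimeter Email Filters), and then sweeps DNS, proxy and DHCP logs to name the workstations that resolved or fetched the phishing site (Start Searching / Review Proxy / Review DNS). The email, the log lines, the 10.0.5.0/24 addresses, the hostnames WS-ALICE and WS-BOB, and the domain corp-example-login.test are all constructed for this example; the log formats follow BIND query-log, Squid access-log and ISC dhcpd styles, and real logs will need their own parsing.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

# --- Constructed sample data (hypothetical names, not real infrastructure) ---
# 203.0.113.0/24 is a documentation range and .test is a reserved TLD.
RAW_EMAIL = """\
Received: from mail.example-isp.test (mail.example-isp.test [203.0.113.45])
    by mx.corp.example (Postfix) with ESMTP id ABC123
    for <alice@corp.example>; Mon, 02 Mar 2020 09:14:02 +0000
From: "IT Helpdesk" <helpdesk@corp-example-login.test>
To: alice@corp.example
Subject: Action required: password expires today
Content-Type: text/plain; charset="utf-8"

Your password expires in 24 hours. Verify your account now:
http://corp-example-login.test/verify?id=8814
"""
DNS_LOG = """\
2020-03-02 09:16:40 client 10.0.5.23#51234: query: corp-example-login.test IN A
2020-03-02 09:17:02 client 10.0.5.77#49001: query: www.example.org IN A
2020-03-02 09:20:11 client 10.0.5.91#53321: query: corp-example-login.test IN A
"""
PROXY_LOG = """\
1583140600.123 10.0.5.23 TCP_MISS/200 GET http://corp-example-login.test/verify?id=8814
1583140700.456 10.0.5.77 TCP_MISS/200 GET http://www.example.org/
"""
DHCP_LOG = """\
Mar  2 08:55:01 dhcpd: DHCPACK on 10.0.5.23 to 00:11:22:33:44:55 (WS-ALICE) via eth0
Mar  2 09:01:13 dhcpd: DHCPACK on 10.0.5.91 to 66:77:88:99:aa:bb (WS-BOB) via eth0
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
BRACKET_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def extract_iocs(raw_email):
    """Obtain a Copy / Mine for Web Threats: URLs, domains and relay IPs
    taken from the full message, headers included."""
    msg = message_from_string(raw_email, policy=default)
    iocs = {"urls": set(), "domains": set(), "ips": set()}
    # Each Received: header records the relaying host's IP in square brackets.
    for received in msg.get_all("Received", []):
        iocs["ips"].update(BRACKET_IP_RE.findall(received))
    # The From: domain is often the same lookalike the link points at.
    if msg["From"] is not None:
        iocs["domains"].update(a.domain.lower() for a in msg["From"].addresses)
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    for url in URL_RE.findall(body):
        iocs["urls"].add(url)
        host = urlparse(url).hostname
        if host:
            iocs["domains"].add(host.lower())
    return iocs


def build_filter_regex(iocs):
    """Adjust Perimeter Email Filters: subject and sender rotate between waves,
    the lookalike domain usually does not, so the filter keys on the domain."""
    pattern = "|".join(re.escape(d) for d in sorted(iocs["domains"]))
    return re.compile(pattern, re.IGNORECASE)


def hosts_querying(dns_log, domains):
    """Review DNS: clients that resolved a bad domain, with the names they asked for."""
    hits = {}
    for line in dns_log.splitlines():
        m = re.search(r"client (\S+)#\d+: query: (\S+) IN", line)
        if m and m.group(2).rstrip(".").lower() in domains:
            hits.setdefault(m.group(1), set()).add(m.group(2))
    return hits


def hosts_via_proxy(proxy_log, domains):
    """Review Proxy: clients that actually fetched a URL on a bad domain."""
    hits = set()
    for line in proxy_log.splitlines():
        parts = line.split()  # timestamp, client, action/code, method, url, ...
        if len(parts) >= 5 and urlparse(parts[4]).hostname in domains:
            hits.add(parts[1])
    return hits


def dhcp_leases(dhcp_log):
    """Start Searching: DHCPACK lines tie an IP address to a workstation name."""
    leases = {}
    for line in dhcp_log.splitlines():
        m = re.search(r"DHCPACK on (\S+) to \S+ \((\S+)\)", line)
        if m:
            leases[m.group(1)] = m.group(2)
    return leases


def triage(raw_email, dns_log, proxy_log, dhcp_log):
    """Workstations that resolved or visited the phish. Simplification: the
    last lease seen per IP is used; a real sweep matches lease time to lookup time."""
    domains = extract_iocs(raw_email)["domains"]
    affected = set(hosts_querying(dns_log, domains)) | hosts_via_proxy(proxy_log, domains)
    leases = dhcp_leases(dhcp_log)
    return {ip: leases.get(ip, "unknown workstation") for ip in sorted(affected)}


if __name__ == "__main__":
    print(extract_iocs(RAW_EMAIL))
    print(triage(RAW_EMAIL, DNS_LOG, PROXY_LOG, DHCP_LOG))
```

Run it as a script to print the extracted indicators and the map of affected workstations. Note that the DHCP correlation takes the last lease seen for each IP; in a real investigation, match the lease timestamp against the time of the DNS lookup or proxy request, since the address may have been reassigned since then.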