Does your Incident Response Plan include Phishing?
The oft-cited figure is that 90% of breaches start with a phishing email. The question is: are you prepared to recognize phishing and respond to it? Many organizations worry about how much spam they receive and implement controls specific to spam. But don’t confuse preventing spam with responding to phishing attacks.
As our CTO Aaron Higbee points out in his recent post, “spam” and “phishing” are used interchangeably but are not the same thing: spam is unsolicited bulk mail, while phishing is mail crafted to get a recipient to hand over credentials, run a payload, or move money. To be adequately prepared to respond to phishing, you must take the problem seriously and have a plan for how to respond. From the monetary loss that can come from a business email compromise (BEC) to the popularity and devastation of ransomware, phishing attacks can cause serious financial and productivity losses to your company. Here are a few tips on how to respond:
Commit to your Abuse Inbox
We often hear from our customers that their abuse inbox is overwhelming. It can be incredibly challenging to keep up with the volume, recognize that several reports belong to one campaign, and let the reporting users know their issue is being handled. Without a defined process and the proper tooling, the inbox becomes a backlog and the intelligence your own users are handing you is lost.
Define a Process
When a user reports a phish, you need to act. Why? Because that threat is already inside your environment. The scope of the incident is yet to be determined, but you now know there is an attack in progress. Removing the reported email from every mailbox that received it will help prevent anyone else from falling victim to it. But that alone is not enough:
- Extract the indicators of compromise (IOCs) associated with the threat (sender address, lure domains and URLs, attachment hashes) and add them to your mail gateway, proxy, and DNS block lists to prevent the threat from escalating.
- Search your SIEM for the same IOCs. A hit on a proxy, DNS, or endpoint log tells you whether anyone already clicked or ran the payload, identifies patient zero, and scopes what you have to eradicate.
- If you have threat analysis capabilities, use that intelligence to check the in-scope systems for related files and hashes, registry key creation or modification, spawned processes, and similar follow-on activity from the attachment.
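Here is a worked example of the first two steps, added here and not code from the original post or from any particular product: it pulls IOCs (sender, URLs, hostnames, attachment hashes) out of a reported message, turns them into block-list entries, and then sweeps log lines for hits to find patient zero. The reported message, the `example-support.invalid` lure domain, the attachment bytes, and the proxy/DNS/EDR log lines are all constructed for the example; the `key=value` log format is an assumption, so adapt the field regex to your own SIEM.

```python
import hashlib
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed stand-in for a malicious attachment (a few bytes, not real malware).
ATTACHMENT_BYTES = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Assumed key=value log format: url= (proxy), query= (DNS), sha256= (EDR).
FIELD_RE = re.compile(r"\b(url|query|sha256)=(\S+)")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_report() -> bytes:
    """Construct the user-reported phish; every address and domain here is invented."""
    msg = EmailMessage()
    msg["From"] = '"IT Helpdesk" <helpdesk@example-support.invalid>'
    msg["To"] = "alice@corp.example"
    msg["Subject"] = "Password expiry notice"
    msg.set_content("Reset now: http://login.example-support.invalid/reset?u=alice")
    msg.add_alternative(
        '<p>Your password expires today. '
        '<a href="http://login.example-support.invalid/reset?u=alice">Reset now</a></p>',
        subtype="html",
    )
    msg.add_attachment(ATTACHMENT_BYTES, maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    return msg.as_bytes()


def extract_iocs(raw: bytes) -> dict:
    """Pull sender, URLs, hostnames and attachment SHA-256s out of a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    iocs = {"senders": set(), "urls": set(), "domains": set(), "hashes": set()}
    _, addr = parseaddr(str(msg["From"]))
    if addr:
        iocs["senders"].add(addr.lower())
        iocs["domains"].add(addr.rsplit("@", 1)[-1].lower())
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment":
            iocs["hashes"].add(sha256_hex(part.get_payload(decode=True)))
        elif part.get_content_maintype() == "text":
            # get_content() undoes quoted-printable/base64, so URLs are intact.
            for url in URL_RE.findall(part.get_content()):
                iocs["urls"].add(url)
                host = urlparse(url).hostname
                if host:
                    iocs["domains"].add(host.lower())
    return iocs


def blocklist_entries(iocs: dict) -> list:
    """Gateway/proxy block-list lines. Block hostnames, not exact URLs: the lure
    URL is usually personalised per recipient, so an exact-URL block misses them."""
    entries = [f"sender:{s}" for s in iocs["senders"]]
    entries += [f"domain:{d}" for d in iocs["domains"]]
    entries += [f"sha256:{h}" for h in iocs["hashes"]]
    return sorted(entries)


def _host_matches(host: str, domains: set) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def sweep_logs(lines: list, iocs: dict) -> list:
    """Return (line_no, ioc_type, value) for every log line that touches an IOC."""
    hits = []
    for n, line in enumerate(lines, 1):
        for field, value in FIELD_RE.findall(line):
            if field == "sha256" and value.lower() in iocs["hashes"]:
                hits.append((n, "hash", value.lower()))
            elif field in ("url", "query"):
                host = urlparse(value).hostname if field == "url" else value
                if host and _host_matches(host, iocs["domains"]):
                    hits.append((n, "domain", host.lower()))
    return hits


def patient_zero(lines: list, hits: list):
    """Client of the earliest hit (lines are assumed to be in time order)."""
    if not hits:
        return None
    m = re.search(r"\b(?:client|host)=(\S+)", lines[hits[0][0] - 1])
    return m.group(1) if m else None


# Constructed SIEM export: one DNS lookup, two proxy requests, one more DNS lookup
# on a sibling subdomain, and an EDR process start with the attachment's hash.
SAMPLE_LOGS = [
    "2024-05-02T09:13:58Z src=dns client=10.1.4.22 query=login.example-support.invalid type=A",
    "2024-05-02T09:14:03Z src=proxy client=10.1.4.22 user=bob url=http://login.example-support.invalid/reset?u=bob status=200",
    "2024-05-02T09:15:11Z src=proxy client=10.1.4.31 user=carol url=https://intranet.corp.example/home status=200",
    "2024-05-02T09:16:40Z src=dns client=10.1.4.40 query=www.example-support.invalid type=A",
    f"2024-05-02T09:20:05Z src=edr host=WS-0417 user=bob event=process_start sha256={sha256_hex(ATTACHMENT_BYTES)}",
]

if __name__ == "__main__":
    found = extract_iocs(build_sample_report())
    print("\n".join(blocklist_entries(found)))
    found_hits = sweep_logs(SAMPLE_LOGS, found)
    for hit in found_hits:
        print("hit:", hit)
    print("patient zero:", patient_zero(SAMPLE_LOGS, found_hits))
```

Note what the sweep catches that an exact-URL search would not: bob’s proxy request carries his own `u=bob` token rather than alice’s, and the second DNS lookup is for a sibling subdomain, yet both are hits because the match is on hostnames from the sender domain and lure URLs. The earliest hit, not the reporting user, is your patient zero.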
Improve Over Time
These are early steps to get you started and you can certainly grow from here. Other incidents may require you to alert executive staff or involve a public relations team to respond to your customers, for example. How you choose to respond to a phishing attack may vary given your organizational needs, tools, and skillset but you must account for it in your Incident Response Plan.
The worst thing you can do is nothing at all.