Phishing Incident Response: Get Started in 3 Steps
So, you want to improve your response to phishing threats? Smart idea. PhishMe®’s recent report on phishing response trends shows that phishing is the #1 security concern, but almost half of organizations say they’re not ready for an attack.
Here’s how to get your phish together, in three basic steps.
- Disabuse the “abuse box.”
The abuse box is the inbox where companies forward suspicious emails. Sometimes it’s managed by the helpdesk, sometimes by specialized security teams.
Nearly always it’s cluttered, stuffed with everything from social media invites to legitimately dangerous malware.
That’s why the abuse box usually sucks. Whoever has the unlucky task of combing through all those emails wastes a lot of precious time. They manually deal with helpdesk tickets, change requests and site blocks. If they have other things to do (imagine), they might even ignore the abuse box.
Also, to find real threats, abuse box managers might manually test links and malware, which requires specialized skills they may or may not have. Done wrong, this can have disastrous effects.
In other words, the traditional abuse box isn’t working. It’s time to replace it with a better approach.
- Get organized to find real threats.
First, if you haven’t already, consolidate all those emails. It’s not unusual for organizations to send sketchy emails to more than one place. You need a central repository, one place where everyone knows to look. This simple tip can add up big in saved time.
Next, you’ll need to identify types of phishing attacks. For instance, business email compromise (BEC) attacks contain no links or attachments, just urgent pleas for money from a “trusted” source.
Other emails come with malicious links. You can hover over the links to see where they go. Whatever you do, never, ever click on an email link. Use a site like VirusTotal to test for malicious behavior. But remember, just because an external site like VirusTotal doesn’t recognize a link doesn’t mean it’s okay.
Again, just don’t click.
As for attachments, submit them to an external site that uses anti-virus to detect foul play. This tip comes with the same caveat as above—none of these sites are foolproof, so proceed with caution. Also, consider setting up a Cuckoo sandbox to detonate and observe malware characteristics safely.
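As an added example (not PhishMe's code), here is one way to sort reports from a central mailbox into the types described above without clicking a link or opening an attachment. The category names, the keyword list and the `example.test` messages are assumptions constructed for illustration.

```python
import hashlib
import re
from email import message_from_string, policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# Assumed phrases for urgent money requests; tune to your own reports.
BEC_HINTS = ("urgent", "wire transfer", "gift card", "payment")

def defang(url):
    """Rewrite a URL so it is not clickable in tickets or chat."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")

def triage(raw):
    """Classify one reported email without opening links or attachments."""
    msg = message_from_string(raw, policy=policy.default)
    urls, attachments, text = set(), [], ""
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""
            # Hash only: the file is never written to disk or executed.
            attachments.append((part.get_filename(), hashlib.sha256(data).hexdigest()))
        elif part.get_content_maintype() == "text":
            body = part.get_content()
            text += body.lower()
            urls.update(URL_RE.findall(body))
    category = ("attachment" if attachments else "link" if urls else
                "possible-bec" if any(h in text for h in BEC_HINTS) else "unclassified")
    return {"subject": str(msg["Subject"]), "category": category,
            "urls": sorted(defang(u) for u in urls), "attachments": attachments}

def sample(subject, body, attachment=None):
    """Build a constructed report for the demo (not real phishing data)."""
    m = EmailMessage()
    m["From"], m["Subject"] = "sender@example.test", subject
    m.set_content(body)
    if attachment is not None:
        m.add_attachment(attachment, maintype="application",
                         subtype="octet-stream", filename="invoice.doc")
    return m.as_string()

if __name__ == "__main__":
    for raw in (sample("Favor", "I need an urgent wire transfer today."),
                sample("Reset", "Sign in at http://login.example.test/reset now"),
                sample("Invoice", "See attached.", b"constructed bytes")):
        print(triage(raw))
```

The SHA-256 values let you look up an attachment by hash before deciding whether to submit the file itself, and a message that lands in `unclassified` still needs a human look.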
- Turn your employees into human sensors.
Despite your security defenses, most if not all of them technological, phishing attacks still get through. If that weren’t true, you wouldn’t be reading this blog.
It’s critical to get your employees trained and involved in the fight against phishing. They are, after all, the targets of attackers. With the right conditioning and education, they can also become your last line of defense.
PhishMe’s approach is simple: change risky behavior through practice, practice, practice. Let employees learn by reacting to simulated phishes, real-world scenarios based on the latest phishing threats.
The right response (report, don’t click) gets a pat on the back. The wrong response gets a quick tutorial on phishing do’s and don’ts. Soon enough, your human sensors are prepared to detect and report all types of phishing. That helps your incident responders do their job.
These 3 steps can launch your program. For more background on phishing response, read PhishMe’s new report, “Phishing Response Trends: It’s a Cluster.”