So here it is… the first one you've received. Everything has been building up to this.
You spent days preparing the business case, weeks designing the training program… and it's finally paid off.
The first user-reported phishing email has hit your inbox.
Now… what should you do with it?
Time is of the Essence
Reported phishing emails are good for a lot of reasons.
For starters, they can help you understand where, how, and when you're being attacked. By recording their rise and fall, you can better gauge the threat posed by phishing, and track your users' susceptibility. You can even use them as a model to inform future phishing simulations.
But perhaps the single best thing is the opportunity they provide to enhance the security profile of your organization. In the cyber security world opportunities to get ahead of incoming threats are few and far between, and reported suspicous emails and messages constitute a tremendous asset for precisely this reason.
Recently, we covered the importance of not allowing user-reported phishing emails to sit in a queue. When you receive an asset this important and time sensitive, it simply doesn't make sense to leave it languishing in an inbox.
In order to maximize the value and opportunity afforded by user-reporting, the first thing your analysts should do is to dissect reported phish and their payloads to extract email, network, and host indicators of compromise (IOCs) — Artifacts indicating with a high degree of confidence that the sample is malicious.
Using these IOCs, six actions can be taken immediately to mitigate the attack, and enhance your organization's security profile going forward.
Step 1: Quarantine
Phishing attacks are rarely isolated. In fact, even spear phishing attacks are typically directed at a small group of users, rather than an individual.
So why treat reported emails and messages as isolated cases? Whenever a suspectedphish or attack is reported, your analysts should immediately scan the organization's mail server for any messages with matching IOCs. By immediately removing and quarantining similar emails, you can dramatically reduce the threat posed by an attack.
Remember: If an attacker tries to phish 50 of your users, you don't need all of them to spot and report it. Instead, what you need it just one user to spot and report it promptly. Once you have that reported phish, your analysts can do the rest.
Step 2: Bolster Perimeter Defenses
Just because technology isn't enough to protect against phishing alone, doesn't mean it should be disregarded. After all, perimeter defenses such as firewalls and intrusion prevention systems (IPS) play a vital role in curbing the threat of phishing attacks.
Consistently feeding phishing network IOCs into these technologies will have a huge impact on their effectiveness over time.
Step 3: Tighten the Net
Other technical controls that play an essential role in the fight against phishing are email security and content filtering tools, which (when properly configured) can slash the number of malicious emails that make it into user inboxes.
Again, the number will never reach zero, but by consistently feeding email and attachment IOCs into these controls you can minimize it as far as possible.
Step 4: Blacklist
A common phishing tactic is to direct victims to a malicious domain in order to steal their login credentials. Similarly, when malware is employed, communications are secretly sent to a so-called command and control (C2) server before any real harm is done.
By identifying malicious domains in user-reported emails, and adding those domains to your DNS blacklist, you can further blunt the impact of incoming phishing attacks.
Step 5: Secure Browsing
Blacklisting isn't the only use for malicious domains and URLs identified in reported emails. Google Safe Browsing is a free global service which warns users when they attempt to navigate to a dangerous website, or download dangerous files.
By submitting malicious domains and URLs to Google Safe Browsing, you can help users all over the world (including your own) browse the web more securely.
Step 6: Advise
While you're playing the good samaritan, there's one more thing you can do to help your own organization and others all over the world.
A virus signature, sometimes called a virus definition, is a unique string of binary that identifies a piece of malware. By submitting host IOCs from user-reported phish to antivirus providers you can help them stay up-to-date with the latest threats, and ensure your own antivirus products are kept up to date.
Two Keys to Tighter Security
When it comes to cyber security, there are two imperatives:
1) Do you know about a threat quickly enough to respond?
2) Do you know enough about a threat to respond appropriately?
By analyzing user-reported phish in a timely manner, and extracting all relevant IOCs, you can answer both of these questions with a resounding yes. Not only will be able to respond to the immediate threat by quarantining similar emails, you'll also have the opportunity to tighten your security controls against future attacks.
To find out more about how you can develop a world-class anti-phishing program, download our free on-demand webinar: Best Practice for Enterprise Phishing Protection.