
What should happen after an employee clicks on a malicious link?

The response to an employee clicking on a malicious link is important for organizations to get right. Expert Matthew Pascucci discusses how to handle the aftermath of an attack.

If an employee clicks on a link in an email that on second thought looks suspicious, what should the security team do besides scanning the employee's client device? Should the device be isolated from the network and the account access/privileges frozen?

There are three areas I'd consider after a user has potentially clicked on a malicious link in an email. Just like anything else in security, you need to review the entire issue and not just fix the symptom.

The first step is to verify whether the system was compromised. Start by establishing how the security team became aware of the issue (did the user report the click, or did an alert fire?) and use that as the starting point for the investigation. Review the security monitoring systems for any unauthorized activity from this machine or user account on the network after the link was clicked, including proxy and DNS logs for the host and authentication events for the account. Comb through the logs on the system itself, and validate that all endpoint agents are up to date and working properly. If possible, capture the state of the system with a host collection tool such as Mandiant Redline, and track the work in an incident response platform such as Resilient's, to get a better look at what is happening under the hood. Most importantly, examine the malicious link itself on a lab machine to see what actually happens after it is clicked. Keep a lab system that is segmented from the production network and deliberately vulnerable for tests like these, and that can be rolled back to a clean state; software like Faronics' Deep Freeze or Toolwiz Time Freeze does this. Run packet captures while testing the link so you can review the actual data transfers. Finally, look at the spam filter's verdict and comb through the email headers to get a better understanding of the message's origin. If any of these checks show signs of compromise, or the user entered credentials on the page, isolate the host from the network and reset the account's password (or disable the account) before continuing the investigation.
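As an added example (not part of the original column), the following Python script automates two of the checks above: it pulls the origin hop, sender mismatch, SPF result and disguised links out of a suspicious email, then searches proxy log lines for requests the clicking host made to the linked domains after the click. The email and log lines are constructed, and the proxy log format (epoch, client, method, URL, status) is an assumption; real logs need their own parser.

```python
"""Triage a reported phishing click: pull indicators from the suspicious
email, then look for follow-on activity from the clicking host in proxy logs.
Added example; the sample email and log lines are constructed, and the proxy
log format (epoch client method url status) is assumed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message: Return-Path disagrees with From, SPF fails, and
# the link's visible text hides its real destination.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.10])
    by mx.corp.example with ESMTP; Mon, 06 Mar 2017 09:14:02 -0500
Received: from [198.51.100.7] (unknown [198.51.100.7])
    by mail-relay.example.net with ESMTPA; Mon, 06 Mar 2017 09:13:55 -0500
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=mail-relay.example.net
From: "IT Helpdesk" <helpdesk@corp-example.support>
Subject: Password expires today
Content-Type: text/html; charset="utf-8"

<html><body>Your password expires today.
<a href="http://login.corp-example.support/reset?u=alice">https://sso.corp.example/reset</a>
</body></html>
"""
# Constructed proxy log: the clicking host is 10.0.0.23, 10.0.0.41 is a bystander.
PROXY_LOG = """\
1488809700 10.0.0.23 GET http://intranet.corp.example/home 200
1488809715 10.0.0.23 GET http://login.corp-example.support/reset?u=alice 200
1488809740 10.0.0.23 POST http://login.corp-example.support/reset 302
1488809745 10.0.0.23 GET http://cdn.corp-example.support/upd.exe 200
1488809800 10.0.0.41 GET http://news.example.org/ 200
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name: a heuristic, not a public-suffix lookup."""
    return ".".join((host or "").lower().split(".")[-2:])


def triage_email(raw):
    """Extract origin hop, sender mismatch, SPF result and disguised links."""
    msg = message_from_string(raw, policy=policy.default)
    # Each hop prepends a Received header, so the last one is the earliest
    # hop visible: the best clue to where the message really came from.
    received = [" ".join(str(h).split()) for h in msg.get_all("Received", [])]
    origin = re.search(r"from\s+(\S+)", received[-1]).group(1) if received else None
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    # Visible text that is a URL on a different host than the href is the
    # classic disguised phishing link.
    mismatched = [(href, text) for href, text in collector.links
                  if re.match(r"https?://", text)
                  and urlsplit(href).hostname != urlsplit(text).hostname]
    return {
        "origin_hop": origin,
        "from_addr": from_addr,
        "return_path": return_path,
        "sender_mismatch": registrable_domain(from_addr.rpartition("@")[2])
                           != registrable_domain(return_path.rpartition("@")[2]),
        "spf_fail": "spf=fail" in str(msg.get("Authentication-Results", "")),
        "links": collector.links,
        "mismatched_links": mismatched,
        "suspect_domains": {registrable_domain(urlsplit(h).hostname) for h, _ in collector.links},
    }


def follow_on_activity(log_text, client_ip, click_epoch, suspect_domains):
    """(epoch, method, url) for requests from client_ip at or after click_epoch
    whose host falls under one of the suspect domains."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, method, url, _status = parts
        if client != client_ip or int(ts) < click_epoch:
            continue
        host = urlsplit(url).hostname or ""
        if any(host == d or host.endswith("." + d) for d in suspect_domains):
            hits.append((int(ts), method, url))
    return hits


if __name__ == "__main__":
    report = triage_email(SAMPLE_EMAIL)
    for key, value in report.items():
        print(f"{key}: {value}")
    # Click time assumed from the user's report; take it from the proxy log in practice.
    for hit in follow_on_activity(PROXY_LOG, "10.0.0.23", 1488809710, report["suspect_domains"]):
        print("follow-on:", hit)
```

Run as a script it prints the findings; the POST to the lookalike domain and the .exe download that follow the click are the kind of evidence that justifies isolating the host and resetting the user's password.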

Secondly, determine whether there are gaps in your planning or architecture. Does your organization have the policy, procedures and technology to keep phishing email out of the network, and if a message does get in, to stop its payload on the endpoint? Ransomware has become such a large problem over the past couple of years largely because those layers are missing or misconfigured in many organizations. Technology exists to stop much of it, but it has to be paired with an incident response team that knows how to react; controls such as spam and phishing filters and next-generation endpoint protection; and internal policies that keep the operating system and third-party software patched.

Lastly, and potentially most importantly, users need continual phishing-awareness training. Many attackers have stopped targeting the perimeter and are focusing on users, who are the easiest way in. Simulated phishing tools like PhishMe or KnowBe4's Phishing Security Test, posters, and making security awareness part of your organization's culture go a long way toward reducing how often you have to search a system for malware. If users don't click on the malicious link, there is far less to worry about.
