Trevor Hawthorn | January 30, 2017

The First Five Things to Do After a Phishing Attack

Do you have the right technology, vantage points, processes, procedures, training, executive support, personnel, policy, controls, logs, etc., in place to duke it out and protect yourself?

There are a lot of things you can do to reduce the impact of a successful phishing attack. But like all things in information security, you can't completely eliminate the risk, which means that it’s important to proactively prepare an effective response strategy.

So, what do you do if you suspect or know there was a successful phishing attack against your organization? Here are the first five things after you find out you’ve been hit.

1. Activate IR procedures

You do have incident response (IR) procedures defined, right? And you have done an IR tabletop to test how smoothly things go, right? (If not…get on it.)

After you confirm that you are dealing with a real phishing incident, draw the shades, grab the playbook, and order delivery. You’ll need to figure out all the details of the incident — the who, what, when, and where — as well as what time to tell your family you think you’ll be home the next day.

2. Obtain a copy of the email with complete headers and any original attachments

Make sure that you get the email message with full headers showing routing info, etc. Take note of the originating IP address that the message; in most cases it will be from a compromised machine of some sort — either an end user’s desktop acting as a bot for the message or from a compromised or vulnerable server. These types of details will help with your investigation.

3. Search the web for threat intelligence

There are a lot of threat intel and lookup sites out there. Take any URLs, attachments, etc., to sandbox and lookup sites out there. Take domains, IPs, etc., to sites like IPVoid.com. Google the IP, hostnames, URLs, files, etc., of what you see.

Be careful, however, that you don’t actually go to malicious sites. If you paste an IP into your browser, it will change it to a URL and go to the IP. That’s embarrassing (and potentially dangerous). Instead, put the IP address in quotes to ensure that your browser and Google know you are just searching.

4. Talk to the clicker(s)

Don’t bypass the user! This is a simple step that is sometimes overlooked. Ask any and all clickers what happened, what they saw, and if they noticed anything strange or out of place before or after interacting with the phish.

5. Adjust perimeter email filters to block similar messages

In order to prevent other users from falling victim to the same attack, look for attributes in the email that you can filter on. Look for something that will remain somewhat static; in some cases the From, Subject, and other fields may change. Blacklisting based on a regex isn’t a long-term solution, but it can help stop other messages from getting in during the time following an attack.

There are additional things you can do right the ship following a phishing attack. See the Wombat blog for nine more tips.