Re: SOP for Managing Phishing/Ransomware Attempts

[Keith Hartranft <kkh288 () LEHIGH EDU>]

Hello John,

Attached are the anti-phishing flow processes you requested. They may need
some explanation for the steps to be most effective and I'm working to
arrange a Zoomcast or meeting of some sort to do just that. I'll let you
know when that is arranged.

Thanks,

Keith

On Tue, Aug 16, 2016 at 3:16 PM, Bertone, John <jbertone () bhcc mass edu>
wrote:

> Keith,
>
>
>
> I would be interested .
>
>
>
> Thanks,
>
>
>
> John
>
>
>
> John Bertone
>
> Director of Network Operations
>
> Bunker Hill Community College
>
> 250 Rutherford Ave
>
> Boston, MA 02129
>
> Email: jbertone () bhcc mass edu
>
> Phone: 617-228-3460
>
> Mobile: 617-959-4366
>
>
>
> *From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
> SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Keith Hartranft
> *Sent:* Tuesday, August 16, 2016 1:22 PM
>
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] SOP for Managing Phishing/Ransomware Attempts
>
>
>
> Hi all,
>
>
>
> I've been asked by some folks to share our flow processes for
> anti-phishing and please know I'm happy to do so. If there is sufficient
> interest I'd also be happy to arrange a Webcast of some sort to do a walk
> through of the process.
>
>
>
> Thanks,
>
>
>
> Keith
>
>
>
> On Sat, Aug 13, 2016 at 12:11 PM, Joel Anderson <joela () umn edu> wrote:
>
> FWIW, I describe a lot of what we've been doing in a SANS paper, including
> using "honeypeeps" to identify phisher's source IP addresses.  We also
> maintain a blog (phishing.it.umn.edu) to highlight phishing campaigns and
> post advisories.
>
>
>
> *Reducing the Catch: Fighting Spear-Phishing in a Large Organization*
>
> https://www.sans.org/reading-room/whitepapers/forensics/
> reducing-catch-fighting-spear-phishing-large-organization-35547
>
>
>
> On Thu, Aug 11, 2016 at 8:39 AM, Keith Hartranft <kkh288 () lehigh edu>
> wrote:
>
> Hello all,
>
>
>
> We do have a somewhat formalized process for Phishing emails and it has
> been flowcharted. I'd be happy to share these with RI folks and we've
> talked about (Doug help please?) a central place/wiki for that.
>
>
>
> I will say the process is specific to how our systems are structured but I
> think there are some things that all organizations might find useful in our
> process.
>
>
>
> A few things to note:
>
>
>
>    - We have not "pulled" phishing emails from mailboxes. We do however
>    note particularly good ones, note who has "opened" them, and watch for
>    suspicious logons from those users with our SIEM dashes. Particularly good
>    phishes we also "seed" with peep accounts and then monitor those locations
>    more closely
>    - We run our own DNS block (Malwaredomains) which helps mitigate on
>    campus access. You may get that feed as well ..... in a variety of ways. We
>    also report to Google Safebrowsing, Phishtank, Symantec, ThreatStream via
>    HiTrust .... which gets links into Browser and many AV Browser/reputation
>    blocks VERY quickly.
>    - We use GMail content filters to protect many users from common
>    phishes that would have gotten through in the past. We react with new rules
>    when new "more inventive?" phishes occur. I think this has had significant
>    impact on phish reduction ...... but with the semester about to begin,
>    we'll see for certain.
>    - We post phishes to our Help pages and warnings. If the phish is
>    particular good or generates a high level of calls or response .... we send
>    a campus notification. (As we had last year with a "Terror Threat Email")
>    It should be noted that a second round of "Terror Threat" attempts was
>    almost totally mitigated by the content compliance filters.
>    - We do some limited data mining via Vault for new phishes that miss
>    the content compliance net and respond accordingly.
>    - We notify senders of possible account compromise if in the edu or
>    gov spaces. We sometimes notify hosts if they are particularly responsive
>    (Formcrafts you can 404 the site by reporting)
>
> I think those are the highlights. Any questions ...... fire away!
>
>
>
> Thanks,
>
>
>
> Keith
>
>
>
> On Thu, Aug 11, 2016 at 1:46 AM, Steven Alexander <
> steven.alexander () kccd edu> wrote:
>
> I'm new to my role so I don't know if we've had objections in the past,
> but we do pull phishing/malicious emails from our user's inboxes.  Once
> we've identified that the content is dangerous, the safest option is to
> remove it.  Simply alerting people that the content is dangerous might
> reduce click rates substantially, but it won't reduce them to zero.  I'd
> rather have to defend the decision to pull than deal with a breach or a
> ransomware infection.
>
> I think the best approach is to be up front set clear ground rules for
> when this capability can be used.  If it's only used to pull emails with
> malicious attachments and phishing links, there shouldn't be many
> objections.  If it's used to stifle a discussion, even once, it will be
> hard to regain the trust of your faculty and other users.
>
> Steven Alexander
> Director of IT Security
> Kern Community College District
>
> ________________________________
> From: The EDUCAUSE Security Constituent Group Listserv [
> SECURITY () LISTSERV EDUCAUSE EDU] on behalf of James Valente [
> jvalente () SALEMSTATE EDU]
> Sent: Wednesday, August 10, 2016 3:31 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] SOP for Managing Phishing/Ransomware Attempts
>
> <snip>
>
>
> Also, RE: Removing malicious messages. I know this has come up in other
> discussions amongst schools and a few people have mentioned that there have
> been members of the faculty who get very upset if messages are deleted. We
> haven't tried to pull or delete messages here, however.
>
> Thanks,
> James Valente
> Associate Director of Information Security
> Salem State University
>
>
>
>
>
> --
>
> *Keith K Hartranft, CISSP, CISM, PCI-DSS ISA & PCIP*
>
> *Chief Information Security Officer*
>
>
> *Lehigh University 610-758-3994 <610-758-3994>*
>
>
>
>
>
> --
>
> --
>    ---------------------------------------------------
>    joel anderson * joela () umn edu *  @joelpetera
>
>    -->  612-625-7389  --> pager: 612-648-6823
>
>    Security Analyst
>
>   University Information Security - University of Minnesota
>
>    http://it.umn.edu/practices-information-security-policy
>
>
>
> "Email is the thermal exhaust port on the Death Star
>
>  of IT infrastructure." - me
>
>
>
>
>
>
>
>
>
> --
>
> *Keith K Hartranft, CISSP, CISM, PCI-DSS ISA & PCIP*
>
> *Chief Information Security Officer*
>
>
> *Lehigh University 610-758-3994 <610-758-3994>*



-- 

*Keith K Hartranft, CISSP, CISM, PCI-DSS ISA & PCIP*
*Chief Information Security Officer*

*Lehigh University610-758-3994*

Attachment: Investigate Phishing Email Diagram_Final.pdf
Description:

Attachment: Sink Protect Phishing Email Diagram_Final.pdf
Description:

Attachment: SEAL Email Account IOC Diagram_Final.pdf
Description:

Attachment: Siem Protect Phishing Email Diagram_Final.pdf
Description: