Educause Security Discussion mailing list archives

Previous By Date Next
Previous By Thread Next

Re: SOP for Managing Phishing/Ransomware Attempts

From: "Hall, Rand" <hallr () MERRIMACK EDU>
Date: Wed, 17 Aug 2016 09:31:09 -0400
Another Google Apps consideration: Resetting user-Authorized access to
services <https://support.google.com/a/answer/2537800?hl=en#auth>. IIRC,
I've seen user-authorized services (like iOS Mail) continue to be used
after password change/restoration.


Rand

Rand P. Hall
Director, Network Services                 askIT!
Merrimack College
978-837-3532
rand.hall () merrimack edu

If I had an hour to save the world, I would spend 55 minutes defining the
problem and five minutes finding solutions. – Einstein

On Tue, Aug 16, 2016 at 3:40 PM, Frank Barton <bartonf () husson edu> wrote:


Keith, one thing that I would add to your "checklist" - not only remove
forwarding addresses, but also check for filters that don't make sense -
we've seen filters: "Delete: to:me" so that people don't get the responses
going "WTF"

I've also used the presence of that filter as an indication of compromise

Frank

On Tue, Aug 16, 2016 at 3:34 PM, David D Grisham <DGrisham () salud unm edu>
wrote:


Please count me in.

Cheers.-grish

*David Grisham*

David Grisham, PhD, CISM, CRISC,  CHS III

Manager, ITSecurity, UNM Hospitals, UNM Health Science Center

505.272.5657

Dgrisham () salud UNM edu







*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Bertone, John
*Sent:* Tuesday, August 16, 2016 1:17 PM

*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] SOP for Managing Phishing/Ransomware Attempts



Keith,



I would be interested .



Thanks,



John



John Bertone

Director of Network Operations

Bunker Hill Community College

250 Rutherford Ave

Boston, MA 02129

Email: jbertone () bhcc mass edu

Phone: 617-228-3460

Mobile: 617-959-4366



*From:* The EDUCAUSE Security Constituent Group Listserv [
mailto:SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>] *On
Behalf Of *Keith Hartranft
*Sent:* Tuesday, August 16, 2016 1:22 PM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] SOP for Managing Phishing/Ransomware Attempts



Hi all,



I've been asked by some folks to share our flow processes for
anti-phishing and please know I'm happy to do so. If there is sufficient
interest I'd also be happy to arrange a Webcast of some sort to do a walk
through of the process.



Thanks,



Keith



On Sat, Aug 13, 2016 at 12:11 PM, Joel Anderson <joela () umn edu> wrote:

FWIW, I describe a lot of what we've been doing in a SANS paper,
including using "honeypeeps" to identify phisher's source IP addresses.  We
also maintain a blog (phishing.it.umn.edu) to highlight phishing
campaigns and post advisories.



*Reducing the Catch: Fighting Spear-Phishing in a Large Organization*

https://www.sans.org/reading-room/whitepapers/forensics/redu
cing-catch-fighting-spear-phishing-large-organization-35547



On Thu, Aug 11, 2016 at 8:39 AM, Keith Hartranft <kkh288 () lehigh edu>
wrote:

Hello all,



We do have a somewhat formalized process for Phishing emails and it has
been flowcharted. I'd be happy to share these with RI folks and we've
talked about (Doug help please?) a central place/wiki for that.



I will say the process is specific to how our systems are structured but
I think there are some things that all organizations might find useful in
our process.



A few things to note:



   - We have not "pulled" phishing emails from mailboxes. We do however
   note particularly good ones, note who has "opened" them, and watch for
   suspicious logons from those users with our SIEM dashes. Particularly good
   phishes we also "seed" with peep accounts and then monitor those locations
   more closely
   - We run our own DNS block (Malwaredomains) which helps mitigate on
   campus access. You may get that feed as well ..... in a variety of ways. We
   also report to Google Safebrowsing, Phishtank, Symantec, ThreatStream via
   HiTrust .... which gets links into Browser and many AV Browser/reputation
   blocks VERY quickly.
   - We use GMail content filters to protect many users from common
   phishes that would have gotten through in the past. We react with new rules
   when new "more inventive?" phishes occur. I think this has had significant
   impact on phish reduction ...... but with the semester about to begin,
   we'll see for certain.
   - We post phishes to our Help pages and warnings. If the phish is
   particular good or generates a high level of calls or response .... we send
   a campus notification. (As we had last year with a "Terror Threat Email")
   It should be noted that a second round of "Terror Threat" attempts was
   almost totally mitigated by the content compliance filters.
   - We do some limited data mining via Vault for new phishes that miss
   the content compliance net and respond accordingly.
   - We notify senders of possible account compromise if in the edu or
   gov spaces. We sometimes notify hosts if they are particularly responsive
   (Formcrafts you can 404 the site by reporting)

I think those are the highlights. Any questions ...... fire away!



Thanks,



Keith



On Thu, Aug 11, 2016 at 1:46 AM, Steven Alexander <
steven.alexander () kccd edu> wrote:

I'm new to my role so I don't know if we've had objections in the past,
but we do pull phishing/malicious emails from our user's inboxes.  Once
we've identified that the content is dangerous, the safest option is to
remove it.  Simply alerting people that the content is dangerous might
reduce click rates substantially, but it won't reduce them to zero.  I'd
rather have to defend the decision to pull than deal with a breach or a
ransomware infection.

I think the best approach is to be up front set clear ground rules for
when this capability can be used.  If it's only used to pull emails with
malicious attachments and phishing links, there shouldn't be many
objections.  If it's used to stifle a discussion, even once, it will be
hard to regain the trust of your faculty and other users.

Steven Alexander
Director of IT Security
Kern Community College District

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [
SECURITY () LISTSERV EDUCAUSE EDU] on behalf of James Valente [
jvalente () SALEMSTATE EDU]
Sent: Wednesday, August 10, 2016 3:31 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] SOP for Managing Phishing/Ransomware Attempts

<snip>


Also, RE: Removing malicious messages. I know this has come up in other
discussions amongst schools and a few people have mentioned that there have
been members of the faculty who get very upset if messages are deleted. We
haven't tried to pull or delete messages here, however.

Thanks,
James Valente
Associate Director of Information Security
Salem State University





--

*Keith K Hartranft, CISSP, CISM, PCI-DSS ISA & PCIP*

*Chief Information Security Officer*


*Lehigh University 610-758-3994 <610-758-3994>*





--

--
   ---------------------------------------------------
   joel anderson * joela () umn edu *  @joelpetera

   -->  612-625-7389  --> pager: 612-648-6823

   Security Analyst

  University Information Security - University of Minnesota

   http://it.umn.edu/practices-information-security-policy



"Email is the thermal exhaust port on the Death Star

 of IT infrastructure." - me









--

*Keith K Hartranft, CISSP, CISM, PCI-DSS ISA & PCIP*

*Chief Information Security Officer*


*Lehigh University 610-758-3994 <610-758-3994>*





--
Frank Barton
ACMT
IT Systems Administrator
Husson University
Previous By Date Next
Previous By Thread Next

Current thread: