Re: SOP for Managing Phishing/Ransomware Attempts

[Ravi Tanikella <rtanikella () FORDHAM EDU>]

> Keith,
>
> I would be interested as well. 
>
> Thanks,
- Ravi

> On Aug 17, 2016, at 2:58 PM, Brian Griffith <griffibw () WHITMAN EDU> wrote:
>
> Interested!
>
> Thanks,
>
> Brian Griffith
> Information Security Officer
> Whitman College
>
>
> > On Aug 17, 2016, at 5:07 AM, Kenneth West <kwest () UGA EDU> wrote:
> >
> > I am interested.
> >  
> > Thanks,
> >  
> >  
> >  
> > From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
> > Alexandre Adao
> > Sent: Tuesday, August 16, 2016 10:35 PM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] SOP for Managing Phishing/Ransomware Attempts
> >  
> > I am interested.
> > Thanks,
> >  
> > --Alex Adao
> >  
> >  
> > On Tue, Aug 16, 2016 at 9:56 PM, Amir Akbari <aa3840 () tc columbia edu> wrote:
> > The Infosec team at teachers college is interested too.  Please count us in.
> >  
> > Thanks,
> > Amir
> >  
> >  
> > <image001.jpg>
> >
> > Amir Akbari
> > Chief Information Security Officer
> > 525 West 120th Street, Box 43
> > New York, N.Y. 10027
> > T. 212.678.3920
> > E. amir.akbari () tc columbia edu
> >  
> > On Aug 16, 2016, at 9:49 PM, Rob Cherveny <Rob.Cherveny () UNG EDU> wrote:
> >  
> > UNG is in. 
> >
> > --
> > Rob Cherveny, PMP
> > Director, Information Security 
> > University of North Georgia
> >
> >
> > On Aug 16, 2016, at 18:02, Kyle Kniffin <kyle () POLK EDU> wrote:
> >
> > Please add myself as well.
> >
> >
> > Thanks,
> >
> > Kyle Kniffin
> > Network Engineer
> > Polk State College
> > 999 Ave. H. NE
> > Winter Haven, FL 33881
> > (863) 298-6840
> >
> >
> > ________________________________
> > From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Taylor 
> > Randle <TRandle () PARKER EDU>
> > Sent: Tuesday, August 16, 2016 5:51 PM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] SOP for Managing Phishing/Ransomware Attempts
> >
> >
> > Interested as well. Thanks!
> >
> >
> >
> >
> >
> > Taylor Randle
> > IT Security Manager
> >
> >
> > [Description: Description: Description: 
> > https://www.parker.edu/uploadedImages/0000_Home/0012_Images/Email_Signature/Parker_H_RGB.png]
> >
> >
> > 2540 Walnut Hill Lane, Dallas, TX 75229
> > T: 214.902.2439 | F: 214.902.2431
> > trandle () parker edu<mailto:trandle () parker edu>
> > www.parker.edu<http://www.parker.edu/> | www.parkerseminars.com<http://www.parkerseminars.com/>
> >
> >
> > [Description: Description: Description: 
> > https://www.parker.edu/uploadedImages/0000_Home/0012_Images/Email_Signature/Facebook_Square_RGB.png]<http://www.facebook.com/ParkerUniversity>
> >
> >
> > [Description: Description: Description: 
> > https://www.parker.edu/uploadedImages/0000_Home/0012_Images/Email_Signature/YouTube_Square_RGB.png]<http://www.youtube.com/ParkerUniversity>
> >
> >
> > [Description: Description: Description: 
> > https://www.parker.edu/uploadedImages/0000_Home/0012_Images/Email_Signature/Twitter_Icon_RGB.png]<http://www.twitter.com/ParkerUniv>
> >
> >
> >
> > ................................................
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
> > Miguel Angel Gonzalez de la Torre
> > Sent: Tuesday, August 16, 2016 4:47 PM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] SOP for Managing Phishing/Ransomware Attempts
> >
> >
> >
> > Count me in… and thanks for sharing…
> >
> >
> >
> > Ing. Miguel Angel González de la Torre, MCC
> >
> > Director Seguridad de la Información
> > Dirección de Tecnologías de Información
> >
> > Contáctame por Skype for Bussines<sip:mglez () itesm mx>
> >
> > Tel.: 52 (81) 8158 2000, ext. 2936. Fax: 81 81582287
> > Enlace intercampus: 80-689-2936.
> >
> >
> >
> > From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jeff 
> > Choo
> > Sent: martes, 16 de agosto de 2016 04:18 p. m.
> > To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
> > Subject: Re: [SECURITY] SOP for Managing Phishing/Ransomware Attempts
> >
> >
> >
> > Me too!  Thanks!
> >
> >
> >
> >
> >
> > Jeff Choo - Director, Information Technology | Information Security Officer
> >
> > William James College
> >
> > One Wells Avenue, Newton, MA 02459
> >
> > Helpdesk: 617-327-6777 x1600
> >
> > Direct: 617-564-9344
> >
> > Email: jeff_choo () williamjames edu<mailto:jeff_choo () williamjames edu>
> >
> >
> >
> >
> >
> >
> >
> > From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
> > Theresa Semmens
> > Sent: Tuesday, August 16, 2016 5:11 PM
> > To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
> > Subject: Re: [SECURITY] SOP for Managing Phishing/Ransomware Attempts
> >
> >
> >
> > Count NDSU in please.
> >
> >
> >
> > Theresa Semmens, CISA
> >
> > NDSU Chief Information Security Officer
> >
> > Director, Records Management
> >
> > Office: 210D Quentin Burdick Building
> >
> > Mail: NDSU Dept 4500
> >
> > PO Box 6050
> >
> > Fargo, ND 58108-6050
> >
> > P: 701-231-5870
> >
> > F: 701-231-8541
> >
> > E: Theresa.Semmens () ndsu edu<mailto:Theresa.Semmens () ndsu edu>
> >
> > www.ndsu.edu/its/security<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.ndsu.edu_its_security&d=CwMGaQ&c=Gm3BBxc8aT6kWRgL0BN82PxksiHdQKp4W7aI7_AdSxA&r=xDtDABfGYGJ71kVjoddAkDo50mNveYXRZ9AXjiL6brc&m=FOLZnPoCGyTUZIXQa90OLoYS6HoVim6k63qCrXxxzUM&s=-olvvXYgT4Vx-gUGao4S_iClPLMiUw0ZIj901UU3MI0&e=>
> >
> >
> >
> > From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Andy 
> > Morgan
> > Sent: Tuesday, August 16, 2016 2:39 PM
> > To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
> > Subject: [SECURITY] SOP for Managing Phishing/Ransomware Attempts
> >
> >
> >
> > Count me in
> >
> >
> >
> > From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David 
> > D Grisham.
> > Sent: August 16, 2016 3:35 PM
> > To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
> > Subject: Re: [SECURITY] SOP for Managing Phishing/Ransomware Attempts
> >
> >
> >
> > Please count me in.
> >
> > Cheers.-grish
> >
> > David Grisham
> >
> > David Grisham, PhD, CISM, CRISC,  CHS III
> >
> > Manager, ITSecurity, UNM Hospitals, UNM Health Science Center
> >
> > 505.272.5657
> >
> > Dgrisham () salud UNM edu<mailto:Dgrisham () salud UNM edu>
> >
> >
> >
> >
> >
> >
> >
> > From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
> > Bertone, John
> > Sent: Tuesday, August 16, 2016 1:17 PM
> > To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
> > Subject: Re: [SECURITY] SOP for Managing Phishing/Ransomware Attempts
> >
> >
> >
> > Keith,
> >
> >
> >
> > I would be interested .
> >
> >
> >
> > Thanks,
> >
> >
> >
> > John
> >
> >
> >
> > John Bertone
> >
> > Director of Network Operations
> >
> > Bunker Hill Community College
> >
> > 250 Rutherford Ave
> >
> > Boston, MA 02129
> >
> > Email: jbertone () bhcc mass edu<mailto:jbertone () bhcc mass edu>
> >
> > Phone: 617-228-3460
> >
> > Mobile: 617-959-4366
> >
> >
> >
> > From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Keith 
> > Hartranft
> > Sent: Tuesday, August 16, 2016 1:22 PM
> > To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
> > Subject: Re: [SECURITY] SOP for Managing Phishing/Ransomware Attempts
> >
> >
> >
> > Hi all,
> >
> >
> >
> > I've been asked by some folks to share our flow processes for anti-phishing and please know I'm happy to do so. If 
> > there is sufficient interest I'd also be happy to arrange a Webcast of some sort to do a walk through of the process.
> >
> >
> >
> > Thanks,
> >
> >
> >
> > Keith
> >
> >
> >
> > On Sat, Aug 13, 2016 at 12:11 PM, Joel Anderson <joela () umn edu<mailto:joela () umn edu>> wrote:
> >
> > FWIW, I describe a lot of what we've been doing in a SANS paper, including using "honeypeeps" to identify phisher's 
> > source IP addresses.  We also maintain a blog 
> > (phishing.it.umn.edu<https://urldefense.proofpoint.com/v2/url?u=http-3A__phishing.it.umn.edu&d=CwMGaQ&c=Gm3BBxc8aT6kWRgL0BN82PxksiHdQKp4W7aI7_AdSxA&r=xDtDABfGYGJ71kVjoddAkDo50mNveYXRZ9AXjiL6brc&m=FOLZnPoCGyTUZIXQa90OLoYS6HoVim6k63qCrXxxzUM&s=i66JthojdOlcA91D4VaNLB6tOhFWTGZS-FZ6eTkcZw8&e=>)
> >  to highlight phishing campaigns and post advisories.
> >
> >
> >
> > Reducing the Catch: Fighting Spear-Phishing in a Large Organization
> >
> > https://www.sans.org/reading-room/whitepapers/forensics/reducing-catch-fighting-spear-phishing-large-organization-35547<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.sans.org_reading-2Droom_whitepapers_forensics_reducing-2Dcatch-2Dfighting-2Dspear-2Dphishing-2Dlarge-2Dorganization-2D35547&d=CwMGaQ&c=Gm3BBxc8aT6kWRgL0BN82PxksiHdQKp4W7aI7_AdSxA&r=xDtDABfGYGJ71kVjoddAkDo50mNveYXRZ9AXjiL6brc&m=FOLZnPoCGyTUZIXQa90OLoYS6HoVim6k63qCrXxxzUM&s=buD-sRg0k82ERSiNNo3rd_oVbCZNEdhcD9xFX-suQRQ&e=>
> >
> >
> >
> >
> > On Thu, Aug 11, 2016 at 8:39 AM, Keith Hartranft <kkh288 () lehigh edu<mailto:kkh288 () lehigh edu>> wrote:
> >
> > Hello all,
> >
> >
> >
> > We do have a somewhat formalized process for Phishing emails and it has been flowcharted. I'd be happy to share 
> > these with RI folks and we've talked about (Doug help please?) a central place/wiki for that.
> >
> >
> >
> > I will say the process is specific to how our systems are structured but I think there are some things that all 
> > organizations might find useful in our process.
> >
> >
> >
> > A few things to note:
> >
> >
> >
> > *   We have not "pulled" phishing emails from mailboxes. We do however note particularly good ones, note who has 
> > "opened" them, and watch for suspicious logons from those users with our SIEM dashes. Particularly good phishes we 
> > also "seed" with peep accounts and then monitor those locations more closely
> > *   We run our own DNS block (Malwaredomains) which helps mitigate on campus access. You may get that feed as well 
> > ..... in a variety of ways. We also report to Google Safebrowsing, Phishtank, Symantec, ThreatStream via HiTrust 
> > .... which gets links into Browser and many AV Browser/reputation blocks VERY quickly.
> > *   We use GMail content filters to protect many users from common phishes that would have gotten through in the 
> > past. We react with new rules when new "more inventive?" phishes occur. I think this has had significant impact on 
> > phish reduction ...... but with the semester about to begin, we'll see for certain.
> > *   We post phishes to our Help pages and warnings. If the phish is particular good or generates a high level of 
> > calls or response .... we send a campus notification. (As we had last year with a "Terror Threat Email") It should 
> > be noted that a second round of "Terror Threat" attempts was almost totally mitigated by the content compliance 
> > filters.
> > *   We do some limited data mining via Vault for new phishes that miss the content compliance net and respond 
> > accordingly.
> > *   We notify senders of possible account compromise if in the edu or gov spaces. We sometimes notify hosts if they 
> > are particularly responsive (Formcrafts you can 404 the site by reporting)
> >
> > I think those are the highlights. Any questions ...... fire away!
> >
> >
> >
> > Thanks,
> >
> >
> >
> > Keith
> >
> >
> >
> > On Thu, Aug 11, 2016 at 1:46 AM, Steven Alexander <steven.alexander () kccd edu<mailto:steven.alexander () kccd 
> > edu>> wrote:
> >
> > I'm new to my role so I don't know if we've had objections in the past, but we do pull phishing/malicious emails 
> > from our user's inboxes.  Once we've identified that the content is dangerous, the safest option is to remove it.  
> > Simply alerting people that the content is dangerous might reduce click rates substantially, but it won't reduce 
> > them to zero.  I'd rather have to defend the decision to pull than deal with a breach or a ransomware infection.
> >
> > I think the best approach is to be up front set clear ground rules for when this capability can be used.  If it's 
> > only used to pull emails with malicious attachments and phishing links, there shouldn't be many objections.  If it's 
> > used to stifle a discussion, even once, it will be hard to regain the trust of your faculty and other users.
> >
> > Steven Alexander
> > Director of IT Security
> > Kern Community College District
> >
> > ________________________________
> > From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () 
> > LISTSERV EDUCAUSE EDU>] on behalf of James Valente [jvalente () SALEMSTATE EDU<mailto:jvalente () SALEMSTATE EDU>]
> > Sent: Wednesday, August 10, 2016 3:31 PM
> > To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
> > Subject: Re: [SECURITY] SOP for Managing Phishing/Ransomware Attempts
> >
> > <snip>
> >
> > Also, RE: Removing malicious messages. I know this has come up in other discussions amongst schools and a few people 
> > have mentioned that there have been members of the faculty who get very upset if messages are deleted. We haven't 
> > tried to pull or delete messages here, however.
> >
> > Thanks,
> > James Valente
> > Associate Director of Information Security
> > Salem State University
> >
> >
> >
> >
> >
> > --
> >
> > Keith K Hartranft, CISSP, CISM, PCI-DSS ISA & PCIP
> >
> > Chief Information Security Officer
> >
> > Lehigh University
> > 610-758-3994<tel:610-758-3994>
> >
> >
> >
> >
> >
> > --
> >
> > --
> >  ---------------------------------------------------
> >  joel anderson * joela () umn edu<mailto:joela () umn edu> *  @joelpetera
> >
> >  -->  612-625-7389<tel:612-625-7389>  --> pager: 612-648-6823<tel:612-648-6823>
> >
> >  Security Analyst
> >
> > University Information Security - University of Minnesota
> >
> >  
> > http://it.umn.edu/practices-information-security-policy<https://urldefense.proofpoint.com/v2/url?u=http-3A__it.umn.edu_practices-2Dinformation-2Dsecurity-2Dpolicy&d=CwMGaQ&c=Gm3BBxc8aT6kWRgL0BN82PxksiHdQKp4W7aI7_AdSxA&r=xDtDABfGYGJ71kVjoddAkDo50mNveYXRZ9AXjiL6brc&m=FOLZnPoCGyTUZIXQa90OLoYS6HoVim6k63qCrXxxzUM&s=pgsvPPVj3iMpV33j2cPpmFBaJM54TQbKSmQQxIbzA88&e=>
> >
> >
> >
> > "Email is the thermal exhaust port on the Death Star
> >
> > of IT infrastructure." - me
> >
> >
> >
> > [https://acclaim-production-app.s3.amazonaws.com/images/410bb477-13b7-49bb-a019-8ebbe087a565/Template_GSNA.png]
> >
> >
> >
> >
> >
> >
> >
> > --
> >
> > Keith K Hartranft, CISSP, CISM, PCI-DSS ISA & PCIP
> >
> > Chief Information Security Officer
> >
> > Lehigh University
> > 610-758-3994
> >
> > This message may contain confidential information intended only for the individual named. If you received this 
> > message by mistake, please let the sender know by e-mail reply and delete it from your system. If you are not the 
> > intended recipient you are hereby notified that disclosing, copying, distributing or taking any action in reliance 
> > on the contents of this information is strictly prohibited.
> >
> > ________________________________
> >
> > Please Note: Due to Florida's very broad public records law, most written communications to or from College 
> > employees regarding College business are public records, available to the public and media upon request. Therefore, 
> > this email communication may be subject to public disclosure.
> >
> > Save a tree - Think before you print this email
> >  
> >
> >
> >  
> > --
> > =============================================
> > Alexandre Magno Adão
> > Director of Information Security
> > Morgan State University (CGW 300k)
> > Office of  Information Technology (OIT)
> > 443-443-885-4415 Office
> > 443-803-3154 Cell