Educause Security Discussion mailing list archives
Re: SOP for Managing Phishing/Ransomware Attempts
From: Keith Hartranft <kkh288 () LEHIGH EDU>
Date: Tue, 23 Aug 2016 10:46:34 -0400
Thank you Paul,

And yes, we also do incorporate Takedown notices into our process (not shown) but for most hosters it is LAST and sometimes pretty futile. The only hoster thus far where we process it early is Formcrafts where if you click "abuse" (attackers sometimes hide it) and fill out the form with legit information, it immediately 404's the site. If the Formcrafts site is numbered we then move several numbers in either direction and also report those as well, as attackers make several copies of the site and send multiple emails. I gotta hand it to Formcrafts for this feature. It's tedious but it works!

As for other providers, I'd say Weebly and Wix do reasonably well, however in the upcoming presentation (yes, it's coming ....) I'll try to demo how fast Avast and Google Safebrowsing "pick up" Phishtank submissions. Not to "plug" anything specific but it's neat to see. You go to the phishing site, sit on the phishing site, submit to Phishtank, and have Avast notify you that the site is "dangerous" in about 5 minutes. We find the browser blocks and AV/Site reputation blocks work much faster for our off campus folks than takedowns. Please know I'm happy to be a "verifier" for any teams using this process!

We also find that notification to the sending/abused email (especially if .edu or .gov) results in fewer incoming emails as well, and we try to do that ahead of processing any takedowns.

Thanks all for your interest!

Keith

On Tue, Aug 23, 2016 at 9:58 AM, Dicovitsky, Paul <pdicovitsky () middlebury edu> wrote:

Keith,

Thank you kindly for sharing your Phishing Attack incident response processes. We've developed similar procedures in-house, so I found it fascinating to compare notes.

We incorporate takedown requests into our Phishing Attack Incident Response Process. The idea is to identify the hosting provider for the phishing message's landing page, reach out to their abuse desk, and request that they take down the page. Some hosting providers have proven to be very helpful in this matter. When it works, the takedown requests protect our users, even when they are off campus, and outside some of our more traditional protection capabilities.

Here are some handy links for hosting providers that we've worked with on recent takedowns:

https://www.yola.com/support/contact/report-abuse
https://www.weebly.com/spam
http://support.strikingly.com/hc/en-us/articles/206051452-Identifying-and-Reporting-Phishing-Websites

I'd be very interested in discussing compromised account mitigation strategies with institutions that have migrated mail to Exchange Online and/or Office 365 as well as Google Mail. What are people's experiences with Exchange Online's native capabilities to detect compromised accounts and block outgoing spam floods? Perhaps a separate thread is in order?

Thanks,

Paul Dicovitsky
Network Security Administrator | ITS
Middlebury College
802-443-5085

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Keith Hartranft
Sent: Tuesday, August 16, 2016 3:38 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] SOP for Managing Phishing/Ransomware Attempts

Hello David,

Attached are the anti-phishing flow processes you requested. They may need some explanation for the steps to be most effective and I'm working to arrange a Zoomcast or meeting of some sort to do just that. I'll let you know when that is arranged.

Thanks,

Keith

On Tue, Aug 16, 2016 at 3:34 PM, David D Grisham <DGrisham () salud unm edu> wrote:

Please count me in. Cheers.

-grish

David Grisham, PhD, CISM, CRISC, CHS III
Manager, IT Security, UNM Hospitals, UNM Health Science Center
505.272.5657
Dgrisham () salud UNM edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bertone, John
Sent: Tuesday, August 16, 2016 1:17 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] SOP for Managing Phishing/Ransomware Attempts

Keith,

I would be interested.

Thanks,
John

John Bertone
Director of Network Operations
Bunker Hill Community College
250 Rutherford Ave
Boston, MA 02129
Email: jbertone () bhcc mass edu
Phone: 617-228-3460
Mobile: 617-959-4366

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Keith Hartranft
Sent: Tuesday, August 16, 2016 1:22 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] SOP for Managing Phishing/Ransomware Attempts

Hi all,

I've been asked by some folks to share our flow processes for anti-phishing and please know I'm happy to do so. If there is sufficient interest I'd also be happy to arrange a Webcast of some sort to do a walk through of the process.

Thanks,

Keith

On Sat, Aug 13, 2016 at 12:11 PM, Joel Anderson <joela () umn edu> wrote:

FWIW, I describe a lot of what we've been doing in a SANS paper, including using "honeypeeps" to identify phishers' source IP addresses. We also maintain a blog (phishing.it.umn.edu) to highlight phishing campaigns and post advisories.

Reducing the Catch: Fighting Spear-Phishing in a Large Organization
https://www.sans.org/reading-room/whitepapers/forensics/reducing-catch-fighting-spear-phishing-large-organization-35547

On Thu, Aug 11, 2016 at 8:39 AM, Keith Hartranft <kkh288 () lehigh edu> wrote:

Hello all,

We do have a somewhat formalized process for Phishing emails and it has been flowcharted. I'd be happy to share these with RI folks and we've talked about (Doug help please?) a central place/wiki for that. I will say the process is specific to how our systems are structured but I think there are some things that all organizations might find useful in our process.

A few things to note:

- We have not "pulled" phishing emails from mailboxes. We do however note particularly good ones, note who has "opened" them, and watch for suspicious logons from those users with our SIEM dashes. Particularly good phishes we also "seed" with peep accounts and then monitor those locations more closely.
- We run our own DNS block (Malwaredomains) which helps mitigate on campus access. You may get that feed as well ..... in a variety of ways. We also report to Google Safebrowsing, Phishtank, Symantec, ThreatStream via HiTrust .... which gets links into Browser and many AV Browser/reputation blocks VERY quickly.
- We use GMail content filters to protect many users from common phishes that would have gotten through in the past. We react with new rules when new "more inventive?" phishes occur. I think this has had significant impact on phish reduction ...... but with the semester about to begin, we'll see for certain.
- We post phishes to our Help pages and warnings. If the phish is particularly good or generates a high level of calls or response .... we send a campus notification. (As we had last year with a "Terror Threat Email") It should be noted that a second round of "Terror Threat" attempts was almost totally mitigated by the content compliance filters.
- We do some limited data mining via Vault for new phishes that miss the content compliance net and respond accordingly.
- We notify senders of possible account compromise if in the edu or gov spaces. We sometimes notify hosts if they are particularly responsive (Formcrafts you can 404 the site by reporting).

I think those are the highlights. Any questions ...... fire away!

Thanks,

Keith

On Thu, Aug 11, 2016 at 1:46 AM, Steven Alexander <steven.alexander () kccd edu> wrote:

I'm new to my role so I don't know if we've had objections in the past, but we do pull phishing/malicious emails from our users' inboxes. Once we've identified that the content is dangerous, the safest option is to remove it. Simply alerting people that the content is dangerous might reduce click rates substantially, but it won't reduce them to zero. I'd rather have to defend the decision to pull than deal with a breach or a ransomware infection.

I think the best approach is to be up front and set clear ground rules for when this capability can be used. If it's only used to pull emails with malicious attachments and phishing links, there shouldn't be many objections. If it's used to stifle a discussion, even once, it will be hard to regain the trust of your faculty and other users.

Steven Alexander
Director of IT Security
Kern Community College District

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of James Valente [jvalente () SALEMSTATE EDU]
Sent: Wednesday, August 10, 2016 3:31 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] SOP for Managing Phishing/Ransomware Attempts

<snip>

Also, RE: Removing malicious messages. I know this has come up in other discussions amongst schools and a few people have mentioned that there have been members of the faculty who get very upset if messages are deleted. We haven't tried to pull or delete messages here, however.

Thanks,

James Valente
Associate Director of Information Security
Salem State University

--
Keith K Hartranft, CISSP, CISM, PCI-DSS ISA & PCIP
Chief Information Security Officer
Lehigh University 610-758-3994

--
joel anderson * joela () umn edu * @joelpetera --> 612-625-7389 --> pager: 612-648-6823
Security Analyst
University Information Security - University of Minnesota
http://it.umn.edu/practices-information-security-policy
"Email is the thermal exhaust port on the Death Star of IT infrastructure." - me
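Keith's Aug 11 message describes noting who "opened" a particularly good phish and then watching for suspicious logons from those users in the SIEM. The following is an added illustration of that correlation, written for this archive and not Lehigh's or any participant's tooling: it takes a constructed list of phish openers, a constructed per-user baseline of normal source networks, and constructed authentication log lines, and flags successful logons by openers from outside their baseline within an assumed three-day watch window.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample: users who opened the reported phish, with the open time
# (in practice this would come from mail or web-proxy logs).
PHISH_OPENERS = {
    "alice": datetime(2016, 8, 11, 9, 5),
    "bob": datetime(2016, 8, 11, 9, 20),
}

# Constructed baseline: networks each user normally authenticates from
# (documentation ranges stand in for campus and VPN address space).
BASELINE = {
    "alice": ["192.0.2.0/24", "10.0.0.0/8"],
    "bob": ["192.0.2.0/24"],
    "carol": ["192.0.2.0/24"],
}

# Constructed authentication log, one "timestamp user source_ip result" per line.
AUTH_LOG = """\
2016-08-11T09:30:00 alice 192.0.2.14 success
2016-08-11T13:45:10 alice 203.0.113.77 success
2016-08-11T10:02:00 bob 192.0.2.40 success
2016-08-11T23:15:00 bob 198.51.100.12 failure
2016-08-12T00:01:00 bob 198.51.100.12 success
2016-08-11T11:00:00 carol 203.0.113.5 success
"""

def parse_auth_log(text):
    """Parse the simple log format above into (timestamp, user, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return events

def in_baseline(user, ip):
    """True if ip falls inside one of the user's known-good networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in BASELINE.get(user, []))

def suspicious_logons(events, openers, window=timedelta(days=3)):
    """Successful logons by phish openers, after the open and within the watch
    window, from outside the user's baseline. Failures are ignored: the signal
    here is a *successful* logon from an unfamiliar place after a known open."""
    hits = []
    for ts, user, ip, result in events:
        opened = openers.get(user)
        if opened is None or result != "success":
            continue
        if opened <= ts <= opened + window and not in_baseline(user, ip):
            hits.append((user, ts.isoformat(), ip))
    return hits
```

carol's off-baseline logon is not flagged because she is not on the opener list; a real dashboard would still show it, but with lower priority than an opener's.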