Educause Security Discussion mailing list archives

Re: SOP for Managing Phishing/Ransomware Attempts


From: James Valente <jvalente () SALEMSTATE EDU>
Date: Wed, 10 Aug 2016 22:31:09 +0000

I wrote up a script a while back that parsed the syslog output from our email firewall and could alert us to possible 
phishing attempts.

Every 30 minutes it will grab the last 45 minutes of log entries and pull out the sender name and source IP and will 
alert if either has a certain number of hits. It took a while of tweaking to get it high enough that regular email 
traffic wasn't setting off alerts while still alerting us to as many real phishing attempts as possible. I found that 
it was important to also check the source IP because we've had spoofed email addresses that differ with each recipient 
and no alert would be set off. Checking both increases the chances of picking something up. I had to add code to 
ignore certain senders, servers, or domains (internal mailservers, constantcontact, pretty much anything that regularly 
sends bulk messages).

Along with asking users to report phishing to our security mail, it really helps to cut down our maximum response time 
during the day to about 30 minutes, though it's usually much faster.
Once we get the alerts or reported messages, we can pull a list of recipients off the firewall and blast out a mass 
warning to everyone that the message was a phish, to delete/ignore it, and contact the Information Security department 
if they already entered their credentials.

The number of users who have fallen for a phish since we started doing this has dropped by about 90%, I believe.

I'm guessing some email firewalls already allow you to configure alerts like this, but our Barracuda does not.

Also, RE: Removing malicious messages. I know this has come up in other discussions amongst schools and a few people 
have mentioned that there have been members of the faculty who get very upset if messages are deleted. We haven't tried 
to pull or delete messages here, however.

Thanks,
James Valente
Associate Director of Information Security
Salem State University
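The sliding-window threshold logic James describes above, written out as an added example. This is not his script and not any vendor's log format: the syslog line layout, field names, thresholds, window size, sample log lines and the allowlisted senders, domains and IPs are all constructed for illustration and would have to be adapted to a real gateway. It counts hits per sender address and, separately, per source IP over the last 45 minutes, skips allowlisted bulk senders, and shows why the per-IP count matters when a campaign spoofs a different sender for every recipient.

```python
"""Threshold alerting over mail-gateway syslog lines (constructed example)."""
from __future__ import annotations

import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed line format, constructed for this example; a real gateway's syslog
# output differs and LINE_RE would need to match it instead.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) mailgw: "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> ip=(?P<ip>[\d.]+)$"
)

# Placeholder tuning values; the post notes these took a while to tune so that
# normal traffic stays below them while real campaigns trip them.
WINDOW = timedelta(minutes=45)
SENDER_THRESHOLD = 5   # hits from one sender address within WINDOW
IP_THRESHOLD = 5       # hits from one source IP within WINDOW

# Things that legitimately send in bulk (all placeholder values).
IGNORED_SENDERS = {"noreply@salem.example"}
IGNORED_DOMAINS = {"constantcontact.example"}   # bulk-mail provider, placeholder
IGNORED_IPS = {"10.0.0.25"}                      # e.g. an internal mail server


def parse_line(line: str) -> dict | None:
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "sender": m["sender"].lower(),
        "rcpt": m["rcpt"].lower(),
        "ip": m["ip"],
    }


def is_ignored(entry: dict) -> bool:
    """Allowlist check on sender address, sender domain and source IP."""
    domain = entry["sender"].rpartition("@")[2]
    return (entry["sender"] in IGNORED_SENDERS
            or domain in IGNORED_DOMAINS
            or entry["ip"] in IGNORED_IPS)


def find_suspects(lines, now: datetime) -> tuple[dict, dict]:
    """Count hits per sender and per source IP inside (now - WINDOW, now].

    Returns two dicts: {sender: hits} and {ip: hits}, each holding only the
    keys that reached their threshold. Either one firing is an alert.
    """
    by_sender: Counter = Counter()
    by_ip: Counter = Counter()
    cutoff = now - WINDOW
    for line in lines:
        e = parse_line(line)
        if e is None or not (cutoff < e["ts"] <= now) or is_ignored(e):
            continue
        by_sender[e["sender"]] += 1
        by_ip[e["ip"]] += 1
    senders = {s: n for s, n in by_sender.items() if n >= SENDER_THRESHOLD}
    ips = {ip: n for ip, n in by_ip.items() if n >= IP_THRESHOLD}
    return senders, ips


def _line(ts: str, sender: str, rcpt: str, ip: str) -> str:
    return f"{ts} mailgw: from=<{sender}> to=<{rcpt}> ip={ip}"


NOW = datetime(2016, 8, 10, 18, 0, 0)

# Constructed sample log covering the cases discussed in the post.
SAMPLE_LOG = (
    # One hit from a sender outside the 45-minute window: must not count.
    [_line("2016-08-10T16:00:00", "it-help@example.net", "u0@salem.example", "203.0.113.7")]
    # Classic campaign: same sender and IP to five recipients -> both alert.
    + [_line(f"2016-08-10T17:3{i}:00", "it-help@example.net", f"u{i}@salem.example", "203.0.113.7")
       for i in range(5)]
    # Spoofed campaign: a different sender per recipient, one source IP -> IP alert only.
    + [_line(f"2016-08-10T17:4{i}:00", f"spoof{i}@salem.example", f"v{i}@salem.example", "198.51.100.9")
       for i in range(5)]
    # Allowlisted bulk-mail domain: never counted.
    + [_line(f"2016-08-10T17:5{i}:00", "news@constantcontact.example", f"w{i}@salem.example", "192.0.2.4")
       for i in range(6)]
    # Allowlisted internal server: never counted.
    + [_line(f"2016-08-10T17:5{i}:00", "staff@salem.example", f"x{i}@salem.example", "10.0.0.25")
       for i in range(6)]
    + ["this line is not in the expected format"]
)

if __name__ == "__main__":
    hot_senders, hot_ips = find_suspects(SAMPLE_LOG, NOW)
    for s, n in hot_senders.items():
        print(f"ALERT sender {s}: {n} hits in last {WINDOW}")
    for ip, n in hot_ips.items():
        print(f"ALERT source IP {ip}: {n} hits in last {WINDOW}")
```

Run every 30 minutes with a 45-minute window, as in the post, a message near a window boundary is counted by two consecutive runs, which is the intended overlap; de-duplicating alerts for the same sender or IP across runs is left to whatever opens the ticket. The spoofed campaign in the sample never reaches the sender threshold, which is exactly the gap the per-IP count closes.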
________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Christopher 
Jones [Christopher.Jones () UFV CA]
Sent: Wednesday, August 10, 2016 17:56
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] SOP for Managing Phishing/Ransomware Attempts

We are looking at revamping our current procedures for managing phishing and ransomware attempts. What we have in 
place now is fairly informal, but are looking to develop a more formal plan. If anyone has gone through this process 
and would be willing to share, that would be most appreciated. Specifically, we could use information such as:

     1. Thresholds for when to generate general university-wide alerts
     2. Number of phishing messages received before a “search and destroy” operation is implemented to remove malicious 
messages from inboxes

Thanks.

Christopher Jones
IT Security Analyst
University of the Fraser Valley
Christopher.Jones () ufv ca
