Educause Security Discussion mailing list archives
Re: SOP for Managing Phishing/Ransomware Attempts
From: "Fisch, Neal" <Neal.Fisch () CSUCI EDU>
Date: Thu, 18 Aug 2016 15:46:00 +0000
Count me in as well Keith and thanks! Neal Fisch Director, Enterprise Services and Security Information Security Officer Division of Technology & Communication California State University Channel Islands One University Drive, Camarillo CA 93012 Solano Hall – Room 2178 Email: neal.fisch () csuci edu<mailto:neal.fisch () csuci edu> Voice: 805-437-3278 | Mobile: 805-443-6529 | Fax: 805-437-3377 [EXT_IS] From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Keith Hartranft Sent: Tuesday, August 16, 2016 12:30 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] SOP for Managing Phishing/Ransomware Attempts Hello Karen, Attached are the anti-phishing flow processes you requested. They may need some explanation for the steps to be most effective and I'm working to arrange a Zoomcast or meeting of some sort to do just that. I'll let you know when that is arranged. Thanks, Keith On Tue, Aug 16, 2016 at 3:10 PM, McDowell, Karen (krm6r) <krm6r () virginia edu<mailto:krm6r () virginia edu>> wrote: Keith, I’m interested, too. Thanks for all this info. Karen ================================== Karen McDowell, Ph.D., GCIH Information Security Analyst, ISPRO, University of Virginia 2400 Old Ivy Road, Charlottesville, VA 22903 http://www.virginia.edu/informationsecurity http://securingthehuman.org http://stopthinkconnect.org 434-924-9815<tel:434-924-9815> Find UVa ISPRO on social media: Like us on Facebook.com/uvaispro Follow us on Twitter.com/uvaispro From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>] On Behalf Of Keith Hartranft Sent: Tuesday, August 16, 2016 3:01 PM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] SOP for Managing Phishing/Ransomware Attempts Wall, Attached are the anti-phishing flow processes you requested. They may need some explanation for the steps to be most effective and I'm working to arrange a Zoomcast or meeting of some sort to do just that. I'll let you know when that is arranged. Thanks, Keith On Tue, Aug 16, 2016 at 2:33 PM, Wall Wofford <wall () fuller edu<mailto:wall () fuller edu>> wrote: Hi Keith - I'd be interested! Thanks - Benjamin On Tue, Aug 16, 2016 at 10:22 AM, Keith Hartranft <kkh288 () lehigh edu<mailto:kkh288 () lehigh edu>> wrote: Hi all, I've been asked by some folks to share our flow processes for anti-phishing and please know I'm happy to do so. If there is sufficient interest I'd also be happy to arrange a Webcast of some sort to do a walk through of the process. Thanks, Keith On Sat, Aug 13, 2016 at 12:11 PM, Joel Anderson <joela () umn edu<mailto:joela () umn edu>> wrote: FWIW, I describe a lot of what we've been doing in a SANS paper, including using "honeypeeps" to identify phisher's source IP addresses. We also maintain a blog (phishing.it.umn.edu<http://phishing.it.umn.edu>) to highlight phishing campaigns and post advisories. Reducing the Catch: Fighting Spear-Phishing in a Large Organization https://www.sans.org/reading-room/whitepapers/forensics/reducing-catch-fighting-spear-phishing-large-organization-35547 On Thu, Aug 11, 2016 at 8:39 AM, Keith Hartranft <kkh288 () lehigh edu<mailto:kkh288 () lehigh edu>> wrote: Hello all, We do have a somewhat formalized process for Phishing emails and it has been flowcharted. I'd be happy to share these with RI folks and we've talked about (Doug help please?) a central place/wiki for that. I will say the process is specific to how our systems are structured but I think there are some things that all organizations might find useful in our process. A few things to note: * We have not "pulled" phishing emails from mailboxes. We do however note particularly good ones, note who has "opened" them, and watch for suspicious logons from those users with our SIEM dashes. Particularly good phishes we also "seed" with peep accounts and then monitor those locations more closely * We run our own DNS block (Malwaredomains) which helps mitigate on campus access. You may get that feed as well ..... in a variety of ways. We also report to Google Safebrowsing, Phishtank, Symantec, ThreatStream via HiTrust .... which gets links into Browser and many AV Browser/reputation blocks VERY quickly. * We use GMail content filters to protect many users from common phishes that would have gotten through in the past. We react with new rules when new "more inventive?" phishes occur. I think this has had significant impact on phish reduction ...... but with the semester about to begin, we'll see for certain. * We post phishes to our Help pages and warnings. If the phish is particular good or generates a high level of calls or response .... we send a campus notification. (As we had last year with a "Terror Threat Email") It should be noted that a second round of "Terror Threat" attempts was almost totally mitigated by the content compliance filters. * We do some limited data mining via Vault for new phishes that miss the content compliance net and respond accordingly. * We notify senders of possible account compromise if in the edu or gov spaces. We sometimes notify hosts if they are particularly responsive (Formcrafts you can 404 the site by reporting) I think those are the highlights. Any questions ...... fire away! Thanks, Keith On Thu, Aug 11, 2016 at 1:46 AM, Steven Alexander <steven.alexander () kccd edu<mailto:steven.alexander () kccd edu>> wrote: I'm new to my role so I don't know if we've had objections in the past, but we do pull phishing/malicious emails from our user's inboxes. Once we've identified that the content is dangerous, the safest option is to remove it. Simply alerting people that the content is dangerous might reduce click rates substantially, but it won't reduce them to zero. I'd rather have to defend the decision to pull than deal with a breach or a ransomware infection. I think the best approach is to be up front set clear ground rules for when this capability can be used. If it's only used to pull emails with malicious attachments and phishing links, there shouldn't be many objections. If it's used to stifle a discussion, even once, it will be hard to regain the trust of your faculty and other users. Steven Alexander Director of IT Security Kern Community College District ________________________________ From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>] on behalf of James Valente [jvalente () SALEMSTATE EDU<mailto:jvalente () SALEMSTATE EDU>] Sent: Wednesday, August 10, 2016 3:31 PM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] SOP for Managing Phishing/Ransomware Attempts <snip> Also, RE: Removing malicious messages. I know this has come up in other discussions amongst schools and a few people have mentioned that there have been members of the faculty who get very upset if messages are deleted. We haven't tried to pull or delete messages here, however. Thanks, James Valente Associate Director of Information Security Salem State University -- Keith K Hartranft, CISSP, CISM, PCI-DSS ISA & PCIP Chief Information Security Officer Lehigh University 610-758-3994<tel:610-758-3994> -- -- --------------------------------------------------- joel anderson * joela () umn edu<mailto:joela () umn edu> * @joelpetera --> 612-625-7389<tel:612-625-7389> --> pager: 612-648-6823<tel:612-648-6823> Security Analyst University Information Security - University of Minnesota http://it.umn.edu/practices-information-security-policy "Email is the thermal exhaust port on the Death Star of IT infrastructure." - me [https://acclaim-production-app.s3.amazonaws.com/images/410bb477-13b7-49bb-a019-8ebbe087a565/Template_GSNA.png] -- Keith K Hartranft, CISSP, CISM, PCI-DSS ISA & PCIP Chief Information Security Officer Lehigh University 610-758-3994<tel:610-758-3994> -- Benjamin Wall Wofford Director of Technology Support Services Fuller Theological Seminary wall () fuller edu<mailto:wall () fuller edu> phone: 626-304-3798<tel:626-304-3798> -- Keith K Hartranft, CISSP, CISM, PCI-DSS ISA & PCIP Chief Information Security Officer Lehigh University 610-758-3994<tel:610-758-3994> -- Keith K Hartranft, CISSP, CISM, PCI-DSS ISA & PCIP Chief Information Security Officer Lehigh University 610-758-3994
Current thread:
- Re: SOP for Managing Phishing/Ransomware Attempts, (continued)
- Re: SOP for Managing Phishing/Ransomware Attempts Frank Barton (Aug 11)
- Re: SOP for Managing Phishing/Ransomware Attempts Keith Hartranft (Aug 11)
- Re: SOP for Managing Phishing/Ransomware Attempts Joel Anderson (Aug 13)
- Re: SOP for Managing Phishing/Ransomware Attempts Keith Hartranft (Aug 16)
- Re: SOP for Managing Phishing/Ransomware Attempts Wall Wofford (Aug 16)
- Re: SOP for Managing Phishing/Ransomware Attempts Sue Rivera (Aug 16)
- Re: SOP for Managing Phishing/Ransomware Attempts Keith Hartranft (Aug 16)
- Re: SOP for Managing Phishing/Ransomware Attempts Keith Hartranft (Aug 16)
- Re: SOP for Managing Phishing/Ransomware Attempts McDowell, Karen (krm6r) (Aug 16)
- Re: SOP for Managing Phishing/Ransomware Attempts Keith Hartranft (Aug 16)
- Re: SOP for Managing Phishing/Ransomware Attempts Fisch, Neal (Aug 18)
- Re: SOP for Managing Phishing/Ransomware Attempts Wall Wofford (Aug 16)
- Re: SOP for Managing Phishing/Ransomware Attempts Bertone, John (Aug 16)
- Re: SOP for Managing Phishing/Ransomware Attempts Keith Hartranft (Aug 16)
- Re: SOP for Managing Phishing/Ransomware Attempts David D Grisham (Aug 16)
- Re: SOP for Managing Phishing/Ransomware Attempts Keith Hartranft (Aug 16)
- Re: SOP for Managing Phishing/Ransomware Attempts Dicovitsky, Paul (Aug 23)
- Re: SOP for Managing Phishing/Ransomware Attempts Keith Hartranft (Aug 23)
- Re: SOP for Managing Phishing/Ransomware Attempts Frank Barton (Aug 16)
- Re: SOP for Managing Phishing/Ransomware Attempts Keith Hartranft (Aug 16)
- Re: SOP for Managing Phishing/Ransomware Attempts Hall, Rand (Aug 17)