Email Phishing Attacks on the Rise
According to the US-CERT targeted phishing email campaigns are on the rise this summer. The phishing email campaigns act as an entry point for attackers to spread throughout an organization’s entire enterprise, steal sensitive business or personal information, or disrupt business operations.
Here is the US-CERT’s recommended actions.
Phishing Mitigation and Response Recommendations
Implement perimeter blocks for known threat indicators:
- Email server or email security gateway filters for email indicators
- Web proxy and firewall filters for websites or Internet Protocol (IP) addresses linked in the emails or used by related malware
- DNS server blocks (blackhole) or redirects (sinkhole) for known related domains and hostnames
- Remove malicious emails from targeted user mailboxes based on email indicators (e.g., using Microsoft ExMerge).
- Identify recipients and possible infected systems:
- Search email server logs for applicable sender, subject, attachments, etc. (to identify users that may have deleted the email and were not identified in purge of mailboxes)
- Search applicable web proxy, DNS, firewall or IDS logs for activity the malicious link clicked.
- Search applicable web proxy, DNS, firewall or IDS logs for activity to any associated command and control (C2) domains or IP addresses associated with the malware.
- Review anti-virus (AV) logs for alerts associated with the malware. AV products should be configured to be in quarantine mode. It is important to note that the absence of AV alerts or a clean AV scan should not be taken as conclusive evidence a system is not infected.
- Scan systems for host-level indicators of the related malware (e.g., YARA signatures)
For systems that may be infected:
- Capture live memory of potentially infected systems for analysis
- Take forensic images of potentially infected systems for analysis
- Isolate systems to a virtual local area network (VLAN) segmented form the production agency network (e.g., an Internet-only segment
Report incidents, with as much detail as possible, to the NCCIC.
Educate Your Users
Organizations should remind users that they play a critical role in protecting their organizations form cyber threats. Users should:
- Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known. Be particularly wary of compressed or ZIP file attachments.
- Avoid clicking directly on website links in emails; attempts to verify web addresses independently (e.g., contact your organization’s helpdesk or sear the Internet for the main website of the organization or topic mentioned in the email).
- Report any suspicious emails to the information technology (IT) helpdesk or security office immediately.
Basic Cyber Hygiene
Practicing basic cyber hygiene would address or mitigate the vast majority of security breaches handled by today’s security practitioners:
- Privilege control (i.e., minimize administrative or superuser privileges)
- Application white-listing / software execution control (by file or location)
- System application patching (e.g., operating system vulnerabilities, third-party vendor applications)
- Security software updating (e.g., AV definitions, IDS/IPS signatures and filters)
- Network segmentation (e.g., separate administrative networks from business-critical networks with physical controls and virtual local area networks)
- Multi-factor authentication (e.g., one-time password tokens, personal identity verification (PIV cards)