In this blog, we examine the steps that you need to take for your organization to recover from a Phishing Attack.

The Process of Recovering from a Phishing Attack

  1. Identification:

This is the first step in responding to a Phishing attack.  At this stage, an alert is “sounded” that a Phishing attack is underway or imminent, and it must be investigated further.  It is important to collect as much information and data about the Phishing E-Mail as possible, and the following items should be captured:

  • The E-Mail address of the sender;
  • The intended recipient of the E-Mail;
  • The Subject Line of the particular E-Mail;
  • Carefully examine the E-Mail message, and if there is an attachment, make sure that you use the appropriate protocols to download it safely, store it in a separate folder (or even a zip file), and password protect it so that only the appropriate IT personnel can access it.
  • If there is a suspicious link as well, which takes the recipient to a potentially spoofed website, this will also have to be investigated.  However, it is important to use a dedicated computer solely for this purpose.  Do not use any other server, workstation, or wireless device for this, as the potentially spoofed website could contain malware which could download itself rapidly.

  2. Triage:

If the above investigation discovers that an actual Phishing attack is underway, then the following steps must be accomplished:

  • Determine the specific kind of Phishing E-Mail it is.  For example, is it a:
    • BEC (Business Email Compromise);
    • Spear Phishing (where one particular individual or individuals are targeted);
    • Clone Phishing (where an original E-Mail message has been transformed into a malicious one);
    • Whaling (this is similar to BEC, but primarily C-Level Executives are specifically targeted);
    • Link Manipulation (this is where a spoofed website is involved);
    • Website Forgery (this is where JavaScript code is used to maliciously alter the URL bar);
    • Covert Redirect (this is when a website address looks genuine and authentic, but the victim is taken to a spoofed website);
    • Social Engineering (this occurs typically in a business environment where lower-ranking employees [such as administrative assistants] are targeted and conned to give out corporate secrets);
    • SMS (in these instances, wireless devices, primarily Smartphones are targeted, and malicious text messages are sent instead).

Once the type has been determined, assign a priority level (on a scale that you have defined, for instance low priority, medium priority, or high priority [the last of these would be considered a “Severe” ranking]).  Then notify the IT staff, primarily those responsible for the Security aspects of the organization, that an attack is underway, if they are not already aware of the situation.

  3. Investigation:

At this phase, the actual E-Mail message and its contents need to be examined carefully, and the degree of damage needs to be ascertained.  In terms of the former, the following must be looked into:

  • Analysis of the E-Mail Header:
    • The From Field:  This will contain the name of the sender;
    • X-Authenticated User:  This will contain the E-Mail address of the sender (such as johndoe@anywhere.com);
    • The Mail Server IP Address:  This will contain the actual IP address of the E-Mail server from which the Phishing E-Mail was sent.  Keep in mind that the physical location of the E-Mail server does not necessarily mean that the Cyber attacker is located in that geographic area as well.  Many times, they will be in a separate location from that of the E-Mail server.
  • Analysis of the E-Mail message:
    • At this phase, the actual contents of the E-Mail message need to be examined carefully, as there are many telltale signs which can be difficult to spot at first glance.
  • Analysis of the Domain Link:
    • If the Phishing E-Mail contains a suspicious link, as stated before, carefully examine the spoofed website and determine where the data submitted on the website is actually posted (for example, by determining the IP address of the Web server that hosts the spoofed website).
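The header and link analysis above can be scripted for the first pass. The following is an added example, not code from the original post: it parses a constructed sample message, pulls out the sender, recipient, subject, `X-Authenticated-User` value (an assumed header name; the field is non-standard and may be absent) and the origin IP from the earliest Received header, and flags a link whose visible text points to a different host than its real destination.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample, not a real phishing message: the display name claims to be
# the internal helpdesk, the authenticated sender is an outside mailer, and the
# visible link text shows a different host than the real href.
SAMPLE_EMAIL = (
    b"Received: from mx.victim.example (mx.victim.example [192.0.2.5])\r\n"
    b"\tby inbox.victim.example with ESMTP id 1\r\n"
    b"Received: from mailer.example.net (mailer.example.net [203.0.113.10])\r\n"
    b"\tby mx.victim.example with ESMTP id 2\r\n"
    b'From: "IT Helpdesk" <alerts@mailer.example.net>\r\n'
    b"To: jane.doe@victim.example\r\nSubject: Password expires today\r\n"
    b"X-Authenticated-User: alerts@mailer.example.net\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b'<p>Reset: <a href="http://login-victim.example.net/r">'
    b"https://login.victim.example</a></p>\r\n"
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def triage_email(raw, internal_domain):
    """Collect the sender, recipient, subject, origin IP and links the
    checklist asks for, plus flags for the mismatches a reviewer looks at."""
    msg = message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    received = [str(h) for h in msg.get_all("Received", [])]
    # The bottom-most Received header is the earliest hop, i.e. the server that
    # first handed the message on; the ones above were added by our own relays.
    origin = IP_RE.search(received[-1]) if received else None
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    links, flags = [], []
    for href, text in LINK_RE.findall(html):
        shown, real = urlparse(text.strip()).hostname, urlparse(href).hostname
        links.append((text.strip(), href))
        if shown and real and shown != real:
            flags.append(f"link text {shown} actually points to {real}")
    if addr and not addr.lower().endswith("@" + internal_domain):
        flags.append(f"sender {addr} is outside {internal_domain}")
    return {"sender_name": name, "sender": addr, "recipient": str(msg.get("To", "")),
            "subject": str(msg.get("Subject", "")),
            "auth_user": str(msg.get("X-Authenticated-User", "")),
            "origin_ip": origin.group(1) if origin else None,
            "links": links, "flags": flags}
```

Run it on the raw message saved from the mail client; resolving the flagged hosts should be done from the dedicated analysis machine described above, not from a production workstation.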

With regard to the latter point, the level and severity of the damage needs to be ascertained.  Examples of this include the following:

  • The total number of impacted employees;
  • What actions were carried out by the employees with regard to the Phishing E-Mail, for instance:
    • Did they download an attachment;
    • Or, did they go to a spoofed website and unknowingly submit their personal information, or even sensitive business login credentials.
  • What was impacted:
    • Servers;
    • Workstations;
    • Wireless Devices;
    • The Network Infrastructure;
    • Other aspects of the IT Infrastructure.


Conclusions

Our next blog will look at the remaining steps that you need to take.