Non-technical user mitigations
- Awareness, both before an incident and after one
- email alerts, websites, posters
- see: Stop. Think. Connect.
- certificate verification: click the padlock/certificate indicator and check that the certificate belongs to the site you expected, not just that one is present
- use unique passwords for every account, so a phished password unlocks only one service
- how to detect and respond:
- reporting phished credentials, then revoke and reset [preferably self-service, without help-desk involvement] (an “I’ve been phished, now what?” guide, with an anonymous reporting option?)
- verify suspicious emails with the CSIRT / help-desk before clicking anything in them
- give users an option to submit mail as spam / phishing, so the reports train the filtering system
- post-incident interview = learning (anything more we can do) + training (anything more they can do) [consider on a case-by-case basis or for high-profile accounts]
Technical mitigations
- add URLs, IPs, etc. of malicious domains to firewall rules / IPS blacklists / router blackholes, etc.
- use multi-factor authentication [use the last incident as the incentive/motivation for implementing it]
- use email authentication with DNS: SPF and DKIM, with DMARC on top of them. DMARC passes only if SPF or DKIM passes with a domain aligned to the From: header, and the DMARC record tells receivers what to do with mail that fails (none/quarantine/reject); see dmarc.org/overview/
- consider requiring remote users to access the mail server/website via VPN only [enforce on the server side, not only in client configuration]
- alternatively use geo-fencing: only allow login to email/VPN/SSH services from expected countries/IP ranges
- anti-malware, anti-spam, anti-phishing, etc. solutions
- if they let phishing through, take it up with the vendor. If not resolved satisfactorily, change vendors: there are many solutions.
- how can the filters be improved? Consider a multi-layered approach + AI-backed (e.g. machine learning) classification; phishing emails are becoming more and more sophisticated (difficult to detect)
- enable flagging of suspicious emails, e.g. those that passed the threshold but not with a clean score: allow them through but notify the user (preferably with a tag in the subject)
- support scanning of attachments
- support previewing attachments (e.g. rendered as an image, so the file is not opened by its native application)
- kill switch to reset all user accounts (force a password reset for every account at once)
- don’t email cleartext passwords. Store passwords only as salted hashes produced by a password-hashing function (e.g. bcrypt, scrypt or Argon2). Use PGP/GPG to encrypt sensitive info that is emailed.
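The email-authentication and subject-flagging items above, as an added example that is not code from the original page: a Python policy check for an inbound gateway that evaluates DMARC alignment from SPF/DKIM results and then applies a two-threshold spam score, tagging the subject of mail that passed but did not score clean. It assumes the gateway has already written its SPF/DKIM verdicts into an Authentication-Results header (RFC 8601) and a numeric X-Spam-Score header; the DMARC record, the example.com / mailer-example.net domains, the thresholds and the three messages are constructed.

```python
"""Inbound mail policy: DMARC alignment check plus score-based subject flagging.
Added example, not code from the original page. Assumes SPF/DKIM results are in
Authentication-Results and a numeric X-Spam-Score is present; the DMARC record,
domains, thresholds and messages below are constructed for illustration.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed DMARC record as it would be published at _dmarc.example.com.
# aspf=s: SPF domain must equal the From: domain; adkim=r: DKIM d= may be a sub-domain.
DMARC_RECORD = "v=DMARC1; p=quarantine; aspf=s; adkim=r; rua=mailto:dmarc@example.com"
SUBJECT_TAG = "[SUSPECTED PHISHING] "


def parse_dmarc(txt):
    """Parse 'tag=value; ...' into a dict with the RFC 7489 defaults filled in."""
    tags = {"p": "none", "aspf": "r", "adkim": "r"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain):
    """Organizational domain, approximated as the last two labels
    (a production check would use the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') alignment is an exact match; relaxed ('r') only needs
    the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_auth_results(header):
    """Return {'spf': (result, domain), 'dkim': (result, domain)}.
    The first clause of Authentication-Results is the authserv-id and is skipped."""
    out = {}
    for clause in header.split(";")[1:]:
        m = re.match(r"\s*(spf|dkim)=(\w+)", clause)
        if not m:
            continue
        prop = re.search(r"(?:smtp\.mailfrom|header\.d)=([\w.@-]+)", clause)
        domain = prop.group(1).split("@")[-1] if prop else ""
        out[m.group(1)] = (m.group(2).lower(), domain)
    return out


def evaluate(raw_message, dmarc_txt=DMARC_RECORD, flag_at=3.0, reject_at=8.0):
    """Decide deliver / flag / quarantine / reject for one message.
    DMARC passes when SPF or DKIM passed *and* that identifier aligns with the
    From: domain; on failure the record's p= applies (p=none still flags).
    Otherwise the score decides, and [flag_at, reject_at) is delivered tagged."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    tags = parse_dmarc(dmarc_txt)
    from_domain = parseaddr(str(msg.get("From", "")))[1].split("@")[-1]
    results = parse_auth_results(str(msg.get("Authentication-Results", "")))
    notes, passed = [], False
    for method, mode in (("spf", tags["aspf"]), ("dkim", tags["adkim"])):
        result, domain = results.get(method, ("none", ""))
        if result == "pass" and domain and aligned(domain, from_domain, mode):
            passed = True
        elif result == "pass":
            notes.append(f"{method}=pass but {domain} not aligned with {from_domain}")
        else:
            notes.append(f"{method}={result}")
    reasons = ["dmarc=pass"] if passed else ["dmarc=fail", *notes]
    score = float(msg.get("X-Spam-Score", "0"))
    if not passed and tags["p"] in ("quarantine", "reject"):
        action = tags["p"]
    elif score >= reject_at:
        action = "reject"
        reasons.append(f"score {score} >= {reject_at}")
    elif score >= flag_at or not passed:
        action = "flag"
        if score >= flag_at:
            reasons.append(f"score {score} >= {flag_at}")
    else:
        action = "deliver"
    subject = str(msg.get("Subject", ""))
    if action == "flag":
        subject = SUBJECT_TAG + subject
    return {"action": action, "reasons": reasons, "subject": subject}


def sample(auth_results, score, subject):
    """Build a constructed message carrying only the headers the check reads."""
    return (f"Authentication-Results: mx.example.net; {auth_results}\n"
            f"X-Spam-Score: {score}\nFrom: Payroll <payroll@example.com>\n"
            f"Subject: {subject}\n\nbody\n")


LEGIT = sample("spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com", 0.4, "April payslips")
SPOOFED = sample("spf=pass smtp.mailfrom=bounce@mailer-example.net; dkim=fail header.d=mailer-example.net", 2.1, "Confirm your bank details")
GREY = sample("spf=pass smtp.mailfrom=news.example.com; dkim=pass header.d=example.com", 4.5, "Win a prize")
```

The spoofed message is the instructive case: SPF passes for the sender's bulk-mailer domain, but that domain is not aligned with the From: header, so DMARC fails and the published p=quarantine applies regardless of the modest spam score. The grey message fails strict SPF alignment on a sub-domain but passes through relaxed DKIM alignment, and is then delivered with the subject tag because its score sits between the two thresholds.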
At user level / endpoints
- use browsers containing anti-phishing measures: detection of fraudulent sites using a list of known phishing sites + clear warnings (e.g. banners/pop-ups to users)
- use browser add-ins such as RequestPolicy, Ghostery, Disconnect and/or NoScript
- use an email client with built-in malicious-email filtering, warnings, etc. (e.g. “this might be spam”)
- disable Office macros by default (using Group Policy if possible)
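The browser-side check described above, as an added example that is not code from the original page or from any browser vendor: a Python URL check that normalizes the host (punycode decoding, NFKC folding, lower-casing), blocks hosts on a known-phishing list including their sub-domains, and raises a warning for hosts that imitate a protected domain through Cyrillic lookalike characters. The phishing list, the protected domains and the confusable table are constructed and much smaller than the real Safe Browsing and Unicode confusables data.

```python
"""Browser-style phishing URL check: known-site list plus lookalike detection.
Added example, not code from the original page or any browser. The phishing
list, protected domains and confusable map are constructed subsets.
"""
import unicodedata
from urllib.parse import urlsplit

# Constructed: hosts reported as phishing. A listed domain also covers its sub-domains.
KNOWN_PHISHING = {"login-example-com.evil.test", "secure-update.test"}

# Constructed: the organization's own domains that lookalike hosts try to imitate.
PROTECTED = {"example.com", "webmail.example.org"}

# Constructed subset of Unicode confusables: Cyrillic letters rendered like Latin ones.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
}


def normalize_host(url):
    """Extract the host, decode punycode (xn--) labels, NFKC-fold and lower-case it."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")  # no-op for plain ASCII labels
    except UnicodeError:
        pass  # host is already Unicode (or malformed punycode); keep it as is
    return unicodedata.normalize("NFKC", host).lower()


def is_listed(host, domains):
    """True if the host or any parent domain of it is in `domains`."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def skeleton(host):
    """Replace confusable characters with the Latin letters they resemble."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)


def lookalike_of(host, protected=PROTECTED):
    """Return the protected domain a host imitates, or None. The protected
    domain itself and its genuine sub-domains are never lookalikes."""
    if is_listed(host, protected):
        return None
    sk = skeleton(host)
    return next((p for p in protected if sk == p or sk.endswith("." + p)), None)


def check_url(url):
    """Return (verdict, detail): 'block' for listed sites, 'warn' for lookalikes
    (the banner/pop-up case), 'allow' otherwise."""
    host = normalize_host(url)
    if not host:
        return "block", "no host in URL"
    if is_listed(host, KNOWN_PHISHING):
        return "block", f"{host} is on the phishing list"
    target = lookalike_of(host)
    if target:
        return "warn", f"{host} looks like {target}"
    return "allow", host


if __name__ == "__main__":
    for u in ("https://login-example-com.evil.test/session",
              "https://www.\u0435xample.com/login",   # Cyrillic 'е'
              "https://www.example.com/login"):
        print(u, "->", check_url(u))
```

The lookalike branch only catches substitutions present in the confusable table; a host such as example.com.evil.test is neither listed nor confusable and is allowed, which is exactly why the list and the awareness training both remain necessary.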
Post attack
- reset credentials (the phished account, and any other account that shared its password)
- add URLs, IPs, etc. of malicious domains to firewall rules / IPS blacklists / router blackholes, etc.
- report the phishing site and sender for takedown
- implement a honeypot that keeps the compromised credentials valid on a decoy system, for monitoring, attacker/intent identification, etc. (CSIRT/advanced)
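The honeypot item above and the geo-fencing item under Technical mitigations, served by one added example that is not code from the original page: a Python triage over authentication log lines that alerts when a successful login used a honeytoken account (phished credentials deliberately left valid on a decoy) or came from outside the expected source ranges, together with the server-side allow decision a geo-fenced service would make. The log format, the allowed networks, the honeytoken account names and the log lines are constructed; a real deployment would map source addresses to countries with a GeoIP database rather than, or in addition to, static ranges.

```python
"""Login triage for geo-fenced services and honeytoken credentials.
Added example, not code from the original page. The log format, allowed
networks, honeytoken accounts and log lines are constructed; a real deployment
would use a GeoIP database for country mapping instead of static ranges only.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed: campus and VPN egress ranges from which logins are expected.
ALLOWED_NETS = [ipaddress.ip_network(n)
                for n in ("192.0.2.0/24", "198.51.100.0/25", "2001:db8:10::/48")]

# Constructed: accounts whose phished passwords were left valid on a decoy
# mailbox so that any use of them reveals the attacker's source and intent.
HONEYTOKEN_ACCOUNTS = {"j.doe.old", "finance-backup"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>imap|owa|vpn|ssh) user=(?P<user>\S+) "
    r"src=(?P<ip>\S+) result=(?P<res>success|fail)$"
)


@dataclass
class Alert:
    ts: str
    svc: str
    user: str
    ip: str
    reasons: list = field(default_factory=list)


def allow_login(ip):
    """Server-side geo-fence decision: True only for expected source ranges.
    Unparseable addresses are denied, never allowed by accident."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETS)


def triage(lines):
    """One Alert per successful login that used a honeytoken account or came
    from outside the expected ranges. Failed logins belong to brute-force
    detection and are ignored here; malformed lines are skipped."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["res"] != "success":
            continue
        reasons = []
        if m["user"] in HONEYTOKEN_ACCOUNTS:
            reasons.append("honeytoken credential used")
        if not allow_login(m["ip"]):
            reasons.append("source outside expected ranges")
        if reasons:
            alerts.append(Alert(m["ts"], m["svc"], m["user"], m["ip"], reasons))
    return alerts


# Constructed log lines in the format LOG_RE expects.
SAMPLE_LOG = """\
2024-05-02T08:01:12Z imap user=a.smith src=192.0.2.45 result=success
2024-05-02T08:03:40Z vpn user=b.jones src=203.0.113.77 result=fail
2024-05-02T08:04:01Z vpn user=b.jones src=203.0.113.77 result=success
2024-05-02T09:15:33Z imap user=j.doe.old src=203.0.113.200 result=success
2024-05-02T09:16:00Z owa user=c.lee src=198.51.100.9 result=success
2024-05-02T09:17:45Z ssh user=ops src=2001:db8:10::7 result=success
garbage line that should be skipped
"""

if __name__ == "__main__":
    for a in triage(SAMPLE_LOG.splitlines()):
        print(a.ts, a.svc, a.user, a.ip, "; ".join(a.reasons))
```

Two of the constructed logins trigger: b.jones succeeded over the VPN from an address outside every expected range, and the honeytoken account j.doe.old was used from an unknown address, which is the signal the decoy exists to produce. When the same function is used for enforcement rather than triage, `allow_login` is the check to call before the service accepts a session.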
For MS Office 365 / Outlook specifically
University awareness examples
Further reading