Phishing and compromised accounts

Awareness – before and after
- email alerts, websites, posters
- see: Stop. Think. Connect.
- certificate verification – click on and verify
- use unique passwords for every account
- how to detect:
reporting phished credentials, revoke and reset [preferably unassisted] (“I’ve been phished, now what?” with an anonymous option?)
verify suspicious emails with the CSIRT / help-desk prior to clicking
have an option for users to submit mail as spam / phishing to train the filtering system
post-incident interview = learning (anything more we can do) + training (anything more they can do) [consider on case-by-case basis or for high-profile accounts]

add URLs, IPs, etc. of malicious domains to firewall rules/IPS blacklists/router blackholes, etc.
use multi-factor authentication [use the last incident as incentive/motivation for implementing]
use email authentication with DNS: SPF and/or DKIM > DMARC (dmarc.org/overview/)
consider requiring remote users to access the mail server/website via VPN only [enforce on the server side]
alternatively use geo-fencing: only allow login to email/vpn/ssh services from expected countries/ip ranges
anti -malware,-spam,-phishing, etc. solutions
- if letting through, take it up with vendor. If not resolved satisfactorily, change vendors – there are many solutions.
- how can the filters be improved? Consider multi-layered approach + AI-backed (e.g. machine learning) – phishing emails are becoming more and more sophisticated (difficult to detect)
- enable flagging of suspicious emails – e.g. passed the threshold but not with a clean score – allow through but notify user (pref. in subject)
- support scanning of attachments
- support previewing attachments (e.g. as an image)
kill switch to reset all user accounts
don’t email cleartext passwords. Use a secure system to store hashes. Use PGP/GPG to encrypt sensitive info that is emailed.

use browsers containing anti-phishing measures – detection of fraudulent sites using a list of known phishing sites + clear warnings (e.g. banners/pop-ups to users)
use browser add-ins such as: RequestPolicy, Ghostery, DISCONNECT. and/or NoScript
- (see: tma.ifip.org/wordpress/wp-content/uploads/2017/06/tma2017_paper30.pdf)
use email client with built-in malicious email filtering, warnings, etc. (e.g. “this might be spam”)
disable macros by default (using group policy if possible)

reset credentials
add URLs, IPs, etc. of malicious domains to firewall rules/IPS blacklists/router blackholes, etc.
report for takedown
- start with your ISP
- contact abuse at remote ISP if known (e.g. whois)
- safebrowsing.google.com/safebrowsing/report_phish/?hl=en
- www.phishtank.com/
- apwg.org/report-phishing/
implement honeypot allowing compromised credentials for monitoring, attacker/intent identification, etc. (CSIRT/advanced)