Educause Security Discussion mailing list archives
Re: SOP for Managing Phishing/Ransomware Attempts
From: James Valente <jvalente () SALEMSTATE EDU>
Date: Wed, 10 Aug 2016 22:31:09 +0000
I wrote up a script a while back that parsed the syslog output from our email firewall and could alert us to possible phishing attempts. Every 30 minutes it will grab the last 45 minutes of log entries and pull out the sender name and source IP and will alert if either has a certain number of hits. It took a while of tweaking to get it high enough that regular email traffic wasn't setting off alerts while still alerting us to as many real phishing attempts as possible. I found that it was important to also check the source IP because we've had spoofed email addresses that differ with each recipient and no alert would be set off. Checking both increases the chances of picking something up. I had to add code to ignore certain senders, servers, or domains (internal mailservers, constantcontact, pretty much anything that regularly sends bulk messages).

Along with asking users to report phishing to our security mail, it really helps to cut down our maximum response time during the day to about 30 minutes, though it's usually much faster. Once we get the alerts or reported messages, we can pull a list of recipients off the firewall and blast out a mass warning to everyone that the message was a phish, to delete/ignore it, and contact the Information Security department if they already entered their credentials. The number of users who have fallen for a phish since we started doing this has dropped by about 90%, I believe.

I'm guessing some email firewalls already allow you to configure alerts like this, but our Barracuda does not.

Also, RE: Removing malicious messages. I know this has come up in other discussions amongst schools and a few people have mentioned that there have been members of the faculty who get very upset if messages are deleted. We haven't tried to pull or delete messages here, however.
Thanks,

James Valente
Associate Director of Information Security
Salem State University

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Christopher Jones [Christopher.Jones () UFV CA]
Sent: Wednesday, August 10, 2016 17:56
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] SOP for Managing Phishing/Ransomware Attempts

We are looking at revamping our current procedures for managing phishing and ransomware attempts. What we have in place now is fairly informal, but we are looking to develop a more formal plan. If anyone has gone through this process and would be willing to share, that would be most appreciated. Specifically, we could use information such as:

1. Thresholds for when to generate general university-wide alerts
2. Number of phishing messages received before a “search and destroy” operation is implemented to remove malicious messages from inboxes

Thanks.

Christopher Jones
IT Security Analyst
University of the Fraser Valley
Christopher.Jones () ufv ca
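The detection James describes (a sliding 45-minute window, per-sender and per-source-IP hit counts, an ignore list for bulk senders and internal relays, and a recipient list for the follow-up warning) can be sketched as a small script. This is an added example, not James Valente's script and not Barracuda's log format: the `mailfw: sender=... src_ip=... rcpt=...` line layout, the thresholds, the ignore-list entries and all addresses in `SAMPLE_LOG` are constructed for illustration.

```python
"""Threshold-based phishing burst detector over firewall syslog lines.

Added example. The log line format, thresholds, ignore lists and sample data
below are all constructed; a real email firewall's syslog output will differ.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example (not a real firewall's format).
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) mailfw: "
    r"sender=(?P<sender>\S+) src_ip=(?P<ip>\S+) rcpt=(?P<rcpt>\S+)$"
)

# Exclusions for known bulk senders and internal infrastructure (constructed).
IGNORED_SENDERS = {"alerts@campus-status.example"}
IGNORED_DOMAINS = {"constantcontact.example"}
IGNORED_IPS = {"10.0.0.25"}  # internal mail relay

WINDOW = timedelta(minutes=45)   # look-back per run (runs would be every 30 min)
SENDER_THRESHOLD = 5             # messages from one sender address in the window
IP_THRESHOLD = 5                 # messages from one source IP in the window


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%S")
    d["sender"] = d["sender"].lower()
    return d


def is_ignored(entry):
    """True for senders, sender domains or source IPs on the ignore lists."""
    domain = entry["sender"].rpartition("@")[2]
    return (entry["sender"] in IGNORED_SENDERS
            or domain in IGNORED_DOMAINS
            or entry["ip"] in IGNORED_IPS)


def find_bursts(lines, now, window=WINDOW,
                sender_threshold=SENDER_THRESHOLD, ip_threshold=IP_THRESHOLD):
    """Count messages per sender and per source IP inside [now - window, now].

    Returns the senders and IPs that cross their threshold, each mapped to the
    sorted list of recipients it reached (the list used for the mass warning).
    Counting the IP separately catches campaigns that rotate the sender address
    per recipient, which a sender-only count would never trip on.
    """
    cutoff = now - window
    senders, ips = Counter(), Counter()
    rcpts_by_sender, rcpts_by_ip = defaultdict(set), defaultdict(set)
    for line in lines:
        e = parse_line(line)
        if e is None or e["ts"] < cutoff or e["ts"] > now or is_ignored(e):
            continue
        senders[e["sender"]] += 1
        ips[e["ip"]] += 1
        rcpts_by_sender[e["sender"]].add(e["rcpt"])
        rcpts_by_ip[e["ip"]].add(e["rcpt"])
    return {
        "senders": {s: sorted(rcpts_by_sender[s])
                    for s, n in senders.items() if n >= sender_threshold},
        "ips": {ip: sorted(rcpts_by_ip[ip])
                for ip, n in ips.items() if n >= ip_threshold},
    }


def _line(ts, sender, ip, rcpt):
    return f"{ts} mailfw: sender={sender} src_ip={ip} rcpt={rcpt}"


NOW = datetime(2016, 8, 10, 22, 30)

# Constructed sample log covering the cases discussed in the thread.
SAMPLE_LOG = [
    # Campaign 1: one spoofed address, one source IP, six recipients.
    *[_line(f"2016-08-10T22:{m:02d}:00", "payroll@hr-portal-update.test",
            "203.0.113.9", f"user{i}@example.edu") for i, m in enumerate(range(1, 7))],
    # Campaign 2: sender address differs per recipient, same IP -> only the IP count trips.
    *[_line(f"2016-08-10T22:{m:02d}:30", f"helpdesk{i}@mail-verify.test",
            "198.51.100.7", f"staff{i}@example.edu") for i, m in enumerate(range(2, 8))],
    # Bulk newsletter: would trip both counters but its domain is ignored.
    *[_line(f"2016-08-10T22:{m:02d}:00", "news@constantcontact.example",
            "192.0.2.10", f"alum{i}@example.edu") for i, m in enumerate(range(5, 13))],
    # Same sender as campaign 1 but 90 minutes earlier: outside the window.
    _line("2016-08-10T21:00:00", "payroll@hr-portal-update.test", "203.0.113.9", "old@example.edu"),
    # Ordinary traffic below both thresholds, plus a malformed line to skip.
    _line("2016-08-10T22:10:00", "prof@partner.example", "203.0.113.50", "dean@example.edu"),
    _line("2016-08-10T22:12:00", "prof@partner.example", "203.0.113.50", "chair@example.edu"),
    "garbage line that should be skipped",
]

if __name__ == "__main__":
    result = find_bursts(SAMPLE_LOG, NOW)
    for kind in ("senders", "ips"):
        for key, rcpts in result[kind].items():
            print(f"ALERT {kind[:-1]} {key}: {len(rcpts)} recipients -> {rcpts}")
```

In a scheduled run, `now` would be the current time and `lines` the last 45 minutes pulled from the firewall's syslog; the returned recipient lists are what feeds the "this was a phish, delete it" notice. The ignore lists are the part that needs the most tuning, exactly as the post describes.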
Current thread:
- SOP for Managing Phishing/Ransomware Attempts Christopher Jones (Aug 10)
- Re: SOP for Managing Phishing/Ransomware Attempts Rob Cherveny (Aug 10)
- Re: SOP for Managing Phishing/Ransomware Attempts David D Grisham (Aug 10)
- Re: SOP for Managing Phishing/Ransomware Attempts Frank Barton (Aug 10)
- Re: SOP for Managing Phishing/Ransomware Attempts James Valente (Aug 10)
- Re: SOP for Managing Phishing/Ransomware Attempts David D Grisham (Aug 10)
- Re: SOP for Managing Phishing/Ransomware Attempts Rob Cherveny (Aug 10)
- Re: SOP for Managing Phishing/Ransomware Attempts James Valente (Aug 10)
- Re: SOP for Managing Phishing/Ransomware Attempts Steven Alexander (Aug 10)
- Re: SOP for Managing Phishing/Ransomware Attempts Frank Barton (Aug 11)
- Re: SOP for Managing Phishing/Ransomware Attempts Keith Hartranft (Aug 11)
- Re: SOP for Managing Phishing/Ransomware Attempts Joel Anderson (Aug 13)
- Re: SOP for Managing Phishing/Ransomware Attempts Keith Hartranft (Aug 16)
- Re: SOP for Managing Phishing/Ransomware Attempts Wall Wofford (Aug 16)
- Re: SOP for Managing Phishing/Ransomware Attempts Sue Rivera (Aug 16)
- Re: SOP for Managing Phishing/Ransomware Attempts Keith Hartranft (Aug 16)
- Re: SOP for Managing Phishing/Ransomware Attempts Keith Hartranft (Aug 16)
- Re: SOP for Managing Phishing/Ransomware Attempts McDowell, Karen (krm6r) (Aug 16)
- Re: SOP for Managing Phishing/Ransomware Attempts Steven Alexander (Aug 10)