MANAGED SECURITY SERVICES
Phishing Monitoring
Security monitoring to filter malicious email and respond accordingly when users fall prey to phishing.
A phishing monitoring program is necessary for any organization with humans receiving email, but how should you evaluate a managed security services group who provides the service?
It’s critical that the group performing monitoring or configuration of email security tools has a solid understanding of the attack strategies employed in phishing attacks. The landscape is vast, has a long history, and is constantly evolving. The group should be well versed in all available toolsets for monitoring.
The most important capability is phishing-related incident response. If an attack is executed successfully, the time between compromise and execution of malicious activity on the network can be measured in minutes. A managed services group should have the ability to launch an investigation and perform necessary damage control within minutes of being notified of a phishing click.
A managed security services group should be able to list a set of procedures that include something similar to the following in regard to investigation and response:
- Classify the incident: Is it phishing, spam, or malware
- Quarantine the emails in question
- Take steps to determine which users clicked or which machines the links were clicked from
- Once identified: Block malicious domains, URLs, and IPs associated with the phishing link(s) at the firewall/proxy level
- User account maintenance: Reset passwords for user accounts that clicked
- Review forwarding rules on compromised accounts to ensure mail is not forwarding to bad actors
- Review outgoing messages on mail server to determine if compromised accounts sent emails
A managed security services group should be able to list a set of procedures that include something similar to the following in regard to investigation and response:
15 minutes: The average time from when an attacker steals authentication credentials to when they are able to abuse the stolen account for additional motives. They may be able to use that account to discover more accounts by querying a global address book to commence spamming and more phishing.
90% or more of data breaches start with a phishing email according to Proofpoint. This represents a lower barrier of entry for the attacker. Why spend time searching for 0-days and writing complex scripts to exploit the target when the attacker can just write a coercive email?
$1.6M: The average total resulting cost of a phishing attack according to a poll with 88 respondents. Phishing can be expensive and the damage from a successful attack can dwarf the efforts to mitigate incoming attempts.