Phishing Monitoring

Use Cases for Phishing Monitoring

A phishing monitoring program is necessary for any organization with humans receiving email, but how should you evaluate a managed security services group who provides the service?


What Types of Security Assessments Should You Be Doing?

It’s critical that the group performing monitoring or configuration of email security tools has a solid understanding of the attack strategies employed in phishing attacks. The landscape is vast, has a long history, and is constantly evolving. The group should be well versed in all available toolsets for monitoring.

The most important capability is phishing-related incident response. If an attack is executed successfully, the time between compromise and execution of malicious activity on the network can be measured in minutes. A managed services group should have the ability to launch an investigation and perform necessary damage control within minutes of being notified of a phishing click.

Are There Requisite Procedures for Analyst Response?

A managed security services group should be able to list a set of procedures that include something similar to the following in regard to investigation and response:

  • Classify the incident: Is it phishing, spam, or malware
  • Quarantine the emails in question
  • Take steps to determine which users clicked or which machines the links were clicked from
  • Once identified: Block malicious domains, URLs, and IPs associated with the phishing link(s) at the firewall/proxy level
  • User account maintenance: Reset passwords for user accounts that clicked
  • Review forwarding rules on compromised accounts to ensure mail is not forwarding to bad actors
  • Review outgoing messages on mail server to determine if compromised accounts sent emails

A managed security services group should be able to list a set of procedures that include something similar to the following in regard to investigation and response:

Are There Requisite Procedures for Analyst Response?

15 minutes: The average time from when an attacker steals authentication credentials to when they are able to abuse the stolen account for additional motives. They may be able to use that account to discover more accounts by querying a global address book to commence spamming and more phishing.

90% or more of data breaches start with a phishing email according to Proofpoint. This represents a lower barrier of entry for the attacker. Why spend time searching for 0-days and writing complex scripts to exploit the target when the attacker can just write a coercive email?

$1.6M: The average total resulting cost of a phishing attack according to a poll with 88 respondents. Phishing can be expensive and the damage from a successful attack can dwarf the efforts to mitigate incoming attempts.