Got phished. Now what?
So what should we do if one of our colleagues gets phished? The first thing to reemphasize is to not tease or punish them. It’s an easy mistake to make. The rest of the company will be watching, and the more scared they get, the less helpful they’ll be in future incidents.
If you think an attack has taken place, contact your legal department right away. They’ll coordinate communication with law enforcement.
You’ll want to bring in an incident response company to help with the aftermath. Recovering from an attack like this is outside the scope of this course.
That said, there are some things that you can expect an incident response company would want to be able to do as part of an incident response. To start with, they’ll want to figure out what the phisher was after and how the attack was carried out. Generally, this will mean finding out what malicious website(s) the phisher used. Once you find this out, you’ll want to block all access to that site at your firewall. Phishing is a numbers game, and it’s likely that other members of your organization were targeted as well, so you’ll also want to find out whether anyone else clicked on the link. Hopefully you’ll be able to find that out by looking at your firewall logs. If you have people who work remotely, though, their traffic most likely doesn’t pass through your firewall: you won’t be able to block their access to the malicious site, and you won’t be able to tell whether or not they visited it.
Once you know who’s visited the malicious site, you’ll know whose accounts could have been compromised. Have them rotate their passwords. Next, you’ll want to see what those accounts have done since their owners visited the malicious site. It can also help to find out whether any accounts have recently logged in from IP addresses they haven’t logged in from before. You’ll also want to see who else has logged in from the same IP addresses as the accounts of the people who visited the malicious site. This can provide another clue as to whose accounts have been compromised. If you have a single-sign-on provider, you’ll have a much easier time finding this out.
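The investigation steps in the last two paragraphs (find who visited the malicious site in the firewall logs, then look for accounts logging in from new IP addresses and for other accounts sharing those IP addresses) can be scripted against exported logs. The following is an added example for this course, not code from any vendor or product: the two log formats, the sample log lines, the placeholder phishing host `login.example-com.invalid` and the `INCIDENT_START` cut-off are all constructed assumptions, and you would adapt the parsing to whatever your firewall and single-sign-on provider actually export.

```python
"""Phishing triage helper (added example, constructed data).

Given a proxy/firewall log and a single-sign-on (SSO) sign-in log, this script
answers the three questions from the text: who visited the malicious site,
which accounts signed in from an IP address they had never used before the
incident, and which other accounts signed in from the same IP addresses as the
people who clicked.  Both log formats below are assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed proxy/firewall log: timestamp, user, source IP, requested URL.
PROXY_LOG = """\
2024-05-01T09:01:12Z alice 10.0.1.15 https://intranet.example.com/home
2024-05-01T09:03:40Z bob 10.0.1.22 https://login.example-com.invalid/reset
2024-05-01T09:05:02Z carol 10.0.1.31 https://news.example.org/
2024-05-01T09:07:55Z dave 10.0.1.40 http://login.example-com.invalid/reset?u=dave
2024-05-01T09:09:10Z alice 10.0.1.15 https://mail.example.com/
"""

# Constructed SSO sign-in log: timestamp, user, source IP, result.
SSO_LOG = """\
2024-04-20T08:00:00Z bob 10.0.1.22 success
2024-04-21T08:05:00Z dave 10.0.1.40 success
2024-04-22T08:10:00Z erin 10.0.1.50 success
2024-05-01T09:30:00Z bob 203.0.113.77 success
2024-05-01T09:31:00Z erin 203.0.113.77 success
2024-05-01T09:45:00Z dave 10.0.1.40 success
"""

MALICIOUS_HOST = "login.example-com.invalid"   # placeholder for the phishing site
INCIDENT_START = datetime.fromisoformat("2024-05-01T09:00:00+00:00")


def parse_log(text):
    """Yield (timestamp, user, ip, rest) from either constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, rest = line.split(maxsplit=3)
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), user, ip, rest


def visitors_of(proxy_text, host):
    """Users whose proxy entries include any URL on the malicious host."""
    return sorted({user for _, user, _, url in parse_log(proxy_text)
                   if urlparse(url).hostname == host})


def logins_from_new_ips(sso_text, since):
    """Accounts that signed in after `since` from an IP they never used before it."""
    baseline = defaultdict(set)   # user -> IPs seen before the incident
    suspects = {}
    for ts, user, ip, result in parse_log(sso_text):
        if result != "success":
            continue
        if ts < since:
            baseline[user].add(ip)
        elif ip not in baseline[user]:
            suspects.setdefault(user, set()).add(ip)
    return {u: sorted(ips) for u, ips in suspects.items()}


def accounts_sharing_ips(sso_text, seed_users, since):
    """Other accounts that signed in after `since` from an IP a seed account also used."""
    by_ip = defaultdict(set)
    for ts, user, ip, result in parse_log(sso_text):
        if result == "success" and ts >= since:
            by_ip[ip].add(user)
    seed = set(seed_users)
    related = {}
    for ip, users in by_ip.items():
        if users & seed:
            for other in users - seed:
                related.setdefault(other, set()).add(ip)
    return {u: sorted(ips) for u, ips in related.items()}


def triage(proxy_text, sso_text, host, since):
    """Combine the three checks into one list of accounts to reset and review."""
    clicked = visitors_of(proxy_text, host)
    new_ips = logins_from_new_ips(sso_text, since)
    shared = accounts_sharing_ips(sso_text, clicked, since)
    rotate = sorted(set(clicked) | set(new_ips) | set(shared))
    return {"clicked": clicked, "new_ips": new_ips,
            "shared_ip": shared, "rotate_passwords": rotate}


if __name__ == "__main__":
    for key, value in triage(PROXY_LOG, SSO_LOG, MALICIOUS_HOST, INCIDENT_START).items():
        print(f"{key}: {value}")
```

With the constructed data, bob and dave appear in the proxy log as having visited the phishing host, bob and erin signed in from an address neither had used before the incident, and erin is flagged again because she shares that address with bob, so all three go on the password-rotation list. Note that the proxy check only sees traffic that passes through your firewall; a remote worker who clicked from home would be missing from `clicked` entirely, which is exactly why the SSO-based checks are worth running as well.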
The last couple of paragraphs assumed a lot of infrastructure was already in place. If you don’t have these tools in place, set aside some time to think about how you’d carry out an investigation without them. If the answer is that you wouldn’t be able to do much of an investigation if you didn’t have them, then you’ll probably want to budget some time and money to get those tools in place before an attack happens, rather than afterward.