Taking Defensive Actions Flashcards
This section of the Phishing Analysis domain is going to cover a number of preventative and reactive security measures to keep organizations safe from phishing attacks and campaigns. We will cover both technical and administrative controls to ensure that phishing is addressed at both the technological and human levels to give the organization the best chance of defending against these attacks.
Learning Objectives
Understand and explain how a range of technical and administrative controls can be used for preventative and reactive measures, to protect an organization from attack.
Fully understand the immediate response process, which incorporates everything you’ve learned so far in this domain.
Understand how email, web, and file-based artifacts can be blocked or monitored within security tools.
Preventative: Marking External Emails
Employees must understand the risk of external emails. Although they could be legitimate from entities such as customers, employee personal email addresses, vendors, suppliers, and potential clients – the majority of phishing emails will come from external addresses. In platforms such as Microsoft Exchange or Office365, there is the ability to alter the subject line or body text of an email address that is coming into the organization to alert the recipient that this email isn’t an internal communication, and could potentially be malicious. This simple warning can make employees think twice about interacting with an external email, such as opening an attachment or clicking on a hyperlink.
A good idea is to apply a rule where any email coming from an external sender into the organization has the subject line appended with a very short message, such as “[EXTERNAL]” or “[EXT]”.
Example Walkthrough
To quickly show you what email marking looks like, this example will show us setting up a rule on our Security Blue Team email addresses within Office 365. Here’s what an email looks like coming from an external source without any rules being used.
Example Walkthrough contd
To implement a rule, we’ll head over to the Exchange admin center and click on mail flow on the left-hand menu.
From here we’re able to create email rules. We will click the “+” icon, and select “Create a new rule…”.
Example Walkthrough contd
In the below screenshot, we have named our rule “Received from scope Outside the organization”. The rule is applied if:
The sender is outside the organization (securityblue.team domain)
AND the recipient is inside the organization
If these two conditions are met (which will always occur when an external email is delivered to a @securityblue.team mailbox) the following action will be taken:
Prepend the subject of the message with “[EXTERNAL]”
You can see the completed rule below on the right-hand side.
Example Walkthrough contd
So now if we send another email to our @securityblue.team mailbox from our Gmail address, we can see that the email is now being marked!
The same method can be applied to automatically add warning messages to the start of the body content instead of (or as well as) appending the subject line, and styling can be applied such as making the text red so it stands out more, and means the employee is more likely to read it and proceed with caution.