
What should happen after an employee clicks on a malicious link?

The response to an employee clicking on a malicious link is important for organizations to get right. Expert Matthew Pascucci discusses how to handle the aftermath of an attack.

If an employee clicks on a link in an email that on second thought looks suspicious, what should the security team do besides scanning the employee's client device? Should the device be isolated from the network and the account access/privileges frozen?

There are three areas I'd consider after a user has potentially clicked on a malicious link in an email. Just like anything else in security, you need to review the entire issue and not just fix the symptom.

The first step is to verify if the system was compromised. This will entail reviewing how the security team became aware of the issue -- did a user call in or was it seen in an incident? -- and using this as a troubleshooting starting point. Review all the security monitoring systems to see if there was any unauthorized activity seen from this machine/user account on the network after the malicious link was clicked. Comb through the logs of the system and validate that all endpoint agents are up to date and working properly. If possible, take a snapshot of the system with incident response tools like Mandiant Redline or Resilient's Incident Response Platform to get a better look at what's happening under the hood. Most importantly, review the malicious link itself on a lab machine to test the functionality of what occurs after it is clicked. It's good to have a lab system segmented from the network and purposely vulnerable for tests like these that can be rebooted back into a previous state -- think software like Faronics' Deep Freeze or Toolwiz Time Freeze. Test these malicious links in lab systems while running packet captures to review the actual data transfers. Look at the spam filters and comb through the headers of the email to get a better understanding of its origin.
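An added example, not from the original column, of the log and header review described in this first step: it pulls the link hosts out of the reported email, compares the From domain with the Return-Path and the earliest Received hop, and checks a web-proxy log for follow-on requests from the user's workstation. The message, the proxy log lines, and every hostname and address in it are constructed samples.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real message): raw headers and body of the reported email.
RAW_EMAIL = """Return-Path: <billing@example-invoices.test>
Received: from mail.example-invoices.test (203.0.113.7) by mx.corp.test; Mon, 5 Dec 2016 09:01:12 +0000
Received: from [192.0.2.55] by mail.example-invoices.test; Mon, 5 Dec 2016 09:00:58 +0000
From: "Accounts Payable" <ap@corp.test>
Content-Type: text/plain

Please review: http://example-invoices.test/invoice.php?id=42
"""
# Constructed sample web-proxy log: "<timestamp> <client ip> <method> <url> <status>".
PROXY_LOG = """2016-12-05T09:03:41Z 10.10.5.23 GET http://example-invoices.test/invoice.php?id=42 200
2016-12-05T09:03:42Z 10.10.5.23 GET http://example-invoices.test/update.exe 200
2016-12-05T09:10:07Z 10.10.5.23 GET http://intranet.corp.test/home 200
"""

def header_origin(raw):
    """Return (From domain, Return-Path domain, IP of the earliest Received hop)."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].split("@")[-1]
    rp_domain = parseaddr(msg["Return-Path"])[1].split("@")[-1]
    hops = msg.get_all("Received") or []
    # Each relay prepends its own Received header, so the last one is nearest the origin.
    m = re.search(r"\(([\d.]+)\)|\[([\d.]+)\]", hops[-1]) if hops else None
    return from_domain, rp_domain, ((m.group(1) or m.group(2)) if m else None)

def link_domains(raw):  # hostnames of every http(s) link in the message body
    return set(re.findall(r"https?://([^/\s]+)", message_from_string(raw).get_payload()))

def requests_to(log, domains):  # (timestamp, client ip, url) for proxy lines hitting those hosts
    out = []
    for line in log.splitlines():
        ts, ip, _method, url, _status = line.split()
        m = re.match(r"https?://([^/]+)", url)
        if m and m.group(1) in domains:
            out.append((ts, ip, url))
    return out

def triage(raw, log, host_ip):  # findings to weigh before isolating the host / freezing the account
    from_d, rp_d, hop = header_origin(raw)
    mine = [h for h in requests_to(log, link_domains(raw)) if h[1] == host_ip]
    findings = []
    if from_d != rp_d:
        findings.append(f"sender mismatch: From={from_d} Return-Path={rp_d} first hop={hop}")
    if len(mine) > 1:  # more than the click itself: follow-on downloads or beaconing
        findings.append(f"{len(mine) - 1} follow-on request(s) to link domain from {host_ip}")
    return findings
```

A second fetch from the link host right after the click (here `update.exe`) is the kind of unauthorized activity the text says to look for before deciding on isolation.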

Secondly, determine if there are gaps in your planning or architecture. Does your organization have the needed policy, procedure and technology to stop phishing attacks from entering the network? And if they enter the network, would you be able to stop them on the endpoint? This is why ransomware has become such a huge issue over the past couple of years. There is technology to stop much of this, but having an incident response team that understands how to react, having tools like spam/phishing filters, next-generation endpoint protection and so on, and having internal policies that manage patching of operating system and third-party software is also something to consider.

Lastly, and potentially most importantly, there needs to be user training on phishing alerts on a continual basis. Many attackers have stopped targeting the perimeter and are focusing on the users since they're the easiest way in. Using software like PhishMe or KnowBe4's Phishing Security Test, hanging posters, creating security awareness and making it part of your organization's culture can go a long way so that you may never have to search a system for malware again. If the users don't click on the malicious link, you won't have to worry as much.


This was last published in December 2016


Comments

How does your organization handle the response to malicious links?

We put Reboot Restore Rx on the machines; previously we used Windows SteadyState (RIP). We just have our users restart the machine at the end of the day, which wipes everything off the machine.
