COUNTYWIDE CERT INCIDENT RESPONSE
PHISHING EMAIL PROCEDURES

I. PURPOSE

To establish a countywide procedure for use by Departmental Information Security Officers (DISO) and departmental help desks to promote consistency and uniformity in gathering pertinent information in a timely manner to identify and respond to phishing attacks against the County of Los Angeles (County), where potential impact to departments' business and computing services may occur. Phishing attacks may include suspicious or malicious emails, text messages, or phone calls. Due to the criticality of these threats to County systems and data, the Internal Services Department's (ISD) Help Desk is the primary intake resource for reporting phishing incidents.

II. PHISHING INCIDENT RESPONSE PROCESS FLOW

DEPT/DISO
• Obtain email sample
• Perform Tier 1 analysis
• Open ISD help desk ticket
• Notify CISO
• Complete CSIR

ISD/Security Operations
• Perform Tier 2 analysis
• Implement preventive controls
• Notify CISO of Tier 2 analysis results

CISO
• Coordinate incident
• Assist DISO with Tier 1 analysis
• Assist ISD with Tier 2 analysis
• Notify BOS and County PIO

* Bullet points listed in chronological order

III. DEPARTMENT / DISO ACTIVITIES (TIER 1)

A. Analysis

1. Retain a copy of the suspicious email by saving the original message as an attachment (open the email within Outlook and use the Save As function). Do not forward the email before saving it as an attachment, as portions of the original headers will be lost. Screen prints of the email will not help, as attachments or web links within the email will not be able to be inspected.

2. Review the email headers to compare and verify whether the sender shown in the email message is different from the actual sender identified in the headers (spoofing of the sender email address is one potential indicator of a malicious email). The headers can be reviewed by opening the email in Outlook and clicking on the message options arrow in the corner of the TAGS ribbon banner.

3. Review any file attachments for malware. Do not open the attachment; save the file locally, then scan the file via the VirusTotal website (https://www.virustotal.com/).

4. Review the actual site/URL associated with all web links in the email by hovering over the link. Do not click on the links unless you have a standalone computer that has its own Internet connection and does not connect to the County network. Use the VirusTotal website (https://www.virustotal.com/) to assess the actual site/URL associated with all links in the email.

5. Review the email message body to determine if it is asking the user to reply with sensitive information (e.g., passwords) or take other inappropriate actions (e.g., send a wire transfer).

6. Perform research on the Internet for known instances of the same email subject, sender, and message to see if it is a known scam.

7. Contact other identified recipients to inform them of the issue and provide handling instructions. It is OK to have users delete the email once one original sample has been retained.

8. Run anti-virus scans on computers where users opened suspicious file attachments or clicked on suspicious web links; ensure malware detections are configured to be quarantined (i.e., not deleted).

B. Reporting

1. Open a security incident ticket with the ISD Help Desk if there are any indicators of concern from the analysis. Indicate that the ticket should be assigned to ISD Security Operations. Include a copy of the original email, results of your analysis, and any other relevant background information (e.g., whether any County data was involved; a list of all known recipients and their job functions; and whether any users opened attachments, clicked links, replied to the message, etc.).

2. Notify the CISO office via CISOnotify@cio.lacounty.gov. Reference the ISD Help Desk ticket number and include all files and analysis that were included with the Help Desk ticket.

3. Complete and submit a Computer Security Incident Report (CSIR) to CISOnotify@cio.lacounty.gov.

IV. ISD / SECURITY OPERATIONS ACTIVITIES (TIER 2)

1. Perform an email search on the sender to identify all County recipients of the email; provide a list of recipients to affected DISOs.

2. Block the email sender from sending to/receiving from the County.

3. Register the email as phishing with Cisco IronPort services.

4. Perform an email search to identify any County users that replied to the sender or to any other reply-to email address that may have been specified in the message; provide a list of users to affected DISOs.

5. Run a Bluecoat report to identify any County users that accessed a suspicious link from the email; provide a list of users to affected DISOs.

6. Configure Bluecoat to block the malicious sites, if applicable.

7. Notify the CISO office (CISOnotify@cio.lacounty.gov) of the completed analysis and tasks; reference the original Help Desk ticket number.

V. CISO ACTIVITIES

1. Assist department/DISO with phishing incident analysis and direction as needed.

2. Assist ISD/Security Operations with phishing incident analysis and direction as needed.

3. Coordinate incident response activities with other County and external entities as required (e.g., DA-CiRT, OCI, County Counsel, Chief HIPAA Privacy Officer, Homeland Security/MS-ISAC, etc.).

4. Notify the Board of Supervisors (BOS) and County Public Information Officer (CPIO) as necessary.

OFFICE OF THE CISO Revised 03/21/2016
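The Tier 1 analysis steps 2 through 4 (header sender comparison, attachment review, link review) can be applied consistently to the saved message file rather than by eye. The following Python script is an added example and not part of the County procedure: it parses a saved .eml, flags a mismatch between the visible From: address and the envelope sender or Reply-To, extracts the links to check, and computes the SHA-256 of each attachment so it can be looked up on VirusTotal without uploading the file. The sample message, addresses and domains are constructed.

```python
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr

# Constructed sample .eml: the visible From: differs from the envelope sender.
SAMPLE_EML = b"""Return-Path: <bounce@example-mailer.test>
From: "County Help Desk" <helpdesk@lacounty.gov>
Reply-To: <reset@example-mailer.test>
Subject: Password expiring today
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

Your password expires today. Verify at http://login.example-mailer.test/reset
--B
Content-Type: application/octet-stream; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--B--"""

URL_RE = re.compile(r"https?://[^\s<>\"')]+")

def analyze(raw: bytes) -> dict:
    # Tier 1 indicators: sender/domain mismatch, links to assess, attachment hashes.
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    envelope = parseaddr(str(msg.get("Return-Path", "")))[1].lower()
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    domain = lambda a: a.rsplit("@", 1)[-1] if "@" in a else ""
    urls, attachments = [], {}
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""
            attachments[part.get_filename()] = hashlib.sha256(data).hexdigest()
        elif part.get_content_type() == "text/plain":
            urls.extend(URL_RE.findall(part.get_content()))
    return {
        "from": from_addr,
        "envelope_sender": envelope,
        "sender_mismatch": bool(envelope) and domain(envelope) != domain(from_addr),
        "reply_to_mismatch": bool(reply_to) and domain(reply_to) != domain(from_addr),
        "urls": urls,
        "attachment_sha256": attachments,
    }
```

The returned dictionary is the material to attach to the ISD Help Desk ticket alongside the original .eml.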