Phishing Procedures - 032116 CISO reviewed

COUNTYWIDE CERT INCIDENT RESPONSE
PHISHING EMAIL PROCEDURES
I. PURPOSE
To establish a countywide procedure for Departmental Information Security Officers (DISOs) and
departmental help desks that promotes consistency and uniformity in gathering pertinent information in a timely
manner, so that phishing attacks against the County of Los Angeles (County) that may affect departments'
business and computing services can be identified and responded to.
Phishing attacks may include suspicious or malicious emails, text messages, or phone calls. Due to the criticality
of these threats to County systems and data, the Internal Services Department’s (ISD) Help Desk is the primary
intake resource for reporting phishing incidents.
II. PHISHING INCIDENT RESPONSE PROCESS FLOW
DEPT/DISO
• Obtain email sample
• Perform Tier 1 analysis
• Open ISD help desk ticket
• Notify CISO
• Complete CSIR
ISD/Security Operations
• Perform Tier 2 analysis
• Implement preventive controls
• Notify CISO of Tier 2 analysis results
CISO
• Assist DISO with Tier 1 analysis
• Assist ISD with Tier 2 analysis
• Coordinate incident response
• Notify BOS and County PIO
* Bullet points listed in chronological order
III. DEPARTMENT / DISO ACTIVITIES (TIER 1)
A. Analysis
1. Retain a copy of the suspicious email by saving the original message as an attachment (open the email
within Outlook and use the Save As function). Do not forward the email before saving it as an
attachment, as portions of the original headers will be lost. Screen prints of the email will not help, because
attachments and web links within the email cannot be inspected from a screen print.
2. Review the email headers to verify whether the sender shown in the email message differs from the
actual sender identified in the headers (spoofing of the sender email address is one potential indicator
of a malicious email). The headers can be reviewed by opening the email in Outlook and clicking on the
message options arrow in the corner of the TAGS ribbon banner.
3. Review any file attachments for malware. Do not open the attachment; save the file locally, then scan
the file via the VirusTotal website – https://www.virustotal.com/.
4. Review the real site/URL associated with all web links in the email by hovering over the link. Do not click
on the links unless you have a standalone computer that has its own Internet connection and does not
connect to the County network. Use the VirusTotal website (https://www.virustotal.com/) to assess the
actual site/URL associated with all links in the email.
OFFICE OF THE CISO
Page 1 of 2
Revised 03/21/2016
5. Review the email message body to determine if it is asking the user to reply with sensitive information
(e.g., passwords) or take other inappropriate actions (e.g., send a wire transfer).
6. Perform research on the Internet for known instances of the same email subject, sender, and message
to see if it is a known scam.
7. Contact other identified recipients to inform them of the issue and provide handling instructions. It is
OK to have users delete the email once one original sample has been retained.
8. Run anti-virus scans on computers where users opened suspicious file attachments or clicked on
suspicious web links; ensure malware detections are configured to be quarantined (i.e., not deleted).
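Steps 2 through 5 above can be partly automated once the message has been saved as a .eml file. The script below is an added example and is not part of the County procedure or its tooling; the sample message, addresses, IP addresses, and attachment name are constructed for illustration. It compares the displayed From address with the Return-Path (envelope) sender, hashes attachments so they can be looked up on VirusTotal by SHA-256 without opening them, lists every link target and flags links whose visible text is a different URL from the real target, and searches the body for requests for credentials or money.

```python
"""Tier 1 phishing triage helper (added example; not part of the County procedure)."""
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed sample .eml: spoofed From, mismatching Return-Path, a link whose
# visible text differs from its real target, and a small attachment.
SAMPLE_EML = b"""Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [192.0.2.10])
    by mx.lacounty.example (Postfix) with ESMTP id ABC123
From: "County Payroll" <payroll@lacounty.example>
To: staff@lacounty.example
Subject: Urgent: confirm your password
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Please reply with your password to keep your account active.</p>
<a href="http://198.51.100.7/login">https://payroll.lacounty.example</a></body></html>
--b1
Content-Type: application/octet-stream; name="invoice.bin"
Content-Disposition: attachment; filename="invoice.bin"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""

# Phrases that indicate a request for sensitive information or payment (step 5).
SENSITIVE_REQUESTS = re.compile(
    r"\b(password|passcode|wire transfer|gift card|social security)\b", re.I)


class _LinkParser(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def sender_mismatch(msg):
    """Step 2: compare the displayed From address with the envelope sender."""
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    return_path = parseaddr(msg.get("Return-Path", ""))[1].lower()
    return from_addr, return_path, from_addr != return_path


def attachment_hashes(msg):
    """Step 3: SHA-256 per attachment, for a hash lookup instead of opening the file."""
    return {part.get_filename(): hashlib.sha256(part.get_content()).hexdigest()
            for part in msg.iter_attachments()}


def link_findings(msg):
    """Step 4: real link targets; 'deceptive' when the visible text is a different URL."""
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    parser = _LinkParser()
    parser.feed(body.get_content())
    findings = []
    for href, text in parser.links:
        text_is_url = re.match(r"https?://", text) is not None
        findings.append({"href": href, "text": text,
                         "deceptive": text_is_url and text.rstrip("/") != href.rstrip("/")})
    return findings


def sensitive_requests(msg):
    """Step 5: phrases in the message text that ask for credentials or money."""
    text = ""
    for part in msg.walk():
        if part.get_content_maintype() == "text" and not part.is_attachment():
            text += part.get_content()
    plain = re.sub(r"<[^>]+>", " ", text)  # strip HTML tags before matching
    return sorted({m.group(0).lower() for m in SENSITIVE_REQUESTS.finditer(plain)})


def triage(raw: bytes) -> dict:
    """Run all Tier 1 checks over a raw .eml and return the findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_addr, return_path, mismatch = sender_mismatch(msg)
    return {"subject": msg["Subject"], "from": from_addr, "return_path": return_path,
            "sender_mismatch": mismatch, "attachments": attachment_hashes(msg),
            "links": link_findings(msg), "sensitive_requests": sensitive_requests(msg)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EML), indent=2))
```

Run it against a saved message (`triage(open("sample.eml", "rb").read())`) and attach the output to the help desk ticket alongside the original .eml. Looking up the attachment's SHA-256 on VirusTotal before uploading the file itself is worthwhile: an existing verdict avoids sharing a file that may contain County data with a third party.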
B. Reporting
1. Open a security incident ticket with the ISD Help Desk if there are any indicators of concern from the
analysis. Indicate that the ticket should be assigned to ISD Security Operations. Include a copy of the
original email, results of your analysis, and any other relevant background information (e.g., if any
County data was involved, a list of all known recipients, their job functions, and if any users opened
attachments, clicked links, replied to the message, etc.).
2. Notify the CISO office via CISOnotify@cio.lacounty.gov. Reference the ISD Help Desk ticket number and
include all files and analysis that was included with the Help Desk ticket.
3. Complete and submit a Computer Security Incident Report (CSIR) to CISOnotify@cio.lacounty.gov.
IV. ISD / SECURITY OPERATIONS ACTIVITIES (TIER 2)
1. Perform an email search on the sender to identify all County recipients of the email; provide a list of
recipients to affected DISOs.
2. Block the email sender from sending to/receiving from the County.
3. Register the email as phishing with Cisco IronPort services.
4. Perform an email search to identify any County users that replied to the sender or to any other reply-to
address specified in the message; provide a list of users to affected DISOs.
5. Run a Bluecoat report to identify any County users that accessed a suspicious link from the email; provide a
list of users to affected DISOs.
6. Configure Bluecoat to block the malicious sites, if applicable.
7. Notify the CISO office (CISOnotify@cio.lacounty.gov) of the completed analysis and tasks; reference the
original Help Desk ticket number.
V. CISO ACTIVITIES
1. Assist department/DISO with phishing incident analysis and direction as needed.
2. Assist ISD/Security Operations with phishing incident analysis and direction as needed.
3. Coordinate incident response activities with other County and external entities as required (e.g., DA-CiRT,
OCI, County Counsel, Chief HIPAA Privacy Officer, Homeland Security/MS-ISAC, etc.).
4. Notify the Board of Supervisors (BOS) and County Public Information Officer (CPIO) as necessary.
OFFICE OF THE CISO
Page 2 of 2
Revised 03/21/2016