pixel_dreams - Fotolia

What should happen after an employee clicks on a malicious link?

The response to an employee clicking on a malicious link is important for organizations to get right. Expert Matthew Pascucci discusses how to handle the aftermath of an attack.

If an employee clicks on a link in an email that on second thought looks suspicious, what should the security team do besides scanning the employee's client device? Should the device be isolated from the network and the account access/privileges frozen?

There are three areas I'd consider after a user has potentially clicked on a malicious link in an email. Just like anything else in security, you need to review the entire issue and not just fix the symptom.

The first step is to verify if the system was compromised. This will entail reviewing how the security team became aware of the issue -- did a user call in or was it seen in an incident? -- and using this as a troubleshooting starting point. Review all the security monitoring systems to see if there was any unauthorized activity seen from this machine/user account on the network after the malicious link was clicked. Comb through the logs of the system and validate all endpoint agents are up to date and working properly. If possible, take a snapshot of the system with incident response tools like Mandiant Redline, or Resilient's Incident Response Platform to get a better look at what's happening under the hood. Most importantly, review the malicious link itself on a lab machine to test the fundability of what occurs after being clicked. It's good to have a lab system segmented from the network and purposely vulnerable for tests like these that can be rebooted back into a previous state -- think software like Faronics' Deep Freeze or Toolwiz Time Freeze. Test these malicious links in lab systems while running packet captures to review the actual data transfers. Look at the spam filters and comb through the headers of the email to get a better understanding of its origin.

Secondly, determine if there are gaps in your planning or architecture. Does your organization have the needed policy, procedure and technology to stop phishing attacks from entering the network? And if they enter the network would you be able to stop them on the endpoint? This is why ransomware has become such a huge issue over the past couple years. There is technology to stop much of this, but having an incident response team that understands how to react, having tools like spam/phishing filters, next generation endpoint and so on, and having internal policies that manage patching on operating system and third-party software is also something to consider.

Lastly, and potentially most importantly, there needs to be user training on phishing alerts on a continual basis. Many attackers have stopped targeting the perimeter and are focusing on the users since they're the easiest way in. Using software like PhishMe or KnowBe4's Phishing Security Test, hanging posters, creating security awareness and making it part of your organization's culture can go a long way so that you may never have to search a system for malware again. If the users don't click on the malicious link, you won't have to worry as much.

Ask the Expert:
Want to ask Matt Pascucci a question about security? Submit your question now via email. (All questions are anonymous.)

Next Steps

Learn how to prevent ransomware or recover from a ransomware breach

Find out how to prevent voicemail phishing scams

Check out ways to defend against phishing

Dig Deeper on Threats and vulnerabilities