What should happen after an employee clicks on a malicious link?

If an employee clicks on a link in an email that on second thought looks suspicious, what should the security team…


* remove unnecessary class from ul
$(“#inlineregform”).find( “ul” ).removeClass(“default-list”);

* Replace “errorMessageInput” class with “sign-up-error-msg” class
function renameErrorMsgClass() {
$(“.errorMessageInput”).each(function() {
if ($(this).hasClass(“hidden”)) {
$(this).removeClass(“errorMessageInput hidden”).addClass(“sign-up-error-msg hidden”);
} else {

* when validation function is called, replace “errorMessageInput” with “sign-up-error-msg”
* before return
function validateThis(v, form) {
var validateReturn = urValidation.validate(v, form);
return validateReturn;

* DoC pop-up window js – included in moScripts.js which is not included in responsive page
$(“#inlineRegistration”).on(“click”,”a.consentWindow”, function(e) {, “Consent”, “width=500,height=600,scrollbars=1”);

do besides scanning the employee’s client device? Should the device be isolated from the network and the account access/privileges frozen?

There are three areas I’d consider after a user has potentially clicked on a malicious link in an email. Just like anything else in security, you need to review the entire issue and not just fix the symptom.

The first step is to verify if the system was compromised. This will entail reviewing how the security team became aware of the issue — did a user call in or was it seen in an incident? — and using this as a troubleshooting starting point. Review all the security monitoring systems to see if there was any unauthorized activity seen from this machine/user account on the network after the malicious link was clicked. Comb through the logs of the system and validate all endpoint agents are up to date and working properly. If possible, take a snapshot of the system with incident response tools like Mandiant Redline, or Resilient’s Incident Response Platform to get a better look at what’s happening under the hood. Most importantly, review the malicious link itself on a lab machine to test the fundability of what occurs after being clicked. It’s good to have a lab system segmented from the network and purposely vulnerable for tests like these that can be rebooted back into a previous state — think software like Faronics’ Deep Freeze or Toolwiz Time Freeze. Test these malicious links in lab systems while running packet captures to review the actual data transfers. Look at the spam filters and comb through the headers of the email to get a better understanding of its origin.

Secondly, determine if there are gaps in your planning or architecture. Does your organization have the needed policy, procedure and technology to stop phishing attacks from entering the network? And if they enter the network would you be able to stop them on the endpoint? This is why ransomware has become such a huge issue over the past couple years. There is technology to stop much of this, but having an incident response team that understands how to react, having tools like spam/phishing filters, next generation endpoint and so on, and having internal policies that manage patching on operating system and third-party software is also something to consider.

Lastly, and potentially most importantly, there needs to be user training on phishing alerts on a continual basis. Many attackers have stopped targeting the perimeter and are focusing on the users since they’re the easiest way in. Using software like PhishMe or KnowBe4’s Phishing Security Test, hanging posters, creating security awareness and making it part of your organization’s culture can go a long way so that you may never have to search a system for malware again. If the users don’t click on the malicious link, you won’t have to worry as much.

Ask the Expert:
Want to ask Matt Pascucci a question about security? Submit your question now via email. (All questions are anonymous.)

Next Steps

Learn how to prevent ransomware or recover from a ransomware breach

Find out how to prevent voicemail phishing scams

Check out ways to defend against phishing

Dig Deeper on Information Security Incident Response-Information

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever’s puzzling you.

Source link