Enterprises today are most vulnerable to phishing attacks at the user level. Understandably, users are an easier target than the hardened, Internet-facing systems that make up the rest of the enterprise.
Phishing campaigns are becoming more sophisticated and more frequent, with greater effort going into making the emails believable, even targeting specific people within an organization. As a result, users are growing less and less able to tell legitimate email from a phishing campaign.
This video describes the steps enterprises should take to catch these types of exploits before any data gets moved out of the network. These guidelines include, but are not limited to:
- Educate users
- Assume a user in your organization is going to get exploited
- Maintain visibility—look for activity you’re likely to see after the exploit happens
- Identify and target “attractive” data in the enterprise
- Focus on the activity in-and-around “attractive” data
- Move out from this central location, monitoring & investigating accounts and users accessing “attractive” data
- Set up baseline monitoring
- Watch for anomalous activity (after hours, simultaneous authentications from multiple locations, etc.)
- Watch for activity that occurs around the potential exploit
In short, focus on attempting to find the activity AROUND the exploit, rather than solely focusing on the exploit itself.
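As an added illustration of the baseline and anomaly checks listed above (example code, not from the video), the following Python scores constructed authentication events for two of the signals named: after-hours access to "attractive" data and authentications from multiple locations within minutes of each other. The business-hours baseline, the resource labelled attractive, and the travel window are all assumed values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events, not real log data:
# (user, ISO timestamp, source location, resource accessed)
EVENTS = [
    ("alice", "2024-03-04T09:12:00", "office-nyc", "finance-share"),
    ("alice", "2024-03-04T09:40:00", "office-nyc", "finance-share"),
    ("alice", "2024-03-05T02:15:00", "vpn-fr",     "finance-share"),  # after hours
    ("bob",   "2024-03-04T10:05:00", "office-nyc", "wiki"),
    ("bob",   "2024-03-04T10:09:00", "vpn-br",     "finance-share"),  # second site, 4 min later
]

ATTRACTIVE = {"finance-share"}        # assumed label for the enterprise's high-value data
BUSINESS_HOURS = range(8, 19)         # assumed baseline: 08:00 to 18:59 local time
TRAVEL_WINDOW = timedelta(minutes=30) # assumed: two sites this close in time is implausible


def parse(events):
    """Convert the raw tuples into (user, datetime, location, resource)."""
    return [(u, datetime.fromisoformat(ts), loc, res) for u, ts, loc, res in events]


def find_anomalies(events, attractive=ATTRACTIVE):
    """Return (user, signal, detail) alerts for activity touching attractive data.

    Signals: 'after_hours' when access falls outside the baseline hours, and
    'multi_location' when the same account authenticates from two different
    locations inside TRAVEL_WINDOW and either event touches attractive data.
    """
    alerts = []
    by_user = defaultdict(list)
    for user, ts, loc, res in parse(events):
        by_user[user].append((ts, loc, res))
    for user, rows in by_user.items():
        rows.sort()  # chronological order so earlier events are the comparison set
        for i, (ts, loc, res) in enumerate(rows):
            if res in attractive and ts.hour not in BUSINESS_HOURS:
                alerts.append((user, "after_hours", ts.isoformat()))
            for prev_ts, prev_loc, prev_res in rows[:i]:
                close_in_time = ts - prev_ts <= TRAVEL_WINDOW
                if loc != prev_loc and close_in_time and attractive & {res, prev_res}:
                    alerts.append((user, "multi_location", f"{prev_loc}->{loc}"))
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(EVENTS):
        print(alert)
```

Feeding real authentication logs through the same two checks is a starting point; the baseline hours and resource labels should come from observed normal activity per user rather than the fixed values assumed here.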