When a user clicks something suspicious...

Posted by rxtc@reddit | sysadmin | View on Reddit | 4 comments

What is your company's process/procedure when a user clicks on something they shouldn't have (i.e., an e-mail with a suspicious link)? I know this sounds basic. Do you just run a scan and, if it comes back OK, be done with it...or do you go all the way and reformat their drive and reinstall the OS? Would it be overboard if you reformat even though scans come back as safe?

Reply to Post

4 Comments

[-]

KindlyGetMeGiftCards@reddit

Every situation is different, you can always go nuclear if you are unsure, but it's most likely not necessary. Info and details are your friend I saw a phishing email the other day, so I clicked the link, it went to a website with a pdf, in there was a link to another website, this was a fake office 365, so I signed in as my friend Bill, he works at microsoft, you may have heard of him, then it asks for a password so I put that in and watch. This was done in an isolated environment, I did it so I know what questions to ask the users who click the link, most reported or ignored the email, a couple clicked the link, just the first link. no further action needed, but I knew what to ask. Info was my friend here. Another time we also had a user's account compromised, most likely a cookie token was stolen, so we had to physically take their computer, disconnect it from the network, disable account and other remediation actions to secure the issue. At the end of the day the computer I wasn't 100% sure about, so did a full wipe, best to be sure than in doubt. Didn't delete their cloud accounts or anything, singed out all their sessions, reset passwords, reset mfa, etc. at that point it was limiting what the bad actors have access to, they already gleaned what ever by the time we jumped on it, just stop access.

[-]

thatohgi@reddit

User clicks link They either call us or we start seeing suspicious activity Rotate creds/MFA & revoke all session tokens Educate user on what led to the compromise/incident Run AV scan Remediate Close ticket No need to wipe/reload unless that is indicated in the remediation efforts.

[-]

ughisthisnametaken@reddit

imnotaero had a good response. I would just like to add that you shouldnt necessarily trust a scan that comes back clean. EDRs are great tools and significantly help with your cybersecurity posture and defense in depth, but they can all by bypassed. I know that in this specific situation that you posted about it may be unlikely that the user downloaded a payload, but for future stuff just dont take a clean AV/EDR scan at face value.

[-]

imnotaero@reddit

Well, first off, some combination of IT/user training. What was the lure that worked, and is it deserving of additional attention? Do you need to change a process to keep it from working again, or just remind the user of their responsibilities. You need data about what happened. This should include a user interview (and you should perhaps be skeptical that the user will be entirely forthcoming.) The more data you have about what the user and computer did, the more confident you can be that you're choosing the right course of action, be it wipe or no wipe. The top concern I'd have is that the user clicked a link and was presented with a fake login page, and then provided credentials to an attacker. Resetting the user's password is an easy win. Then monitor the user's account for strange access patterns, just in case they changed their Spring2024!! password to Summer2024!!.