Injection
When following up with an associate superintendent about malicious emails being sent from their district email address, you determine that the account was compromised via a phishing email they received last week.
Discussion Prompts
- How do you determine if this is a confirmed security incident or some kind of anomaly?
- How do you identify what systems, data, people, and operational processes are potentially involved?
- What real or potential risk(s) does your organization face?
- What short-term containment options do you have?
- Can you contain it without destroying evidence?
- What is the operational impact of the incident and your containment strategy?
Check Your Work
- Compromised account containment:
  - End sessions
  - Revoke tokens
  - Force password change
  - Force MFA
  - Check the mailbox for new inbox rules, forwarding, or delegation changes
- Review account activity:
  - Access logs
  - VPN connections
  - Impossible travel
  - If lateral movement is detected, consider broader containment efforts
- Investigate the phishing email:
  - Did others receive it?
  - Did others visit the phishing link?
  - Follow up as appropriate
- Ask the user whether the compromised password is used on other accounts (business or personal)
  - Recommend that the user change those passwords and use a unique password and MFA for each account
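The "impossible travel" check from the account-activity review above, as an added Python example that is not part of the original exercise materials. The sign-in records, addresses and coordinates are constructed; a real investigation would pull them from the identity provider or VPN logs together with an IP geolocation source.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-in log: (timestamp, user, source IP, latitude, longitude).
# Real records come from the identity provider / VPN concentrator plus IP geolocation.
SAMPLE_LOGINS = [
    ("2024-03-04T08:02:00", "asuper@district.example", "203.0.113.10", 39.74, -104.99),  # Denver
    ("2024-03-04T08:41:00", "asuper@district.example", "198.51.100.7", 39.74, -104.99),  # Denver
    ("2024-03-04T09:15:00", "asuper@district.example", "192.0.2.55", 50.11, 8.68),      # Frankfurt
    ("2024-03-04T11:30:00", "teacher@district.example", "203.0.113.20", 39.74, -104.99),
]

MAX_PLAUSIBLE_KMH = 1000.0  # faster than a commercial flight: physically impossible


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def find_impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, earlier_ip, later_ip, km, km/h) for each pair of consecutive
    sign-ins by the same user that would require moving faster than max_kmh."""
    by_user = {}
    for ts, user, ip, lat, lon in sorted(logins, key=lambda r: r[0]):
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), ip, lat, lon))
    findings = []
    for user, events in by_user.items():
        for (t1, ip1, la1, lo1), (t2, ip2, la2, lo2) in zip(events, events[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600
            # Two distant sign-ins at the same instant are treated as infinite speed.
            kmh = km / hours if hours > 0 else float("inf")
            if km > 0 and kmh > max_kmh:
                findings.append((user, ip1, ip2, round(km), round(kmh)))
    return findings


if __name__ == "__main__":
    for user, ip1, ip2, km, kmh in find_impossible_travel(SAMPLE_LOGINS):
        print(f"{user}: {ip1} -> {ip2} is {km} km in effect at {kmh} km/h")
```

The Denver-to-Frankfurt pair (about 8,100 km in 34 minutes) is flagged; the Denver-to-Denver pair and the single teacher sign-in are not.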