Injection
A nearby school district calls to inform you that they received a malicious email from an elementary teacher at your domain/district. They provide the email headers, username/email address and email timestamps of 6 messages.
Discussion Prompts
- How do you determine if this is a confirmed security incident or some kind of anomaly?
- How do you identify what systems, data, people, and operational processes are potentially involved?
- What real or potential risk(s) does your organization face?
- What short term containment options do you have?
- Can you contain it without destroying evidence?
- What is the operational impact of the incident and your containment strategy?
Check Your Work
- Initial analysis: are the emails actually from your domain, or from a lookalike domain?
- Header Analysis
- Log Correlation
- Mail Flow audit – origin and destination and all senders
- Extent of issue – is the user's account compromised? If so, what else was sent, to whom, and is this the only affected user?
- Notifications to our internal and external recipients of email from our district.
- Follow compromised account containment activities.
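The first two checks above (domain vs. lookalike, header analysis) can be scripted. The following is an added example, not part of the exercise materials; it assumes a placeholder district domain and uses constructed sample headers, and classifies a message as genuine district mail, a spoof of the district domain, a lookalike domain, or unrelated external mail.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "example-district.org"  # assumption: stand-in for the district's real domain
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Constructed sample headers (not a real message): From claims a near-miss of our domain.
SAMPLE_HEADERS = """\
From: "J. Teacher" <jteacher@examp1e-district.org>
Return-Path: <bounce@example-mailer.net>
Authentication-Results: mx.neighbor-district.org; spf=pass smtp.mailfrom=example-mailer.net;
 dkim=none; dmarc=fail header.from=examp1e-district.org
"""

def parse_auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from every Authentication-Results header."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            results[method.lower()] = verdict.lower()
    return results

def edit_distance(a, b):
    """Levenshtein distance; catches single-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain, trusted=TRUSTED_DOMAIN):
    """True if domain imitates trusted via digit/'rn' homoglyphs or a one-character edit."""
    folded = domain.replace("rn", "m").translate(HOMOGLYPHS)
    return domain != trusted and (folded == trusted or edit_distance(domain, trusted) <= 1)

def triage_headers(raw_headers, trusted=TRUSTED_DOMAIN):
    """Classify a message; when header-From is ours, DMARC pass = real account, fail = spoof."""
    msg = message_from_string(raw_headers)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth = parse_auth_results(msg)
    if from_domain == trusted:
        verdict = "district-account" if auth.get("dmarc") == "pass" else "spoofed-domain"
    elif is_lookalike(from_domain, trusted):
        verdict = "lookalike-domain"
    else:
        verdict = "external"
    return {"from_domain": from_domain, "auth": auth, "verdict": verdict}
```

Run `triage_headers` over each of the six header sets the neighboring district supplied; a "district-account" verdict is the case that triggers the compromised-account containment steps, while "lookalike-domain" and "spoofed-domain" point at notification and mail-flow hardening instead.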