Module 1
Triage - Deciding when to investigate
Last updated on: 22 August 2024
When you receive or are forwarded a suspicious message, conduct initial triage in order to determine if it is indeed malicious, to figure out the best rapid response for the targeted recipient(s) if it is, and to determine if further investigation is needed. For most messages, it’s enough to conduct basic heuristics to separate untargeted from targeted threats and to identify harm-reducing actions.
After completing this subtopic, the practitioner should be able to differentiate between legitimate emails, untargeted spam or phishing emails, and targeted ones based on several heuristic indicators.
The practitioner should be able to recognize common phishing email techniques and attacker objectives. They should be able to spot common telltale signs of a phishing message. If you need to brush up on this topic, check out Jigsaw’s Phishing Quiz.
Low-tech approaches to determining if a message was actually sent by a person you know are often the simplest and fastest way to determine if that message is authentic. A great example of such a low-tech approach is following up with the sender of a potentially suspicious email (assuming you know them) on another communication medium, such as an instant messenger, to make sure that it was indeed them who sent the email and that it’s legitimate.
Also check out these two articles with examples of tactics and deceptive techniques commonly used in phishing messages: 6 Common Phishing Attacks and How to Protect Against Them and 5 Common Phishing Techniques (vadesecure.com).
Spam and non-targeted phishing messages are an unfortunate reality of the internet. Investigating messages and related malicious infrastructure is only a practical and useful exercise in a small set of cases. Consider the following criteria when deciding if it is worth spending time investigating the message and related infrastructure:
A general rule is that only targeted messages are usually worth investigating. Many spam or phishing emails end up being quite low quality or sent en masse. Those are usually sent by adversaries who might have some financial motive but have not targeted the organization specifically due to its human rights or civil society work. They are therefore less likely to attack NGOs in the future, and a write-up of their activities would be of less benefit to the community.
Attackers who use lower-quality or mass messaging are also likely to be caught by automated tests and rules, and will simply change their messaging; those who pursue targeted attacks, by contrast, have made a far greater investment. Adversaries who send targeted messages often have (geo)political motivations and might use phishing as part of a wider hybrid campaign, which could also be directed at other NGOs. Investigating targeted messages can therefore often help uncover such broader campaigns.
⚠️ Remember, if you need additional help and do not feel confident that you are able to respond to the level of risk or analysis needs of a malicious message, reach out for help for instance to CiviCERT Members or through support providers listed at the Digital First Aid Kit.
⚠️ While considering or conducting an investigation, ensure you balance harm reduction needs and support any targets to implement timely harm reduction actions, such as those listed at Recover from possible account compromise (securityinabox.org).
Spend some time on the phishing quiz by Shira until you feel that you can comfortably pass the tests and accurately recognize phishing across several app categories.
Shira by Horizontal
Free. An online quiz with sample emails, where the user must decide whether they are malicious.
Phishing Quiz by Jigsaw
Free. An online quiz with sample emails, where the user must decide whether they are malicious.
6 Common phishing attacks and how to protect against them
Free. A summary of some common phishing attacks, which also includes some more sophisticated methods used by attackers.
5 Common phishing techniques
Free. A look at some techniques attackers use to make phishing emails more convincing and occasionally escape detection.
CiviCERT
Free. A network of civil society organizations and rapid response groups which focus on cyberattacks and similar threats.
Digital First Aid Kit
Free. A comprehensive guide supporting digital protectors who deal with a variety of different issues.
Recover from possible account compromise
Free. A guide on what immediate and long-term steps to take when an account has been compromised.
Congratulations on finishing Module 1!