Process Document: Handling Suspected Third Party Mailbox Compromise

High-Level Summary

This process provides a structured approach to respond to a suspected compromise of a third party email mailbox. It involves detecting and assessing the issue, escalating internally, notifying the third party, implementing protective measures, evaluating the third party's response, resolving the incident, and maintaining ongoing monitoring. The goal is to mitigate risks, secure communications, and prevent future incidents through clear responsibilities and actionable steps.

Purpose

This document outlines the steps to be taken when a third party email mailbox is suspected to have been compromised, ensuring a timely, organized, and effective response to mitigate risks and maintain security.

Scope

This process applies to situations where an email mailbox owned by a third party (e.g., a partner, vendor, or client) is suspected of being compromised, potentially affecting communications or data shared with our organization.

Process Steps

1. Initial Detection and Assessment

  • Objective: Confirm suspicion of a compromise and gather initial evidence.
  • Actions:
    • Document indicators of compromise (e.g., unusual email activity, phishing attempts, or unauthorized access alerts).
    • Collect relevant details, such as the mailbox address, timestamps, and any suspicious emails or attachments.
    • Notify the internal security team or incident response coordinator.
  • Responsible Party: IT/Security Analyst or employee who detected the issue.
  • Tools: Email logs, SIEM system, or threat intelligence platforms.

2. Internal Escalation

  • Objective: Ensure appropriate stakeholders are informed and engaged.
  • Actions:
    • Escalate the issue to the Information Security Officer or Incident Response Team Lead.
    • Provide a summary of findings, including evidence and potential impact (e.g., sensitive data exposure).
    • Determine if immediate protective measures (e.g., email filtering or blocking) are needed.
  • Responsible Party: Incident Response Coordinator.
  • Tools: Incident tracking system, internal communication channels (e.g., Slack, email).

3. Third Party Notification

  • Objective: Inform the third party of the suspected compromise and request information.
  • Actions:
    • Draft and send a formal letter to the third party, including:
      • Description of the suspected compromise.
      • Request for confirmation and details (e.g., what occurred, timeline, actions taken).
      • Specific questions about incident response, mailbox security, and willingness to share incident reports or IOCs.
    • Use a professional and urgent tone, specifying a response deadline (e.g., 5 business days).
    • Log the communication in the incident tracking system.
  • Responsible Party: Information Security Officer or designated communications lead.
  • Tools: Email client, incident tracking system, letter template (see referenced HTML letter).

4. Implement Interim Protective Measures

  • Objective: Mitigate risks while awaiting third party response.
  • Actions:
    • Flag or quarantine emails from the suspected mailbox to prevent further exposure.
    • Review and update email security rules (e.g., spam filters, DKIM/SPF checks).
    • Notify internal users to avoid interacting with emails from the suspected mailbox until cleared.
    • Assess shared data or systems linked to the third party for potential compromise.
  • Responsible Party: IT/Security Team.
  • Tools: Email security gateway, endpoint detection tools.

5. Third Party Response Evaluation

  • Objective: Assess the third party’s response and determine next steps.
  • Actions:
    • Review the third party’s response for completeness (e.g., confirmation of compromise, remediation steps, IOCs).
    • Validate any provided IOCs against internal systems to identify related threats.
    • If the response is inadequate or unclear, follow up with additional questions or escalate to senior management for further action.
    • Update the incident log with findings and decisions.
  • Responsible Party: Information Security Officer and Incident Response Team.
  • Tools: Threat intelligence platform, incident tracking system.
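As an added example (not part of this process document), the interim protection in step 4 and the IOC validation in step 5 expressed as triage logic over constructed mail-gateway log lines: mail from the suspected mailbox is flagged or quarantined depending on its SPF/DKIM results, and IOCs shared by the third party are swept against all mail, not only the suspected sender, so related threats from other mailboxes surface too. The log format, mailbox address, URL and hash are all constructed placeholders.

```python
import re

# Constructed values: the suspected mailbox and the IOCs the third party shared (placeholders).
SUSPECTED_MAILBOX = "accounts@vendor.example"
IOC_HASH = "ab" * 32                                   # placeholder SHA-256 of a malicious attachment
IOC_URLS = {"https://vendor-invoice-portal.example/login"}
IOC_HASHES = {IOC_HASH}

# Constructed gateway log lines: timestamp, sender, SPF/DKIM results, attachment hash, first URL ("-" = none).
SAMPLE_LOG = [
    "2024-05-02T09:14:03Z from=accounts@vendor.example spf=pass dkim=pass sha256=- url=-",
    "2024-05-02T09:41:27Z from=accounts@vendor.example spf=fail dkim=none sha256=- "
    "url=https://vendor-invoice-portal.example/login",
    f"2024-05-02T10:02:55Z from=billing@vendor.example spf=pass dkim=pass sha256={IOC_HASH} url=-",
    "2024-05-02T10:30:11Z from=hr@other.example spf=pass dkim=pass sha256=- url=https://intranet.example/doc",
]

LINE_RE = re.compile(r"(?P<ts>\S+) from=(?P<sender>\S+) spf=(?P<spf>\S+) dkim=(?P<dkim>\S+) sha256=(?P<sha>\S+) url=(?P<url>\S+)$")

def triage(line, suspected=SUSPECTED_MAILBOX, ioc_urls=IOC_URLS, ioc_hashes=IOC_HASHES):
    """Classify one log line as quarantine / flag / allow; None if the line is unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    from_suspected = m["sender"].lower() == suspected.lower()
    auth_failed = m["spf"] != "pass" or m["dkim"] != "pass"
    ioc_hit = m["url"] in ioc_urls or m["sha"] in ioc_hashes
    reasons = [r for ok, r in (
        (from_suspected, "sender is the suspected mailbox"),
        (auth_failed, f"authentication spf={m['spf']} dkim={m['dkim']}"),
        (ioc_hit, "matches an IOC supplied by the third party"),
    ) if ok]
    # Quarantine on any IOC hit, or when the suspected sender also fails SPF/DKIM;
    # flag (deliver with a warning banner) on a single weaker signal; otherwise allow.
    if ioc_hit or (from_suspected and auth_failed):
        action = "quarantine"
    elif from_suspected or auth_failed:
        action = "flag"
    else:
        action = "allow"
    return {"ts": m["ts"], "sender": m["sender"], "action": action, "reasons": reasons}

def triage_log(lines):
    """Triage every line; unparseable lines are skipped (a real deployment should log them)."""
    return [v for v in map(triage, lines) if v is not None]

if __name__ == "__main__":
    for v in triage_log(SAMPLE_LOG):
        print(f"{v['ts']} {v['sender']:<28} {v['action']:<10} {'; '.join(v['reasons'])}")
```

The third sample line shows why IOCs are swept against all mail: a different mailbox at the same vendor carries the IOC hash and is quarantined even though it passes authentication.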

6. Remediation and Closure

  • Objective: Ensure the issue is resolved and lessons are documented.
  • Actions:
    • Confirm with the third party that the mailbox is secure and no further risks remain.
    • Remove interim protective measures (e.g., email filters) if appropriate.
    • Conduct a post-incident review to identify gaps in detection or response.
    • Update security policies, training, or third party agreements as needed.
    • Archive the incident report and related communications.
  • Responsible Party: Incident Response Team Lead.
  • Tools: Incident tracking system, knowledge base.

7. Ongoing Monitoring

  • Objective: Prevent recurrence and maintain vigilance.
  • Actions:
    • Monitor for similar indicators of compromise in communications with the third party.
    • Periodically review third party security practices (e.g., during contract renewals).
    • Share relevant IOCs with internal teams and, if appropriate, industry threat-sharing groups.
  • Responsible Party: IT/Security Team.
  • Tools: SIEM system, threat intelligence feeds.

Roles and Responsibilities

References

Checklist for Process Completion

Incident Tracking Log

Date | Step | Action Taken | Responsible Party | Notes

Approval

This process is approved by [Approver Name], [Approver Title], on [Approval Date].