Kernel of Truth

Phishing Link Clicked – NIST 800-61 Response

Here’s an example of how you might use NIST 800-61’s incident response lifecycle to handle a situation where a user reports having clicked on a phishing link in an email. It is structured to show practical application across all four phases:

1. Preparation

  • User Awareness Training: The user has previously completed phishing awareness training and knows how to report suspicious emails.
  • Incident Response Plan (IRP): The organisation has a documented IRP that includes a phishing-specific playbook.
  • Tools in Place: Email security gateway, endpoint detection (e.g. CrowdStrike), and SIEM (e.g. Splunk) are configured to detect and alert on suspicious activity.

2. Detection and Analysis

  • Initial Alert: The user forwards the suspicious email to the security team and reports that they clicked on the link.
  • Log Correlation: The security analyst checks:
    • Email header analysis (to confirm spoofing/impersonation)
    • Firewall/DNS logs for outbound connections to the link
    • EDR logs to verify if any payload was delivered/executed
  • Verification: It’s confirmed that the link leads to a credential harvesting page.
  • Scope Assessment:
    • Was any data entered (e.g. credentials)?
    • Did the site deliver malware (drive-by download)?
    • Are other users targeted with the same email?

3. Containment, Eradication, and Recovery

  • Short-Term Containment:
    • Block the phishing domain at the firewall and email gateway
    • Force a password reset for the affected user
    • Isolate the endpoint if malware was delivered
  • Eradication:
    • Remove any persistent threats on the endpoint (if found)
    • Delete the phishing email from all affected mailboxes (using M365 eDiscovery or Gmail Vault)
  • Recovery:
    • Ensure the user’s account is no longer compromised
    • Restore any affected system components from backups if needed
    • Monitor the user’s account for signs of further misuse
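The Detection and Analysis steps above (header analysis, firewall/DNS log correlation, scope assessment) and the short-term containment decisions they feed are easy to script once the inputs are in hand. The following is an added example written for this post, not code from the original or from any vendor tool. The email, the log lines, the domain `mail-login-verify.example`, the usernames and the host names are all constructed samples; the log format (`key=value` fields after a timestamp) is an assumption, and a real SIEM query would replace the in-memory list.

```python
"""Added example: scripted triage for the Detection and Analysis phase of the
phishing playbook, plus the containment decisions it drives.
All inputs below are constructed samples, not data from the original post."""
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample of the reported email, as forwarded by the user.
SAMPLE_EMAIL = """\
From: IT Support <helpdesk@example-corp.com>
Return-Path: <bounce@mail-login-verify.example>
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=mail-login-verify.example; dkim=none; dmarc=fail header.from=example-corp.com
Subject: Action required: verify your password

Your mailbox is full. Verify here: https://mail-login-verify.example/owa/login
"""

# Constructed DNS/proxy log lines (assumed format: timestamp then key=value fields).
SAMPLE_LOGS = [
    "2024-05-02T09:14:02Z user=alice host=WS-0113 dns_query=mail-login-verify.example",
    "2024-05-02T09:14:05Z user=alice host=WS-0113 http_host=mail-login-verify.example method=POST path=/owa/login",
    "2024-05-02T09:20:41Z user=bob host=WS-0207 dns_query=mail-login-verify.example",
    "2024-05-02T09:30:00Z user=carol host=WS-0301 dns_query=intranet.example-corp.com",
]


def analyse_headers(raw_email: str) -> dict:
    """Email header analysis: flag spoofing/impersonation indicators such as a
    From/Return-Path domain mismatch or failed SPF/DKIM/DMARC results."""
    msg = message_from_string(raw_email)
    from_domain = re.search(r"@([\w.-]+)", msg.get("From", "")).group(1).lower()
    return_path_domain = re.search(r"@([\w.-]+)", msg.get("Return-Path", "")).group(1).lower()
    auth = msg.get("Authentication-Results", "").lower()
    findings = []
    if from_domain != return_path_domain:
        findings.append(f"From/Return-Path domain mismatch: {from_domain} vs {return_path_domain}")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            findings.append(f"{mech}={m.group(1)}")
    return {"from_domain": from_domain, "findings": findings, "suspicious": bool(findings)}


def extract_link_domains(raw_email: str) -> set:
    """Pull the hostnames of every link in the body so they can be searched in logs."""
    body = message_from_string(raw_email).get_payload()
    urls = re.findall(r"https?://[^\s<>\"']+", body)
    return {urlparse(u).hostname.lower() for u in urls}


def assess_scope(log_lines, domain: str) -> dict:
    """Firewall/DNS/proxy correlation: which users and hosts resolved or contacted
    the phishing domain, and who submitted a form (HTTP POST) to it, which is the
    strongest log-level hint that credentials were entered."""
    contacted, posted = {}, set()
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])  # skip timestamp
        if domain in (fields.get("dns_query"), fields.get("http_host")):
            contacted.setdefault(fields["user"], set()).add(fields["host"])
            if fields.get("method") == "POST":
                posted.add(fields["user"])
    return {
        "users": sorted(contacted),
        "hosts": sorted(h for hs in contacted.values() for h in hs),
        "possible_credential_entry": sorted(posted),
    }


def containment_actions(domain: str, scope: dict, malware_delivered: bool) -> list:
    """Map the scope assessment onto the playbook's short-term containment steps.
    Resetting only users who POSTed is an assumption; a stricter playbook resets everyone."""
    actions = [f"block {domain} at firewall and email gateway"]
    actions += [f"force password reset for {u}" for u in scope["possible_credential_entry"]]
    if malware_delivered:  # EDR verdict is supplied by the analyst, not derived here
        actions += [f"isolate endpoint {h}" for h in scope["hosts"]]
    return actions


if __name__ == "__main__":
    headers = analyse_headers(SAMPLE_EMAIL)
    for domain in extract_link_domains(SAMPLE_EMAIL):
        scope = assess_scope(SAMPLE_LOGS, domain)
        print(headers, scope, containment_actions(domain, scope, malware_delivered=False), sep="\n")
```

Running it shows that the sample email fails SPF and DMARC with a mismatched Return-Path, that two users (not just the reporter) resolved the domain, and that only one of them submitted a form to it, which is exactly the information the scope questions in phase 2 ask for and the containment list in phase 3 consumes.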

4. Post-Incident Activity

  • Lessons Learned Meeting:
    • Review what went well and what didn’t (e.g. how quickly it was reported, how fast containment occurred)
  • Update Playbooks:
    • Refine the phishing response playbook if gaps were identified
  • User Feedback:
    • Thank the user for reporting it—this reinforces good behaviour
  • Metrics and Reporting:
    • Document incident timeline, impact, response actions
    • Report to regulatory bodies if credentials were exfiltrated and compliance requires it (e.g. GDPR, PCI-DSS)

✅ Summary

By following NIST 800-61, the response is structured, auditable, and improves over time. It ensures that both technical and procedural aspects of the phishing incident are addressed thoroughly and consistently.