Incident Response
Statistically, it’s not a question of “if”, but “when”, you will become a victim of a cyberattack. In this digital age where nearly every business relies on connectivity in some form, even the most vigilant, security-conscious individuals have to entrust their information to businesses that may be vulnerable to attack. Attack tools are getting more powerful and cybercriminals are getting smarter and more determined. So the question becomes, what do you do when an incident occurs?
Incident Response Life Cycle
The incident response life cycle is a framework for identifying, responding to, and recovering from a cybersecurity incident. It's a continuous loop that involves four phases:
Preparation
Detection and Analysis
Containment, Eradication and Recovery
Post-Incident Activity
Phase 1: Preparation
When it comes to incident response, taking swift and decisive action is crucial. A quick response can drastically reduce the time a bad actor has to do damage. Therefore, it’s imperative to make a plan. This plan should cover what to do before, during, and after an incident occurs. Your preparation will be specific to your needs, but you should consider doing the following:
Make a list of which accounts use which credentials so you’ll know which ones are impacted in the event of a breach.
Make sure all of your accounts have a recovery email associated with them. That way, if an account is compromised and a bad actor locks you out, you can regain access.
Make a list of who to contact in the event of an incident. When an incident occurs, the last thing you should be focused on is looking up contact information.
Back up your information regularly. If you ever need to wipe a system, not everything will be lost. And if you become a victim of ransomware, you don’t have to pay to get your files back if you already have them backed up.
Know where your vulnerabilities are. This will be extremely beneficial when trying to pinpoint how the incident occurred.
Establish security protocols with all of your financial institutions. Require multiple approvals for any significant transfers or wires. This will limit the amount of financial damage a cyberattack can cause.
Set up alerts for all of your financial accounts. This will allow you to catch an incident early and intervene quickly.
Establish protocols with your family and friends so they can verify whether a communication from you is legitimate, especially if the communication is requesting money. Remember, with AI and deepfake technology, voices on the phone and even live video can seem authentic. Establishing a passcode or secret phrase will help them distinguish you from a really good deepfake and stop a cyberattack in its tracks.
Phase 2: Detection & Analysis
After you confirm that an incident has occurred, you must identify the type of cyberthreat so you can determine the proper course of action. You should also determine the extent of the damage. Check for unusual activities such as unauthorized banking transactions, unsolicited credit card charges, or suspicious activities on your social media accounts. Be sure to check all of your accounts. Typically, once one account is compromised, it is used as a springboard to access your other accounts.
Phase 3: Containment, Eradication, & Recovery
Everything you do in response to an attack will revolve around containing the incident, eradicating the threat, and recovering from the attack.
When deciding on how best to contain the incident, you should consider:
Potential damage to and theft of resources
Need for evidence preservation
Service availability (e.g., network connectivity, services provided to external parties)
Time and resources needed to implement the strategy
Effectiveness of the strategy (e.g., partial containment, full containment)
Duration of the solution (e.g., an emergency workaround to be removed in four hours, a temporary workaround to be removed in two weeks, permanent solution).
While working through this phase, you should also gather as much evidence as possible about the attack. Document everything. Keep records of everything related to the incident, including the date and time it occurred and who you contacted for help. Records may include canceled checks, receipts, messages, emails, envelopes, brochures, phone bills, web pages, etc. It’s better to have too much evidence than too little.
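One way to keep the incident record the paragraph above calls for in a form that also preserves its evidentiary value is a hash-chained log: every entry stores the SHA-256 digest of the entry before it, so a later edit, insertion or deletion anywhere in the record is detectable. The following is an added example, not code from the original page; the record fields and the sample entries are constructed for illustration.

```python
"""Tamper-evident incident log: each record carries the hash of the previous one."""
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash of the very first record


def _digest(record: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) so the same content always hashes the same.
    return hashlib.sha256(
        json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    ).hexdigest()


def append_record(log: List[dict], event: str, source: str, timestamp: Optional[str] = None) -> dict:
    """Append one evidence record. `source` names where the evidence came from
    (a bank statement, an email header, a call to the fraud department)."""
    record = {
        "seq": len(log),
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "event": event,
        "source": source,
        "prev_hash": log[-1]["hash"] if log else GENESIS,
    }
    record["hash"] = _digest(record)  # computed before the hash field exists
    log.append(record)
    return record


def verify_chain(log: List[dict]) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if the chain is intact, else (False, index of first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec.get("seq") != i or rec.get("prev_hash") != prev or _digest(body) != rec.get("hash"):
            return False, i
        prev = rec["hash"]
    return True, None


def build_sample_log() -> List[dict]:
    """Constructed sample entries with fixed timestamps so the log is reproducible."""
    log: List[dict] = []
    append_record(log, "Unrecognized $1,250 card charge noticed", "bank statement", "2024-03-01T09:15:00+00:00")
    append_record(log, "Called card issuer fraud line, charge disputed, ref #PLACEHOLDER", "phone call", "2024-03-01T09:40:00+00:00")
    append_record(log, "Password reset email received that I did not request", "email header", "2024-03-01T10:05:00+00:00")
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("intact:", verify_chain(sample))
    sample[1]["event"] = "edited later"
    print("after edit:", verify_chain(sample))
```

The reference number in the second entry is a placeholder; a real log would hold whatever case or dispute number the institution gave you. Because each record's hash covers the previous record's hash, re-hashing a single edited entry is not enough to hide the change: every later record would have to be rewritten too, which is exactly what the verification step exposes.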
You can also try to identify the attacker. This can be time-consuming and even impossible in some scenarios, so you’ll need to decide how much time and effort to put into identifying the attacker and whether or not it’s worth it.
When trying to eradicate the threat, the goal is to do whatever you need to in order to stop the attack. The first thing you should do is secure your digital environment. That could mean:
Disconnecting from the Wi-Fi and other networks to prevent further damage
Running a comprehensive anti-virus scan to find and remove malware
Updating your operating system and other software
Setting strong, unique passwords and, if possible, using a password manager to keep them safe
Addressing network vulnerabilities
Consulting with a data forensics team
The next steps you take to eradicate the threat will depend heavily on what type of incident you’re dealing with. You might consider:
Disabling breached accounts
Securing physical areas related to the incident
Scrubbing information that’s been posted online
Freezing your credit
Changing your login credentials
Contacting your financial institutions to stop payments, reverse charges, or request refunds for fraudulent charges
Having your compromised devices professionally cleaned
Checking your sent mail, drafts, and mail forwarding rules to see if your settings have been changed or fraudulent messages sent on your behalf
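The last item above, checking whether mailbox rules have been changed, is one of the highest-value checks after an email account takeover, because a forwarding or auto-delete rule lets the intruder keep reading your mail after you change the password. The following is an added example, not code from the original page: it audits a list of rules for the patterns defenders look for (forwarding to an outside domain, deleting or hiding messages, rules keyed on money or credential words). The rule model, the domain you consider your own, the keyword lists and the sample rules are all constructed assumptions; a real mail provider would export rules in its own format.

```python
"""Audit mailbox rules for changes typical of an account takeover."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class MailRule:
    """Simplified rule model (assumption; providers differ in the fields they expose)."""
    name: str
    forward_to: List[str] = field(default_factory=list)
    move_to_folder: str = ""
    delete: bool = False
    mark_read: bool = False
    subject_contains: List[str] = field(default_factory=list)


# Assumptions for this example: the domains you consider your own, words that often
# appear in mail an intruder wants to intercept, and folders people rarely look at.
OWN_DOMAINS = {"example.com"}
SENSITIVE_WORDS = {"invoice", "wire", "payment", "password", "verification", "bank"}
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "archive", "junk"}


def audit_rule(rule: MailRule) -> List[str]:
    """Return a list of findings for one rule; an empty list means nothing suspicious."""
    findings: List[str] = []
    for addr in rule.forward_to:
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain not in OWN_DOMAINS:
            findings.append(f"forwards to external address {addr}")
    if rule.delete:
        findings.append("deletes matching messages")
    if rule.move_to_folder.lower() in HIDING_FOLDERS:
        findings.append(f"moves messages to rarely viewed folder '{rule.move_to_folder}'")
    if rule.mark_read and (rule.delete or rule.move_to_folder):
        findings.append("marks messages read before hiding them")
    # Only call out sensitive keywords when the rule is already doing something suspicious;
    # filing your own bank statements into a folder you read is not a finding.
    hits = sorted(w for w in rule.subject_contains if w.lower() in SENSITIVE_WORDS)
    if hits and findings:
        findings.append(f"targets sensitive subjects: {hits}")
    return findings


def audit_mailbox(rules: List[MailRule]) -> Dict[str, List[str]]:
    """Map each suspicious rule's name to its findings; benign rules are omitted."""
    report: Dict[str, List[str]] = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[rule.name] = findings
    return report


# Constructed sample rules: two ordinary ones and two of the kind an intruder adds.
SAMPLE_RULES = [
    MailRule(name="Newsletters", subject_contains=["newsletter"], move_to_folder="Newsletters"),
    MailRule(name="Copy to work", forward_to=["me@example.com"]),
    MailRule(name=".", forward_to=["someone@example.net"], delete=True, subject_contains=["invoice", "wire"]),
    MailRule(name="Cleanup", move_to_folder="RSS Feeds", mark_read=True, subject_contains=["password"]),
]


if __name__ == "__main__":
    for name, findings in audit_mailbox(SAMPLE_RULES).items():
        print(f"rule {name!r}:")
        for f in findings:
            print("  -", f)
```

Two details are worth noting in the sample data: a rule named with a single character or a blank is common because it draws no attention in a long rule list, and forwarding plus deletion together means the owner never sees the intercepted message at all. Whatever your provider calls these settings, the check is the same: list every rule, and question any rule you did not create.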
Many of these steps will be time-sensitive. Generally, the sooner you act, the better chance you have of getting a favorable outcome.
Once you have eradicated the breach, you can begin the recovery phase. During recovery, the goal is to get back on track. This could mean opening new (more secure) accounts or notifying people who may have been impacted by the incident. Depending on the extent of the damage, you may need to purchase new hardware or set up new network connections.
Eradication and recovery can take anywhere from days to months, depending on the size and scope of the incident. Therefore, it’s sometimes beneficial to implement a phased approach, with the early phases focusing on increasing your overall security as quickly as possible and later phases focusing on long-term changes and ongoing tasks to prevent future attacks.
Phase 4: Post-Incident Activities
Post-incident activities are things you do to prevent future incidents from occurring. You don’t have to wait until eradication and recovery activities are complete to begin the post-incident activities.
You should report the incident to the Federal Trade Commission (FTC), the FBI’s Internet Crime Complaint Center, your local authorities, and any other relevant agencies as soon as possible. Here is a list of some of the agencies you should contact for different types of incidents:
Computer or network vulnerabilities
US-CERT Hotline (1-888-282-0870) or website (www.us-cert.gov)
Phishing
Forward phishing emails or websites to phishing-report@us-cert.gov
Email reportphishing@apwg.org
Fraud
General fraud: FTC (www.ftc.gov/complaint), Internet Crime Complaint Center (https://www.ic3.gov/)
Social Security fraud: Social Security Administration’s (SSA) fraud hotline (1-800-269-0271) or website (ssa.gov/fraud or http://oig.ssa.gov/report-fraud-waste-or-abuse)
Credit Card fraud: FTC (reportfraud.ftc.gov)
Elder fraud: U.S. DOJ National Elder Fraud hotline (1-833-372-8311)
Identity theft
www.identitytheft.gov
General cybercrimes
FTC (www.ftc.gov/complaint)
Internet Crime Complaint Center (https://www.ic3.gov/)
Hacked account
staysafeonline.org
Ransomware
secretservice.gov
Tax cybercrimes
Email IRS at phishing@irs.gov
Once you’re back on track, you should take some time to do a debrief of the incident. Reflect on what happened, how you can identify similar incidents in the future, and how you can stop them sooner. Consider the following questions:
What is the extent of the damage that was caused and what actions could you have taken to minimize the damage?
What changes should you make to your cybersecurity incident response plan to make it more effective in the future?
What training should you take to prevent a similar event from happening again?