[BreachExchange] Responding in the Wake of a Cyberattack

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jan 23 10:43:57 EST 2018


With cyber threats, it’s only a matter of when, not if, you’re going to
be impacted. Some attacks are within your control, and some aren’t, so you
need to be prepared for what to do when you do become a victim.
Understanding the kinds of threats you face can help you identify a hack
or compromise before it becomes a major incident.

Following Your Company Incident Response Plan

If your company computer or device becomes infected, you should follow your
company’s incident response plan and report the cyber incident as quickly
as possible to the appropriate person. Many companies have corporate IT
policies that define acceptable use, password policies, rules and in some
cases, incident response procedures. Every employee should be familiar with
these procedures because rapid responses tend to reduce problems or damage
from the incident.

These days, some companies have established cyber ambassadors within each
department. These people are typically trained and IT knowledgeable and are
first-line responders when something suspicious occurs. This approach helps
companies quickly review suspicious occurrences or issues and act
accordingly — much like emergency responders.

Given the frequency and evolving nature of cyber threats, every company
should establish a well-defined and well-planned incident response process.
It can mean the difference between surviving a cyberattack or losing all
your data with catastrophic consequences.

Reacting to Ransomware Incidents

If you experience a ransomware message, quickly disconnect and isolate your
computer from the network to protect against spreading it to other devices
in your network. Remove the network cable, turn off Wi-Fi, and power off
the infected device. If the message occurs on a corporate computer, follow
your company’s incident response plan for the appropriate restore process.

After a ransomware attack has succeeded, you have limited options for how
to respond:

» Restore your system and files from a backup.

» Start again with a fresh operating system installation and accept that
your files are gone forever.

» Pay the ransom amount, but there’s no guarantee you’ll receive a key to
restore your files, so I do not recommend this option!

» Hope security researchers or law enforcement can provide alternative ways
to get the encryption key to restore your files — this rarely happens.

Obviously, the best action is to prevent this type of attack by not
clicking on unknown links.

Fixing Your Personal Devices

If a personal device, such as a laptop, tablet, or cellphone, has been
infected with malware, seek expert advice from the IT department where you
work or from a computer services firm. In many cases, you may need to
connect the hard drive of your device to another system that can then scan
the file system for a virus or malware. This will also enable you to back
up your critical and important files to another removable hard drive so you
can conduct a complete reinstallation of the operating system. You should
scan your backup files for any sign of the malware and only then restore

Assume that any data stored on an infected device has been stolen and is
now in the hands of a cybercriminal. You should also assume that any USB
devices you may have used with this device are also infected, and they
should all be scanned for any sign of the malware.

Be aware that any Internet services you accessed using the infected device
have also been compromised, including the passwords for account access to
your bank, financial details, email accounts, and social media accounts,
including your social logins that connect you with other Internet accounts.

Changing Passwords, Two-Factor Authentication, and More

To minimize the risk that your personal or business accounts will be abused
by cybercriminals after an incident, immediately reset the passwords of all
your critical and sensitive accounts. Start with your bank, email, and
social media accounts. When resetting your passwords, make sure to perform
this from a private network and not via public Wi-Fi.

At the same time, review your security settings to enable two-factor
authentication and review your password manager (if you have one):

» Two-factor authentication (2FA): Many password-required accounts also
have the ability to enable 2FA, which combines your password with an
additional factor required to log on. This factor is typically a PIN or
token that’s generated via an SMS text message or mobile phone
authenticator app.

» Password manager: A password manager helps you in generating strong,
long, and complex unique passwords for each account you have. Consider
using free password manager software that helps you create these passwords.
This security process reduces cyber fatigue and makes it easier to protect
your accounts with a password vault. Some password managers allow you to
check for the age of passwords, duplicate passwords, and weak passwords.
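As an added example (not part of the original post), the script below audits a password-manager export for the three problems just listed and orders the reset work so that bank, email, and social accounts come first, as the post recommends. It assumes a CSV export with `category` and `last_changed` columns (both assumptions; real managers use their own column names) and runs on a constructed sample.

```python
# Added example, not from the original post: audit a password-manager
# export after an incident. Assumes a CSV with the columns
# name,category,username,password,last_changed (constructed sample below;
# real managers use their own column names, so adjust). Flags old,
# duplicate and weak passwords and lists bank, email and social first.
import csv
import io
from collections import Counter
from datetime import date

MAX_AGE_DAYS = 365                       # assumption: older counts as "old"
PRIORITY = ("bank", "email", "social")   # reset order from the post

# Constructed sample export; these are not real credentials.
SAMPLE_EXPORT = """name,category,username,password,last_changed
My Bank,bank,alice,Correct-Horse-Battery-9!,2017-11-02
Webmail,email,alice@example.org,summer2016,2016-06-01
Social,social,alice,summer2016,2017-12-20
Forum,other,alice,xK9#vQ2m$Lp7&Wz1,2018-01-10
"""

def is_weak(pw):
    """Weak if shorter than 12 or built from fewer than 3 character classes."""
    classes = sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])
    return len(pw) < 12 or classes < 3

def audit(export_text, today):
    """Return [(name, category, [problems])] for accounts that need a reset."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    uses = Counter(r["password"] for r in rows)   # same password reused?
    findings = []
    for r in rows:
        problems = []
        if (today - date.fromisoformat(r["last_changed"])).days > MAX_AGE_DAYS:
            problems.append("old")
        if uses[r["password"]] > 1:
            problems.append("duplicate")
        if is_weak(r["password"]):
            problems.append("weak")
        if problems:
            findings.append((r["name"], r["category"], problems))
    rank = {c: i for i, c in enumerate(PRIORITY)}
    findings.sort(key=lambda f: rank.get(f[1], len(PRIORITY)))  # stable sort
    return findings

def audit_sample():
    """Run the audit over the constructed export as of the post's date."""
    return audit(SAMPLE_EXPORT, date(2018, 1, 23))
```

Calling `audit_sample()` on the sample returns the webmail account (old, duplicate, weak) ahead of the social account (duplicate, weak); the bank and forum entries pass.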

Notifying Your Boss, Friends, and Colleagues

Notify your family, friends, and your company that you have been the victim
of cybercrime and alert them to check their systems and accounts for any
signs of suspicious messages or emails coming from your accounts that could
be spreading malware. Be aware of the warning signs and review your
security settings.

While some people may be reluctant to share or report that they’ve been
victimised in a cyberattack, it’s important to report a cyber incident as
soon as possible. A malware infection from a simple email with an
attachment could be the first step to a major cyber incident. If
unreported, the infection could escalate and impact critical infrastructure
or services such as a community power supply, logistics and supply chains,
or even hospitals and emergency services that could result in severe damage
and possibly loss of life.