Network Notification

Effective Incident Response

A Comprehensive Plan for Managing Critical Situations

Here is an in-depth incident response plan for business email compromise (BEC). BEC is a type of cybercrime where the attacker gains access to an organization’s email system and uses it to conduct fraudulent activities, such as wire transfer fraud or sensitive data exfiltration.
  1. Identification and Containment:
    First and foremost, it is essential to identify the incident as a BEC attack and contain it to prevent further damage. This can be done by monitoring your email system for suspicious activity, such as unauthorized access or messages sent from unfamiliar email addresses.
    Once the incident is identified, immediately change all email and network credentials, including passwords and security questions.

  2. Incident Analysis:
    Conduct a thorough analysis of the incident to determine the scope and severity of the attack. This includes identifying the affected email accounts and determining what information, if any, may have been compromised.

  3. Notification and Reporting:
    Notify the appropriate parties within the organization, such as the IT department and senior management.
    Report the incident to law enforcement and other relevant authorities, such as the FBI’s Internet Crime Complaint Center (IC3).

  4. Remediation:
    Implement any necessary remediation measures, such as updating security software and protocols, to prevent future attacks.
    Conduct employee training and awareness programs to educate employees on how to spot and prevent BEC attacks.

  5. Review and Improvement:
    Review the incident response plan regularly and make any necessary improvements.
    Conduct regular security audits to identify vulnerabilities and address them accordingly.

  6. Data Backup:
    Ensure that all important data is backed up regularly and stored in a secure location. This will allow for the restoration of any data that may have been compromised during the attack.

  7. Communication Plan:
    Develop a communication plan that outlines who needs to be informed in the event of a BEC attack and how and when they will be informed. This includes employees, customers, and other stakeholders.

  8. Incident Response Team:
    Establish an incident response team that is responsible for managing and responding to BEC attacks. This team should include representatives from IT, security, legal, and senior management.

  9. Third-Party Vendors:
    Review and assess the security practices of any third-party vendors that have access to your email system. Ensure that they have appropriate security measures in place to protect against BEC attacks.

  10. Legal:
    Consult with legal counsel to understand the legal implications of a BEC attack and to ensure compliance with relevant laws and regulations.

  11. Cyber Insurance:
    Consider purchasing cyber insurance to protect the organization against financial losses resulting from a BEC attack.

  12. Post-Incident Review:
    Conduct a post-incident review to determine the root cause of the attack and identify areas for improvement.

  13. Monitoring:
    Implement continuous monitoring of your systems to detect and respond to any suspicious activity. Website, server, domain, and IP monitoring services can be beneficial and instantly notify you if your system is down. These types of services can mitigate risks. Check out Network Notification for more information.

  14. Incident Response Training:
    Regularly train your incident response team members on how to respond to BEC attacks and how to use incident response tools.

  15. Public Relations:
    Develop a public relations plan to manage the organization’s reputation in the event of a BEC attack.

  16. Network Segmentation:
    Consider segmenting your network to limit the scope of the attack and minimize the damage.

  17. Whitelisting:
    Implement whitelisting of trusted email addresses, IP addresses, and domains so that only approved sources are accepted, and blocklisting of known malicious sources.

  18. Email Authentication:
    Implement email authentication protocols such as SPF, DKIM, and DMARC to detect and block phishing and spoofing attempts.

  19. Multi-Factor Authentication:
    Implement multi-factor authentication (MFA) for email accounts to add an extra layer of security.

  20. Incident Response Drill:
    Regularly conduct incident response drills to test the effectiveness of the incident response plan and identify areas for improvement. This will also help to ensure that all team members are familiar with their roles and responsibilities.
    Please note that this is a general incident response plan, and it’s recommended to conduct a risk assessment and tailor it to your organization’s specific needs and requirements.
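As an added illustration of steps 1 and 18 (this is example code, not part of the original plan), a small Python triage routine that reads the SPF, DKIM and DMARC verdicts a receiving mail server records in the Authentication-Results header and flags sender domains that are one character away from the organization's own domain; the two sample messages and the INTERNAL_DOMAIN value are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Domain the organization sends from (constructed assumption).
INTERNAL_DOMAIN = "example.com"

# Constructed sample messages: one spoofed lookalike, one legitimate.
SPOOFED_MSG = """From: "Jane Doe (CFO)" <jane.doe@examp1e.com>
Subject: Urgent wire transfer
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dkim=none; dmarc=fail header.from=examp1e.com

Please process the attached wire today.
"""

LEGIT_MSG = """From: "Jane Doe" <jane.doe@example.com>
Subject: Q1 invoices
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

Invoices attached.
"""


def auth_results(msg):
    """Extract the spf/dkim/dmarc verdicts from the Authentication-Results header."""
    header = msg.get("Authentication-Results", "").lower()
    return {m.group(1): m.group(2)
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header)}


def lookalike(domain, trusted):
    """True when domain differs from trusted by exactly one character (e.g. l -> 1)."""
    if domain == trusted or len(domain) != len(trusted):
        return False
    return sum(a != b for a, b in zip(domain, trusted)) == 1


def triage(raw):
    """Classify one observed message: a normal event, or a suspicious event to escalate."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    results = auth_results(msg)
    reasons = [f"{mech}={results.get(mech, 'none')}"
               for mech in ("spf", "dkim", "dmarc") if results.get(mech) != "pass"]
    if lookalike(domain, INTERNAL_DOMAIN):
        reasons.append(f"lookalike sender domain {domain}")
    # No failures: an ordinary event. Any failure: a suspicious event that an
    # analyst must confirm before it is declared a BEC incident.
    return ("suspicious", reasons) if reasons else ("normal", [])
```

Calling triage(SPOOFED_MSG) returns the "suspicious" verdict with all three authentication failures and the lookalike domain listed as reasons, while triage(LEGIT_MSG) returns ("normal", []).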

Difference between an incident and an event

In the context of a business email compromise (BEC), an incident refers to a specific situation or occurrence that poses a threat to an organization’s information security. It is a security breach or attack that has already occurred and has been identified. An incident typically involves unauthorized access or use of an organization’s email system, and it may result in the loss or theft of sensitive information.
An event, on the other hand, is any observable occurrence or action that has taken place within an organization’s IT environment. It can be something as simple as a user logging into their email account or an email being sent from an external source. Events can be both normal and abnormal and can be used to detect a potential incident.
In summary, an incident is an actual security breach that has occurred, whereas an event is an observable occurrence that may or may not lead to an incident. In the case of a BEC, an incident would be a successful attack on an organization’s email system, whereas an event could be a suspicious email that may or may not be part of a BEC attack.
Please note that this list of incident response steps is for educational purposes only and should not be considered as a guarantee against BEC attacks. Every organization’s IT environment is unique and may require a different approach to incident response. Additionally, cyber criminals are constantly finding new ways to circumvent security measures, and organizations must stay vigilant and continuously monitor and update their incident response plan to adapt to the new threat landscape.
It is important for organizations to consult with legal and cybersecurity experts to develop an incident response plan that is tailored to their specific needs and requirements.
Updated January 2023. Don’t become a victim of a cyber-attack. Start monitoring your network today.