Five steps to ensuring effective security incident response

In today’s highly connected world, email has become both a useful tool and a curse for many businesses.

On one hand, it’s remained a dependable means of rapid communication for decades. It connects businesses with everyone from customers and prospects to suppliers and partners.

On the other, however, it’s become a popular and effective vector for cybercriminals intent on causing losses or disruption. All it takes is for one rogue message to be opened by a staff member and an entire IT infrastructure can become compromised.

During the past few years, attackers have become very adept at creating emails that appear to have come from a trusted source. Users can easily be tricked into opening an attachment or clicking on a link that downloads malicious code.

No silver bullet

IT security specialists understand that there is no technology or tool that is 100% effective at preventing email attacks. They also know that it only takes a single message to initiate a costly incident.

Having an effective email security architecture will go a long way to keeping successful attacks to a minimum. However, it is also important to have a strategy to stop the spread of an attack, minimise the damage caused, and reinforce prevention and detection methods.

Experience shows that the aftermath of an email attack can consume an inordinate amount of IT resources. According to research conducted by Barracuda[1], manual incident response takes an average of three to five hours per incident.

When it comes to effective email incident response, time is money. Not only can being inefficient consume precious IT resources, it can also result in stolen data, financial loss, and brand damage.

Five-step checklist

Having an incident response strategy can go a long way to minimising the effects of a potentially devastating email attack. One way to achieve this is to follow a five-step remediation checklist that can be used should an incident occur. The steps are:

  1. Prepare: Align technology, people, and processes
    As a first step, an organisation should deploy API-based inbox defence technology to detect sophisticated email fraud as soon as it is received. Time should also be taken to securely back up sensitive data and retain a copy in a different location.

    When it comes to people, it’s important to create a security culture across the organisation. This should be supported by continuous simulation and awareness training. All staff need to know about the potential for attack and the signs that an email could be from a malicious source.

    For processes, a good approach is to document all actions that should be taken if and when an incident occurs. These processes then need to be clearly communicated to key players so that they understand their role in the response.

  2. Escalate: Reduce monitoring time and escalate to an incident response platform
    An incident response platform is a key resource that can help to monitor and prioritise threats that have been reported or discovered post-delivery. The platform will provide proactive threat hunting capabilities using a wide variety of classifiers, such as unusual locations and suspicious logins.

    A fully featured incident response platform will also undertake automatic remediation of malicious content and support mailbox integration for single-click user reporting.

  3. Identify: Understand the nature of the attack and its scope
    In this step it is time to gain an understanding of the nature of the threat and its intended targets. It’s worth automating the task of incident creation and undertaking post-delivery detection of malicious content. This can be aided by using data gathered on potential incidents based on past threats.

    The security team should also work to extract threat details from the malicious email and identify all affected users. All team members should coordinate with each other so everyone understands the status of the incident at all times.

  4. Contain: Respond swiftly to minimise the spread of the attacks
    The next task will be to remove the suspicious email from all affected user inboxes. Steps should also be taken to block access to malicious websites and alert all affected users. The security team should also enable continuous remediation to stop any future instances of the same attack.

  5. Recover: Repair any system damage and recover lost data
    The fifth step involves restoring any lost data from the backups created earlier. The security team should also take this time to monitor the health of all endpoints to ensure that no malicious code remains.

    It’s a good idea to reset all user passwords and update email security policies. Many organisations also make use of community-sourced threat intelligence reports to further strengthen security.
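One way to put the Identify and Contain steps into code, as an added example that is not from the article or from Barracuda's own tooling: it extracts indicators from a reported message, finds every mailbox holding a copy of the same campaign, checks proxy logs for users who followed the link, and produces the list of containment actions. All messages, mailboxes and log lines are constructed sample data; the sender-plus-subject campaign fingerprint is an assumption of this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample: the message a user reported with single-click reporting.
REPORTED = ('From: "Accounts" <billing@example-invoices.test>\nTo: alice@corp.test\n'
            "Subject: Overdue invoice 4471\n\n"
            "Please review at http://pay.example-invoices.test/inv/4471 before Friday.\n")

# Constructed sample: (mailbox, raw message) pairs as an inbox search would return them.
MAILBOXES = [
    ("alice@corp.test", REPORTED),
    ("bob@corp.test", REPORTED.replace("alice@corp.test", "bob@corp.test")),
    ("carol@corp.test", "From: hr@corp.test\nTo: carol@corp.test\nSubject: Payroll\n\nSee the portal.\n"),
]

# Constructed sample: web-proxy lines in "user url" form, used to spot users who clicked.
PROXY_LOG = ["bob@corp.test http://pay.example-invoices.test/inv/4471",
             "carol@corp.test https://intranet.corp.test/"]


def extract_indicators(raw):
    """Identify step: pull the sender, subject and URLs out of a raw message."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg["From"] or "")
    subject = (msg["Subject"] or "").strip()
    # Assumption: sender plus subject is the campaign fingerprint used to find other copies.
    return {"campaign": (sender.lower(), subject),
            "urls": set(URL_RE.findall(msg.get_payload()))}


def find_affected(indicators, mailboxes):
    """Identify step: every mailbox holding a copy of the same campaign."""
    return sorted(user for user, raw in mailboxes
                  if extract_indicators(raw)["campaign"] == indicators["campaign"])


def users_who_clicked(indicators, proxy_log):
    """Proxy requests to one of the malicious URLs mark the higher-risk users."""
    return sorted({line.split(" ", 1)[0] for line in proxy_log
                   if line.split(" ", 1)[1] in indicators["urls"]})


def containment_plan(indicators, affected, clicked):
    """Contain step: remove the mail, block the links, alert users, prioritise resets."""
    return {"remove_from": affected, "block_urls": sorted(indicators["urls"]),
            "notify": affected, "reset_password": [u for u in affected if u in clicked]}
```

In a real deployment the mailbox search and proxy query would come from the mail platform and proxy APIs; the logic that ties the reported message to affected and higher-risk users stays the same.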

By following these five steps, an organisation can recover as rapidly as possible should an email-based cyberattack occur. By taking the time to carefully create a response plan and then methodically follow it, the impact of any incident should be minimised as far as possible.

[1] https://blog.barracuda.com/2019/09/26/threat-spotlight-inefficient-incident-response/

Mark Lukie is a Sales Engineer Manager for Asia Pacific and Japan at Barracuda Networks. He has 20 years’ IT industry experience with deep skills in networking, cybersecurity, backup/disaster recovery, public cloud platforms and systems integration. Mark has been with Barracuda for more than nine years and has extensive knowledge of the company’s entire solution portfolio, including security, application delivery and data protection solutions. He is a member of the Barracuda Global Cloud Security Team, which focuses on security solutions for public cloud platforms such as Microsoft Azure, Amazon Web Services, VMware vCloud Air and Google Cloud Platform. Mark’s qualifications include: Microsoft Certified Systems Engineer/Administrator (MCSE/MCSA), Certified Novell Administrator (CNA), Barracuda Application Delivery & Security Expert (ADSX) and Barracuda Certified Technician & Expert for NextGen Firewalls.