The First 48: You Clicked Through a Phishing Email. Now What?

Most of our daily work routines start out something like this: You stroll into your office building, walk by a few colleagues, give them a wave and a “good morning” with a friendly smile, assuming you got enough sleep the night before. You take a gulp of coffee, log in to your computer, and begin scrolling through Outlook to read and respond to emails. 

Now, imagine you click on a link or attachment in an email that appears to have come from accounting or another company you do business with asking you to review an invoice. Turns out, that email is a phishing attack. You spit out your coffee, your heart skips a beat, and your first thought is, $#!t, what do I do now?  

Unplug the computer and hope for the best? 

Tell your manager that you’re not feeling well and head home for the day? 

Both are terrible options. This happens to thousands of companies every day and employees are unsure and untrained in what to do next. The first 48 hours after identifying an attack are crucial, and the action taken during this time has a huge impact on the extent of data loss and recovery efforts. 

Recently, Microsoft’s security team reported a major spike in phishing email attacks, upwards of 250% between January and December of 2018. In fact, phishing is the most common cyberattack affecting the legal sector with nearly 80% of law firms reporting attempts last year. The number of phishing attempts that successfully made it through to end users increased by 25%. We predict that these numbers will continue to rise across the business community.

Here’s why:  

  • Phishing attacks are becoming more elaborate, and more convincing than ever. Many phishing emails appear to come directly from colleagues or business partners. And many times, this happens without the sender even knowing it. Phishing emails can look 100% legitimate, which allows them spread like wildfire. 
  • Due to the sophistication of these attacks and how simple it is to execute themit’s quite efficient for adversaries to use phishing emails as a primary tool to social engineer username and passwords from users and gain access to your network. 
  • Many organizations still think they are not a target and do little to protect themselves through training and hiring a well-equipped cybersecurity firm to help mitigate risk of their most valuable assets. 

So, you clicked on that email link (or attachment), now what? 

1) Notify

The first thing you need to do is notify your IT department or Managed Security Service Provider (MSSP). This is a crucial step and will put your incident response plan into motion. Don’t have an incident response plan? You should. The old saying goes: 

“There are only two types of companies: those that have been hacked and those that will be.” 

-Robert Mueller 

From here, your IT department or MSSP will take over. But wait, what if you don’t have either one of those? Don’t worry, read on. 

2) Contain and communicate 

It’s vital that the breach is contained as quickly as possible. If you need to, hire a third-party incident response team. 

Here is our shameless plug, Avalon Cyber has extensive experience in digital forensics and technology crime fighting and can help bring the cyberattack to a halt. 

While working to contain the breach, we recommend communicating the attack to fellow employees to help prevent it spreading or from happening again. 

3) Change your passwords 

This isn’t a cure-all, so don’t take this the wrong way and think you’re good after changing some passwords, but it’s better than leaving your passwords as-is. In fact, change your Outlook default settings and use Two-Factor Authentication (2FA) if you haven’t already. Do it. Do it now!

4) Launch a forensic investigation 

Once the network is sufficiently contained, your incident response team (we recommend us, of course) will launch a forensic investigation to determine the scope of the breach, which will lead to a plan of action and assist in the remediation of the incident. 

There are three primary questions a forensic investigation seeks to answer: 

  1. How did the attackers get in? Determine the cause of the breach and how and when it occurred. Was the breach the result of a negligent employee or an inside or outside actor? 
  2. Where did they go on the network? Adversaries will likely attempt to obtain credentials from users or administrator accounts to use within the network. By gaining sufficient access within a network, an adversary can create accounts for later use within the environment. 
  3. What did they take? Identify what data has been accessed or exfiltrated, as well as which businesses and individuals have been affected. 

Cybersecurity attacks typically leave behind evidence that is required to discover the type and amount of data that has been accessed and/or exfiltrated. Without a forensic investigation to collect and preserve this evidence within the first 48 hours after the breach, it would be nearly impossible to accurately determine what happened. This forensic data is imperative to establish what the corporate victims’ legal notification and disclosure obligations might be as a result of the incident. 

So, why Avalon Cyber? 

At Avalon Cyber, we’ve seen firsthand how cybercriminals operate. Our deep roots in crime fighting and experience mitigating network breaches allow us to provide a variety of services to enhance our clients’ security teams, investments, and overall posture. 

Our clients call us when they’re concerned about how a cyber breach could affect their business. Through our comprehensive security solutions, we enable them to focus on growing their business, while we focus on protecting it.

Want to test and train your employees to identify phishing attempts? Check out Avalon Cyber's BullPhish ID service. 

    Shares