No defence can block 100% of email attacks, so when a malicious email gets through, admins need to react quickly. For many organisations security incident response is a slow, manual process, sometimes taking hours if not days to resolve. The process cannot be skipped, however: failing to complete incident response often results in the attack spreading further within the organisation, or even externally to customers and partners.
What does the incident response process involve?
The incident response process differs slightly depending on factors such as the initial threat itself, the point of entry and the number of affected users, but in most cases it will follow these three steps:
Detection & Analysis
The key focus of this step is continuous monitoring of your environment so that any detected threat can be acted on as quickly as possible; this improves significantly when users actively report suspicious messages to the IT team. Once a threat has been identified, the mail server should be searched for similar malicious messages and links to understand the scope of the impact. This is usually the stage at which signs of account compromise and outbound spam are detected.
Containment, Eradication & Discovery
This is probably the most critical step of the incident response process: the threat must be completely neutralised as fast as possible to limit its damage and reach. Internally, all identified malicious emails should be removed from user inboxes, passwords reset for any potentially compromised accounts, and any infected devices or systems wiped and restored appropriately.
Externally, an official statement should be released to any customers or business partners that may have been affected, whether that be by the attacker accessing confidential databases or the external spread of malicious emails through compromised employee accounts.
Once an incident has been completely stabilised, the threat should be reviewed using the insights gathered throughout the analysis and containment stages to shape future prevention. Depending on the specifics of the attack this might involve fixing discovered vulnerabilities, training employees on security awareness, or implementing new technologies where needed.
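The scoping and containment steps above can be partly automated once a user reports a message. The following is an added example, not code from the page or from any vendor product: it takes a reported phishing email (sender, subject, link) and a message-trace export, finds every related copy (same sender, same subject once reply/forward prefixes are stripped, or a link to the same host), cross-references a URL-click log to find who followed the link, and produces the containment actions described in the text. The CSV records, domains and the internal domain `corp.example` are constructed sample data; the column layout is a generic one assumed for the example, not a real product's export format.

```python
"""Scope a reported phishing email and derive containment actions.

Added example (not from the page or any vendor). All records below are
constructed sample data; the CSV layout is an assumed generic shape.
"""
import csv
import io
import re
from urllib.parse import urlsplit

# Constructed message-trace export: one row per delivered copy.
# Multiple URLs in one message would be space-separated in the last column.
TRACE_CSV = """timestamp,message_id,sender,recipient,subject,urls
2024-05-02T08:01:12Z,<m1@mail.evil.example>,billing@evil.example,alice@corp.example,Invoice overdue - action required,https://evil.example/pay
2024-05-02T08:01:15Z,<m1@mail.evil.example>,billing@evil.example,bob@corp.example,Invoice overdue - action required,https://evil.example/pay
2024-05-02T08:03:40Z,<m2@mail.evil.example>,accounts@evil.example,carol@corp.example,RE: Invoice overdue - action required,https://evil.example/pay?u=carol
2024-05-02T08:10:02Z,<m3@corp.example>,dave@corp.example,erin@corp.example,FW: Invoice overdue - action required,https://evil.example/pay
2024-05-02T09:00:00Z,<m4@partner.example>,hr@partner.example,alice@corp.example,Team lunch Friday,https://partner.example/lunch
"""

# Constructed URL-click log, as a link-rewriting gateway or web proxy might keep.
CLICK_CSV = """timestamp,user,url
2024-05-02T08:05:00Z,bob@corp.example,https://evil.example/pay
2024-05-02T08:12:30Z,erin@corp.example,https://evil.example/pay
2024-05-02T09:15:00Z,alice@corp.example,https://partner.example/lunch
"""

_PREFIX_RE = re.compile(r"^\s*((re|fw|fwd)\s*:\s*)+", re.IGNORECASE)


def normalise_subject(subject):
    """Strip reply/forward prefixes and collapse whitespace, so an internal
    forward of the same lure still matches the reported message."""
    return " ".join(_PREFIX_RE.sub("", subject).split()).lower()


def url_host(url):
    return urlsplit(url).hostname or ""


def read_rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def scope_incident(trace_rows, reported):
    """Return every trace row related to the reported message.

    A row matches on sender address, normalised subject, or any shared URL
    host. Matching on host rather than full URL catches per-recipient
    tracking parameters; matching on subject catches internal forwards.
    """
    wanted_subject = normalise_subject(reported["subject"])
    wanted_hosts = {url_host(u) for u in reported["urls"]}
    matches = []
    for row in trace_rows:
        hosts = {url_host(u) for u in row["urls"].split(" ") if u}
        if (row["sender"] == reported["sender"]
                or normalise_subject(row["subject"]) == wanted_subject
                or hosts & wanted_hosts):
            matches.append(row)
    return matches


def clicked_users(click_rows, malicious_hosts):
    """Users who followed a link to one of the malicious hosts."""
    return sorted({r["user"] for r in click_rows
                   if url_host(r["url"]) in malicious_hosts})


def containment_plan(matches, clicks, internal_domain):
    """Map scoping results to the containment actions from the text: purge
    every copy, reset credentials for anyone who clicked, notify recipients,
    and flag internal senders of a matching message as possibly compromised."""
    return {
        "purge_message_ids": sorted({r["message_id"] for r in matches}),
        "notify_recipients": sorted({r["recipient"] for r in matches}),
        "reset_passwords": clicks,
        "review_accounts": sorted({r["sender"] for r in matches
                                   if r["sender"].endswith("@" + internal_domain)}),
    }


def run():
    """Run the whole scoping pass over the constructed sample data."""
    reported = {"sender": "billing@evil.example",
                "subject": "Invoice overdue - action required",
                "urls": ["https://evil.example/pay"]}
    matches = scope_incident(read_rows(TRACE_CSV), reported)
    hosts = {url_host(u) for u in reported["urls"]}
    clicks = clicked_users(read_rows(CLICK_CSV), hosts)
    return containment_plan(matches, clicks, "corp.example")


if __name__ == "__main__":
    for action, items in run().items():
        print(f"{action}: {', '.join(items)}")
```

On the sample data the pass finds four affected recipients across three message IDs (including the copy forwarded internally by dave, whose account is flagged for review), and two users who clicked and therefore need a password reset. The unrelated partner message with a different subject and host is left alone.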
- Despite heightened concerns over data breaches lately, 77% of IT professionals reported that their organisation does not have a formal cybersecurity incident response plan in place
- The average length of time it takes for an organisation to identify a data breach is 191 days, and the average time needed to fully contain a breach is 66 days.
- 50% of today's cyber attacks leverage "island hopping": targeting not only your individual organisation, but anyone else in your supply chain.
- Around 3 in 10 businesses (32%) and charities (29%) have taken no post-incident action following their most disruptive breach.
Barracuda Forensics and Incident Response
Respond immediately to email-borne attacks
When malicious email is reported to IT, Barracuda Forensics and Incident Response lets you immediately search all delivered email, by sender or subject, to identify all internal users who have received it. Automated response lets you then remove all instances of the threat-bearing email, as well as deliver alerts to affected users that warn them about the threat or provide other instructions.
In addition to identifying who received the malicious email, Forensics and Incident Response lets you identify the users who actually clicked on a malicious link. It can then automatically deliver instructions to update passwords or take other actions to limit the spread of the attack. These users can also be assigned enhanced security awareness training to prevent future incidents.
Gain insights to prevent future attacks
Forensics and Incident Response has powerful analytic capabilities and real-time reporting. Insights gathered from analysing reported threats can be used to identify anomalies in emails already in your users' inboxes, and to spot patterns that assist with detecting future attacks.