Creating an Incident Response Plan for Email Attacks

Originally published by Abnormal Security.

Written by Mick Leach.

Since 2013, the FBI has identified nearly $51 billion in exposed losses due to business email compromise. Modern threat actors are constantly finding new tactics for bypassing traditional security methods to access sensitive data. From social engineering to generative AI, it seems like there is a new threat around every corner. That’s why it’s essential to stay a step ahead of attackers when possible.

If your business is the target of an attack, a good incident response plan is essential to minimizing the effects. What you do when you first discover the attack will decide how costly and far-reaching the damage is. To help you develop a successful incident response plan, here is an overview:

• Designate an incident response planning team
• Classify the type and extent of the incident
• Complete initial reporting
• Escalate the incident, as appropriate
• Inform affected individuals and vendors
• Investigate and collect evidence
• Mitigate further risks
• Execute recovery measures

Your incident response plan should be regularly reevaluated and updated as necessary. With existing threats continuously evolving and new threats appearing almost daily, you must be prepared to respond quickly to any attack.

Let’s explore each of these steps in more detail.

Designate an Incident Response Planning Team

Creating an effective incident response plan for email attacks begins with designating an incident response team. This team should be composed of IT and security professionals who possess the necessary skills for handling such incidents.

You’ll then want to establish a communication plan that keeps all members of the team informed and allows them to easily collaborate with each other. This could include regular meetings or video calls, as well as detailed emails or documents that provide everyone with information on what needs to be done and when it needs to be completed.

Classify the Type and Extent of the Incident

When a malicious email attack occurs, the first response should be to classify the type and extent of the incident. Determining the type of attack—whether it be phishing, malware, ransomware, vendor email compromise, or another form of advanced threat—is a necessary step to ensure your response is swift and effective.

Once you know what kind of attack you're dealing with, your next step is to assess its scope—how many people were affected by it, which systems or data were compromised, as well as when it started. Having a comprehensive understanding of an email attack allows your organization to respond quickly according to your preplanned incident response plan.

Complete Initial Reporting

Upon notifying the incident response team and classifying the nature of the incident, it’s vital that security teams keep thorough documentation to prevent future attacks. This includes gathering system logs and audit trails related to any affected systems or software applications.

It’s also important to preserve evidence and artifacts from affected systems, such as emails or documents that may have been targeted by the attacker. Having a full record of what happened during an attack can provide insight into how it occurred, helping your organization avoid similar incidents in the future.

Escalate the Incident, as Appropriate

Depending on the nature of the incident, sometimes it will be necessary for the response team to escalate to the proper channels.

First, they should assess the extent of any malicious activity and document all relevant details. If additional resources are required, then external organizations such as security vendors or law enforcement should be contacted immediately. Additionally, those affected by any breach in data security should be notified accordingly.

Inform Affected Individuals and Vendors

It is essential that security teams quickly inform any individuals or vendors affected by the attack.

To do this effectively, organizations should provide detailed instructions on how to respond to the attack and any additional security measures that can be taken. Additionally, records of communication should be kept for future reference and review.

Customers or stakeholders affected by an email attack should also be contacted so they can receive the necessary support. Your organization should also offer assistance in recovering lost data or credentials, as well as guidance on how best to protect themselves from further attacks.

Investigate and Collect Evidence

To carry out an effective investigation, your organization needs to make sure any collected evidence remains unaltered by safeguarding it in the correct environment. This could involve taking screenshots or pictures of suspicious emails or webpages as well as storing digital artifacts like system logs in a secure setting for future examination.

As part of the investigative process, it’s also essential to record each step taken along with the date on which it was completed. Not only will this help construct a case against potential attackers but having a timeline can ensure improved response plans should similar occurrences arise again in the future.

Mitigate Further Risks

Knowing the attack’s origin gives the email security analyst valuable information that can block future attacks from similar emails.

Origins, such as IP addresses, email addresses, server geographies, and domains, can all be used to block known bad attacks in the future. If there is an immediate and ongoing campaign being sent to an organization, the email security analyst will likely need to act quickly to mitigate the risks, and the quickest way to act while doing research is to remediate by email origin.

Execute Recovery Measures

When an email attack occurs, your organization must take swift action to protect your systems and data.

Executing recovery measures is a critical part of any incident response plan, as it allows your organization to review and update policies and procedures and assess additional tools or technologies that can be used for security purposes. It also presents an opportunity to analyze the effectiveness of existing security measures. With the right steps in place, your organization can ensure it’s prepared for any future email attacks and remain secure against cyber threats.

Adopt a Modern Solution

In addition to creating an effective response plan for email attacks, organizations should also be equipped with an email security solution that can detect and remediate today’s most sophisticated threats.

AI-based detection systems use AI to understand the signals of known good behavior, creating a baseline for each user and each organization and then blocking the emails that deviate from that—whether they are written by robots or by humans. This allows your security team to spend less time filtering through employee emails and more time preventing the attacks before they reach the inbox.

In addition, companies can take other preventative security measures like staying abreast of the latest attack vectors, utilizing multi-factor authentication, and implementing access control measures.