When should I “activate” IR-1?
Determining whether a computer issue is an active cyber attack can be confusing. When your anti-virus catches malware or your bank remits a fraudulent wire, it’s obvious there’s been an attack. But what about the unknowns?
Small and medium-sized businesses (SMBs) that are short on resources rarely have time to chase false alarms. We’re here to help. IR-1 provides the expertise and resources you need to address these complex situations.
In this article, we will demystify the different types of attacks and make sure you understand when it is or isn’t time to activate* IR-1.
*Activate: the action taken when you click to report a live, confirmed incident. This redeems your one-time service, fulfilled by Blackpanda.
Think twice before activating IR-1 for these reasons:
Phishing Emails: Simply receiving these emails is not an incident. Phishing can look like legitimate email from a trusted source such as a bank, a government agency, or a well-known company. These emails often ask the recipient to click on a link or provide sensitive information, such as login credentials or financial details. Phishing emails may also contain attachments that, when opened, infect the recipient's computer with malware. Unless the reported incident sounds like someone downloaded and ran a malicious program from an email, or entered their password into a fake site, try to contain the concern with some proactive measures:
- Reset the user’s credentials and log out of all sessions.
- Train employees to never click on suspicious links or download attachments that they were not expecting.
Slow Computer Performance: This is a pain, but it is not usually malicious. Slow performance shows up as a decrease in the speed and responsiveness of your computer: longer wait times for applications to open, programs to respond, or websites to load. If you notice that a system is running slowly:
- Check the system’s available memory and storage
- Close any unnecessary applications. Every app uses resources to keep its state in memory, its windows open, and its connections alive. The more apps you have running, the more free resources you need for them to run efficiently.
- Check for updates for your operating system and any installed applications
- Run a scan for malware using approved software
Pop-up Advertisements: Pop-up advertisements can appear as unexpected windows or banners that advertise products or services. Some pop-ups may contain malicious links or downloads that, when clicked, attempt to infect your computer with malware. Be sure to:
- Train employees to avoid falling victim to a pop-up scam, e.g. do not click on any pop-ups that appear suspicious or that they were not expecting
- Browsers have a “disable pop-ups” feature built in! Ensure browsers are set to block pop-up windows by default
- Run anti-malware software or an EDR that will stop these from executing
Social Engineering: Social engineering uses psychological manipulation to trick individuals into revealing sensitive information or performing actions that can compromise their computer or network. This can include phone calls, emails, or in-person interactions that appear to come from a trusted source. To avoid falling victim to a social engineering attack:
- Train users to be suspicious of unsolicited requests for sensitive information and verify the identity of the person making the request before providing any information
- Unless you have actively given out information to an attacker attempting social engineering, you are not experiencing an active incident.
You Should Activate IR-1 if...
Ransom Note: A pop-up page or note left on the desktop is almost certainly a sign of a live incident. Most likely the server or computer has run ransomware, a malicious program that encrypts user files and freezes the system. The message may contain a deadline for payment and a specific payment method. Do not pay the ransom, as there is no guarantee that the attacker will actually provide the decryption key. Instead, immediately alert your IT department and activate your IR-1 incident response service.
Your Firewall Logs a Surge in Unusual Outbound Traffic: Unusual network activity can manifest as a sudden increase in network traffic or in unauthorized access attempts. You may notice a slower internet connection or an increased number of error messages. If you notice any unusual network activity, immediately report it to your IT department and follow their recommended response procedures.
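As an added example (not part of the original article or Blackpanda's own tooling), the script below shows the kind of check an IT team can run over exported firewall logs to decide whether an outbound "surge" is real: it sums outbound bytes per internal host per hour and flags hours far above that host's own median. The log format, hosts, addresses and thresholds are all constructed assumptions.

```python
"""Flag hours of unusually high outbound traffic per host in a firewall log."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log: timestamp, source, destination, direction, bytes.
# 10.0.0.12 sends ~50 KB/hour all morning, then ~1.7 GB in the 12:00 hour.
SAMPLE_LOG = """\
2024-03-01T09:05:00 10.0.0.12 203.0.113.8 out 52000
2024-03-01T09:40:00 10.0.0.12 203.0.113.8 out 48000
2024-03-01T10:10:00 10.0.0.12 203.0.113.8 out 51000
2024-03-01T11:20:00 10.0.0.12 203.0.113.8 out 47000
2024-03-01T12:02:00 10.0.0.12 203.0.113.9 out 900000000
2024-03-01T12:30:00 10.0.0.12 203.0.113.9 out 850000000
2024-03-01T12:45:00 203.0.113.8 10.0.0.12 in 120000
2024-03-01T09:15:00 10.0.0.20 203.0.113.8 out 30000
2024-03-01T12:15:00 10.0.0.20 203.0.113.8 out 32000
"""


def parse_log(text):
    """Yield (hour_bucket, source, direction, bytes); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, _dst, direction, size = parts
        try:
            hour = datetime.fromisoformat(ts).replace(minute=0, second=0)
            yield hour, src, direction, int(size)
        except ValueError:
            continue  # unparsable timestamp or byte count


def outbound_by_hour(text):
    """Sum outbound bytes per (source host, hour); inbound lines are ignored."""
    totals = defaultdict(int)
    for hour, src, direction, size in parse_log(text):
        if direction == "out":
            totals[(src, hour)] += size
    return totals


def find_surges(text, factor=10.0, min_bytes=100_000_000):
    """Return {host: [hours]} where an hour exceeds factor x the host's median
    hourly volume AND an absolute floor, so small hosts don't trip the check."""
    per_host = defaultdict(dict)
    for (src, hour), size in outbound_by_hour(text).items():
        per_host[src][hour] = size
    surges = {}
    for src, hours in per_host.items():
        if len(hours) < 3:
            continue  # too little history to form a baseline
        baseline = median(hours.values())
        hot = sorted(h for h, b in hours.items() if b >= min_bytes and b > factor * baseline)
        if hot:
            surges[src] = hot
    return surges


if __name__ == "__main__":
    for host, hours in find_surges(SAMPLE_LOG).items():
        print(host, [h.isoformat() for h in hours])
```

A host that is flagged here is a reason to escalate, not proof of compromise; the next step is to check what process on that host opened the connections and whether the destination is a known business service.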
You See Unexpected Login Activity from Strange Locations: This could be a data breach or account compromise. A data breach can expose sensitive information, such as login credentials, financial information, or personal information. You may notice unauthorized access to your personal or financial accounts, or receive notifications from organizations that your information was involved in a breach. If you believe that your data has been compromised, immediately change any passwords associated with the breached information, contact your IT department, and activate your incident response service.
Your Anti-Virus Alerts you to Malicious Software Downloads: Malicious software downloads can appear as legitimate software downloads or as software updates. They may be offered through pop-up advertisements, phishing emails, or as part of a software package. Once installed, the malicious software can compromise your computer and steal sensitive information. To avoid falling victim to a malicious software download, only download software from trusted sources and verify the legitimacy of the software before installation.
Your Network is Taken Down by a Severe Denial of Service (DoS) Attack: DoS attacks flood a network, server, or website with a high volume of traffic, rendering it unavailable to users. Symptoms of a DoS attack can include slow performance, complete unavailability, or an error message indicating that the website or server is unable to handle the amount of traffic. If the site is taken down or blacklisted as a result of the DoS, remediation must occur.
Your Intellectual Property is Missing or You See Indicators that Someone is in the Network: This could be a longer-term, more advanced attack. Advanced Persistent Threat (APT) attacks are complex, long-term cyber attacks that are highly targeted and sophisticated, often conducted by nation-states or criminal organizations. APT attacks can be difficult to detect, as the attacker may remain undetected for extended periods while they gather information and gain access to systems and data. Symptoms of an APT attack can include slow performance, crashes, or the presence of unfamiliar or suspicious files or processes on a system. To protect against APT attacks, implement strong security measures, such as firewalls, intrusion detection systems, and antivirus software, and regularly assess the security of your systems and networks.
By familiarizing yourself with these potential cyber threats and following the recommended response procedures, you can better protect your computer and your sensitive information from cyber attacks.
Activating Blackpanda support will speed up your containment. Our team has dealt with all of these and more. We care about reducing the impact of the attack with quick actions so you can get your business running smoothly again.