From phishing emails to malware infections, this is a comprehensive guide on how to identify and respond to potential cyber threats.
Determining whether a computer issue is an active cyber attack or not can be confusing. When your anti-virus catches malware or your bank remits a fraudulent wire it’s obvious there’s been an attack. But what about the unknowns? Who has the time to deal with false alarms? We’re here to help.
IR-1 provides the expertise and resources you need to address these complex situations. Let’s start by looking at different types of attacks, and pinpoint when it is necessary to “activate” your incident response team, IR-1.
You should activate IR-1 if…
- You see a Ransom Note with Financial Demand
- You Lose Access to an Online Account
- Your Firewall Logs a Surge in Unusual Outbound Traffic
- Your Corporate Files and/or Server are Encrypted
- You See Unexpected Login Activity from Strange Locations
You should not activate IR-1 for normal IT issues. Over the course of your IR-1 subscription, look out for emails from us with REAL vulnerabilities we find in your environment that you can patch by following our action-oriented guides. We’re trying to make this easy, because no one wants an incident.
When should I “activate” IR-1?
Especially for small and medium-sized businesses (SMBs) that are short on resources, separating a real attack from a false alarm is hard, and nobody has the time to chase every one. We’re here to help: IR-1 provides the expertise and resources you need to address these complex situations.
In this article, we will demystify the different types of attacks and make sure you understand when it is or isn’t time to activate IR-1.
Activate: the action taken when you click to report a live, confirmed incident. This redeems your one-time service fulfilled by Blackpanda investigations.
You should not activate IR-1 in these cases:
Phishing emails
Simply receiving these emails is not an incident. Phishing can look like legitimate email from a trusted source such as a bank, a government agency, or a well-known company. These emails often ask the recipient to click on a link or provide sensitive information, such as login credentials or financial information. Phishing emails may also contain attachments that, when opened, infect the recipient's computer with malware. Unless the report suggests that someone downloaded and ran a malicious program from the email, or entered their password into a fake site, contain the concern with some proactive measures:
- Reset the user’s credentials and log out of all of their active sessions
- Train employees to never click on suspicious links or download attachments that they were not expecting
Slow computer performance
This is a pain, but it is not usually malicious. Slow performance shows up as a decrease in the speed and responsiveness of your computer: longer wait times for applications to open, programs to respond, or websites to load. If you notice that a system is running slowly:
- Check the system’s available memory and storage
- Close any unnecessary applications. Every running application consumes memory and CPU to keep its state loaded, its windows open, and its connections alive. The more apps you run, the more free resources they need to run efficiently.
- Check for updates for your operating system and any installed applications
- Run a scan for malware using approved software
Pop-up advertisements
Pop-up advertisements can appear as unexpected windows or banners that advertise products or services. Some pop-ups may contain malicious links or downloads that, when clicked, attempt to infect your computer with malware. Be sure to:
- Train employees to avoid falling victim to a pop-up scam, e.g. do not click on any pop-ups that appear suspicious or that they were not expecting
- Browsers have a built-in pop-up blocker. Ensure browsers are configured to block pop-up windows by default
- Run anti-malware software or an EDR agent that will stop these downloads from executing
Social engineering
Social engineering uses psychological manipulation to trick individuals into revealing sensitive information or performing actions that can compromise their computer or network. This can include phone calls, emails, or in-person interactions that appear to come from a trusted source. To avoid falling victim to a social engineering attack:
- Train users to be suspicious of unsolicited requests for sensitive information and to verify the identity of the person making the request before providing any information
Unless someone has actually given information to an attacker attempting social engineering, you are not experiencing an active incident.
You should activate IR-1 in these cases:
You see a ransom note with financial demand
This pop-up page or note left on the desktop is almost certainly a sign of a live incident. Most likely ransomware, a malicious program that locks up user files and freezes the system, has run on the server or computer. The message may contain a deadline for payment and a specific payment method. Do not pay the ransom, as there is no guarantee that the attacker will actually provide the decryption key. Instead, immediately alert your IT department and activate your IR-1 incident response service.
You lose access to an online account
When an employee can no longer access their account and notifies IT, there should be a coordinated effort to investigate that incident.
Your firewall logs a surge in unusual outbound traffic
Unusual network activity can manifest as a sudden increase in network traffic or unauthorised access attempts. You may notice a slower internet connection or an increased number of error messages. If you notice any unusual network activity, immediately report it to your IT department and follow their recommended response procedures.
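To make “a surge in unusual outbound traffic” concrete, here is an added example (not part of the original article or of the IR-1 service) that scores each internal host’s latest hourly outbound volume against the median of its own earlier hours. The log line format and the sample lines are constructed for the example.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample firewall log lines; dir=out means traffic leaving the network.
SAMPLE_LOG = """\
2024-03-04T09:12:01 src=10.0.0.5 dst=203.0.113.10 dir=out bytes=120000
2024-03-04T10:05:44 src=10.0.0.5 dst=203.0.113.10 dir=out bytes=150000
2024-03-04T11:30:09 src=10.0.0.5 dst=203.0.113.22 dir=out bytes=110000
2024-03-04T12:02:13 src=10.0.0.5 dst=203.0.113.22 dir=out bytes=130000
2024-03-04T13:14:50 src=10.0.0.5 dst=198.51.100.7 dir=out bytes=9500000
2024-03-04T13:20:31 src=10.0.0.5 dst=198.51.100.7 dir=out bytes=8800000
2024-03-04T13:22:05 src=10.0.0.9 dst=203.0.113.10 dir=out bytes=80000
2024-03-04T13:25:40 src=10.0.0.5 dst=198.51.100.7 dir=in bytes=3000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=\S+ dir=(?P<dir>in|out) bytes=(?P<bytes>\d+)$"
)


def parse_lines(text):
    """Parse log lines into (hour_bucket, src, bytes) tuples, outbound traffic only."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("dir") != "out":
            continue
        hour = m.group("ts")[:13]  # 'YYYY-MM-DDTHH' bucket
        events.append((hour, m.group("src"), int(m.group("bytes"))))
    return events


def find_outbound_surges(text, ratio=5.0, min_bytes=1_000_000):
    """Return {src: (hour, bytes, baseline)} for hosts whose latest hourly outbound
    volume exceeds both ratio x the median of their earlier hours and an absolute
    floor, so small hosts with no history do not fire on a few kilobytes."""
    per_host = defaultdict(lambda: defaultdict(int))
    for hour, src, nbytes in parse_lines(text):
        per_host[src][hour] += nbytes
    surges = {}
    for src, buckets in per_host.items():
        hours = sorted(buckets)
        history = [buckets[h] for h in hours[:-1]]
        baseline = statistics.median(history) if history else 0
        current = buckets[hours[-1]]
        if current >= min_bytes and current > ratio * baseline:
            surges[src] = (hours[-1], current, baseline)
    return surges
```

A host flagged this way is a triage lead, not proof of compromise; a backup job or large upload can look the same, so check what the destination is before escalating.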
Your corporate files and/or server are encrypted
When you discover that your corporate files and/or server have been encrypted, it is likely that you are dealing with a ransomware attack. Immediately alert your IT department or cyber security team about the incident. They will need to assess the situation and determine the extent of the compromise.
You see unexpected login activity from strange locations
This could be a data breach or account compromise. A data breach can result in the exposure of sensitive information, such as login credentials, financial information, or personal information. You may notice unauthorised access to your personal or financial accounts, or receive notifications from organisations that your information was involved in a breach. If you believe that your data has been compromised, immediately change any passwords associated with the breached information, contact your IT department, and activate your incident response service.
Your anti-virus alerts you to malicious software downloads
Malicious software downloads can appear as legitimate software downloads or as software updates. They may be offered through pop-up advertisements, phishing emails, or as part of a software package. Once installed, the malicious software can compromise your computer and steal sensitive information. To avoid falling victim to a malicious software download, only download software from trusted sources and verify the legitimacy of the software before installation.
Your network is taken down by a severe denial of service (DoS) attack
DoS attacks flood a network, server, or website with a high volume of traffic, rendering it unavailable to users. Symptoms of a DoS attack can include slow performance, complete unavailability, or an error message indicating that the website or server is unable to handle the amount of traffic. If the site is taken down, or is blacklisted as a result of the DoS, remediation must occur.
Your intellectual property is missing or you see indicators that someone is in the network
This could be a longer term, more advanced attack. Advanced Persistent Threat (APT) attacks are complex, long-term cyber attacks that are highly targeted and sophisticated, often conducted by nation-states or criminal organisations. APT attacks can be difficult to detect, as the attacker may remain undetected for extended periods of time while they gather information and gain access to systems and data. Symptoms of an APT attack can include slow performance, crashes, or the presence of unfamiliar or suspicious files or processes on a system. To protect against APT attacks, implement strong security measures, such as firewalls, intrusion detection systems, and antivirus software, and regularly assess the security of your systems and networks.
Conclusion
By familiarising yourself with these potential cyber threats and following the recommended response procedures, you can better protect your computer and your sensitive information from cyber attacks.
Activating Blackpanda support will speed up your containment. Our team has dealt with all of these and more. We care about reducing the impact of the attack with quick actions so you can get your business running smoothly again.