A few weeks ago, we published the Business Email Compromise (BEC) Checklist. The question arose – what if you’re new to security, or your security program isn’t very mature?
Since the checklist is based on the NIST model, there’s a lot of information here to help your security program mature, as well as to help you mature as a security practitioner. MSI’s engineers have discussed a few ways to leverage the checklist as a growth mechanism.
Now we’ll move along to the final part of the checklist – Report. The incident has been triaged, the immediate crisis is past. What’s next?
- Regardless of damages, please report the activity to the FBI at http://www.ic3.gov.
Report, report, report. Data is important, data with correlation is invaluable. What may seem minor to you may add a nuance to existing campaign information for other vulnerable entities.
- Prepare any reports and notifications required by regulation, law or policy and deliver as appropriate.
If you’re in a regulated industry, follow the reporting protocols and guidelines that apply to your business. The topic is too broad and varied for me to address here.
- Prepare lessons learned reports and socialize as appropriate according to your site’s incident response policies.
Lessons learned is probably THE most important thing you can do after an incident. This is NOT the time and place for blame, or for defensiveness. What happened? What controls worked well? What controls failed, and why? How can you prevent that going forward? What controls can you implement going forward?
- Share incident details and lessons learned with appropriate management, board-level or committee level members.
Again, this isn’t a blame game, or a time for recriminations. Share the information at the appropriate level of detail. Use this information to generate buy-in for the objectives that you need to move forward, and prevent a repeat occurrence. Be open and transparent about what you need, and why. And call out what your teams did well, both before and during the incident. No scapegoats, please.
- Implement any additional controls to minimize the risk of future attacks.
Go back to step 1. Revisit the BEC checklist. Take the controls that came out of your lessons learned, implement them, and work back through the process.
How is your team handling BEC, both incidents and risks?
The entire series is as follows:
Part 1 – Identify
Part 2 – Identify, continued
Part 3 – Protect
Part 4 – Detect
Part 5 – Respond
Part 6 – Recovery