BEC #6 – Recovery

A few weeks ago, we published the Business Email Compromise (BEC) Checklist. The question arose – what if you’re new to security, or your security program isn’t very mature?

Since the checklist is based on the NIST model, there’s a lot of information here to help your security program mature, as well as to help you mature as a security practitioner. MSI’s engineers have discussed a few ways to leverage the checklist as a growth mechanism.

Part 1 and Part 2 covered the first checkpoint in the list – Discover. Part 3 covered the next checkpoint – Protect. Part 4 continued the series – Detect. Part 5 addressed how to Respond.

Now we’ll move along to the final part of the checklist – Report. The incident has been triaged, the immediate crisis is past. What’s next?

  • Regardless of damages, please report the activity to the FBI at

Report, report, report. Data is important, data with correlation is invaluable. What may seem minor to you may add a nuance to existing campaign information for other vulnerable entities.

  • Prepare any reports and notifications required by regulation, law or policy and deliver as appropriate.

If you’re in a regulated industry, follow the protocols and guidelines that you need to do for your business. The topic is too broad and varied for me to address here.

  • Prepare lessons learned reports and socialize as appropriate according to your site’s incident response policies.

Lessons learned is probably THE most important thing you can do after an incident. This is NOT the time and place for blame, or for defensiveness. What happened? What controls worked well? What controls failed, and why? How can you prevent that going forward? What controls can you implement going forward?

  • Share incident details and lessons learned with appropriate management, board-level or committee level members.

Again, this isn’t a blame game, or a time for recriminations. Share the information at the appropriate level of detail. Use this information to generate buy-in for the objectives that you need to move forward, and prevent a repeat occurrence. Be open and transparent about what  you need, and why. And call out what your teams did well, both before and during the incident. No scapegoats, please.

  • Implement any additional controls to minimize the risk of future attacks.

Go back to step 1. Revisit the BEC checklist. Take the controls that came out of your lessons learned, implement then, and work back through the process.

How is your team handling BEC, both incidents and risks?

The entire series is as follows:

Part 1 – Identify

Part 2 – Identify, continued

Part 3 – Protect

Part 4 – Detect

Part 5 – Respond

Part 6 – Recovery

Questions? Comments? I’d love to hear from you –, or @TheTokenFemale on Twitter!

If you would like to know more about MicroSolved or its services please send an e-mail to or visit

This entry was posted in Awareness, Emerging Threats, General InfoSec, How To, incident response, Phishing by Lisa Wallace. Bookmark the permalink.

About Lisa Wallace

Lisa Wallace joined MSI in 2015 as a security focal and project manager, and became Technical Director in 2017. She is involved in internal and external penetration testing application assessments digital forensics threat intelligence incident response eDiscovery efforts She is responsible for scoping our efforts across all workstreams, as well as project and staff coordination and management. She has worked in a variety of fields, including utilities, financial services, telecommunications, and consulting in a number of ancillary industries.