Five Critical Steps For Effective Email Security Incident Response


In the rapidly evolving digital space, few technologies have stood the test of time. Pagers, once the essential tool of the always-on business person of the 1980s, and more recently BlackBerry phones, are today merely relics of times gone by.

But despite its decades-long history, email stands firm and remains one of the most popular means of communication for professionals. Today, there are 4 billion daily email users – a number that is expected to soar to 4.6 billion by 2025. And even in the era of instant messaging, effortless video conferencing, cloud-based file sharing and other conveniences, nearly half (46 per cent) of smartphone users prefer to receive communications from businesses via email.

It’s no surprise that email has consistently ranked highest over the decades among the most popular threat vectors. Cybercriminals have exploited it to perpetrate a host of attacks, ranging from malware and phishing to spam and fraud. After all, in many cases, all it takes is for one rogue message to be opened by a staff member for an entire IT infrastructure to become compromised.

During the past few years, with social-engineering techniques, attackers have become increasingly adept at creating emails that appear to have come from a trusted source. Users can easily be tricked by the apparent authenticity of these emails and persuaded into opening a malicious attachment or clicking on a link that downloads nefarious code.

No silver bullet

IT security specialists understand that no technology or tool is 100 per cent effective in preventing email attacks. They also know it only takes a single message to initiate a costly incident.

Having an effective email security architecture will go a long way in keeping successful attacks to a minimum. However, it is also important to have a strategy to stop the spread of an attack, minimise the damage caused, and reinforce prevention and detection methods.

Experience shows that the aftermath of an email attack can consume an inordinate amount of IT resources. According to research conducted by Barracuda, manual incident response takes an average of three to five hours per incident. Given that typical IT teams in the region are already understaffed, this precious time detracts from other, more productive IT initiatives.

When it comes to effective email incident response, time is money. Not only can being inefficient consume precious IT resources, but it can also result in stolen data, financial loss, and brand damage.

Five-step checklist

Fortunately, having a robust and well-tested incident response strategy can go a long way toward minimising the effects of a potentially devastating email attack. One way to achieve this is to follow a five-step remediation checklist that can be used in case of an incident. The steps are:

Prepare: Align technology, people, and processes

As a first step, an organisation should deploy API-based inbox defence technology to detect sophisticated email fraud as soon as it is received. Time should also be taken to securely back up sensitive data and retain a copy in a different location.

When it comes to people, it’s important to create a security culture across the organisation. This should be supported by continuous simulation and awareness training. All staff need to know about the potential for attack and the signs that an email could be from a malicious source.

For processes, a good approach is documenting all actions that should be taken if and when an incident occurs. These processes must then be communicated to the key players so that they understand their role in the response.

Escalate: Reduce monitoring time and escalate to an incident response platform

An incident response platform is a key resource that can help to monitor and prioritise threats that have been reported or discovered post-delivery. The platform will provide proactive threat hunting capabilities using a wide variety of classifiers, such as unusual locations and suspicious logins.

A fully featured incident response platform will also undertake automatic remediation of malicious content and support mailbox integration for single-click user reporting.

Identify: Understand the nature of the attack and its scope

In this step, it is time to understand the nature of the threat and its intended targets. It’s worth automating the task of incident creation and undertaking post-delivery detection of malicious content. This can be aided by using data gathered on potential incidents based on past threats.

The security team should also work to extract threat details from the malicious email and identify all affected users. All team members should coordinate with each other so everyone understands the status of the incident at all times.

Contain: Respond swiftly to minimise the spread of the attack

The next task will be to remove the suspicious email from all affected user inboxes. Steps should also be taken to block access to malicious websites and alert all affected users. The security team should also enable continuous remediation to stop any future instances of the same attack.
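A minimal illustration of the Identify and Contain steps above, written as an added example and not taken from the article or from any vendor's product: it extracts indicators from a user-reported message, searches mailbox records for every other copy of the same campaign (including copies with a different sender alias or re-cased subject), and produces a containment plan listing the messages to quarantine, the URL to block and the users to alert. The mailbox records, sender domain, URL and attachment bytes are all constructed for the example.

```python
import hashlib
import re

# Constructed sample mailbox records (not a real incident), shaped like a mail platform's search API output.
MAILBOX_RECORDS = [
    {"id": "m1", "user": "alice@example.test", "sender": "it-support@examp1e.test",
     "subject": "Password expires today", "body": "Reset here: http://examp1e.test/login",
     "attachments": [b"MZ constructed dropper bytes"]},
    {"id": "m2", "user": "bob@example.test", "sender": "helpdesk@examp1e.test",
     "subject": "PASSWORD  EXPIRES TODAY", "body": "Reset: http://examp1e.test/login",
     "attachments": []},
    {"id": "m3", "user": "carol@example.test", "sender": "payroll@example.test",
     "subject": "March payslip", "body": "Attached.", "attachments": [b"%PDF payslip"]},
]
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def extract_indicators(msg):
    # Identify step: sender, case/whitespace-normalised subject, URLs and attachment hashes.
    return {
        "sender": msg["sender"].lower(),
        "subject": " ".join(msg["subject"].lower().split()),
        "urls": set(URL_RE.findall(msg["body"])),
        "hashes": {hashlib.sha256(a).hexdigest() for a in msg["attachments"]},
    }

def find_affected(indicators, records):
    # A record belongs to the campaign if it shares the sender, normalised subject,
    # any URL or any attachment hash with the reported message.
    hits = []
    for r in records:
        ind = extract_indicators(r)
        if (ind["sender"] == indicators["sender"]
                or ind["subject"] == indicators["subject"]
                or ind["urls"] & indicators["urls"]
                or ind["hashes"] & indicators["hashes"]):
            hits.append(r)
    return hits

def containment_plan(indicators, affected):
    # Contain step: messages to pull from inboxes, URLs to block, users to alert.
    return {
        "quarantine": sorted(r["id"] for r in affected),
        "block_urls": sorted(indicators["urls"]),
        "notify_users": sorted({r["user"] for r in affected}),
    }

def respond_to_report(reported_id, records=MAILBOX_RECORDS):
    reported = next(r for r in records if r["id"] == reported_id)
    indicators = extract_indicators(reported)
    return containment_plan(indicators, find_affected(indicators, records))
```

Calling `respond_to_report("m1")` returns the plan for Alice's reported message; the legitimate payslip in Carol's mailbox shares no indicator and is left untouched.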

Recover: Repair any system damage and recover lost data

The fifth step involves restoring any lost data from the earlier backups. The security team should also take this time to monitor the health of all endpoints to ensure that no malicious code remains.

It’s a good idea to reset all user passwords and update email security policies. Many organisations also use community-sourced threat intelligence reports to strengthen security further.

By following these five steps, Middle East organisations can recover as rapidly as possible should an email-based cyberattack occur. By taking the time to create a response plan carefully and then following it methodically, the impact of any incident can be kept to a minimum.
