Scribd Logo
Upload

Welcome to Scribd!

  • 32 views

    IRM 10 SocialEngineering

    Uploaded by

    mohamed habi
    This document provides guidance on handling social engineering incidents through phone calls or email. It outlines 6 steps for incident response: 1) preparation, 2) identification, 3) containment, 4) remediation, 5) recovery, and 6) lessons learned. The containment section describes actions employees and incident response teams should take, such as using a designated "red phone" line or collecting information from email headers to identify the attacker. The document also lists possible remediation actions like alerting law enforcement or reporting abused email addresses.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd

    IRM 10 SocialEngineering

    Uploaded by

    mohamed habi
    32 views10 pages
    This document provides guidance on handling social engineering incidents through phone calls or email. It outlines 6 steps for incident response: 1) preparation, 2) identification, 3) containment, 4) remediation, 5) recovery, and 6) lessons learned. The containment section describes actions employees and incident response teams should take, such as using a designated "red phone" line or collecting information from email headers to identify the attacker. The document also lists possible remediation actions like alerting law enforcement or reporting abused email addresses.

    Original Title

    IRM-10-SocialEngineering

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    This document provides guidance on handling social engineering incidents through phone calls or email. It outlines 6 steps for incident response: 1) preparation, 2) identification, 3) containment, 4) remediation, 5) recovery, and 6) lessons learned. The containment section describes actions employees and incident response teams should take, such as using a designated "red phone" line or collecting information from email headers to identify the attacker. The document also lists possible remediation actions like alerting law enforcement or reporting abused email addresses.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    32 views10 pages

    IRM 10 SocialEngineering

    Uploaded by

    mohamed habi
    This document provides guidance on handling social engineering incidents through phone calls or email. It outlines 6 steps for incident response: 1) preparation, 2) identification, 3) containment, 4) remediation, 5) recovery, and 6) lessons learned. The containment section describes actions employees and incident response teams should take, such as using a designated "red phone" line or collecting information from email headers to identify the attacker. The document also lists possible remediation actions like alerting law enforcement or reporting abused email addresses.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    of 10

    TLP:CLEAR

    INCIDENT RESPONSE METHODOLOGY


    IRM #10
    SOCIAL
    ENGINEERING
    INCIDENT

    How to handle a social


    engineering incident (phone or
    e-mail)

    IRM Author: CERT SG


    Contributor: CERT aDvens
    IRM version: 2.0
    E-Mail: [email protected]
    Web: https://cert.societegenerale.com
    Twitter: @CertSG

    TLP:CLEAR
    TLP:CLEAR

    ABSTRACT

    This Incident Response Methodology is a cheat sheet dedicated to handlers investigating on a


    precise security issue.
    WHO SHOULD USE IRM SHEETS?
     Administrators
     Security Operation Center
     CISOs and deputies
     CERTs (Computer Emergency Response Team)
    Remember: If you face an incident, follow IRM, take notes. Keep calm and contact your
    business line’s Incident Response team or CERT immediately if needed.

    → IRM CERT SG: https://github.com/certsocietegenerale/IRM


    → IRM CERT aDvens (French version): https://github.com/cert-advens/IRM

    IRM #10 SOCIAL ENGINEERING


    2
    TLP:CLEAR
    TLP:CLEAR

    INCIDENT HANDLING STEPS

    6 STEPS ARE DEFINED TO HANDLE SECURITY INCIDENTS


    1. Preparation: get ready to handle the incident
    2. Identification: detect the incident
    3. Containment: limit the impact of the incident
    4. Remediation: remove the threat
    5. Recovery: recover to a normal stage
    6. Lessons learned: draw up and improve the process
    IRM provides detailed information for each step of the incident response process. The steps
    come from NIST Computer Security Incident Handling Guide.

    IRM #10 SOCIAL ENGINEERING


    3
    TLP:CLEAR
    TLP:CLEAR

    PREPARATION

    OBJECTIVE: ESTABLISH CONTACTS, DEFINE PROCEDURES, AND RED PHONE:


    GATHER INFORMATION TO SAVE TIME DURING AN INCIDENT. Red phone number must be
    clearly tagged as “Social
    Engineering”.
    ▪ Raise user awareness and security policies.
    The phone number must be easy
    to identify in the global phone
    Never give any personal or corporate information to an directory of your company but
    unidentified person. This could include user IDs, passwords, requests on reverse number
    account information, name, e-mail address, phone (mobile or should not be displayed.

    landline) numbers, address, social security number, job Red phone line should always be
    titles, information on clients, organization or IT systems. recorded for evidence collecting
    purposes.

    The goal of the social engineer is to steal human resources,


    corporate secrets or customer/user data.

    Report any suspicious event to your manager, who will forward it to


    the CISO in order to have a centralized reporting.

    ▪ Have a defined process to redirect any “weird” request to a “red”


    phone, if needed.

    ▪ Prepare to handle conversation with social engineers to identify


    which information could help tracking the attacker and his goals.

    ▪ Check your legal department to see which actions are allowed and
    which reactions they can handle.

    IRM #10 SOCIAL ENGINEERING


    4
    TLP:CLEAR
    TLP:CLEAR

    IDENTIFICATION

    OBJECTIVE: DETECT THE INCIDENT, DETERMINE ITS SCOPE, AND INVOLVE THE
    APPROPRIATE PARTIES.

    ▪ Phone call / someone you don't know calls you/your service, asking for detailed information.

    o If the contact works out of the company and requests for information that could be valuable for a
    competitor, deny his requests and go to part 3.
    o If the contact pretends to be an employee of your company but the phone number is hidden or not
    internal, propose that you call back to the declared number in the directory. If the supposedly
    attacker agrees, call back to check. If he rejects this option, go to part 3.

    The attacker might use several techniques to entice his victim to speak (fear, curiosity,
    empathy ...). Do not disclose information in any case.
    Listen carefully to his requests and at the end ask for a phone number to call back or an
    email address to reply.
    Take notes and stay calm, even if the attacker is shouting or threatening, remember he
    tries to use human weaknesses.

    If you can go further, the following information will be precious:


    ▪ the name of the correspondent
    ▪ requested information / people
    ▪ accent, language skills
    ▪ industry language and organizational knowledge
    ▪ background noises
    ▪ time and duration of the call

    ▪ E-mail / Someone you don't know requests detailed information:


    o If the contact has an “out of the company” e-mail address and requests information that could be
    valuable for a competitor, go to part 3.
    o If the contact uses an internal e-mail address but is asking for weird information, ask him some
    explanations and use the company directory to get his manager's name that you'll place as a copy.
    ▪ Eventually notify top management to inform them that an incident has been encountered relating to a
    social engineering attack. They might understand the goals depending on the context.

    IRM #10 SOCIAL ENGINEERING


    5
    TLP:CLEAR
    TLP:CLEAR

    CONTAINMENT

    OBJECTIVE: MITIGATE THE ATTACK’S EFFECTS ON THE TARGETED ENVIRONMENT.

    At this step, you should be pretty sure that you're dealing with a social engineering attack.

    Actions for all employees:


    ▪ Phone call
    If the attacker urges you to give a phone number, follow these steps:
    o Use the “red phone line” from your CERT/CSIRT, if existing.
    o Give him the number with an invented name.
    o Immediately call your CERT/CSIRT team explaining what happened and the chosen invented name.
    o If the attacker stresses you too much and does not let you time to find the Red Phone number, ask
    him to call you back later, pretending a meeting.
    If the attacker wants to reach someone, follow these points :
    o Place on hold the attacker and call CERT/CSIRT team and explain what happened.
    o Transfer the conversation of the attacker to CERT/CSIRT team (do not give him the number).
    ▪ E-mail
    Forward to your security team all email including headers (send as attached documents) for
    investigation purposes. It might help to track the attacker.

    IRM #10 SOCIAL ENGINEERING


    6
    TLP:CLEAR
    TLP:CLEAR

    CONTAINMENT

    Actions for CERT or incident response team:


    ▪ Phone call
    Resume the conversation with the attacker and use one of these techniques:
    o Impersonate the identity of the people whom the attacker is willing to speak
    o Slow down and make last the conversation and entice the attacker to make mistake
    o Explain him that social engineering attack is forbidden by law, punished by sanctions and that
    lawyer team will handle the issue if it continues
    If the trap phone number has been used, prepare to “burn it”, create another one and display it in the
    directory.

    ▪ E-mail
    o Collect as much information as possible on the email address
    o Analyze the email headers and try to locate the source
    o Search the e-mail address with Internet tools
    o Geolocalize the user behind the email address

    Aggregate all social engineering attacks to visualize the scheme.

    IRM #10 SOCIAL ENGINEERING


    7
    TLP:CLEAR
    TLP:CLEAR

    REMEDIATION

    OBJECTIVE: TAKE ACTIONS TO REMOVE THE THREAT AND AVOID FUTURE INCIDENTS.

    Some possible remediation actions can be tried:


    ▪ Alert the law enforcement and/or file a complaint
    ▪ Discuss the problem in circles of trust to know if the company is facing this issue alone
    ▪ Threaten the attacker with legal actions if he can be identified
    ▪ Report email addresses used by the attacker to the provider abuse teams

    IRM #10 SOCIAL ENGINEERING


    8
    TLP:CLEAR
    TLP:CLEAR

    RECOVERY

    OBJECTIVE: RESTORE THE SYSTEM TO NORMAL OPERATIONS.

    Notify the top management of the actions and the decisions taken on the social engineering case.

    For more details on authentication and infrastructure recovery, check the Large-scale malware compromise IRMXXX

    IRM #10 SOCIAL ENGINEERING


    9
    TLP:CLEAR
    TLP:CLEAR

    LESSONS LEARNED

    OBJECTIVE: DOCUMENT THE INCIDENT’S DETAILS, DISCUSS LESSONS LEARNED, AND


    ADJUST PLANS AND DEFENSES.

    Inform your hierarchy and subsidiaries about the incident, this could help to avoid similar attacks later.

    Report
    An incident report should be written and made available to all the actors of the incident.

    The following themes should be described:


    ▪ Initial cause of the infection
    ▪ Actions and timelines of every important event
    ▪ What went right
    ▪ What went wrong
    ▪ Incident cost (direct and indirect losses)
    ▪ Indicators of compromise

    Capitalize
    Actions to improve the social engineering handling processes should be defined to capitalize on this
    experience, especially awareness.

    IRM #10 SOCIAL ENGINEERING


    10
    TLP:CLEAR

    You might also like