Incident response

Creating your personal incident response plan

By Fakhar Imam, May 29, 2019

Introduction

What should you do if your computer behaves abnormally? Is malware running behind the screen? Has your Personally Identifiable Information (PII) or other financial data gone missing? If yes, your computer has been compromised and you need to initiate a personal incident response plan. It’s important to create one before the attack hits, as quick implementation is of vital importance.

A personal incident response plan is a set of proactive measures prepared in advance for handling security incidents that affect your personal computer, laptop or mobile device. An effective plan enables you to quickly and methodically identify the threat, mitigate the damage and reduce the cost of the cyberattack. The following sections will help you get a better understanding of personal incident response plans.


During specific attacks

To detect a malware attack, it’s important to be familiar with its symptoms. Common ones include fake antivirus messages, unexpected software installations, passwords that stop working, frequent random pop-ups, redirected Internet searches, unwanted browser toolbars, slower performance, programs opening and running on their own, files duplicating themselves automatically, and denied access to files and folders.

In addition, your anti-malware software, Registry Editor and/or Task Manager may be disabled and cannot be restarted. Under such circumstances, knowing how to recognize these intrusions will help you determine how to fix the problem. Below are some potential attack scenarios and the steps that get rid of them with minimal or no damage.

Ransom message

Ransomware is becoming more common. In these cases, once your Personally Identifiable Information (PII) or other sensitive data is locked up or encrypted by cyberpests, you will receive a ransom message asking for money in order to provide access and decrypt the data. To hide their identity, cybercriminals usually demand money in virtual currency such as Bitcoin. WannaCry and CryptoLocker are notorious examples of ransomware.

Two common symptoms of ransomware are a splash screen at startup that prevents you from using your PC and asks you to pay a ransom, and missing or odd file extensions such as .cryptor or .crypted left behind by the ransomware’s encryption; affected files will display a blank icon. If you have a duplicate copy of your data on an external hard drive or in a cloud storage service such as Dropbox or OneDrive, first disinfect your computer and then initiate a restore plan to recover your data.

If this is not the case, decide whether or not you are going to pay the ransom. The hackers will already have left payment instructions for you: for example, .txt or .html files whose names begin with an underscore (_) followed by plain language in all caps, such as “_OPEN YOUR FILES,” “_DECRYPT ME” or “_PAY RANSOM.”
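The two indicators just described (renamed files with odd extensions and all-caps ransom-note files) can be checked for mechanically before you decide anything else. The script below is an added example written for this article, not code from the original; the extension set and the note-name pattern are assumptions modelled on the examples in the text, and the folder tree it scans is constructed in a temporary directory.

```python
"""Scan a folder tree for the ransomware symptoms described above.

Added example, not code from the original article. It checks for the two
indicators the text names: files renamed with odd extensions such as
.cryptor or .crypted, and ransom-note files (.txt or .html) whose names
start with an underscore followed by all-caps text, e.g. "_DECRYPT ME.html".
The extension set and the note-name pattern are assumptions modelled on the
article's examples; extend them for your own plan.
"""
import os
import re
import tempfile
from pathlib import Path

# Assumption: the extensions mentioned in the article; real families use many others.
SUSPICIOUS_EXTENSIONS = {".cryptor", ".crypted"}
# "_OPEN YOUR FILES.txt", "_DECRYPT ME.html" and "_PAY RANSOM.txt" all match.
NOTE_NAME = re.compile(r"^_[A-Z0-9 ]+\.(txt|html?)$")


def scan_for_ransomware_indicators(root) -> dict:
    """Walk `root` and report renamed files and ransom notes found under it."""
    renamed, notes, total = [], [], 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            total += 1
            path = Path(dirpath) / name
            if path.suffix.lower() in SUSPICIOUS_EXTENSIONS:
                renamed.append(str(path))
            elif NOTE_NAME.match(name):
                notes.append(str(path))
    fraction = len(renamed) / total if total else 0.0
    return {
        "total_files": total,
        "renamed_count": len(renamed),
        "note_count": len(notes),
        "renamed_fraction": round(fraction, 3),
        # A single ransom note is decisive; renamed files alone are also enough
        # to justify disconnecting the machine and starting the response plan.
        "suspected": bool(notes) or bool(renamed),
        "samples": (renamed + notes)[:5],
    }


def run_demo(infected: bool = True) -> dict:
    """Build a small constructed folder tree in a temp directory and scan it."""
    if infected:
        names = ["report.docx.crypted", "photo.jpg.cryptor", "notes.txt",
                 "_DECRYPT ME.html", "docs/budget.xlsx.crypted"]
    else:
        # "_readme.txt" is lower-case, so it must not be mistaken for a note.
        names = ["report.docx", "photo.jpg", "notes.txt", "_readme.txt"]
    with tempfile.TemporaryDirectory() as tmp:
        for name in names:
            target = Path(tmp) / name
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(b"constructed sample content")
        return scan_for_ransomware_indicators(tmp)


if __name__ == "__main__":
    print(run_demo(infected=True))
```

Run it against your own Documents folder by calling `scan_for_ransomware_indicators("C:/Users/you/Documents")` (an assumed path). A positive result is the cue to unplug the machine and move on to the restore-or-pay decision; it is not a cleaning tool.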

The question of paying the ransom is controversial: many security experts say you should not trust cybercriminals, although some say otherwise. After all, you’re dealing with criminals, and there’s no guarantee that they’ll actually give you back your files. If you are confronted with a ransomware demand, CSO recommends the following steps to remove the ransomware:

  • Reboot Windows into Safe Mode
  • Install any anti-malware software
  • Scan your system to find and remove the ransomware
  • Restore your computer to the previous state

Run a remote wipe if your device is a smartphone or tablet

Stolen devices can be serious security risks. Remote wipe is a security feature that allows you to send a command to the stolen device to remove its data completely. However, what a remote wipe achieves depends on your mobile device’s operating system and Mobile Device Management (MDM) software.

Generally, a remote wipe feature can delete selected files or folders, overwrite sensitive data to prevent forensic recovery, or brick the device so it is useless for any future purpose. Though third parties provide MDM applications to perform remote wipe operations, some consumer-focused apps, such as Apple’s Find My iPhone, also offer this feature.

Monitoring financial data after the incident

Financial hacking or banking frauds are on the rise, and it’s more important than ever to be aware of symptoms that indicate that your account has been hacked. Doing so can mitigate the damage or even prevent any damage at all.

As soon as you suspect a breach, notify your bank. Below is a list of symptoms of a compromised bank account:

  • Your card is empty or frozen by your bank
  • Your bank has closed your account altogether after detecting suspicious activity. In this case, the bank will notify you about the breach
  • Your bank has blocked your login account due to numerous failed login attempts made by hackers
  • You receive a message about an unfamiliar purchase or transaction
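Several of these symptoms (unfamiliar transactions, repeated failed logins, a blocked card) arrive as bank alert messages, and once you have those messages in a text file you can check them automatically rather than reading each one. The following is an added example for this article, not code from the original: the alert feed, its line format and the list of known merchants are all constructed for the demonstration.

```python
"""Flag the account-compromise symptoms listed above in a bank alert feed.

Added example, not part of the original article. It assumes you have turned
on your bank's activity messages and exported them as lines of the form
"timestamp|event|detail|amount" (a constructed format). It reports purchases
at merchants missing from your own list of known merchants, bursts of failed
logins, and a card-blocked notice, so you know to call the bank at once.
"""
from datetime import datetime, timedelta

# Constructed sample feed: one quiet day, then a pattern worth a phone call.
SAMPLE_ALERTS = [
    "2019-05-20T08:01|purchase|GROCERY MART|42.10",
    "2019-05-21T12:30|login_failed|web|0",
    "2019-05-21T12:31|login_failed|web|0",
    "2019-05-21T12:31|login_failed|web|0",
    "2019-05-21T12:32|login_failed|web|0",
    "2019-05-21T12:40|purchase|ONLINE ELECTRONICS XYZ|899.00",
    "2019-05-21T13:05|purchase|GIFT CARD KIOSK|500.00",
    "2019-05-21T13:10|card_blocked|suspicious activity|0",
]
# Assumption: merchants you recognise from your own past statements.
KNOWN_MERCHANTS = {"GROCERY MART", "CITY TRANSIT", "COFFEE CORNER"}
FAILED_LOGIN_LIMIT = 3                  # failures inside the window below
FAILED_LOGIN_WINDOW = timedelta(minutes=10)


def parse_alert(line: str) -> dict:
    """Split one constructed alert line into its four fields."""
    ts, event, detail, amount = line.strip().split("|")
    return {"time": datetime.fromisoformat(ts), "event": event,
            "detail": detail, "amount": float(amount)}


def analyze_alerts(lines, known_merchants=KNOWN_MERCHANTS) -> list:
    """Return (finding, detail) pairs, one per suspicious symptom found."""
    findings = []
    failures = []          # timestamps of recent failed logins
    burst_reported = False
    for alert in (parse_alert(line) for line in lines):
        if alert["event"] == "purchase" and alert["detail"] not in known_merchants:
            findings.append(("unfamiliar_merchant",
                             f'{alert["detail"]} {alert["amount"]:.2f}'))
        elif alert["event"] == "login_failed":
            failures.append(alert["time"])
            # Keep only the failures that fall inside the sliding window.
            failures = [t for t in failures
                        if alert["time"] - t <= FAILED_LOGIN_WINDOW]
            if len(failures) >= FAILED_LOGIN_LIMIT and not burst_reported:
                findings.append(("failed_login_burst",
                                 f"{len(failures)} failures by {alert['time']:%H:%M}"))
                burst_reported = True
        elif alert["event"] == "card_blocked":
            findings.append(("card_blocked", alert["detail"]))
    return findings


if __name__ == "__main__":
    for kind, detail in analyze_alerts(SAMPLE_ALERTS):
        print(f"{kind:22} {detail}")
```

Any finding at all is your trigger for the measures in the next list (call the bank, block transactions, change passwords and PINs). The known-merchant set is deliberately yours to maintain; a false positive costs a phone call, a false negative can cost the account balance.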

In the wake of the incident, you should immediately take the following measures:

  • Call your bank or credit bureau immediately
  • Block further transactions
  • Change your passwords and PINs. Always use unique passwords, so that if one account gets hacked, the others are still protected
  • Check your credit history
  • Run a malware scan
  • Enable two-factor authentication
  • Enable your bank’s mobile messaging service so that you receive a message for every activity on your account

General attack tips

The previous sections elaborated on attack scenarios and solutions related to a ransomware attack, financial breaches or attacks on mobile devices. However, in a general situation where you don’t know what type of attack has occurred, you should take the following measures:

Quarantine your personal computer

As soon as you realize that your PC has been compromised or Personally Identifiable Information (PII) has been stolen or lost, you should immediately unplug your PC from the network or disable your Wi-Fi. As long as your PC is connected to the Internet, the hackers can continue using their access to the device to pose further damage.

More importantly, make sure you have removed any USB flash drives. The infection may have been introduced by a malicious script or program carried on an infected USB flash drive.

Turn off your computer

Since malware has already been injected into your PC, merely disconnecting from the Internet is not a complete solution. You also need to shut the machine down immediately to stop the malware from operating and prevent further damage.

After that, pull the hard drive out and install it as a secondary, non-bootable “slave” drive in another secure PC that runs antispyware, antimalware and antivirus programs. Do not set the drive as “master”: the other PC would then boot from the infected drive’s operating system, with devastating consequences for that PC as well.

Scan drive

Run the security programs on the other PC to detect and remove viruses or malware from your hard drive. Once the drive is clean, you can move it back to your old PC. Before doing so, ensure that the drive’s DIP switches have been set back to “master.”

In case you don’t have another PC to scan your infected drive, then you can also try the following procedure:

  1. Enter “Safe Mode”
  2. Delete temporary files using disk cleanup utilities
  3. Download antivirus, anti-spyware and anti-malware scanners
  4. Fix your Web browser
  5. Keep your PC clean
  6. Run backup to restore your data
  7. Encrypt your critical files

Restore the data

You may have either a full-image backup of your hard drive or a copy of some sensitive files. Backups allow you to easily recover your confidential data or PII without any loss. However, the situation may be different if you have become a victim of a ransomware attack.

Under such circumstances, a copy of your data is under the control of cybercriminals who can disclose it on the Internet. If you have no backup copy at all, the situation is even more devastating.

Create a backup plan

In the previous section, you saw the importance of a backup plan. Backups should be created on a regular basis to protect your data from damage, destruction, malware and viruses.

Several devices and services can be used to create a backup plan. These include a USB flash drive, external hard drive, CD/DVD, Network Attached Storage (NAS), cloud storage and file synchronization services, or any combination of these.

Below is a list of the types of data whose backup can be essential, in addition to obvious data such as academic documents, images, audio, video and so on.

  • Social networks: Though it seems odd to back up something that isn’t on your hard drive, it’s vital given the insecurity of and trust deficit in social media networks such as Facebook and Twitter. In 2018, Facebook security issues exposed the sensitive information of 50 million users
  • Drivers: Instead of rummaging through the manufacturer’s website, you can back up your device drivers. However, analysts recommend installing digitally signed and up-to-date drivers from vendors’ websites instead
  • Emails: To back up email, you can use eM Client for Outlook.com and Google Takeout for Gmail. Though both companies store emails in the cloud by default, you can’t always trust their security posture
  • Browsers: You often open multiple browser tabs and save them for later, bookmark many sites for later retrieval, and rely on history records and add-ons. Having a backup copy of all of these saves a great deal of time after a system restore or when installing a new operating system
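A backup you have never verified is only a hope, and a backup on an always-connected drive can be encrypted by the same ransomware that hit the PC. The script below is an added example for this article, not code from the original: it copies a folder to a destination (a mounted external drive or NAS share, paths assumed), writes a SHA-256 manifest, verifies the copy against the manifest before any restore, and shows how a tampered backup file is caught. The source tree in the demo is constructed in a temporary directory.

```python
"""File-level backup with a SHA-256 manifest, verification and restore.

Added example, not code from the original article. It implements the
"regular backup" the text recommends for a folder of critical files: copy the
tree to a destination (e.g. an external drive or NAS share; the paths used
in the demo are assumptions), record a SHA-256 digest for every file in a
manifest, and refuse to restore until the copy verifies against the manifest.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "backup-manifest.json"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(source: Path, destination: Path) -> dict:
    """Copy every file under source to destination and write the manifest."""
    manifest = {}
    for path in source.rglob("*"):
        if path.is_file():
            rel = path.relative_to(source).as_posix()
            target = destination / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, target)          # copy2 keeps timestamps
            manifest[rel] = sha256_of(target)   # hash the copy, not the source
    (destination / MANIFEST_NAME).write_text(
        json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_backup(destination: Path) -> dict:
    """Re-hash every file in the backup and report missing/corrupted entries."""
    manifest = json.loads((destination / MANIFEST_NAME).read_text())
    missing, corrupted = [], []
    for rel, digest in manifest.items():
        target = destination / rel
        if not target.exists():
            missing.append(rel)
        elif sha256_of(target) != digest:
            corrupted.append(rel)
    return {"files": len(manifest), "missing": missing,
            "corrupted": corrupted, "ok": not missing and not corrupted}


def restore_backup(destination: Path, target_dir: Path) -> int:
    """Verify first, then copy the backup's files back; returns files restored."""
    report = verify_backup(destination)
    if not report["ok"]:
        raise RuntimeError(f"backup failed verification: {report}")
    manifest = json.loads((destination / MANIFEST_NAME).read_text())
    for rel in manifest:
        dst = target_dir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(destination / rel, dst)
    return len(manifest)


def run_demo() -> tuple:
    """Back up a constructed source tree, verify, restore, then detect tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "documents"
        backup = Path(tmp) / "external-drive" / "backup-2019-05-29"  # assumed path
        (source / "docs").mkdir(parents=True)
        (source / "docs" / "notes.txt").write_text("constructed sample notes\n")
        (source / "budget.csv").write_text("item,amount\nrent,900\n")
        create_backup(source, backup)
        first = verify_backup(backup)
        restored = restore_backup(backup, Path(tmp) / "restored")
        # Simulate the backup copy being altered (bit rot, or ransomware that
        # reached an always-connected drive): the digest no longer matches.
        (backup / "docs" / "notes.txt").write_text("ENCRYPTED BY ATTACKER\n")
        second = verify_backup(backup)
        return first, restored, second


if __name__ == "__main__":
    print(run_demo())
```

Keep the manifest with the backup but also copy it somewhere the backup drive cannot reach (a cloud folder or a second drive): an attacker who can rewrite the files can rewrite a manifest stored next to them, whereas an offline copy of the manifest still tells you which files to distrust.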

To promote backup awareness, Maxtor (an HDD company) started World Backup Day on March 31st, 2019. You can find important information and stats on WorldBackupDay.com.

Determine the cause of the infection

You can determine the cause of infection by carefully reviewing the activities you have performed recently on your PC. They may include:

  • Installing unpatched software
  • Visiting torrent websites
  • Making a Bluetooth transfer
  • Booting from or opening data on unknown disks
  • Clicking on unknown attachments or links
  • Downloading pirated or cracked software
  • Becoming a victim of a phishing attack
  • Visiting http:// links instead of https://

Always encrypt your data and devices

Using data encryption, you can safeguard your PII and other data on storage devices. Various types of encryption are available, including:

  • Full disk: Full disk or whole disk encryption protects the operating system, its installed applications and other locally stored data
  • Database encryption: This uses Database Management System (DBMS) software that includes native encryption features to integrate cryptography functions directly into your database program
  • Mobile device encryption: If you are using a mobile device, you can use mobile device encryption, both for software and hardware components, to safeguard data on your smartphone
  • Hardware-based encryption: In addition to software-based encryption, hardware-based techniques to incorporate into your plan include encrypted hard drives, encrypted USB flash drives, Hardware Security Modules (HSM) and Trusted Platform Modules (TPM)

Learn lessons and prevent a repeat of the incident

We’ve discussed some suspicious activities that can pose a massive threat to your PC. Be careful not to make the common mistakes that lead to these problems: always keep your operating system and antivirus program up to date and perform regular backups.


Sources

  1. ****, my computer was hacked! 3 things you should do immediately, Prey Nation
  2. Remote Wipe, TechTarget
  3. Ransomware, TechTarget
  4. 12 signs you've been hacked -- and how to fight back, CSO
  5. 4 signs you're a victim of ransomware, ComputerWorld
  6. What is ransomware? How these attacks work and how to recover from them, CSO
  7. How to remove malware from your Windows PC, PCWorld
  8. World Backup Day 2019, Forbes
  9. Facebook Security Breach Exposes Accounts of 50 Million Users, The New York Times
  10. The Beginner's Guide to PC Backup, PCMag
  11. Some Common Sources of Computer Virus Infection, REVE Antivirus
  12. 711 bank accounts hacked in Dubai in 3 years, Khaleej Times
  13. Your bank account just got hacked — what do you do now?, News.com.au
  14. What should I do if my bank account is hacked?, Finder

Fakhar Imam is a professional writer with a Master of Science in Information Technology (MIT). To date, he has produced articles on a variety of topics, including computer forensics, CISSP and various other IT-related subjects.