Prepare for the inevitable: Incident response plan to phishing attacks

If the latest news we’ve been reporting here on our TechGenix site is any indication, phishing attacks are on the rise everywhere. Phishing attacks are clearly getting more ingenious and harder to protect your business against, so anywhere one can get some good advice on how to deal with them is definitely welcome. And that’s exactly the kind of nugget I found in a new book I read recently titled “Protecting Information Assets and IT Infrastructure in the Cloud” (CRC Press, 2019). This useful book by Ravi Das and Preston de Guise focuses on cloud computing environments like Amazon Web Services (AWS) that are increasingly popular with today’s businesses and how to protect these environments from all kinds of attacks. And the kinds of attacks faced nowadays by companies and organizations that use AWS or other cloud services are manifold and include ransomware, spear phishing, SQL injection, cross-site scripting, spyware, insider threats, and much, much more.

One type of threat frequently encountered by businesses is the phishing attack, an attempt by a malicious actor to gain access to sensitive business data like financial records and to personal information belonging to employees. And regardless of whether your company’s infrastructure is maintained locally or kept in the cloud, it can often be vulnerable to this kind of attack. Phishing usually employs email messages as an attack vector, though with other collaboration technologies like SMS messaging, shared workspaces, and social media now vying to replace email in business environments, it probably won’t be long until phishing extends to these as well. And while in the past most phishing attacks have involved sending mass emails in the hope of having some careless user open a malicious attachment or divulge some bit of sensitive information, a rising trend in the last few years has been spear phishing, where specific individuals or groups in the organization are targeted.

The key strategic step your business needs to take to prepare for the inevitability of these kinds of attacks is to develop a proper incident response plan before such attacks happen. Incident response planning involves a combination of policies, practices and personnel that provide your business with a kind of playbook that can be walked through step by step in the event that an incident occurs at your company. A good incident response plan can also help prevent such attacks from actually occurring, though the primary purpose of such plans is to mitigate the damage that results when an attack has taken place.

Incident response planning for phishing attacks like this is one area where Ravi and Preston have provided some excellent guidance in their book. In chapter 3 (Risks to Cloud Infrastructure and Risk Mitigation Strategies), they outline the following five-step procedure for enabling your organization to respond effectively to an incident of a phishing attack.

Identification


This is where an employee has detected what possibly may be a phishing email or other attempt at harvesting data from your organization. Employees need to be instructed on how to identify what might be suspicious messages based on such things as the sender’s email address, the subject line, the topic and style of writing in the message body, the presence of an unusual or unsolicited attachment, the presence of suspicious links, and so on. One great tip the authors present is to make sure your support team has set up an isolated workstation dedicated to examining possible phishing messages where suspicious attachments and links can be safely opened to determine whether the emails are valid or malicious in intent.

Triage

After the identification step, the next stage of incident response is to perform a triage of the suspect message. You’ve determined that the message the user received is likely a form of phishing attack. But what kind of an attack? Is it an attempt at business email compromise? A spear phishing attack? Is the malicious attacker trying to “whale” your company, i.e., target one of your C-level executives and try to get them to transfer funds or perform some other action? Do the links in the email try to suck you into opening a spoofed website? Is JavaScript being used to maliciously alter what’s visible in the address bar of your browser when you open a link? Once you’ve succeeded in nailing down exactly what kind or kinds of attack methods are being used, you can assign a level of priority that will determine where you proceed from there. For example, if you’ve discovered a new and unfamiliar type of phishing attack being perpetrated on your business, you will want to have IT further investigate its nature, and you will also want to inform employees generally to be on the watch for similar attacks in the future and of the steps they need to take to remain safe while the current attack is being mitigated within your organization.
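The identification cues and the priority assignment described above can be partly automated for messages that employees report. The following is an added example, not code from the book or from this article; the indicator names, the extension list, the subject keywords, and the priority thresholds are all assumptions to adapt to your own plan.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message, not real mail; every domain is a placeholder.
SAMPLE = """\
From: "Payroll Team" <payroll@example-corp.test>
Reply-To: payroll@mail-example.test
Subject: Urgent: confirm your bank details
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Sign in at <a href="http://login.portal-example.test/a">https://hr.example-corp.test</a></p>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.pdf.js"

AAAA
--b1--
"""

RISKY_EXT = (".js", ".exe", ".scr", ".vbs", ".hta", ".iso", ".lnk")  # assumed list
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def indicators(raw):
    """Return the indicator labels found in one reported message (parsed, never opened)."""
    msg, found = message_from_string(raw), []
    dom = lambda h: parseaddr(msg.get(h, ""))[1].rpartition("@")[2].lower()
    if dom("Reply-To") and dom("Reply-To") != dom("From"):
        found.append("reply-to-mismatch")       # replies go to a different domain
    if re.search(r"\b(urgent|verify|confirm|suspended)\b", msg.get("Subject", ""), re.I):
        found.append("pressure-subject")        # wording that pushes for quick action
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXT):
            found.append("risky-attachment")    # also catches double extensions
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            for href, text in LINK_RE.findall(body):
                shown = urlparse(text.strip()).hostname
                if shown and shown != urlparse(href).hostname:
                    found.append("link-text-mismatch")  # visible URL differs from target
    return found

def priority(found):  # thresholds are an assumption, tune to your plan
    return "high" if len(found) >= 3 else "medium" if found else "low"
```

A script like this only sorts the queue; the isolated workstation and a human analyst still make the call on what kind of attack it is.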

Investigation

The third stage of your incident response plan will involve the careful examination of the phishing message by your IT department along with an assessment of the level of impact that has already occurred, if any. The authors get into the technical details of this in their book so I won’t describe them here but simply recommend you read what they have to say on the subject.

Remediation

Remediation is where the fun starts because it involves taking concrete steps to contain the damage, minimize the impact the attack has had upon your business, and ward off any possible future impact. Some possible steps you may take, depending upon the results of your investigation, can include changing the passwords and even the user names of employees who were affected by the attack; changing login credentials or even resource identifiers for corpnet resources that have been compromised; refreshing workstations and performing remote wipes of mobile devices involved in the incident; and so on.

Risk avoidance


There’s one final step that your incident response team should take once the effect of a phishing attack has been remediated, and that is to do whatever can be done to prevent the same kind of attack from succeeding again in the future. While user education is a key pillar here, sometimes it’s best to bring in outside help from cybersecurity consultants who can review the incident and your response plan and then provide you with actionable steps you can take to improve the security posture of your organization. Ravi and Preston go into some detail concerning this stage in their book and I highly recommend those involved in safeguarding your business or organization against cyberattacks of all kinds to get a copy of their book and go through it carefully to ensure your company is prepared for the inevitable attacks. And while the book is particularly oriented towards the security of businesses using the cloud — and Amazon’s cloud in particular — much of the book provides practical cybersecurity advice for all kinds of business and technical environments.
