How ACME Co. Survived their First Cyber-Attack [Part I]
/For Cybersecurity Awareness Month, Affinity Technology Partners presents a four-part series on cybersecurity for small businesses. Written by Affinity’s Chief Information Security Officer, Bart Holzer, the series follows a fictitious small business suffering its first cyber-attack.
Week 1: Why Me?
It’s Week 1 of Cybersecurity Awareness Month. This week, we’re introduced to ACME Co., a fictitious small business that misplaced $50,000.
Happy Tuesday! Joanna set the desk as she did every morning, docking her laptop, and placing her phone and coffee beside the keyboard. She settled into her desk chair to go through her calendar and to-do list for the week. As the owner of ACME Co., the small family business would navigate the next quarter in her direction. What made this Monday more daunting was that she had taken a long weekend, and vacations usually meant a lot of catching up upon her return.
Before Joanna could start combing through her waiting inbox, ACME’s “finance guy” poked his head into her office. Fred had been with the company for years and was the person responsible for accounts receivable and payable, although Joanna still insisted upon signing every check that went out. Fred was a trusted employee, someone Joanna relied upon. He was timely and accurate and protected the company’s money as his own – perhaps the perfect finance person.
The update Fred gave Joanna first thing Monday morning would’ve been totally normal, but what he said caught her off guard. “I sent that wire you asked me about,” he said with a hint of pride. “It should have made the deadline on Thursday.” They both registered surprise when Joanna’s urgent response was, “What wire?”
“You emailed me and asked to send $50,000 to Ne’er-Do-Well Investments,” Fred said, then his voice trailed off as he followed with, “You said it was urgent and that you would fill me in on Monday.”
WELCOME TO YOUR FIRST HACK
Getting hacked for the first time is traumatic. As with any major life event that causes anguish, one finds themselves in the stages of grief: denial, anger, bargaining, depression, and acceptance. The folks at ACME have just realized something is off. They will initially suspect a simple mistake has been made. Each will wishfully think, “Everything is fine... we just have a small miscommunication.” But, things are most certainly not fine. And, decisions they make in the next few hours will be critical.
“But You Said It Was Urgent!” After they both realized something wasn’t quite right, Fred and Joanna had a rapid-fire exchange. Joanna was on vacation and tried her best to unplug. She did not send an email to Fred. But, an email – from her actual email address – went to Fred about a wire. Trying to respect her vacation time, Fred did not call her. The pair looked at the email Fred had received. It appeared to have been written by Joanna, herself – the tone and signature lines all matched. Fred knew the wire transfer was an unusual request, but he also knew that Joanna was looking into investment opportunities. They had talked about that before her departure. So, nothing seemed wrong at the time.
The more the two talked, the more it became apparent: someone had hacked into Joanna’s email account. To them, there was no other explanation. The email came from Joanna’s account, but Joanna had NOT sent the email!
Neither Joanna nor Fred knew who to call first. Fred knew his neighbor did some kind of security for a living, so Fred placed the first call. To his relief, Fred’s neighbor answered and gave him sound advice on how to get started.
Fred’s neighbor happened to be a good person to know. His first question to Fred was about ACME’s Incident Response Plan. Since ACME did not have one, they had to make a plan on the fly.
Here’s the plan Joanna and Fred developed with help from the neighbor:
Assign Incident Commander. This is the person who will serve as the hub of information.
Create a War Room to serve as the central location for the team.
Do no assume a breach has occurred. Let the evidence prove it out. Don’t use the “B-word” until your lawyer concurs.
Start a “case file” and take contemporaneous notes. This could be a simple spreadsheet or in an actual notebook. Do not assume you’ll remember everything later and write it down.
Start a Contact List on its own page.
Start a basic timeline of events on its own page(s).
Consider email as potentially compromised and do not use it during incident response. Switch to text messages and phone calls, for now.
Have your IT person check the email system for indicators of compromise (IOCs) in Joanna’s account and take lots of screenshots. IOCs could include:
Logins from strange locations (ex. outside the Unites States, in the case of ACME)
Email Forwards
Email Rules
Unrecognized “connected devices”
Call your bank. Ask for the Fraud Department. Ask them to open their own case. Provide them with as much detail as possible about the wire.
Call your lawyer.
Call you insurance broker.
Call law enforcement.
Executing the Plan
Joanna decided to use a paper notebook, seeking to avoid computers for the moment. As she wrote “Incident” and the date at the top of the first page, the seriousness started to sink in. Her company just lost a lot of money, perhaps more than they could afford. It was all she could do not to start worrying about payroll and all the other expenses she knew were coming due. Fred was already wringing his hands, so she knew he was sharing the same concerns.
On the second page, she wrote “Contacts” and asked Fred to track down the bank’s information. She made additional entries and took out her cell phone to find contacts she thought might be in her address book. As the pages started to fill, she felt some control for the first time since Fred stopped by with the news.
Join Us Next Week
Joanna and Fred are just beginning to respond to their incident. Next week, we’ll see how they handle themselves in responding to the hack.
Disclaim: This story is 100% fictional and does not represent any person or company in any way.