Personal Incident Response
In my daily work, I’m involved in cyber incident response planning and triage. This involves coordinating with many teams, experts and managers who all have their own vision of the best course of action. But the last time I had a data leak in my home network, it was just me and a friend who happened to be over for dinner, and we did just fine.
After dinner, as we were talking about a work-related project, I pulled out my phone to show an email I had received earlier that day. But a different email caught my eye, one I had seemingly sent to myself. Now I do indeed sometimes send myself emails as reminders, but not with the title “ password is ”. I had been hacked.
During my daily work, I always tell my clients that the first thing you need to do during every incident is: breathe. This short breath is meant to let the initial shock pass, so that you are ready to make appropriate and correct decisions.
I would like to say this is what I did, but it was not. In my initial disbelief, I skimmed through the email. All I cared about was that this attacker had breached my email account and, by proxy, all accounts linked to it. From what I could see, my password was now public.
Know who to call
The only thing I could think of doing was to quickly change my password and verify that my bank account hadn’t been pillaged. Everything seemed to be there. But I wanted to be sure nothing had been done in the background, and manually checking all my accounts would take ages. My friend, who was calmly researching the attack while I was assessing the impact, pointed out that Gmail keeps track of login history. Looking at this information, I could see that all logins were from either my home, work or mobile addresses. So how did he use my own email address to send me this threatening email?
Cover your bases
As I sat there, baffled at the situation, I finally had time to think about what I was seeing instead of the blind flurry of response I was performing. I decided to go back to the start and follow the basic incident response steps: Identify, Contain, Eradicate. As I was trying to identify what the actual incident was, I took a closer look at the email and concluded that:
o The sender had been spoofed
o The technical threat was gibberish
o The password was correct
The conclusion: my email password had been leaked, but the attacker wasn’t aware the password was correct. My assumption is that somewhere online I had used this email and password for an account that had been leaked and was now being used in a ransom phishing campaign. Changing my password had re-secured my email and resolved the incident.
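The first bullet, “the sender had been spoofed”, is something you can verify from the headers the receiving mail server stamps onto the message rather than from the From: line the attacker controls. The script below is an added example, not code from this post: it parses a constructed raw message (placeholder addresses and hosts), compares the From: domain with the envelope sender in Return-Path, and reads the SPF/DKIM/DMARC verdicts from Authentication-Results. A second, constructed legitimate message shows what the same check looks like when nothing is wrong.

```python
# Added example (not from the original post): triage a "sent from my own
# address" ransom email by checking the server-added headers instead of From:.
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample: From: claims the victim's own address, but the envelope
# sender and relaying host are unrelated, and SPF/DKIM/DMARC all failed.
SPOOFED_MESSAGE = b"""\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [203.0.113.10])
        by mx.example.com with ESMTP id abc123
        for <victim@example.com>; Mon, 01 Jan 2024 10:00:00 +0000
Authentication-Results: mx.example.com;
        spf=fail smtp.mailfrom=mailer.example.net;
        dkim=none header.i=none;
        dmarc=fail header.from=example.com
From: victim@example.com
To: victim@example.com
Subject: victim@example.com password is hunter2
Date: Mon, 01 Jan 2024 09:59:00 +0000

I have access to your account and all your data...
"""

# Constructed control: a genuine self-sent reminder that passes every check.
LEGIT_MESSAGE = b"""\
Return-Path: <victim@example.com>
Authentication-Results: mx.example.com;
        spf=pass smtp.mailfrom=example.com;
        dkim=pass header.d=example.com;
        dmarc=pass header.from=example.com
From: victim@example.com
To: victim@example.com
Subject: reminder: renew domain

Renew the domain before Friday.
"""


def parse_auth_results(header):
    """Extract the spf=/dkim=/dmarc= verdicts from an Authentication-Results header."""
    verdicts = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(r"\b%s=(\w+)" % method, header or "", re.IGNORECASE)
        verdicts[method] = m.group(1).lower() if m else "missing"
    return verdicts


def triage(raw):
    """Return the indicators that show whether the From: header was spoofed."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))

    from_domain = from_addr.rpartition("@")[2].lower()
    envelope_domain = return_path.rpartition("@")[2].lower()

    indicators = []
    if from_domain != envelope_domain:
        indicators.append("envelope sender domain differs from From: domain")
    if auth["spf"] != "pass":
        indicators.append("SPF did not pass for the envelope sender")
    if auth["dmarc"] == "fail":
        indicators.append("DMARC failed for the From: domain")

    return {
        "from": from_addr,
        "return_path": return_path,
        "auth": auth,
        "indicators": indicators,
        "from_header_spoofed": bool(indicators),
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        result = triage(raw)
        print(label, result["from_header_spoofed"], result["indicators"])
```

The check deliberately treats a missing DKIM signature as informational only: plenty of legitimate mail is unsigned, whereas an SPF failure or a DMARC failure on the From: domain, combined with an envelope sender from another domain, is the usual signature of a spoofed self-addressed threat.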
I wasted a lot of time by panicking. Once I started covering the basics like I do during my work, I quickly realized this wasn’t as big of an issue as I initially thought. Lessons learned:
o Stay calm and breathe before you start responding, no matter the size of the incident.
o Don’t reuse the same password across accounts, or this will happen again.