Playbook for Incident Response to Threats Against Phishing Attack

Action Steps for Threats against Phishing Attack

Description of Crisis

Objective

To efficiently respond to and mitigate the effects of a phishing attack.

Trigger

This playbook is triggered when a user reports a suspected phishing email or an email security system flags a potential phishing attempt.

Action Steps

Pre-Crisis

Preparation

Regularly update anti-phishing training for all employees.
Ensure all systems have the latest security patches.

During-Crisis

Identification

Confirm the phishing attempt:

Verify sender information.
Check for suspicious links or attachments.
Analyze for urgency or pressure tactics in the email content.

Containment

If a phishing email is identified:

Instruct the affected user to not interact with the email.
Isolate the affected user’s account from the network if interaction has occurred.

Eradication

Remove phishing emails from all user inboxes.
If any systems were compromised, initiate a password reset and malware scan.

Recovery

Monitor the affected systems to ensure they return to normal operational status.
Conduct a review to confirm that the threat has been entirely eradicated.

Post-Crisis

Post-Incident Activity

Record the incident’s details for future reference.
Update defence mechanisms based on the attack’s nature.
Provide additional training if necessary.

Communication

Inform the IT security team and stakeholders about the incident.
Communicate transparently with affected parties as appropriate.

Review

Hold a post-incident meeting to discuss what was learned and how to prevent similar incidents.
Update the playbook with any new findings.

More Information About Crisis Management Courses

To learn more about the course and schedule, click the buttons below for the CM-300 Crisis Management Implementer [CM-3] and the CM-5000 Crisis Management Expert Implementer [CM-5].