

Top 5 Most Common Incident Response Scenarios


Whether it is phishing, malicious network scanning, or ransomware, cyber incidents can be overwhelming. If your organization has so far been fortunate enough to avoid serious harm from any of these scenarios, that luck may not hold. When it comes to Incident Response, it is important to understand how attackers operate and to be as informed as possible about the incidents that can affect your organization. Being able to detect an incident and recognize it as one of these common attack types may make the difference in how successfully your organization contains and eradicates an attack before it joins the many victims of cybercrime.

To help visualize what Incident Response looks like today, the Modern Incident Response Life Cycle diagram, pictured below, outlines the processes involved once a cybercrime threat is realized.


Modern Incident Response Life Cycle


The diagram starts on the left with the beginning of Incident Response: Prepare. The Prepare (or Preparation) phase involves putting controls in place to prevent incidents from occurring on your network or to your organization in the first place.

Next, notice how the arrows lead to the next step: Detect and Identify. During this time, the Observe, Orient, Decide, and Act (OODA) loop begins. Just because this cycle is only on this diagram once does not mean it will only be completed once during the detection phase of Incident Response. Every incident is different, meaning each incident should be treated independently.

From the OODA loop, Contain and Eradicate are next. These phases of the Life Cycle usually take longer than expected. If one thing can be learned from Incident Response, it is that the amount of work these two phases require is unpredictable, so any timeline or time limit set for them is likely to be wrong.

After Contain and Eradicate, Recovery is next. Recovery is the process of implementing mitigations against the incident that has taken place and making sure that the threat is fully eradicated.

Lessons Learned is the final step to the Incident Response Life Cycle, but this does not mean the work ends there. Be sure all employees and individuals know where the organization made improvements and why those improvements will help protect the network in the future. Notice how Lessons Learned links to the beginning of the Life Cycle diagram. There should be constant feedback between the end of one incident and the potential beginning of another.

Now that the process for a Modern Incident Response Life Cycle has been discussed, below you will find the 5 most common Incident Response scenarios, as well as how to Protect, Detect, and Respond to each scenario.


1. Phishing

Phishing is the #1 most common Incident Response scenario and is most likely the initial compromise for ALL of the following scenarios. Now is the time, more than ever, to be focusing on training employees to be vigilant of malicious emails by educating your people regularly and testing them with company-wide phishing campaigns.

Protect

  • Security Awareness Training & testing employees. Training is a good learning opportunity for your employees. They need to understand how to identify Social Engineering techniques and phishing emails, as well as the most common phishing scenarios used by attackers. Take their education a step further by testing employees’ Social Engineering and phishing awareness through a Social Engineering Assessment.
  • DomainKeys Identified Mail (DKIM), Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting & Conformance (DMARC). DKIM is an email authentication method that lets a receiving server detect forged sender addresses by checking a signature added by the sending domain. SPF is also an email authentication method; it detects forged sender addresses during email delivery by checking whether the sending server is authorized for the domain. DMARC builds on both and is an email authentication, policy and reporting protocol: it tells receivers what to do with mail that fails these checks and reports the results back to you. Implementing DKIM, SPF, and DMARC (all of which are free!) will help prevent phishing emails from becoming an incident response situation.
  • Email Sandboxing. Sandboxing methods, such as Mimecast, add an extra layer of protection against malicious emails. Emails containing links or attachments can be tested before they reach a mail server.
  • Multi-Factor Authentication (MFA). MFA is an authentication method in which a user is granted access to an application or system only after successfully presenting two or more pieces of evidence (factors, often including a one-time code sent by text message) to an authentication mechanism. MFA will ensure an attacker cannot gain unauthorized access to accounts on the network, even if the user hands over their credentials in a phishing attack.
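As an added example (not part of the original article and not SBS code), the Python below grades the SPF and DMARC TXT records a domain publishes, with a deliberately weak pair of records beside a hardened pair. The domain example.test and both record sets are constructed; DKIM is not checked here because verifying it requires the signed message and the sender's selector record, not just a DNS lookup.

```python
"""Grade SPF and DMARC TXT records for the weak settings that let spoofed mail through.
Added example: the domain and records below are constructed, not real DNS data."""
import re

# Constructed records for the hypothetical domain example.test: a weak pair and a hardened pair.
RECORDS_WEAK = {
    "example.test": "v=spf1 include:_spf.mailhost.example +all",
    "_dmarc.example.test": "v=DMARC1; p=none; rua=mailto:dmarc@example.test",
}
RECORDS_HARDENED = {
    "example.test": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_dmarc.example.test": (
        "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
        "rua=mailto:dmarc@example.test"
    ),
}

# SPF mechanisms/modifiers that cost a DNS lookup (RFC 7208 caps these at 10).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _mechanism(term):
    """Strip the qualifier (+ - ~ ?) and any argument, leaving the mechanism name."""
    return re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()


def check_spf(record):
    """Return a list of findings (an empty list means no weakness found)."""
    if not record.lower().startswith("v=spf1"):
        return ["not an SPF record"]
    terms = record.split()[1:]
    findings = []
    all_term = next((t for t in terms if _mechanism(t) == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders are treated as neutral")
    elif all_term in ("+all", "all"):
        findings.append("'+all' passes every sender; use '-all' (hard fail) or at least '~all'")
    elif all_term == "?all":
        findings.append("'?all' is neutral; use '-all' or '~all'")
    elif all_term == "~all":
        findings.append("'~all' only soft-fails; prefer '-all' once every legitimate sender is listed")
    lookups = sum(1 for t in terms if _mechanism(t) in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms exceed the limit of 10 (permerror)")
    return findings


def check_dmarc(record):
    """Return a list of findings for a DMARC record (an empty list means none)."""
    tags = {}
    for kv in record.split(";"):
        if "=" in kv:
            key, value = kv.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered. Move to quarantine, then reject")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofs to junk; p=reject blocks them outright")
    elif policy != "reject":
        findings.append("missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} applies the policy to only that percentage of mail")
    return findings


def grade(records):
    """Map each record name to its findings; SPF lives at the bare domain, DMARC at _dmarc.<domain>."""
    return {
        name: (check_dmarc if name.startswith("_dmarc.") else check_spf)(value)
        for name, value in records.items()
    }


if __name__ == "__main__":
    for label, recs in (("weak", RECORDS_WEAK), ("hardened", RECORDS_HARDENED)):
        print(label, grade(recs))
```

Run against the weak pair the checker reports the `+all` and `p=none` findings; against the hardened pair it reports nothing. In practice you would feed it the TXT records returned by a DNS query for your own domain and re-run it after every change to your mail setup.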

Detect

  • Unexpected emails from known or unknown individuals. If the person or conversation seems out-of-the-blue, be vigilant and confirm the email is legitimate.
  • Emails that contain links and/or attachments. Links and attachments can act as a “back door” to your network. Remember, the hacker cannot get in unless you give them an opening. Also, be on the lookout for spelling errors or unusual domains in emails you receive.
  • If any email is trying to persuade or rush you into doing an action, resist the urge. Phishing emails often prompt extreme feelings to push the user in the direction the malicious actor wants.
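The three warning signs above can also be checked mechanically at the mail gateway or in a SOC triage script. The Python below is an added example, not code from the article or from SBS: it parses a constructed message and scores it for a lookalike sender domain, links and attachments, and urgency wording. The organization domain example.test, the urgency word list and the sample message are all assumptions.

```python
"""Score a raw email for the phishing signals a user is told to watch for:
a sender domain that looks like ours, links/attachments, and urgency wording.
Added example; the message below is constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.test"  # assumed organization domain
URGENCY_WORDS = ("immediately", "urgent", "within 24 hours", "account will be suspended", "act now")
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".hta", ".iso", ".lnk")

# Constructed sample: familiar display name, lookalike domain (digit 1 for letter l),
# a link, an executable attachment and urgency wording.
SAMPLE_EMAIL = """\
From: "Pat Accounting" <pat@examp1e.test>
To: user@example.test
Subject: URGENT: invoice must be paid immediately
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached invoice and confirm at http://examp1e.test/pay within 24 hours
or your account will be suspended.
--b1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"

MZ
--b1--
"""


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse(raw, our_domain=OUR_DOMAIN):
    """Return (score, reasons); each distinct signal adds one point."""
    msg = message_from_string(raw)
    reasons = []

    # 1. Unexpected sender: a domain within two edits of ours but not ours.
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if sender_domain != our_domain and 0 < edit_distance(sender_domain, our_domain) <= 2:
        reasons.append(f"sender domain {sender_domain!r} looks like {our_domain!r}")

    # 2. Links and attachments.
    body, attachments = "", []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            attachments.append(part.get_filename() or "?")
        elif part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode(errors="replace")
    urls = re.findall(r"https?://[^\s<>\"]+", body)
    if urls:
        reasons.append(f"{len(urls)} link(s): {urls}")
    for name in attachments:
        kind = "executable attachment" if name.lower().endswith(RISKY_EXTENSIONS) else "attachment"
        reasons.append(f"{kind} {name!r}")

    # 3. Pressure to act.
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        reasons.append(f"urgency wording: {hits}")
    return len(reasons), reasons


if __name__ == "__main__":
    print(analyse(SAMPLE_EMAIL))
```

The sample scores 4 (lookalike domain, link, executable attachment, urgency), while a plain internal note scores 0. A score is only a triage aid: the point is to route high-scoring mail to a reviewer rather than to the inbox.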

Respond

  • Quarantine the malicious email from all accounts on the system. Be sure no one can access the email from anywhere on your network until it is reviewed by an administrator.
  • If your organization uses a SIEM, check to see if there are any custom threat intelligence rules to add.
  • Watch network alerts for Indicators of Compromise (IoC); you can refer to SBS’ previous article on Indicators of Compromise for more information.


2. Malware

Malware is a big umbrella for malicious software. Malware is mainly used to gain unauthorized system or network access to steal (exfiltrate) intelligence, data, or information.

Protect

  • Application Whitelisting. Whitelisting ensures a device will only allow pre-approved applications to be installed, which prevents malicious applications from being downloaded and installed onto your devices.
  • AV scans and Endpoint protection. Use a solution that has second-generation detection capabilities (behavioral analysis vs. detection by definition) that includes scripting control.
  • Multi-Factor Authentication (MFA). Same as in the Phishing scenario; MFA will ensure an attacker cannot gain unauthorized access to any accounts that are in the network.

Detect

  • Slow computer & Blue Screen of Death (BSOD). If your device seems to be running much slower or you receive an unexpected BSOD, these are common symptoms of malware on your device. Be sure to report such issues to your IT and IS staff.
  • Dwindling storage space. If you find that your device is suddenly (and unexpectedly) running out of storage, there may be malware hiding in your system.
  • Pop-ups or unwanted applications. Keep track of the applications installed on your device and pay attention if you get any confusing pop-ups. If you find any applications that you did not install on your system yourself, it could be malware camouflaging itself.

Respond

  • Key Risk Indicators. Refer to the article mentioned above on Indicators of Compromise (IoC) for more information on KRIs.
  • Contain and eradicate. Disconnect the computer from the network, but don’t power the device off. Work through the system and eradicate any malicious files or applications.


3. Ransomware

Technically, ransomware is included under the malware umbrella we discussed above. However, due to its destructive nature, ransomware is deserving of its own category. Modern ransomware has taken a turn for the worse, and attackers are now dropping ransomware after being in a network for a while once they have gained the information and data. Ransomware covers an attacker’s tracks on their way out and distracts users while data is being exfiltrated.

Protect

  • AV scans and Endpoint protection. Once again, use a solution that has second-generation detection capabilities and includes scripting control.
  • Multi-Factor Authentication (MFA). MFA ensures a user would be notified if a malicious adversary tried to log into their account.
  • Be wary of email attachments. Ransomware can be masked in emails to look like safe attachments.

Detect

  • Unusual pop-ups on the device and encrypted files. This is the most obvious sign: ransomware will more than likely notify the user on the device and encrypt every file the device can see and access on your network.
  • Firewall logs. Logs will show all activity of data being received and sent from outside of the network. Make sure your firewall logs are properly configured before an attack occurs, which will help with investigating where external traffic is coming and going, as well as when the attack occurred.
  • Define Key Risk Indicators, such as high disk usage on servers or workstations, and user account logins at strange times to help with the detection of a ransomware incident.

Respond

  • Detect a network intrusion before ransomware encrypts files. As mentioned above, modern ransomware is caused by attackers that are already in the network.
  • Monitor Key Risk Indicators and Indicators of Compromise vigilantly. It is important to know what normal looks like on your network. “Know your normal” will be repeated throughout this article to reinforce how important it is. Anything outside your “normal” levels should raise red flags.
  • Containment is a top priority in any Incident Response scenario. Creating an environment where nothing leaves the network without approval, and nothing runs on a workstation or server without approval, is key to eradication.
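To make “know your normal” concrete, here is an added Python example (not from the article and not SBS code) that learns a per-host baseline for one Key Risk Indicator named above, disk write volume, and flags readings far above it, as a sudden encryption burst on a workstation would be. The host names, the baseline readings and the three-standard-deviation threshold are constructed assumptions.

```python
"""Baseline a numeric Key Risk Indicator per host and flag readings outside 'normal'.
Added example; every reading below is constructed."""
import statistics

# Constructed hourly disk-write readings (MB) per host for a quiet baseline window.
BASELINE = {
    "ws-01": [40, 55, 38, 61, 47, 52, 44, 58, 49, 43, 60, 50],
    "srv-files": [300, 280, 320, 310, 290, 305, 295, 315, 285, 300, 310, 298],
}

# Constructed new readings: one normal hour, one burst, one normal server hour,
# and a host that has never been seen before.
NEW_READINGS = [
    ("ws-01", 52),
    ("ws-01", 2400),
    ("srv-files", 305),
    ("ws-99", 10),
]


def baseline_stats(samples):
    """Mean and population standard deviation of the baseline window."""
    return statistics.fmean(samples), statistics.pstdev(samples)


def is_anomalous(value, mean, stdev, k=3.0, floor=1.0):
    """True when the reading is more than k standard deviations above the mean.
    `floor` stops a perfectly flat baseline (stdev 0) from alerting on every reading."""
    return value > mean + k * max(stdev, floor)


def evaluate(baseline, readings, k=3.0):
    """Return (host, value, reason) for each reading that is outside normal."""
    stats = {host: baseline_stats(samples) for host, samples in baseline.items()}
    alerts = []
    for host, value in readings:
        if host not in stats:
            # An unknown host is itself outside normal: nothing can be said about it yet.
            alerts.append((host, value, "no baseline for this host"))
            continue
        mean, stdev = stats[host]
        if is_anomalous(value, mean, stdev, k):
            alerts.append((host, value, f"{value} MB/h vs normal mean {mean:.0f}, stdev {stdev:.0f}"))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(BASELINE, NEW_READINGS):
        print(alert)
```

Only the 2400 MB burst on ws-01 and the never-seen host ws-99 are reported; the ordinary readings stay silent. The same shape of rule works for any numeric KRI you choose to track, provided the baseline window was captured while the network was known to be clean.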


4. Internet-Facing Vulnerabilities

Every device that’s connected to the internet can be scanned for vulnerabilities from outside sources. Hackers do not specifically look for one victim of their scans; they set up scripts and scan every port and device they can. Whatever devices are identified over the internet and can be exploited may become an attacker’s next victim.

Protect

  • AV Scans and Endpoint protection. Once again, use a solution that has second-generation detection capabilities and includes scripting control.
  • Only whitelist the scripts your web apps use and block everything else.
  • Implement a DMZ for anything you host locally that requires someone from the internet to access (like a website or an online banking platform). A DMZ is a separate, firewalled zone that protects the rest of your network from being accessed by internet traffic from the application or system you host.

Detect

  • Audit your webservers, routers, and firewalls with penetration tests and vulnerability assessments regularly. Vulnerability Assessments will identify any known external vulnerabilities, and Penetration Tests will determine if those vulnerabilities are exploitable, allowing an attacker to access your network from the outside.
  • Use a web application firewall (WAF). A WAF helps monitor and block HTTP traffic to and from web applications. A WAF makes it possible to filter the content of certain web applications & protect the device from any malicious content.
  • Know your organization’s Key Risk Indicators (KRI), as mentioned previously.

Respond

  • Know your organization’s Indicators of Compromise (IOCs), as mentioned previously.
  • Contain and eradicate. If adversaries gain access to your network through known vulnerabilities, the organization is at risk. Be sure to disconnect compromised devices or network segments from the rest of your corporate network, as doing so will prevent the attacker from moving laterally. From there, eradicate the compromise from those devices or network segments, and be sure they are clear of any malware that is present.


5. Business Email Account Takeover

In case this incident is not familiar to you, Business Email Account Takeover occurs when a malicious user gains access to a legitimate user’s email account. For example, once an attacker gains access to the credentials from a phishing email that was sent out to employees, the attacker will then have access to that user’s email.

Protect

  • Multi-Factor Authentication (MFA). See previous descriptions of MFA.
  • Only enable external (outside your network) email access for the specific countries in which your employees work.

Detect

  • User and Entity Behavior Analytics (UEBA) in the SIEM. Look for user logins at strange times or strange user activity. Another good idea is to set alerts for employees accessing their email accounts at strange times. Remember to ask yourself the same question: what does normal look like on your network?
  • Email logging. Look out for logins to cloud-based email accounts from strange country codes. Remember, Office 365 and G Suite do not log strange country code logins to cloud-based email accounts by default. Be sure your organization’s email platform is licensed properly.
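As an added example (not the article’s own code, and not tied to any SIEM product), the Python below applies the two Detect checks above, together with the country restriction from the Protect list, to constructed login records: it learns which countries each user normally signs in from and then flags off-hours logins, logins from countries outside the allow-list, and first-time countries for a user. The log format, the US-only allow-list and the 06:00 to 19:59 working hours are assumptions.

```python
"""Flag email logins outside 'normal': outside working hours, from a country not on the
allow-list, or from a country the user has never signed in from before.
Added example; the log lines are constructed and their format (ts user country result) is assumed."""
from collections import defaultdict
from datetime import datetime

ALLOWED_COUNTRIES = {"US"}   # assumption: employees only work from the US
WORK_HOURS = range(6, 20)    # assumption: 06:00 to 19:59 local time is normal

# Constructed historical logins used to learn each user's normal countries.
HISTORY = """\
2020-07-01T08:12:00 alice US success
2020-07-01T09:40:00 bob US success
2020-07-02T07:55:00 alice US success
2020-07-02T17:10:00 bob US success
2020-07-03T08:03:00 alice US success
"""

# Constructed new logins to evaluate: one normal, one off-hours, one from a new
# country, and one from a user with no history at all.
NEW = """\
2020-07-06T08:30:00 alice US success
2020-07-06T03:15:00 alice US success
2020-07-06T13:05:00 bob NG success
2020-07-06T02:45:00 carol RU success
"""


def parse(log):
    """Turn the assumed 'timestamp user country result' lines into tuples."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, country, result = line.split()
        events.append((datetime.fromisoformat(ts), user, country, result))
    return events


def learn_normal(events):
    """Per-user set of countries seen on successful logins during the baseline."""
    seen = defaultdict(set)
    for _, user, country, result in events:
        if result == "success":
            seen[user].add(country)
    return seen


def flag(events, normal, allowed=ALLOWED_COUNTRIES, hours=WORK_HOURS):
    """Return (user, timestamp, reasons) for every login that breaks a rule."""
    alerts = []
    for ts, user, country, result in events:
        reasons = []
        if ts.hour not in hours:
            reasons.append(f"off-hours login at {ts:%H:%M}")
        if country not in allowed:
            reasons.append(f"country {country} not on allow-list")
        if user not in normal:
            reasons.append("no login history for this user")
        elif country not in normal[user]:
            reasons.append(f"first login from {country} for {user}")
        if reasons:
            alerts.append((user, ts.isoformat(), reasons))
    return alerts


if __name__ == "__main__":
    baseline = learn_normal(parse(HISTORY))
    for alert in flag(parse(NEW), baseline):
        print(alert)
```

Alice’s 08:30 login passes silently; her 03:15 login, Bob’s first login from outside the allow-list and the unknown user Carol are each reported with every rule they broke, so an analyst sees at a glance which of the three “normal” assumptions was violated.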

Respond

  • Contain. Shut down the email account so that no users can access it.
  • Change passwords of all accounts and block email access from countries where employees won’t be logging in.
  • Examine what is in the compromised mailbox. Keep in mind that you may need to file a breach report for any PII that is exposed.



Key Incident Response Messages

Throughout this article, there were a few key terms that were stated multiple times, but the bottom line is this: “Know Your Normal.” If you’re not familiar with Key Risk Indicators and Indicators of Compromise that can help you identify when your network is not “normal,” please check out SBS’ previous article on Indicators of Compromise. Knowing when KRIs or IoCs arise in your devices or network is the first step of responding to an incident as it begins.

However, some organizations find themselves in a position where they cannot monitor, or don’t know how to monitor, their network. In this situation, it is best to invest in a platform that monitors your network. A SIEM supports threat detection, compliance, and security incident management through the collection and analysis of security events, and can also include UEBA (User and Entity Behavior Analytics) and SOAR (Security Orchestration, Automation and Response). UEBA helps organizations notice abnormal behaviors, such as logins from unusual locations. SOAR assists with the actual response to cybersecurity incidents. A SIEM can also automate actions that would usually need to be performed manually by an analyst.

Multi-Factor Authentication (MFA) is a recurring Protect control throughout this article, and it is one of the only controls proven to stop hackers from accessing accounts after obtaining a user’s credentials. Think of MFA as the hand sanitizer of Protect controls: MFA prevents 99.9% of account compromises, according to Microsoft.


Keep In Mind

Knowing what is normal on your network and implementing MFA will help your organization decrease risk while staying mindful of anything abnormal. Remember, the most common cause of all these incident scenarios is phishing attacks, so be sure employees are trained and tested accordingly. Implement controls to Prevent, Detect, and Respond to incidents, and continue to mature your security program to keep your organization and customer data safe.



Written by: 
Kelley Criddle
Information Security Consultant - SBS CyberSecurity, LLC 


SBS Resources: 

  • {Blog} Indicators of Compromise: If someone was in your network, would you know? If someone was sending your data out the back door of your network, could you tell? To answer these questions, you must first understand your networking environment, and what “normal” on that environment looks like. How do you start to figure out what “normal” looks like on your network? Here’s a start.
  • {Blog} 7 Steps to Building an Incident Response Playbook: Walk through the 7 steps to creating an Incident Response Playbook tailored to your organization. A playbook allows you to document ways to mitigate the most risk regarding the riskiest Incident Response threats to your organization. Identifying relevant threats that could be extremely impactful to your network and creating walkthrough scenarios on how to counteract those threats helps your Business Continuity and Incident Response teams focus on what needs to be addressed first.



Posted: Thursday, July 16, 2020