Cyber Awareness & Best Practices

How to detect & react to cyber incidents

Common incidents

Key information about the most common incidents, based on CIRCL's statistics


Suspicious e-mail

The ability to detect suspicious and malicious e-mails is key to combating cyber threats: e-mail is one of cybercriminals' favourite ways of reaching their victims.

Spam is unsolicited or irrelevant e-mail sent in bulk over the Internet for advertising, phishing, spreading malware, etc.

306.4 billion e-mails were sent and received daily in 2020.

Phishing is a form of cybercrime in which criminals, posing as a trusted sender, trick their victims into revealing personal information such as usernames, passwords and credit card details.

Phishing attacks account for more than 80% of reported security incidents.

Malware is the abbreviation for ‘Malicious Software’: any software that is intended to cause harm to your system or network. 94% of malware is delivered via e-mail.

How to detect a malicious e-mail – the signs to watch out for

  • Messages with misspellings and typos, multiple fonts or oddly-placed accents.
  • Messages that claim to have your password attached. You should never receive your password in an attachment.
  • Mismatched links. Hover over a link (or long-press it on a phone) and make sure the target address is the one the e-mail shows.
  • Messages asking for your personal information.
  • Messages claiming that your account will be deleted or blocked unless you take immediate action.

How to react - the reflexes to adopt

  • Do not respond to suspicious e-mails.
  • Do not click on links in suspicious e-mails. Check the target address of the link to verify its legitimacy; if you need to reach the service, type its address into your browser yourself.
  • Do not open or download attachments or remote images.
  • Do not trust offers that seem too good to be true.
  • Do not blindly trust the sender name or address shown in the e-mail: both are easily spoofed.
  • Use tools like SPAMBEE to handle suspicious e-mails and notify experts in case of doubt.
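Added example (not part of the original page, and not a CIRCL or SPAMBEE tool): a small Python script that automates three of the checks above on a raw e-mail. It reports links whose visible text points at a different domain than the real target (the hover check), a Reply-To address that diverts answers to a domain other than the From domain (sender spoofing), and urgency wording in the subject. The message it runs on is constructed for this example, the urgency word list is an assumption, and the domain comparison is a simplification (last two DNS labels; a public-suffix list would be needed for domains such as co.uk).

```python
"""Flag phishing tells in a raw e-mail: link text whose domain differs from the real href,
a Reply-To that diverts answers to another domain, and urgency wording in the subject."""
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for this example: every domain uses the reserved .example TLD.
SAMPLE_EML = """\
From: "Your Bank Security" <alerts@yourbank.example>
Reply-To: recovery@mail-yourbank-verify.example
To: victim@example.org
Subject: Urgent: your account will be blocked
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be blocked unless you act now.</p>
<p><a href="http://yourbank.example.secure-login.example/verify">https://www.yourbank.example/login</a></p>
<p><a href="https://www.yourbank.example/help">Help centre</a></p>
</body></html>
"""
URGENCY_WORDS = ("urgent", "immediately", "blocked", "suspended", "deleted")  # assumed list


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two DNS labels. Simplification: a public-suffix list is needed for e.g. co.uk."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def host_of(text):
    """Hostname when the visible link text itself is a URL or domain, else None."""
    candidate = text.strip()
    if " " in candidate:
        return None
    if "://" not in candidate:
        candidate = "http://" + candidate
    host = urlparse(candidate).hostname
    return host if host and "." in host else None


def find_mismatched_links(html):
    """(visible text, real href) pairs whose domains differ: the 'hover over the link' check."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        shown = host_of(text)
        if shown is None or not href:
            continue  # plain text such as "Help centre" has no domain to compare
        if registrable_domain(shown) != registrable_domain(urlparse(href).hostname or ""):
            findings.append((text, href))
    return findings


def find_sender_mismatch(msg):
    """(From domain, Reply-To domain) when replies are diverted elsewhere, else None."""
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    reply_addr = parseaddr(str(msg.get("Reply-To", "")))[1]
    if not from_addr or not reply_addr:
        return None
    from_dom = registrable_domain(from_addr.rsplit("@", 1)[-1])
    reply_dom = registrable_domain(reply_addr.rsplit("@", 1)[-1])
    return (from_dom, reply_dom) if from_dom != reply_dom else None


def analyse(raw_message):
    """Run all checks over one raw RFC 5322 message and return the findings."""
    msg = message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    subject = str(msg.get("Subject", "")).lower()
    return {
        "mismatched_links": find_mismatched_links(html),
        "sender_mismatch": find_sender_mismatch(msg),
        "urgency": any(word in subject for word in URGENCY_WORDS),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_EML))
```

To check a real message, save it as an .eml file and pass its contents to analyse(). The pairs returned by find_mismatched_links are exactly what the hover check shows: the text you see and where the link really goes. A diverted Reply-To is not proof of fraud on its own (some legitimate mailings use it), so treat it as one signal among the others on the list.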


Infected computer

No matter how careful we are, a computer can become infected. How do you detect it, and what should you do once it has happened?

How to detect – the signs to watch out for

  • Your computer becomes extremely slow or unresponsive
  • Your computer crashes
  • You get unwanted, unexpected and recurring pop-ups
  • Programs open and close automatically
  • Internet traffic suspiciously increases
  • You notice unjustified, weird, and unnecessary traffic patterns
  • Your antivirus software has stopped working or has been disabled

How to react - the reflexes to adopt

  • Remove the machine from the network (unplug the cable, switch off Wi-Fi) so the malware can neither receive commands nor spread.
  • Make sure your antivirus software and its signatures are up to date.
  • Reboot your computer into safe mode and run a full scan.
  • Obtain an anti-spyware program on a clean computer and transfer it on removable media rather than reconnecting the infected machine to download it.
  • Disinfection by the antivirus may delete infected system files; the system may then need to be repaired from installation media, or the operating system reinstalled completely.

Before performing a reinstall:

  • Change your passwords, from a different, clean device: anything typed on the infected machine may have been captured.
  • Make sure your data files are backed up.
  • If you have a backup taken before the infection, restore from it.
  • Do not forget to reinstall all the necessary updates after the system restore.


Compromised Data

Your data is compromised if your data is accessed, copied, modified, damaged, destroyed, deleted, distributed or transmitted by a third party in any way.

How to detect - the signs to watch out for

  • Check data breach websites: enter your e-mail address into one of the services that track breaches and verify them as genuine (Have I Been Pwned, Dehashed, Firefox Monitor, etc.).
  • Watch out for fake antivirus messages: unexpected or fake antivirus warnings mean malware is most likely present, and the data on that machine should be treated as exposed.
  • Change your passwords: keeping the same passwords for years makes you an easy target. Follow the basic guidelines in the 'What you need to know - Password' page.
  • Monitor your e-mail, bank and other accounts: if you notice any change that you did not initiate, find out what may have happened.
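Added example (not part of the original page): the first check above, looking yourself up on a breach site, can also be done for passwords without sending the password, or even its full hash, to the site. The Pwned Passwords service of Have I Been Pwned offers a range API for this: the client sends only the first five hex characters of the password's SHA-1 hash, receives every known hash suffix under that prefix, and does the match locally. The Python below implements that exchange. The range response it tests against is constructed for the example (the counts are invented, not real API output); the live lookup function is included but not exercised offline.

```python
"""Check a password against a breach corpus with the k-anonymity range lookup used by
Have I Been Pwned's Pwned Passwords API: only a 5-character hash prefix leaves the machine."""
import hashlib
import urllib.request


def sha1_hex(password):
    """Uppercase hex SHA-1 of the password, the key the range API is built on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password):
    """(5-char prefix that is sent to the service, 35-char suffix that stays local)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def count_in_range(password, range_text):
    """Breach count for the password, given the 'SUFFIX:COUNT' lines returned for its prefix.
    Padding entries (count 0) and unrelated suffixes never match; 0 means not found."""
    _, suffix = split_hash(password)
    for line in range_text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


# Constructed response for prefix 5BAA6 (the prefix of SHA-1("password")). The counts are
# made up for this example and are not real API output.
SAMPLE_RANGE_5BAA6 = """\
0123456789ABCDEF0123456789ABCDEF012:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
"""


def fetch_range(prefix, timeout=10):
    """Live lookup (needs network): GET api.pwnedpasswords.com/range/<prefix>.
    Add-Padding asks the service to pad the response so its size reveals nothing either."""
    request = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "breach-check-example"},
    )
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.read().decode("utf-8")


def breach_count(password):
    """End-to-end check: send only the prefix, match the suffix locally."""
    prefix, _ = split_hash(password)
    return count_in_range(password, fetch_range(prefix))


if __name__ == "__main__":
    # Offline demonstration against the constructed range; use breach_count() to query live.
    print("password ->", count_in_range("password", SAMPLE_RANGE_5BAA6))
```

A non-zero count means the password is in a known breach and must be changed everywhere it is used; a zero means only that it is not in this corpus, not that it is strong.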

How to react - the reflexes to adopt

  • Immediately change the password for the account in question.
  • If the same password has been used for more than one account, change the passwords for all those accounts.
  • Notify the account administrator that your log-in data has been compromised or published on the Internet.
  • If a criminal has already changed your password, immediately notify your account administrator so they can block access to the account in question.
  • Make a list of the information that is accessible on your account: if any information grants access to other accounts, take steps to protect them.

Make sure to never use the same password for multiple accounts: if one service you use is breached, you should consider all the accounts using the same password as compromised.


DDoS Attack

A distributed denial-of-service (DDoS) attack is a cyberattack to disrupt the normal traffic of a targeted server, service or network by overwhelming the target IT infrastructure with a flood of Internet traffic.

How to detect - the signs to watch out for

  • There is usually no advance warning; you learn of the attack from its effects.
  • You can monitor your traffic and server load, but often customer complaints are the first sign that something has gone wrong.
  • The server logs show a sudden spike in traffic.
  • Your server responds with 503 (Service Unavailable) errors because it can no longer keep up.
  • Ping requests to the server time out or show sharply increased response times.
  • If your employees use the same Internet connection, they will notice the slowness.

How to react - the reflexes to adopt

  • The best reaction is prevention: have monitoring, alerting and a mitigation path in place before an attack starts.
  • Configure an alert on HTTP 503 events (for example, a task attached to the 503 event in the Windows Event Viewer) that sends a notification e-mail to the system administrators.
  • Automate ping alerts: if the ping time becomes too long or times out, the monitoring service alerts your team so they can start mitigation and troubleshoot the issue.
  • Use a log management system so you can identify an ongoing attack and alert your administrators.
  • Try to filter out the malicious requests: set alerts on a combination of events and traffic spikes, then block the sources or request patterns they reveal.
  • Work with your domain registrar or DNS provider and lower the DNS TTL of your records to 1 hour, so that the site can be repointed to a mitigation service quickly.
  • Move your site behind a DDoS mitigation service.
  • Follow CIRCL's recommendations to mitigate the attack (see below).
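Added example (not part of the original page, and not CIRCL's tooling): a Python detector that applies the signs and the alerting advice above to web-server logs in the Apache/nginx combined format. It counts requests per second, takes the median as the baseline so the spike itself cannot hide it, flags seconds that are both above an absolute floor and well above that baseline, and for each flagged second reports the share of 503 responses and the top source addresses. The log it runs on is generated inside the script for the example (documentation-range addresses, invented times), and the thresholds are assumptions to tune to your own traffic.

```python
"""Detect a traffic flood in web-server access logs (combined log format): requests per
second against a median baseline, the share of 503 responses, and the top source addresses."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Fields of the Apache/nginx combined log format that the detector needs.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def build_sample_log():
    """Constructed sample: 10 s of quiet baseline, then one second of flood with 503s.
    Addresses come from documentation ranges (203.0.113.0/24, 198.51.100.0/24); nothing is real."""
    base = datetime(2021, 3, 10, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, when, status):
        return f'{ip} - - [{when.strftime(TS_FORMAT)}] "GET / HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'

    lines = []
    for second in range(10):  # baseline: 2 requests/s from ordinary visitors
        for j in range(2):
            lines.append(line(f"203.0.113.{10 + j}", base + timedelta(seconds=second), 200))
    burst = base + timedelta(seconds=10)  # flood: 120 requests in one second, 60% answered 503
    for i in range(120):
        ip = "198.51.100.7" if i % 3 != 2 else "198.51.100.8"
        lines.append(line(ip, burst, 503 if i % 5 < 3 else 200))
    return lines


def parse(lines):
    """Yield (timestamp, source ip, status) for every line that matches the log format."""
    for raw in lines:
        m = LOG_RE.match(raw)
        if not m:
            continue  # skip truncated or foreign lines rather than crash mid-incident
        yield datetime.strptime(m["ts"], TS_FORMAT), m["ip"], int(m["status"])


def detect_flood(lines, spike_factor=5.0, min_rps=50, error_share=0.3):
    """One alert per second whose request count is >= min_rps and >= spike_factor x the median
    per-second rate. service_impact is set when 503s exceed error_share of that second.
    The three thresholds are assumptions; tune them to the site's normal traffic."""
    per_second = defaultdict(list)
    for ts, ip, status in parse(lines):
        per_second[ts.replace(microsecond=0)].append((ip, status))
    if not per_second:
        return []
    counts = sorted(len(v) for v in per_second.values())
    baseline = counts[len(counts) // 2]  # median: not dragged upwards by the spike itself
    alerts = []
    for second in sorted(per_second):
        records = per_second[second]
        n = len(records)
        if n < max(min_rps, spike_factor * baseline):
            continue
        errors = sum(1 for _, status in records if status == 503)
        sources = Counter(ip for ip, _ in records)
        alerts.append({
            "second": second.isoformat(),
            "requests": n,
            "baseline": baseline,
            "share_503": round(errors / n, 2),
            "distinct_sources": len(sources),
            "top_sources": sources.most_common(3),
            "service_impact": errors / n >= error_share,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_flood(build_sample_log()):
        print(alert)
```

The distinct_sources and top_sources fields decide the response: a flood from a handful of addresses can be blocked at the firewall or by the hosting provider, whereas a widely distributed one is the case for the DNS TTL change and the mitigation service in the list above. Run the detector over a rolling window of the live log, or let the log management system apply the same rule, and route its alerts to the same administrators as the 503 and ping alerts.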

Management of cybersecurity incidents: first reflexes

An incident is any adverse event that threatens some aspect of security.


Prepare for the inevitable

Define an IT security policy and share it with your employees

IT security policies set out how the organisation addresses security threats and reduces its IT security vulnerabilities. All employees must be familiar with the document and comply with it.

Practice, test, fail, learn

SECURITYMADEIN.LU’s mission is to help companies and organisations of all sizes grow their cybersecurity maturity. The agency’s three departments provide extensive guidance from awareness to cyber incident management. Gaining experience plays a key role in adopting the right reflexes. See all our training here.


How to survive a crisis

  • remain cyber vigilant at all times,
  • make simple decisions,
  • regularly review the crisis management plan,
  • master the impact analysis, and
  • communicate


Report an incident

Contact CIRCL, via:

Recommendations:

  • CIRCL should be contacted as soon as an incident has been detected
  • When reporting, be specific about times and state the time zone (UTC is the safest choice)
  • Share your contact details, including phone numbers and PGP keys if available.

Once the incident has been reported:

  • Note every action you perform, with its time, and make sure each action preserves evidence
  • Instead of turning off a system, unplug it from the network: powering off destroys volatile evidence such as the contents of memory
  • Do not install, reinstall, copy, move or delete software, applications, files, data or logs on the impacted systems or services
  • Perform no actions other than those dedicated to containing the incident