InTegriLogic Blog
What to Include in Your Incident Response Plan
A security incident can topple an organization's reputation and revenue in a short amount of time. As billionaire Warren Buffett once said, "it takes 20 years to develop a reputation and five minutes to ruin it." Keeping that in mind, it’s ideal to have an incident response plan in place before a security breach occurs.
An incident response plan is a set of instructions intended to facilitate an organization in detecting, responding to and recovering from network security incidents such as cybercrime, data loss and service disruptions. Having a plan in place contributes to the development of cybersecurity as well as overall organizational resilience.
Since most small and medium-sized businesses (SMBs) have limited resources and funds, incident response is usually given less attention. However, failing to respond swiftly and effectively when a cyberattack occurs can cost far more than putting an incident response plan in place.
Essential Elements of an Incident Response Plan
Every incident response plan should include the following five key elements in order to successfully address the wide range of security issues that an organization can face:
Incident Identification and Rapid Response
It’s critical to evaluate the threat effectively and decide whether to implement the incident response plan. This requires two prerequisites:
- An authorized person to initiate the plan
- An online/offline place for the incident response team to meet and discuss
Resources
In case of a cyber event, an incident response team will usually have emergency kits on hand and have the following resources to help navigate through the event:
- Tools to take all machines offline after forensic analysis
- Solutions to regulate access to the organization’s IT environment and keep hackers out of the network
- Measures to employ standby machines to ensure operational continuity
Roles and Responsibilities
An incident could occur in the middle of the night or at an unexpected time. That’s why it’s critical to establish the roles and responsibilities of your incident response team members. They could be called in at any time. You must also have a reserve team in case any of the primary contacts are unavailable.
In the event of a cyber incident, time is critical and everyone must know what to do.
Detection and Analysis
This is, without a doubt, one of the most crucial elements of an incident response plan. It emphasizes documenting everything, from how an incident is detected to how to report, analyze and contain the threat. The aim is to create a playbook that includes approaches for detecting and analyzing a wide range of risks.
Containment, Eradication and Recovery
- Containment specifies the methods for restricting the incident's scope. A ransomware attack, for example, must be tackled very differently compared to an insider threat.
- Eradication is all about techniques to eliminate a threat from all affected systems.
- Because incidents cannot always be prevented, recovery efforts concentrate on reducing potential harm and resuming operations as quickly as possible.
Considerations for an Incident Response Plan
An incident response plan must address any concerns that arise from an evolving threat landscape. Before you start crafting your plan, there are several considerations to be made, including:
- Building an incident response plan should not be a one-off exercise. It should be reviewed on a regular basis to ensure that it considers the most recent technical and environmental changes that may influence your organization.
- Your incident response plan and the team working on it must be supported and guided by top management.
- It's critical to document the contact information of key personnel for emergency communication.
- Every person in the incident response team must maintain accountability.
- Deploy the appropriate tools and procedures to improve the effectiveness of the incident response.
- Your security, backup and compliance postures must all be given the same attention.
Trying to develop and deploy an incident response plan on your own might be more than you can handle while running an organization. Partnering with a specialist like us can take the load off your shoulders and give you the advantage of having an expert on your side. Contact us today to schedule a no-obligation consultation.
Federal Bureau of Investigation (FBI)
https://www.washingtonpost.com/nation/2021/11/14/fbi-hack-email-cyberattack/
Exploit: Account Takeover
Federal Bureau of Investigation (FBI): Federal Government Agency

Risk to Business: 1.417 = Severe
A shocking email security breach at the US Federal Bureau of Investigation (FBI) led to the takeover of a user account. The cybercriminals that accomplished the feat were able to use that compromised email account to send tens of thousands of fraudulent emails warning recipients of impending cyberattacks. Messages reached celebrities like Jay Z and journalists including investigative reporter Brian Krebs. The Bureau later confirmed that its Law Enforcement Enterprise Portal (LEEP) was compromised in a cyberattack Friday. FBI officials were quick to stress the fact that the malicious emails originated from an FBI-operated server that was solely dedicated to pushing notifications for LEEP and not part of the FBI’s corporate email service.
Customers Impacted: Unknown
How It Could Affect Your Business: This incident shows that no organization is immune to a cyberattack, and even the best defenses can fail.
West Virginia Parkways Authority
Exploit: Ransomware
West Virginia Parkways Authority: State Government Agency

Risk to Business: 1.822 = Severe
A suspected ransomware attack snarled operations at the West Virginia Parkways Authority last Friday. Officials announced that a cyberattack had hit the agency’s internal computer systems, knocking out email, telephones, and various non-critical applications for several hours. According to the statement, no data was extracted or exposed in the incident which only impacted operational technology. Systems have since been restored and the incident is under investigation.
Customers Impacted: Unknown
How It Could Affect Your Business: Using ransomware against infrastructure targets to shut down their operations has become much more common.
Robinhood
Exploit: Phishing (Vishing)
Robinhood: Financial Services Platform

Risk to Business: 1.542 = Extreme
Financial services platform Robinhood is in the news again after disclosing a data breach on 11/03. The company blamed the security incident on vishing. Threat actors obtained access to the organization’s customer support systems by obtaining systems access over the phone. This is the same technique that proved successful in the 2020 Twitter hack. According to reports, after accessing the data, the cybercriminals then demanded an extortion payment to keep the data safe. No word on the amount of this demand. The incident is under investigation.

Individual Risk: 1.312 = Extreme
The company disclosed that it estimates a total of seven million users are apparently affected by this breach. Threat actors accessed email addresses for five million customers and a separate list of full names for two million customers. Robinhood says that the bad guys gained access to varying levels of user information including in-depth PII including full names, date of birth and zip code for around 310 users, and extensive records for a subset of 10 users.
How It Could Affect Your Business: Vishing threats are popping up more frequently as cybercriminals look to vary their approach to obtaining credentials in unexpected ways.
Hewlett Packard Enterprise (HPE)
https://splash247.com/greek-shipowners-cyber-tricked-over-halloween-weekend/
Exploit: Credential Compromise
Hewlett Packard Enterprise: Business Technology Services

Risk to Business: 1.615 = Severe
Hewlett Packard Enterprise (HPE) just informed customers that use its Aruba networking unit that their information may have been exposed in a cyberattack on its Aruba Central cloud environment in late October. The company outlined the incident in a statement to the press: “On 2 November, HPE discovered that an access key to data related to the network analytics and contact-tracing features of Aruba Central, our cloud-based network management and monitoring solution, was compromised and used by an external actor to access the environment over a period of 18 days between 9 and 27 October 2021.” HPE went on to specify that the data in question included “identifying device media access control (MAC) addresses, IP addresses, device operating systems type and hostnames, and user names for Wi-Fi networks where authentication is used, as well as dates, times, and physical Wi-Fi access points (APs) to which devices connected.” The incident is under investigation.
Customers Impacted: Unknown
How it Could Affect Your Business: Cybercriminals will do anything to obtain a legitimate user credential because it gives them the keys to the kingdom, enabling them to do massive damage quickly.
United Kingdom – Simplify Group
Exploit: Hacking
Simplify Group: Conveyancing & Property Services

Risk to Business: 1.512 = Severe
UK property services giant Simplify Group has been experiencing a cyberattack that impacted operations at many of its divisions. The company operates brands like Premier Property Lawyers, My Home Move and DC Law. The outage was a spanner in the works for new and prospective homebuyers, including some that were mid-move, and they were quick to take to social media. Some systems have been restored and the incident is under investigation.
Customers Impacted: Unknown
How it Could Affect Your Business: Operational disruption from a ransomware attack is just as likely as data theft and sometimes even more damaging.
Spain – S.A. Damm
https://gadgets.ndtv.com/internet/news/cyberattack-damm-beer-barcelona-estrella-brewery-shut-down-llobregat-2609233
Exploit: Ransomware
S.A. Damm: Brewing

Risk to Business: 1.595 = Extreme
Operations went flat at Spanish brewer S.A. Damm after a ransomware attack crippled production. The company disclosed that the cyberattack hit the brewery on Tuesday night and for a few hours the plant in El Prat de Llobregat, which produces 7 million hectolitres of beer a year, was “entirely paralyzed”. Operations were partially restored quickly and the rest of the recovery is expected to be completed soon.
How it Could Affect Your Business: Ransomware gangs have been stopping production in factories rather than stealing data in the hopes of scoring a quick ransom from desperate businesses.
Diamond Comic Distributors
https://bleedingcool.com/comics/diamond-comic-distributors-targeted-by-ransomware-attack/
Exploit: Ransomware
Diamond Comic Distributors: Periodical Distributor

Risk to Business: 1.417 = Severe
It’s a bird, it’s a plane, it’s a ransomware attack at Diamond Comic Distributors. The Baltimore-based company, the exclusive distributor of DC and Image Comics and a publishing outlet for dozens of small-press comics publishers, suffered a ransomware attack last Friday that took down the company’s website and customer service platforms all weekend into Monday. Diamond said in a statement that it did not anticipate that any customer financial data had been impacted by this event. Investigation and recovery are underway, with some functions already restored.
Customers Impacted: Unknown
How It Could Affect Your Business: Ransomware can cost companies a fortune from operational disruption alone even if no data is snatched, not to mention incident response costs.
Electronic Warfare Associates (EWA)
Exploit: Phishing
Electronic Warfare Associates (EWA): Defense Contractor

Risk to Business: 1.822 = Severe
A phishing attack that snared an employee is the suspected cause of a breach at defense contractor Electronic Warfare Associates (EWA). The company is a major provider of specialized software for the US defense establishment including the Pentagon, the Department of Defense (DoD), the Department of Justice (DoJ) and the Department of Homeland Security (DHS). EWA’s investigation determined that an attacker broke into an EWA email account in August 2021 after a phishing operation. The intrusion was uncovered when the attacker attempted a wire transfer. Employee PII was exposed and concern remains that sensitive defense information may also have been exposed.

Individual Risk: 1.703 = Severe
EWA has admitted that the attackers snatched files with certain personal information including name and Social Security Number and/or drivers’ license number for an undisclosed number of EWA employees, but no further information was given.
How It Could Affect Your Business: Phishing is an equal opportunity offender and no less likely to be successful against the presumably cybersecurity savvy employees of a tech company as any other business.
Newfoundland and Labrador Health
https://www.securitymagazine.com/articles/96481-canadian-healthcare-system-suffered-cyberattack
Exploit: Ransomware
Newfoundland and Labrador Health: Healthcare System

Risk to Business: 1.442 = Extreme
What may be the largest cyberattack in Canadian history crippled the healthcare system of the province of Newfoundland and Labrador on October 30th. The suspected ransomware attack hit scheduling and payment systems, causing widespread interruptions in patient care, including the cancellation of all non-urgent imaging and medical appointments, as well as a reduction in chemotherapy sessions and significant complications to the province’s COVID-19 response. Eastern Health reported that its payment systems to suppliers and vendors were also targeted by the attack. Email and telephone capability has been restored in some locations and an investigation is ongoing.
Customers Impacted: Unknown
How It Could Affect Your Business: Healthcare has been beleaguered by cyberattacks, especially ransomware, since the start of the global pandemic.
Greece – Danaos Management Consultants
https://splash247.com/greek-shipowners-cyber-tricked-over-halloween-weekend/
Exploit: Hacking
Danaos Management Consultants: Maritime IT

Risk to Business: 1.615 = Severe
Maritime clients who use the communication systems of Danaos Management Consultants found themselves without some communications capability after a cyberattack blocked their communication with ships, suppliers, agents and charterers. Several Greek shipping companies were impacted. The incident also resulted in the loss of an unspecified amount of files and correspondence for the impacted shipping firms.
Customers Impacted: Unknown
How it Could Affect Your Business: Cyberattacks have rocked the maritime world in 2021, with major attacks against the world’s four biggest shippers complicating the world’s supply chain woes.
Germany – Media Markt
https://www.bleepingcomputer.com/news/security/mediamarkt-hit-by-hive-ransomware-initial-240-million-ransom/
Exploit: Ransomware
Media Markt: Electronics Retailer

Risk to Business: 1.512 = Severe
Electronics retailer MediaMarkt has suffered a ransomware attack that caused the company to shut down some IT systems, impacting store operations in the Netherlands and Germany. While cash registers and payment card systems in brick-and-mortar locations were disrupted, online sales were not impacted. The attack was purportedly carried out by the Hive ransomware outfit, which initially demanded $240 million in ransom.
Customers Impacted: Unknown
How it Could Affect Your Business: Operational disruption from a ransomware attack is just as likely as data theft and sometimes even more damaging.
Australia – mySA Gov
https://securityaffairs.co/wordpress/123861/cyber-crime/cream-finance-cyber-heist-130m.html
Exploit: Hacking
mySA Gov: Government Services Platform

Risk to Business: 1.595 = Extreme
South Australia’s Department for Infrastructure and Transport confirmed that mySA Gov accounts were compromised through a cyberattack. Officials went on to say that the hackers gained access to several mySA Gov accounts that were secured with recycled passwords. The department went on to say that there was no evidence of any unauthorized transactions on the impacted accounts, while encouraging users to update their passwords.

Individual Risk: 1.595 = Extreme
A report from ABC says that 2,601 mySA Gov accounts were accessed in the attack, with 2,008 of them containing registration and licensing information. It is unclear if any information was exfiltrated.
How it Could Affect Your Business: Cybercriminals are always hungry for PII, especially identification card or passport data that can help them commit identity theft.