How to Contain, Identify, and Minimize a Targeted Attack

An end-user is often the first person to recognize an attack or an attempted attack on a network. Employees are a common victim for information system penetration attempts on a company network. But what should you do if you think your network is under siege? This blog post was created to help communicate the actions you should take to help contain the attack or incident, how to identify a targeted attack, and what you should do after identifying that attack.

Steps to Correctly Manage an Attack

If you or another employee suspects the presence of malware or other unauthorized software on company devices, you or they must perform the following actions:

• Remove network connectivity. This is accomplished by removing the network cable from the machine, and then disabling wireless connection.
• Leave the machine powered on to facilitate later forensic efforts.
• Notify management or the IT staff of the attack immediately or as soon as practical.

Phishing as an Information System Attack

Phishing Is a common form of attack on users of an information system. These attempts are usually done using some form of deception (or social engineering). This deception may include phone or electronic contact by persons masquerading as a client, partner, or creditor in an attempt to obtain employee credentials or to illegitimately request a wire transfer. These attacks are categorized as “opportunistic” and “targeted”.

Phishing is a form of targeted attack. Targeted attacks are one of the most common ways a hacker tries to attack an end-user on a network.

How to Identify a Targeted (Phishing) Attack

Targeted attacks on an information system are common. However, they are often tricky to identify and have little difference from a legitimate email. These attempts get stronger and less noticeable in nature as time goes on. However, targeted attacks may be recognized by some of the following giveaways:

• Inclusion of information that is unique to the recipient beyond their name and title. This may include knowledge of the employee’s specific job functions, personal and/or business relationships, personal interests or other information that may be obtained from publicly available sources like social media or public record.
• Inclusion of information that is unique to the Company, including knowledge of products, key personnel, vendor or customer relationships, or upcoming events.
• A source email address that appears to be the legitimate email address of another employee or from an established vendor or customer.

What to do After Identifying a Targeted (Phishing) Attack

What you do after identifying a targeted attack is crucial. These are the steps you should take to inform your superiors of the attack:

• Use the snipping tool to capture the preview of the email, making sure to capture the sender’s email address, subject line, and as much of message as possible. (DO NOT OPEN THE EMAIL ITSELF).
• Generate a new email with a subject line along the lines of “TARGETED PHISH ATTEMPT” with the image of the attack attempt attached.
• Forward this email to your management or IT staff.

PlexTrac Author At PlexTrac, we bring together insights from a diverse range of voices. Our blog features contributions from industry experts, ethical hackers, CTOs, influencers, and PlexTrac team members—all sharing valuable perspectives on cybersecurity, pentesting, and risk management.