Phase 1: Threat Identification and Initial Access
- A phishing email is received, and an employee unknowingly clicks a malicious link or attachment
- Malware or a remote access script is deployed, and suspicious outbound traffic and unauthorized account access begin within minutes
Phase 2: Detection and Immediate Containment
- The IT department or managed security provider identifies unusual activity within 1–2 hours of the initial alert. If you do not have a dedicated IT department, the breach is generally discovered when one of your clients contacts you to let you know they got a “weird email from you.”
- If you’re working with an IT company, email and network accounts are suspended, and compromised devices are removed from the network and isolated for analysis. Staff are notified to avoid opening or responding to emails from the affected sender
- If you are not, now is the time to call that friend who knows “stuff about IT,” or really, it’s time to contact an expert
Phase 3: Breach Assessment
- If you’re working with an IT company, they will conduct a full system scan to detect persistence tools, backdoors, or additional infected files; review logs and email headers to determine the attack vector and scope of compromise; and, as the final step, perform a risk assessment and initiate reporting protocols
- If you are not working with an IT company, this is the time when you start to wonder, how bad is it? Is it your responsibility if someone opens up that “weird email”? If you ignore it, will it go away?
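One concrete piece of the header review above is telling whether the “weird email” really left your mailbox (an account compromise, which means credentials must be reset) or merely forged your address (spoofing, which your domain's email authentication should catch). The script below is an added illustration, not part of the original post or EvolveIT's tooling; the header samples are constructed, and example.com stands in for your domain.

```python
import email
import re
from email import policy

# Constructed sample: headers a client might forward from a message that
# authenticated as genuinely sent from the company's own mail system.
SAMPLE_COMPROMISED = """\
Received: from mail.example.com (mail.example.com [203.0.113.10])
    by mx.client.example (Postfix) with ESMTPS id ABC123
Authentication-Results: mx.client.example; spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: Jane Doe <jane@example.com>
Subject: Invoice attached
"""

# Constructed sample: same displayed sender, but the message failed every check,
# i.e. someone outside forged the address rather than using Jane's account.
SAMPLE_SPOOFED = """\
Received: from unknown (HELO bulk-sender) [198.51.100.77]
    by mx.client.example (Postfix) with ESMTP id DEF456
Authentication-Results: mx.client.example; spf=fail smtp.mailfrom=example.com;
 dkim=none; dmarc=fail header.from=example.com
From: Jane Doe <jane@example.com>
Subject: Invoice attached
"""


def parse_auth_results(raw_headers: str) -> dict:
    """Collect spf/dkim/dmarc verdicts from every Authentication-Results header."""
    msg = email.message_from_string(raw_headers, policy=policy.default)
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(value), re.I):
            results[mech.lower()] = verdict.lower()
    return results


def classify_incident(raw_headers: str) -> str:
    """'account-compromise' if the mail authenticated as ours (reset credentials),
    'spoofed' if authentication failed (enforce SPF/DKIM/DMARC), 'unknown' otherwise."""
    r = parse_auth_results(raw_headers)
    if not r:
        return "unknown"
    if r.get("dmarc") == "pass" or (r.get("spf") == "pass" and r.get("dkim") == "pass"):
        return "account-compromise"
    return "spoofed"


if __name__ == "__main__":
    for name, sample in [("compromised", SAMPLE_COMPROMISED), ("spoofed", SAMPLE_SPOOFED)]:
        print(name, parse_auth_results(sample), "->", classify_incident(sample))
```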
Phase 4: System Containment and Recovery
- If you’re working with an IT company, your systems are restored from the most recent uncompromised backup, security patches and updates are applied across servers and endpoints, all affected credentials (email, server, admin, third-party services) are reset, and finally, multi-factor authentication (MFA) and encryption protocols are implemented or verified
- If you are not working with an IT company, this is the part where you feel overwhelmed at how to fix it, or you are hoping the 6-pack you bought your second cousin will be payment enough to get you out of this jam
Phase 5: Communication and Notification
- If you’re working with an IT company, management and legal/compliance teams are notified within 24 hours, external partners or clients potentially affected are informed as required, and the incident summary and temporary mitigation measures are shared with staff
- If you are not working with an IT company, you still need to let your clients know that there’s been a breach and let your staff know how to move forward
Phase 6: Post-Incident Remediation
- If you’re working with an IT company, a comprehensive threat purge and reinstall of affected systems is done if required, all network activity is monitored closely for 30–60 days post-incident, end-user cybersecurity training is often scheduled for staff, and systems are re-audited to confirm there are no remaining security gaps
- If you are not working with an IT company, you probably think you finished at the last step
Phase 7: Preventative Measures
- If you’re working with an IT company, they will likely implement advanced email filtering and phishing detection tools, regularly update and test backup recovery procedures, and conduct periodic cybersecurity audits and tabletop simulations
- If you are not working with an IT company, this is hopefully when you call one, so you don’t end up in the same situation down the road.
Find experience and expertise with the EvolveIT team. We simplify your IT. Period!