INTRODUCTION
Most often, users are educated on how to better prevent cyber attacks from occurring, which is a highly important skill in all aspects. However, users tend to receive very little information about what to do when they are already hacked, and this lack of education often accounts for further damage to their privacy.
As users, it is never easy to deal with the fact that our personal information has been compromised. A cyber attack is a psychological nightmare; when a stranger takes control over a digital life, victims tend to feel helpless, powerless, and terrified. These sentiments may cause them to make bad decisions concerning how to regain their privacy. Hackers feed off of the human desperation that causes victims to pay money in ransomware attacks, or the social engineering that causes victims to click things they should not click out of panic (see our earlier post “How To Identify A Phishing Attack: Picking A Suspicious Message Apart Piece By Piece”).
Organizations experiencing a breech are less likely to emotionally react the same way. When an organization becomes compromised, they have teams of personnel who take a methodical approach in dealing with the crisis. There should be multiple levels of support, positions of specified responsibility, and usually an organizational figurehead who calmly presides over and advises employees.
In contrast, end-users are more isolated, and a cyber attack is something that they must go through alone. Since there is usually little direct communication or input from the party handling the situation, users often feel the need to take matters into their own hands, which can be an overwhelming task if they do not have the experience nor knowledge of where to start. In many ways, this makes an attack on an organization feel like a personal attack on the user themselves.
However, most of the time, an attack on an organization feels like a personal attack on the user themselves, and such stress causes them to make decisions that further negatively impact their security or well-being. This article therefore focuses on the “after” instead of the “before” of a cyber attack. In this piece, we are covering an opinionated approach of how a user can best deal with a cyber attack after it has already occurred.
HOW TO TELL IF YOU’VE BEEN HACKED
The most difficult part of dealing with a cyber attack is knowing whether one has already happened or not. Organizations themselves can go a long time (months, potentially years) without even realizing that they have been hacked. According to Rich Murphy’s article “Breach Discovery: How Long Does Detection Take?” from Cybershark.com, in 2018, Ponemon Institute conducted a “Cost of Data Breach” study that did interviews with 477 companies and calculated that the average time for each one to discover a breach was about 197 days (or about half of a year).
From the 2020 Verizon Data Breach Investigation Report, which is published every year by the company for other organizations to learn from their cybersecurity experience, it was found that two thirds of breaches are detected by an external third party (such as law enforcement, users, or other security monitoring agencies), rather than the organization detecting cyber attacks itself.
According to the article by Murphy, the best case scenario -which is the fastest time for organizations to discover a breach- is that they find an incident within 10 days of the breach occurring, and this still gives a malevolent hacker much time to do damage.
There are many reasons why organizations do not discover that a breach has occurred until a long period of time has passed. Depending on the level of technical savviness of the hacker, it is difficult to detect an adversary if they are particularly skilled at covering their tracks. Additionally, an organization may not be fully equipped with the resources to detect cyber attacks, such as reliable intrusion detection systems (IDS) or pentesting teams. While this may be an obvious reason, unfortunately, many organizations do not detect cyber attacks simply because they go unreported by employees or users. Even if something unusual is noticed, such as a slow network, anonymous emails, strange password activity, (etc.), such instances are less likely to be written up by employees or reported by clientele if they believe that the organization itself will be unwilling to solve the problem.
Paying attention to any unusual activity is highly imperative, for the issue that you will report has the chance of being a larger problem (otherwise known as a breach). Therefore, one of the best things that you can do as an individual user to detect cyber attacks is to always be alert for unusual activity occurring on your machine.
Always look for the following suspicious signs:
-Is your operating system (OS) running slower than usual?
-Is your network running slower than usual?
-Errors signifying that you have entered an incorrect password or username but you are certain that they are correct and have not been changed by you since
-If you receive a suspicious email or SMS message (view our earlier post “Phishing Attacks” to learn how to identify a phishing attack)
-Is your camera light on when you do not have a camera or video application open?
-Is your computer turning on after you shut it down?
-Do you notice that certain monetary amounts are missing from your bank account?
-Do you notice that your login history for certain websites or accounts has been active although you yourself were not logged in during that time?
As a user, if you have implemented security measures in order to detect if your personal information, your machine, or system has been compromised, this is also a way of identifying a cyber attack. It is always a good idea to have some antivirus or virus-detecting security software (such as Sophos, Norton, McAfee, etc.) that will alert you of an incident.
AN EXAMPLE OF HANDLING CYBER ATTACKS RESPONSIBLY
Marsha is a 32 year-old woman from Cardiff, Wales and is a member of “The Border Collie Group”; an organization that sells pure-bred border collies. The organization collects financial data, addresses, and other contact information for clientele to purchase their dogs, as well as to arrange “border collie get-togethers” with long-time members, like Marsha. One day, as she was logged into The Border Collie Group’s website, Marsha notices that the website is refraining her from changing her password or username in the security settings when she was easily able to do this before. Marsha realizes that there is something wrong with The Border Collie Group’s website, but she suspects that this may be due to a breach of the organization’s security. How should she handle the situation as a user?
DON’Ts
Following Marsha’s exemplary story, be sure to not perform these improper actions:
1. Do Not Panic
Although it may sound cliché, the first step of realizing that your personal information may have been breached is not to panic. Mary Corts, a psychology student at the University of Tampa, explains the psychological effects that a user experiences when reacting to a cyber attack:
“The brain would release cortisol (a stress hormone) which an abundance of can lead to a suffocating stressful feeling which causes the brain and nervous system to go into fight or flight. Because of that, rational decisions are much harder to make due to the body’s fear of being in danger. It is much more likely in that high stress environment that the person being hacked would start clicking whatever they can to try and fix it, but ultimately they would end up digging themselves deeper into a hole and making things worse.”
With this in mind, a user that is unable to remain under control of themselves is much more likely to perform a dangerous act to regain their privacy. This could involve paying a ransom, clicking further bad links, or messing with the malware on a machine to produce even worse effects. Therefore, as an exemplary user, Marsha knows that it is best to keep her impulses under control while dealing with this stressful situation. She does not try to immediately solve the problem, which may cause her to make grave errors.
2. Do Not Ignore The Issue
That being said, while Marsha -or any other exemplary user- knows it is a bad thing to panic in the event of a cyber attack, it is equally just as bad to ignore the problem. Corts explains that for users who choose not to panic, “it would be really easy to deny anything is wrong” and that they “might try to rationalize what is happening because the thought of an attack is scary”.
Although an exemplary user refrains themselves from performing hasty actions, that does not mean that they believe the issue at hand will simply go away with time. In this scenario, Marsha does not walk away from her computer to do other things. She stays online with the issue in front of her and prepares to react responsibly.
3. Do Not Mess With The Hacker’s Doings
It is understandable that a user who is wronged by a cyber attack will feel a personal need to avenge their privacy. This may involve trying to regain your privacy from the cybercriminal directly, but getting revenge in this situation is highly unrecommended. Regardless of whether you are skilled at ethical hacking or not, engaging with an adversary directly is highly dangerous and could ultimately end up increasing the damage already done. Even more so, by trying to regain your privacy yourself, you may accidentally ruin evidence from your case that could be used to identify the cybercriminal.
As a user, it may be difficult for you to trust the organization to handle the dilemma, but based on the amount of resources and teams of expertise (as well as some aid from law enforcement), you should realize that the organization is more capable and better equipped to take on a cybercriminal instead of you.
If you decidedly interfere in the official party’s incident-handling process, you ultimately make it more difficult for the official party to resolve the issue. There is also the possibility that you could end up facing legal charges for your inability to comply with their jurisdiction. Overall, it is easier and more effective to let the official party do their work. Contrary to what most believe, cybercriminals do get caught and they do get rightfully punished in official courts of law.
DO’S
In this portion of incident-handling as a user, it is highly recommended that users perform the main step of reporting the incident as soon as possible:
Immediately report the incident
As demonstrated by the list of suspicious signs above, there are many things that a user is bound to notice and consider as a possible cyber attack, but the most important point is to ensure that such suspicious activity gets reported and does not go unaddressed. Even if an error turns out to be a simple malfunction of the equipment itself, it is better to report such activity as the possibility of a cyber attack than to do nothing at all and later see your privacy compromised.
Furthermore, the act of reporting a possible cyber attack applies to the principle of being a good “cyber-samaritan”. A regular samaritan in the physical world is defined as “a charitable or helpful person” who shows virtue by lending a hand to any individual in need. Reporting a possible cyber attack is the presentation of such virtue. By reporting a breach, you are performing a service for the organization or individual involved. Since the time frame for incident-handling is rather tricky, organizations should be grateful that they are alerted immediately of the incident so that they can begin working to resolve it. Not to mention, by reporting a possible cyber attack, you could also be saving another user (or several) from falling victim to a cybercriminal’s scheme. Therefore, reporting the incident to the organization or individual is paramount, and it is crucial that upon noticing or being alerted of an issue, that you report it immediately to the official party.
Following the example of Marsha and the possible cyber attack against The Border Collie Group, Marsha does the following things as a responsible user:
1. She keeps the site window with the issue open.
Do not click out of the window where you can see the issue is apparent or to watch the process of the problem unfold. It is crucial that you do not lose your place in this area. It ultimately acts as your evidence of the claim to report.
2. Marsha opens a separate window to navigate to the official organization’s web-page.
When reporting a cyber attack, be sure to navigate to the official source of the organization or individual. You must be online the proper website that belongs to the official party in order to legitimately report a claim.
3. Marsha finds the legitimate contact information on The Border Collie Group’s website and performs either one or both acts: Calling the organization with a provided phone number, or leaving a civilized email message.
Depending on the type of contact information posted on a party’s site, most organizations have an official phone number for users to call or a provided email address/space to send a message. While it is good to email the official party about the issue, it is slightly more effective if you are able to talk to one of their employees in real-time. Reporting the incident via phone may result in a faster reaction time for the organization to deal with the problem, whereas an email may sit in an inbox for a few hours (or even days) before being opened. Since Marsha is aware of this possibility, she sends an email to The Border Collie Group explaining the incident, but also gets on the phone with one of their employees to explain the incident verbally.
4. The involved party (The Border Collie Group) reacts to Marsha’s claim
In this step of the process, the user now no longer has control of what actions can be performed. Marsha has done her job as a user to report the possibility of a cyber attack, but now she is vulnerable to how the organization chooses to respond. In one scenario, the organization will promise to look into the issue. They may launch an investigation with their security team, analyzing the problem of users not being able to change their usernames and passwords, and find that is just a problem with the website coding. This should be taken as good news for Marsha, and the organization. The problem is soon fixed, and both parties can go about their business.
However, if the issue turns out to be a cyber-attack, the organization will go into incident-handling mode in order to deal with the attack. Depending on how many other clients reported the same problem, the organization may tell Marsha that they are aware of the attack and can assure her that they are already working on it to fix it. If Marsha is the first user to report the incident, the organization may have her stay on hand to ask questions about the claim. They could just as well simply thank Marsha for reporting the incident, and assure her that they will handle it from there. Either way, a user should not further interfere with the handling of a cyber attack unless an organization legitimately needs them to be involved (either for information purposes, such as questioning, explanation, etc. but never direct action in regaining privacy).
For another scenario, let’s say that after reporting the incident to The Border Collie group, Marsha gets the feeling that the organization did not take her claim seriously, and she is led to believe that they will not do anything about the issue although they are aware of its existence. Hopefully, this event would be very rare, for whenever the words “cyber attack” are used in the same sentence as a company or individual’s name, the people involved should spring into action to find out whether this fearful claim is true.
While it may be the impulse of some users (being disgruntled after a party’s indifferent reaction) to take to social media and report the incident there, this can easily turn around to become disastrous for the user. Besides the storm of negative or positive reactions that would increase the stress of the situation, if your statement turns out to be false that an official party chose to do nothing about a known cyber attack, you could be sued for defamation.
Since no one would like a lawsuit on their hands, the appropriate thing to do in this scenario is to contact the national consumer protection and privacy agency for your country or state. Since Marsha lives in the U.K., she would report her incident to Action Fraud (actionfraud.police.uk); “the U.K.’s national reporting centre for fraud and cyber crime”.
The equivalent for the United States is the Federal Trade Commission (FTC). The FTC is a federal U.S. government agency that is committed to protecting America’s consumers and serves as an independent institution for privacy concerns to be reported. Most countries around the world have some sort of agency that is similar to Action Fraud or the FTC. You can either go online to search for the protection agency of your country or state, or you may be able to find your country in the list of national protection agencies listed by Europol.com:
Courtesy of Europol.com “Report Cybercrime Online”
CONCLUSION
Overall, handling a cyber-attack as a user is actually quite easy as long as you are able to control the impulses to act against the adversary, organization, and -ultimately- your own best interests. Reporting the possibility of a cyber attack as soon as possible is the most important thing that a user must do in an incident-handling situation. Although many of these points may seem obvious to enact or not enact, it is imperative that they are abided to. Remembering how often prevention techniques are elaborated on, it is hopeful that users become more prepared for when a cyber attack is bound to happen after it has already occurred.
SOURCES
U.S. Chamber of Commerce. “3 Things to Do Immediately If Your Business Is the Victim of a Cyberattack”. By Erik J. Martin.
Comments