Incident Response Methodology
IRM #10
Social Engineering Incident
How to handle a social engineering incident (phone or e-mail)
___________________________________________________
IRM Author: CERT SG Team
IRM version: 1.2
E-Mail: [email protected]
Web: https://cert.societegenerale.com
Twitter: @CertSG

Abstract
This Incident Response Methodology is a cheat sheet for handlers investigating a specific security issue.

Who should use IRM sheets?
Administrators
Security Operation Center
CISOs and deputies
CERTs (Computer Emergency Response Team)

Remember: if you face an incident, follow the IRM, take notes and do not panic. Contact your CERT immediately if needed.

Incident handling steps
Six steps are defined to handle security incidents:
Preparation: get ready to handle the incident
Identification: detect the incident
Containment: limit the impact of the incident
Remediation: remove the threat
Recovery: recover to a normal state
Aftermath: draw up and improve the process
The IRM provides detailed information for each step.

This document is public use.


Step 1: Preparation
Objective: Establish contacts, define procedures, and gather information to save time during an incident.

■ Raise user awareness and security policies
Never give any personal or corporate information to an unidentified person. This includes user IDs, passwords, account information, names, e-mail addresses, phone (mobile or landline) numbers, postal addresses, social security numbers, job titles, and information on clients, the organization or IT systems.
The goal of the social engineer is to steal human resources, corporate secrets or customer/user data.
Report any suspicious event to your manager, who will forward it to the CISO so that reporting is centralized.

■ Have a defined process to redirect any "weird" request to a "red" phone line, if needed.
The red phone number must be clearly tagged "Social Engineering" internally. The number has to be easy to find in the company's global phone directory, but a reverse lookup on that number must not reveal what it is, otherwise the attacker can tell that he is being handed to the security team.
The red phone line should always be recorded, for evidence collection purposes.

■ Prepare to handle conversations with social engineers, so as to identify which information could help track the attacker and his goals.

■ Check with your legal department which actions are allowed and which reactions they can handle.


Step 2: Identification
Objective: Detect the incident, determine its scope, and involve the appropriate parties.

Actions for all employees:

■ Phone call: someone you don't know calls you or your service, asking for detailed information.
If the contact is outside the company and requests information that could be valuable to a competitor, deny the request and go to step 3.
If the contact claims to be an employee of your company but the phone number is hidden or not internal, propose to call back on the number declared in the directory. If the supposed attacker agrees, call back to check. If he rejects this option, go to step 3.
The attacker may use several techniques to entice the victim to speak (fear, curiosity, empathy, ...). Do not disclose information in any case.
Listen carefully to his requests and, at the end, ask for a phone number to call back or an e-mail address to reply to. Take notes and stay calm, even if the attacker is shouting or threatening: remember that he is trying to exploit human weaknesses.
If you can go further, the following information will be valuable:
- the name of the correspondent,
- the requested information / people,
- accent and language skills,
- industry language and organizational knowledge,
- background noises,
- time and duration of the call.

■ E-mail: someone you don't know requests detailed information.
If the contact has an e-mail address from outside the company and requests information that could be valuable to a competitor, go to step 3.
If the contact uses an internal e-mail address but is asking for weird information, ask him for an explanation and use the company directory to find his manager's name, whom you put in copy of your reply.

■ If appropriate, notify top management that a social engineering incident has been encountered. Depending on the context, they may understand what the attacker is after.


Step 3: Containment
Objective: Mitigate the attack's effects on the targeted environment.

At this step, you should be fairly sure that you are dealing with a social engineering attack.

Actions for all employees:

■ Phone call
If the attacker urges you to give him a phone number, follow these steps:
- Use the "red phone line" of your CERT/CSIRT, if one exists.
- Give him the number together with an invented name.
- Immediately call your CERT/CSIRT team, explain what happened and tell them the invented name you chose.
If the attacker puts too much pressure on you and does not give you time to find the red phone number, ask him to call back later, pretending you have a meeting.
If the attacker wants to reach someone, follow these points:
- Place the attacker on hold, call the CERT/CSIRT team and explain what happened.
- Transfer the attacker's call to the CERT/CSIRT team (do not give him the number).

■ E-mail
Forward to your security team every such e-mail including its headers (send it as an attached document) for investigation purposes. The headers may help track the attacker.

Actions for the CERT or incident response team:

■ Phone call
Resume the conversation with the attacker and use one of these techniques:
- Impersonate the person the attacker is trying to reach.
- Slow down and prolong the conversation, to entice the attacker into making mistakes.
- Explain that social engineering is forbidden by law, punishable by sanctions, and that the legal team will handle the matter if it continues.
If the trap phone number has been used, prepare to "burn" it: create another one and publish it in the directory.

■ E-mail
Collect as much information as possible on the e-mail address:
- Analyze the e-mail headers and try to locate the source.
- Search the e-mail address with Internet tools.
- Geolocate the user behind the e-mail address.

■ Aggregate all social engineering attacks, to visualize the overall scheme.


Step 4: Remediation
Objective: Take actions to remove the threat and avoid future incidents.

Some possible remediation actions can be tried:
■ Alert law enforcement and/or file a complaint.
■ Discuss the problem in circles of trust to find out whether the company is facing this issue alone.
■ Threaten the attacker with legal action, if he can be identified.


Step 5: Recovery
Objective: Restore the system to normal operations.

Notify top management of the actions taken and the decisions made on the social engineering case.
Inform your hierarchy and subsidiaries about the incident; this could help avoid similar attacks later.


Step 6: Aftermath
Objective: Document the incident's details, discuss lessons learned, and adjust plans and defences.

Report
An incident report should be written and made available to all the actors of the incident.
The following themes should be described:
■ Initial detection
■ Actions and timelines
■ What went right
■ What went wrong
■ Incident cost (direct and indirect losses)

Capitalize
Actions to improve the social engineering handling process should be defined to capitalize on this experience, especially awareness.
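The e-mail actions of the Containment step (analyze the headers of forwarded e-mails, locate the source, aggregate all attacks to visualize the scheme) can be scripted so the CERT triages reported messages consistently. The following Python example is added here and is not part of the IRM sheet or of CERT SG's tooling. It assumes a company domain of example.com and an internal mail network of 198.51.100.0/24, and the three raw messages are constructed for the example; only the standard library is used.

```python
"""Triage of e-mails forwarded to the security team (added example).

Assumptions, not from the IRM sheet: the company domain is example.com and
its mail servers sit in 198.51.100.0/24. The sample messages are constructed.
"""
import ipaddress
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                          # assumption
INTERNAL_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # assumption
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample 1: external sender posing as internal IT support.
SAMPLE_1 = """\
Received: from mail.example.com (mail.example.com [198.51.100.10]) by mx.example.com; Mon, 3 Jun 2024 09:15:02 +0000
Received: from relay.freemail.test (relay.freemail.test [203.0.113.77]) by mail.example.com; Mon, 3 Jun 2024 09:14:58 +0000
Return-Path: <bounce@freemail.test>
From: "IT Support - example.com" <it.support.example@freemail.test>
Reply-To: <helpdesk-reset@other-mail.test>
To: <alice@example.com>
Subject: Urgent: confirm your VPN password

Please reply with your user ID and current password.
"""

# Constructed sample 2: forged internal From address, injected from outside.
SAMPLE_2 = """\
Received: from mail.example.com (mail.example.com [198.51.100.10]) by mx.example.com; Mon, 3 Jun 2024 10:02:11 +0000
Received: from unknown (HELO example.com) [203.0.113.77] by mail.example.com; Mon, 3 Jun 2024 10:02:09 +0000
From: "Bob Martin" <bob.martin@example.com>
Reply-To: <b.martin.ext@other-mail.test>
To: <alice@example.com>
Subject: Client list for the board meeting

Send me the full client list, I am in a meeting and cannot log in.
"""

# Constructed sample 3: legitimate internal mail, nothing to flag.
SAMPLE_3 = """\
Received: from ws-carol.example.com (ws-carol.example.com [198.51.100.20]) by mail.example.com; Mon, 3 Jun 2024 11:40:00 +0000
From: "Carol Dupont" <carol.dupont@example.com>
To: <alice@example.com>
Subject: Lunch?

Canteen at noon?
"""


def domain_of(addr):
    """Domain part of an address, lower-cased; empty string if none."""
    addr = addr.lower()
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def originating_ip(msg):
    """IP of the earliest hop: Received headers are prepended, so the
    bottom-most one is closest to the real source."""
    for hop in reversed(msg.get_all("Received") or []):
        m = IP_RE.search(hop)
        if m:
            return m.group(1)
    return None


def ip_is_internal(ip):
    try:
        a = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(a in net for net in INTERNAL_NETS)


def analyze_email(raw):
    """Extract sender indicators and flag the usual social-engineering tells."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    origin = originating_ip(msg)
    flags = []
    if domain_of(from_addr) != INTERNAL_DOMAIN:
        flags.append("external-sender")
        if INTERNAL_DOMAIN in display.lower():      # "IT Support - example.com"
            flags.append("display-name-spoof")
    elif origin and not ip_is_internal(origin):      # internal From, outside origin
        flags.append("internal-address-external-origin")
    if reply_to and domain_of(reply_to) != domain_of(from_addr):
        flags.append("reply-to-mismatch")            # answers go somewhere else
    if return_path and domain_of(return_path) != domain_of(from_addr):
        flags.append("return-path-mismatch")
    return {"from": from_addr, "from_domain": domain_of(from_addr),
            "reply_to": reply_to, "reply_to_domain": domain_of(reply_to),
            "return_path": return_path, "origin_ip": origin, "flags": flags}


def aggregate(results):
    """Tally indicators across all reported e-mails to expose a common scheme."""
    return {
        "by_origin_ip": Counter(r["origin_ip"] for r in results if r["origin_ip"]),
        "by_reply_to_domain": Counter(r["reply_to_domain"] for r in results if r["reply_to_domain"]),
        "by_from_domain": Counter(r["from_domain"] for r in results),
    }


if __name__ == "__main__":
    results = [analyze_email(s) for s in (SAMPLE_1, SAMPLE_2, SAMPLE_3)]
    for r in results:
        print(r["from"], r["origin_ip"], r["flags"])
    print(aggregate(results))
```

Run on the three samples, the first two messages are flagged while the third is clean, and the aggregation shows that both suspicious messages were injected from 203.0.113.77 and point replies at the same other-mail.test domain, which is the kind of link the "aggregate all attacks" action is meant to surface. The originating IP is only a lead: it is the first hop your own servers saw and can be a relay, which is why the sheet says "try to locate" the source.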