Guidelines to handle blackmail attempt

IRM author: CERT SG / Julien Touche
IRM version: 1.3

1. Preparation

Objective: Establish contacts, define procedures, and gather information to save time during an attack.

Contacts

  • Identify internal contacts (security team, incident response team, legal department, etc.).
  • Identify external contacts who might be needed, mainly for investigation purposes (law enforcement, for example).
  • Make sure that the security incident escalation process is defined and its actors are clearly identified.
  • Make sure you have intelligence-gathering capabilities (communities, contacts, etc.) that can be called upon in such incidents.

Awareness

  • Make sure that all the relevant employees are aware of blackmail issues. This can be part of the security awareness program.

Verify that the backup and incident response processes are in place and up to date.

2. Identification

Objective: Detect the incident, determine its scope, and involve the appropriate parties.

  • Alert the relevant people.

  • Keep traces of any communication related to the incident (don’t delete emails; write down any phone contact with the phone number and a timestamp if available, fax, etc.). Try to get as many details as you can about the author (name, fax number, postal address, etc.).

  • Examine possible courses of action with your incident response team and legal team.

  • If internal data is involved, check that you have a safe backup of it and try to find out how it was obtained.

  • Inform top management that a blackmail attempt is in progress and is being handled according to a defined process.
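Keeping traces of every contact is easier if the traces are logged in one place, with a timestamp, the details known about the author, and a digest of the raw message so that a later copy can be checked for alteration. The register below is an added example, not part of the CERT SG IRM; the contacts it records (the email, the phone call, the names of the people logging them) are constructed for illustration, and the JSON export is the shape this example chose for the timeline the incident report asks for, not a format the IRM prescribes.

```python
"""Evidence register for the communications received during a blackmail attempt.

Added example, not part of the CERT SG IRM. Every contact (email, phone call,
fax, letter) is logged with a UTC timestamp, the details known about the
author and a SHA-256 digest of the raw artifact, so that the record can be
checked for alteration later and exported as a chronological timeline for
the incident report. All sample data below is constructed for illustration.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Digest of an artifact's raw bytes, taken at collection time."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class EvidenceRecord:
    received_at: datetime          # when the contact happened (timezone-aware, UTC)
    channel: str                   # "email", "phone", "fax", "letter", ...
    author_details: dict           # whatever is known: name, number, address
    summary: str                   # what was claimed or demanded
    logged_by: str                 # who wrote the entry down
    artifact_sha256: str | None = None   # digest of the stored raw message, if any


class EvidenceRegister:
    """Append-only log of contacts plus the raw artifacts backing them."""

    def __init__(self) -> None:
        self._records: list[EvidenceRecord] = []
        self._artifacts: dict[str, bytes] = {}   # digest -> raw bytes kept for investigators

    def add(self, record: EvidenceRecord, artifact: bytes | None = None) -> str | None:
        """Log a contact; if a raw artifact exists, keep it and record its digest."""
        if record.received_at.tzinfo is None:
            # Naive timestamps make timelines across sites ambiguous; refuse them.
            raise ValueError("timestamps must be timezone-aware (use UTC)")
        if artifact is not None:
            record.artifact_sha256 = sha256_hex(artifact)
            self._artifacts[record.artifact_sha256] = artifact
        self._records.append(record)
        return record.artifact_sha256

    def verify(self, digest: str, candidate: bytes) -> bool:
        """True only if `candidate` is byte-for-byte the artifact logged under `digest`."""
        return digest in self._artifacts and sha256_hex(candidate) == digest

    def timeline(self) -> list[EvidenceRecord]:
        """Records in chronological order, whatever order they were logged in."""
        return sorted(self._records, key=lambda r: r.received_at)

    def export_json(self) -> str:
        """Serialisation suitable for attaching to the incident report."""
        rows = []
        for r in self.timeline():
            d = asdict(r)
            d["received_at"] = r.received_at.isoformat()
            rows.append(d)
        return json.dumps(rows, indent=2, sort_keys=True)


# Constructed sample artifact for a fictional incident (not a real message).
SAMPLE_EMAIL = (
    b"From: anonymous@example.invalid\r\n"
    b"Subject: your customer database\r\n\r\n"
    b"Pay or the data goes public. Sample attached.\r\n"
)


def build_demo_register() -> EvidenceRegister:
    """Two constructed contacts, logged out of order on purpose."""
    reg = EvidenceRegister()
    # Logged first, but it happened later in the day: the timeline must sort it second.
    reg.add(EvidenceRecord(
        received_at=datetime(2024, 3, 4, 14, 30, tzinfo=timezone.utc),
        channel="phone",
        author_details={"caller_id": "withheld", "language": "en"},
        summary="Caller claims to hold customer data, demands contact by email",
        logged_by="helpdesk",
    ))
    reg.add(EvidenceRecord(
        received_at=datetime(2024, 3, 4, 9, 12, tzinfo=timezone.utc),
        channel="email",
        author_details={"from": "anonymous@example.invalid"},
        summary="Demand email with alleged sample of customer data",
        logged_by="soc-analyst",
    ), artifact=SAMPLE_EMAIL)
    return reg


if __name__ == "__main__":
    print(build_demo_register().export_json())
```

The digest is what lets the legal team or law enforcement confirm months later that the message they are shown is the one that was received; `verify` returns false both for an altered copy and for a digest the register never saw.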

3. Containment

Objective: Mitigate the attack’s effects on the targeted environment.

Determine how you can respond to the blackmail, and the consequences and costs of each option: ignoring it, answering yes, or answering no.

The most common threats associated with blackmail are:

  • Denial of service
  • Disclosure of sensitive data on the Internet (credit card or other personal data of customers or of internal staff/directors, confidential company data, etc.)
  • Disclosure of sensitive private information about employees/VIPs
  • Blocking access to your data (wiped or encrypted through ransomware, for example [1])
  • Mass-mailing using the brand (spam, child pornography [2], bad rumours, etc.)

Check the background

  • Check whether similar blackmail attempts have taken place in the past, and whether other companies have been threatened as well.

  • All related technical data should be checked carefully and collected for investigation purposes.

  • Look for anyone who might have an interest in threatening your company:

    • Competitors
    • Ideologically-motivated groups
    • Former or current employees
  • Try to identify the attacker from the available pieces of information.

  • More generally, try to find out how the attacker got into the system or obtained the object of the blackmail.

Contact local law enforcement to inform them.

Try to gain time and obtain details from the fraudster. Ask for:

  • Proof of the claims: sample data, evidence of intrusion, etc.
  • Time to obtain what the fraudster wants (money, etc.)

  [1] http://en.wikipedia.org/wiki/Ransomware_(malware)

  [2] Betting websites blackmailed with child pornography, 27/10/2004, http://software.silicon.com/malware/0,3800003100,39125346,00.htm

4. Remediation

Objective: Take actions to remove the threat and avoid future incidents.

If a flaw has been identified in a technical asset or a process that allowed the attacker to get access to the object of the blackmail, ask for an IMMEDIATE fix in order to prevent another case.

  • After getting as much information as possible, ignore the blackmail and ensure that appropriate monitoring is in place to detect and react to any follow-up.
  • Don’t take any remediation decision alone if strategic assets or people are targeted. Involve the appropriate departments.

Remember that a positive answer to the fraudster is an open door for further blackmail attempts.

5. Recovery

Objective: Restore the system to normal operations.

Notify top management of the actions and decisions taken on the blackmail issue.

6. Aftermath

Objective: Document the incident’s details, discuss lessons learned, and adjust plans and defences.

If you don’t want to file a complaint, at least notify law enforcement, as other organizations could be affected. At the same time, inform management and subsidiaries so that the organization holds a single position in case the fraudster tries to blackmail another internal department.

Report

An incident report should be written and made available to all the actors involved in the incident.

The following themes should be described:

  • Initial detection
  • Actions and timelines
  • What went right
  • What went wrong
  • Incident cost

Capitalize

Actions to improve the blackmail handling processes should be defined to capitalize on this experience.