- If 2020 was the year of the coronavirus pandemic, so far 2021 has been infected by a different viral scourge: ransomware – with a bevy of high-profile attacks on an energy pipeline, meat processor and even piggybacking off of an IT infrastructure software firm to infiltrate thousands of organizations.
- While many associate October with Halloween, sweet treats, werewolves and vampires, this month is also dedicated to “Cybersecurity Awareness,” lessons that can and should be remembered and reviewed year-round with human error the culprit behind more than 90 percent of successful virtual attacks.
- Meaning now is an ideal time to learn about Ransomware, as it has been doing is own version of sucking people dry – bank accounts mostly. Opportunistic organized crime groups have been able to lock up larger companies, healthcare firms, hospitals, law firms and more – reaping millions of dollars in crypto paydays.
By Yumi E. Suzuki, PhD, School of Criminal Justice Wichita State University and Sergio A. Salinas Monroy, PhD, Department of Electrical Engineering & Computer Science, Wichita State University
October 8, 2021
With edits and minor contents additions by ACFCS VP of Content, Brian Monroe
If 2020 was the year of the coronavirus pandemic, so far 2021 has been infected by a different viral scourge: ransomware – with a bevy of high-profile attacks on an energy pipeline, meat processor and even piggybacking off of an IT infrastructure software firm to infiltrate thousands of organizations.
While many associate October with Halloween, sweet treats, frightful costumes, ghosts, ghouls, werewolves and vampires, this month is also dedicated to “Cybersecurity Awareness,” lessons that can and should be remembered and reviewed year-round with human error the culprit behind more than 90 percent of successful virtual attacks.
Meaning now is an ideal time to learn about Ransomware, as it has been doing its own version of spreading fear, terrifying companies large and small and sucking people dry – bank accounts mostly.
While only one attack vector in an increasingly devious and devastating arsenal of cyberattack weaponry, ransomware, previously a relatively minor threat in the cybercrime landscape, has become a high-profile problem in recent years.
Opportunistic organized crime groups, and even lower level foreign players, have been able to lock up larger companies, healthcare firms, hospitals, law firms and even the very law enforcement officials charged with investigating these types of crimes.
At its heart, ransomware is a type of malicious software that encrypts users’ files or blocks access to their computer systems until the user ponies up funds to pay the criminal a fee to finally release them – typically paid in difficult-to-trace virtual currency, such as Bitcoin.
This type of exploitation scheme targets and takes advantage of both inherent human weaknesses and more arcane technical vulnerabilities, such as an unpatched computer system, antivirus program or leaky firewall.
The issue has risen to the highest levels of many governments around the globe, becoming a national security issue, as some attacks have targeted government intelligence and infrastructure, not just private sector corporations looking for a quick crypto buck.
Last week, the Biden Administration announced that top U.S. national security advisers will gather officials from 30 countries as soon as this month with plans to combat the growing threat of ransomware and other cybercrimes, according to media reports.
An online session hosted by the White House National Security Council will also be aimed at “improving law enforcement collaboration” on issues like “the illicit use of cryptocurrency,” Biden said in a statement.
The Biden administration has elevated the response to cybersercurity to the senior-most levels of the administration following a set of attacks this year that threatened to destabilize U.S. energy and food supplies, according to the report.
The meat producer JBS SA paid $11 million to end an attack on its systems that halted production and was believed to have originated from a criminal group with Russian origins.
Colonial Pipeline paid a hacker gang believed to be based in Eastern Europe nearly $5 million to regain access, some of which was later clawed back by U.S. law enforcement.
A historic breach uncovered at the tail end of 2020, in December, seemed to set the tone for a cyber-dampened 2021: The SolarWinds debacle.
What was it?
In short, it was a hacking campaign that used a U.S. tech company as a springboard to compromise a raft of U.S. government agencies.
How big a deal was it?
In February, Microsoft Corp. President Brad Smith called it, “the largest and most sophisticated attack the world has ever seen,” according to media reports.
The operation, reportedly orchestrated by Russia, breached software made by SolarWinds Corp., giving hackers access to thousands of companies and government offices that used its products, according to Reuters.
The hackers got access to emails at the U.S. Treasury, Justice and Commerce departments and other agencies.
The SolarWinds hack illustrated in a profound and concrete way the dangers of when a bad guy gets a viral payload into a formerly trusted piece of software, leading to a disastrous infection and intelligence infiltration many are calling the worst in the country’s history.
To ward off potential ransomware attack, be email, text savvy
Have you received an email from “Netflix” to update your account? How about emails supposedly from the CDC about the coronavirus?
We all know we shouldn’t click the link, but when the logos seem real and the curiosity gets the best of us, some of us find ourselves falling into the hands of phishers.
The FBI defines phishing as “the use of unsolicited email…purportedly from a legitimate company requesting personal, financial, and/or login credentials” (1, p. 28). The recent FBI’s Internet crime report (1) indicates that phishing is the most frequently reported Internet crime, costing victims more than $54 million in 2020.
But potentially one of the most insidious forms of this storm of miscreant malware is the Business Email Compromise (BEC) attack.
Why? This form of cyber-enabled fraud focuses on the weakest vulnerability in every seemingly unbreachable virtual vault: human error.
In many cases of BEC attacks, the scammer takes time to understand an organization and who controls the finances, even going so far to review a target’s social media accounts to better sound and act like them – or their bosses.
In the attack, the illicit entity doesn’t take a blunt, blunderbuss approach, but uses deception and impersonation to, say, spoof the email of a budget overlord or C-suite bigwig and then sends a seemingly innocuous message to the finance department.
“Hey, Mary, hope you had a great time at Disney World last week, I bet the kids had a blast. Anyhoo, can you change the wire instructions for Vandalay Industries and send $1 million by EOD? This is a priority to keep the client happy. And if you get this done in the next hour, there might something extra in the bonus department for you too!”
Once the money is sent, typically to a shell company in an offshore secrecy haven with weak counter-crime compliance defenses and gripped in graft, it is moved to a maze of foreign accounts, back to an operation controlled by the organized criminal group.
What’s worse, these types of BEC virtual fusillades are rising, with precision digital munitions targeting organizations that perform wire transfer payments costing individuals and companies approximately $1.8 billion in losses.
Phishing and Ransomware: Think before you link
Besides these monetary losses, phishing emails can be a vehicle for delivering malware as an attachment or an embedded URL.
Malware can take many forms and have varying degrees of virtual virulence. Some examples include:
- Spyware: This is, as the name implies, a specific malware used to covertly gather data on an unsuspecting user’s computer. In certain cases, the program is geared to look for bank passwords stored on your computer.
- Keylogger: A keylogger is a particularly persnickety kind of spyware that records keystrokes in order to steal passwords.
- Rootkit: software tools that give illicit actors control over a computer by gaining root access (administrator-level control).
- Remote Access Trojan: A remote access Trojan (RAT) is a malware program that includes a back door for administrative control over the target computer. RATs are usually downloaded invisibly with a user-requested program — such as a game — or sent as an email attachment.
- Malware downloader: A trojan-downloader is a type of trojan that installs itself to the system and waits until an Internet connection becomes available to connect to a remote server or website in order to download additional programs (usually malware) onto the infected computer.
- Adware: malware that forces your browser to redirect to web ads, which often seek to download even more malicious software.
- Ransomware: think Colonial Pipeline – malware that encrypts a hard drive’s files and demands payment in exchange for decryption key.
- Scareware: ransomware that claims to have taken control of your computer and demands a ransom, but actually is just using tricks like browser redirect loops to make it seem like a true ransomware attack.
- Cryptojacking: crypto mining malware infects your computer and uses your CPU cycles to mine Bitcoin for your attacker’s profit.
- Malvertising: use of legitimate ads to covertly deliver malware to unsuspecting users’ computers.(2).
According to Kratikal (3), a network security company, 97% of phishing emails received by its customers in 2020 contained ransomware.
On March 16, 2021, the FBI (4) sent an alert to cybersecurity professionals and system administrators about an increase in ransomware attacks, perpetrated in part by phishing emails, on educational institutions.
Other organizations have also been increasingly targeted by ransomware, which is initiated through phishing emails that exploit software or RDP (Remote Desktop Protocol) vulnerabilities (5).
In October 2020, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the U.S. Department of Health and Human Services advised healthcare organizations to be vigilant regarding increasing and imminent malicious ransomware attacks (6).
In that missive, the trio of U.S. government agencies detailed fresh warnings about the rising cyber-scourge of ransomware, stating they had intelligence that digital attackers were targeting the U.S. healthcare system, a callous and ill-timed attack that could have costed lives during an uptick at the time of coronavirus cases.
In the hefty and alarming alert, the FBI and other agencies stated they had “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers,” a warning made all the more dire as the country was still firmly in the grasp of the rampaging and ravenous COVID-19 pandemic.
The agencies were trying to warn hospitals, medical offices, outpatient facilities and every operation associated with the sector that illicit hacking collectives were looking to engage in “data theft and disruption” of services, including life-saving medical treatments, to lock down systems for multi-million dollar payments and pilfer data to open doors for further virtual fusillades or sell on darknet markets.
In recent years, the overall global costs and smoking virtual ruins left by ransomware attacks have soared, from an estimated $8 billion in 2018, to $20 billion in 2020, according to a 2017 report from Cybersecurity Ventures.
Two disturbing recent trends are data releases, resulting in double extortion, and the growth of Ransomware-as-a-Service options that are readily available for less skilled individuals with malicious intent (5).
Phishing and Identity Theft: Who can be more you than you? Them.
Perhaps a more well-known consequence of phishing is identity theft.
Verizon’s data breach report (7) and the U.S. Department of Justice press releases consistently indicate the involvement of organized crime groups in identity theft incidents.
The FBI (8), in its identity theft investigations, exclusively funnels its resources toward organized groups and criminal enterprises.
Although federal investigations and resources are warranted for combating criminal enterprises’ involvement in identity theft, more “ordinary” identity theft or other types of fraud have not received much attention from law enforcement.
Unfortunately, for even powerful federal investigative agencies, they can face hard choices about which cyber-enabled fraud or identity theft cases to tackle.
Is it one person who lost their identity? How much did the criminal group steal? Were other people involved? Is the same group tied to larger hack attacks or data breaches against larger corporations?
In discussions with federal investigators, they typically won’t take a criminal case unless the pilfered funds or assets amount to $500,000 or even $1 million – chiefly because any figure below that threshold will be scoffed at by harried and overworked prosecutors.
In that same vein, investigators must determine if the digital brigands are foreign or domestic.
If foreign, where are they located? Does that country have a working mutual legal assistance treaty (MLAT) or other agreement to share information on investigations with the United States?
In too many cases, say if the foreign attackers are from countries currently at odds with U.S. interests – such as Russia, China or even blacklisted regions like Iran and North Korea – a seemingly promising investigation into a ransomware gang can crumble.
This lack of focus, resources or reach among law enforcement may have created misconceptions about the severity and the actual impact of fraud and identity theft crimes (9).
One frightening report points out how easy it can be for phishers to steal victims’ credentials and PII (Personally Identifiable Information) even when anti-phishing mechanisms are in place.
Phishers typically have nearly nine hours until a fraudulent website is detected as malicious once the first victim visits the site, and an additional 12 hours until the last unsuspecting victim’s visit (10).
With such startling statistics and creative criminals working so hard to stack the odds in their favor, strategic efforts are needed to minimize the resulting fraud and damage to organizations’ assets – or, best of all, identify and evade their traps before falling prey in the first place.
The Situational Crime Prevention Approach: Tackling human, environmental cyber gaps simultaneously
What can users and organizations do to prevent phishing attacks and mitigate potential damage as phishers swim through the information infrastructure?
A well-established yet rarely utilized crime prevention approach can provide a checklist of countermeasures to minimize human and environmental vulnerabilities. The situational crime prevention approach attempts to limit opportunities to commit a crime by influencing decisions about offending (11).
For example, a store manager might install surveillance cameras at strategic places inside and outside the store to reduce opportunities for theft.
Similarly, a supervisor might assign multiple people to sign off on accessing financial data to prevent internal fraud. Such measures based on the situational crime prevention approach can make an environment less conducive to committing crimes.
Another helpful feature of the situational crime prevention approach is a crime script (12), whereby system administrators could assess appropriate safeguards as a security incident progresses.
A crime script for perpetrators of phishing emails could be described as follows:
- Searching for target: Obtain email addresses,
- Target acquired: Send phishing emails using phishing kits,
- Weapons free: Wait for URL clicks or an attachment to open,
- Enemy defenses broken: Collect credentials,
- Inside enemy territory: Enter target network and locate PII,
- Infiltrate, capture intelligence: Access and extract PII,
- Exfiltrate, mission successful: Lastly, exit the system.
Throughout this progression of events, users and system administrators have opportunities to mitigate the risk of further damage.
To present countermeasures that users and system administrators can implement, we have broadly categorized a phishing incident progression into three phrases: pre-phishing, after clicking on a URL or opening an attachment, and post-phishing.
It is relatively easy for anyone to locate someone’s name, age (or even birthday), and current residence on the Internet, thanks to data brokers.
Most likely, your PII is already floating on the Internet due to data breaches, such as the 2017 Equifax and 2018 Facebook incidents. Phishers may take advantage of these sources to obtain just enough information about you to send you realistic-looking emails.
You can proactively limit your cyber presence by asking data brokers to delete your personal information, refraining from posting private information (particularly related to your PII), and subscribing only to trusted websites for news alerts or other services.
You can also take advantage of the default email features, such as the automatic spam folder and junk or phishing email reporting, offered by most email providers.
Furthermore, you can check the sender’s address to see if you detect anything suspicious.
For example, the IRS is unlikely to send you an email with a domain name that ends with gmail.com; government agencies and some private organizations are more likely to use snail mail for official communications.
When in doubt, you can hover over a link with your mouse to see a URL; if you can’t decipher it, you might consider reporting the email to your system administrator or email provider.
Users also must work to create what many in the cyber defense, intelligence and security sectors call a “zero trust” mentality.
That means you give a jaundiced, suspicious eye to every email, regardless of where it originates, internally or externally, because fraudsters are infinitely creative in their malware attacks – even broad attacks that take little effort and can blanket an entire organization in nanoseconds.
What do we mean and what are some examples?
During tax time, criminal groups will send you diseased links saying something like: “Your tax return is ready, click here for more details.” Or, conversely, “You owe the IRS taxes, but we can be paid in iTunes gift cards.”
As the pandemic worsened and stimulus checks started wending their way to desperate, distracted and scared individuals around the world, scammers sent phishing emails stating they have N95 masks, full coronavirus cures – and later that your stimulus check was ready – just click this link.
But even before that, ransomware, BEC and related schemes and scams have been soaring in recent years.
Some of the prevalent and still-pervasive scam emails range from the obvious to the oblivious, comical to ironical.
Tell me if you have heard this one before: You have a fax message waiting, please click here to read it. Note to scamsters: No one uses fax machines. Not when they can use email.
You have a voice message waiting, click here to listen to it. Your paycheck is ready, click here to view it. Your colleagues have a Microsoft Teams message for you, click here to view it.
These may sound silly, even harmless, but they are not.
Even with bombastic email blasts, illicit groups can easily capture and weave in your full name, phone number, company name and even company logo – so at first blush, all of the basic data checks out for an email.
It’s usually only after a deeper inspection you find the address is off or the layout of the email is not similar enough to other interoffice missives.
The United Kingdom’s National Cyber Security Centre (13) encourages system administrators to assess the amount of publicly available information on the organization’s website and social media.
The Better Business Bureau (14) also recommends that both individual users and organizations should limit the posting of personal information, particularly contact information, online.
System administrators can proactively limit users’ cyber presence so that open-source intelligence used by phishers bears little fruit.
System administrators might consider using honey accounts to deflect phishers from accessing legitimate email accounts.
If compromised credentials are reported, associated accounts should be disabled immediately. As one of the threat vectors, users must be trained to distinguish phishing from legitimate emails.
One report on a cybersecurity awareness training effort (15) indicated that users could successfully distinguish phishing from legitimate emails even four months after the training.
System administrators might consider regularly offering or requiring users to complete cybersecurity awareness training to become familiar with policies governing organizational emails and credential disclosure.
To sustain enthusiasm, system administrators may provide award programs for users who engage in good email practice.
Rewarding them with a coveted parking space for a period of time or with other privileges may encourage users to remain vigilant.
Lastly, system administrators can provide situational reminders to users by implementing banner alerts for potential phishing emails from outside organizations. Flagging suspicious URLs in emails may further keep users from being caught in the phisher’s bait.
After Clicking on a URL or Opening an Attachment: From defense to damage control
Users should immediately change the password associated with any compromised email address or accounts.
If appropriate, report the incident to the system administrator so that the compromised credentials will be disabled. Make sure that your firewalls are on and that all operating systems and software are updated. Run antivirus and anti-malware programs if you have them.
In the meantime, you might consider placing a fraud alert or a security freeze on your credit reports to prevent attackers from fraudulently opening any new accounts in your name.
Note that a fraud alert on your credit report does not necessarily prevent identity thieves from opening new accounts in your name. A security freeze, therefore, is the best option.
In addition, check your credit reports periodically to see if you find any fraudulent activities or discrepancies.
Most major credit card companies offer credit monitoring free of charge, so you could indirectly monitor your credit reports via your credit card companies instead of directly checking in with the three major credit bureaus.
If you have noticed that your PII has been used fraudulently, report the incident to your financial institutions, the local police department, the Federal Trade Commission, and the FBI, if appropriate.
Whereas financial institutions can verify fraudulent activity in your account to resolve the case, local police departments do not have access to this information and are likely to require evidence of identity theft.
Be prepared to submit a copy of credit card statements, bank statements, returned checks, or loan applications as evidence of identity theft.
You might also consider reporting phishing emails to anti-phishing websites (e.g., apwg.org) to help authorities and other professionals seeking to investigate and prevent fraud.
Most of the major companies have their own dedicated fraud department for investigating phishing scams.
For example, UPS encourages customers who receive fraudulent emails appearing to have come from them to report to email@example.com. Similarly, anyone receiving fraudulent emails from Amazon can report to firstname.lastname@example.org.
Users may or may not be aware of falling prey to phishing schemes.
To detect any unauthorized intrusion or activities, system administrators should apply various detection techniques to prevent further damage. For example, they can provide cyber guardianship by tracking email replies.
Phishers may fill the “from” field in their realistic emails with a legitimate-looking address, which they often do not control.
Instead, phishers use the “reply to” field to receive emails from unsuspecting victims.
The discrepancies between the “from” and “reply to” addresses are signs of phishing, except in cases where someone, such as a personal assistant, sends an email on behalf of a legitimate account holder.
Additionally, system administrators can monitor IP addresses, which include the ISP (Internet Service Provider) and the identifiers for users.
Although the user identifiers change constantly, the ISP remains constant; system administrators can identify suspicious logins from different ISPs by monitoring the ISPs when users log in to their email accounts.
CISA (16) recommends using the SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mails) to detect unauthorized emails.
If the DMARC (Domain-based Message Authentication, Reporting and Conformance) reject policy is implemented, it “provides the strongest protection against spoofed email, ensuring that unauthenticated messages are rejected at the mail server” (16, p. 2).
As part of user authentication, system administrators can require users to devise strong passwords and multifactor authentication.
CISA (17) recommends multifactor authentication of knowledge (e.g., passwords), possession (e.g., a code), and inherence (e.g., fingerprints) related to users rather than two-factor authentication.
To control access by phishers, system administrators can provide privileged access only to those who need access to files and programs and can assign multiple people to sign off on access to sensitive data.
Restricting users’ access to local networks or VPNs may offer additional safeguards against phishers.
System administrators can also ensure that network segregation and firewalls are in place and can use intrusion detection/prevention systems to receive real-time alerts of unauthorized access and prevent malicious activity from occurring.
Confirming that data are encrypted and backed up, and that all operating systems and software are updated automatically, should provide additional defense for the organization’s infrastructure.
Post-Phishing Considerations: response, resilience and recovery
After an attack, you might take stock of your cybersecurity systems to see if any further investment is warranted.
For example, you might consider subscribing to an email provider with end-to-end encryption or a VPN for network security. Installing antivirus and anti-malware programs can provide additional safety to your data and the computer.
You might have more evidence of identity theft at this point; if so, report the information to appropriate authorities to help in preventing a similar incident from happening to you or someone else.
The National Institute of Standards and Technology (18) recommends considering both security and liability issues before disclosing the details of exploited vulnerabilities.
Disclosure of a malicious attachment, for example, might provide clues to phishers and other attackers to help them further exploit the vulnerabilities before security patches are in place.
Liability issues, such as a nondisclosure agreement and confidentiality surrounding certain data, may prevent system administrators from discussing the security event with the public.
Lastly, system administrators may encourage users to access the IT site via VPN for the latest security requirements or other information. Legitimate users verified by organizations should be the only people able to access specific security requirements for users or scheduled security patches.
The Bottom Line: Innovate to authenticate, delete distractions, disengaging phish hooks
- It’s a good practice to have a strong password, multifactor authentication, encrypted and backup data, and updated operating system and software.
- You can proactively institute any of the measures suggested for system administrators at any stage to reduce the risk of phishing attacks.
- Multitasking can distract your attention from being vigilant to phishing attacks. Try not to automatically click any questionable link or click “reply” and “send,” which could cause you to inadvertently engage the phishers.
- Remember, when in doubt, hover the mouse over the link. If it’s phishy, don’t take the bait.
(1) Federal Bureau of Investigation. (2021). Internet crime report 2020. https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf
(2) Proofpoint. (2021). 2021 State of the phish: An in-depth look at user awareness, vulnerability and resilience. https://www.proofpoint.com
(3) Kratikal. (2020). Staggering phishing statistics in 2020. https://www.kratikal.com/blog/Staggering-phishing-statistics-in-2020/
(4) Federal Bureau of Investigation. (2021, March 16). Increase in PYSA ransomware targeting education institutions. Alert number CP-000142-MW. https://www.ic3.gov/Media/News/2021/210316.pdf
(5) FortiGuard Labs. (2021, February). Global threat landscape report: A semiannual report by FortiGuard Labs.
(6) CISA, FBI, HHS. (2020, October 29). Joint cybersecurity advisory: Ransomware activity targeting the healthcare and public health sector. AA20-302A
(7) Verizon. (2020). Data breach investigations report. https://enterprise.verizon.com/resources/reports/2020/2020-data-breach-investigations-report.pdf
(8) Federal Bureau of Investigation. (2006). Financial crimes report to the public. U.S. Department of Justice. https://fbi.gov/file-repository/stats-services-publications-fcs_report2006-financial-crimes-report-to-the-public-2006-pdf/view
(9) Button, M., & Cross, C. (2017). Cyber frauds, scams and their victims. Routledge.
(10) Oest, A., Zhang, P., Wardman, B., Nunes, E., Burgis, J., Zand, A., Thomas, K., Doupe, A., & Ahn, G.J. (2020b). Sunrise to sunset: Analyzing the end-to-end life cycle and effectiveness of phishing attacks at scale. Proceedings of the 29th USENIX Security Symposium. https://www.usenix.org/conference/usenixsecurity20/presentation/oest-sunrise.
(11) Ekblom, P. (2017). Crime, situational prevention and technology: The nature of opportunity and how it evolves. In M. R. McGuire & T. J. Holt (Eds), The Routledge handbook of technology, crime and justice. (pp. 353-374). Routledge.
(12) Cornish, D. (1994). The procedural analysis of offending and its relevance for situational prevention. In R. Clarke (Ed), Crime prevention studies, vol. 3. (pp. 151-196). Criminal Justice Press.
(13) National Cyber Security Centre. (2018). Phishing attacks: Defending your organization. https://ncsc.gov.uk/guidance/phishing.
(14) Better Business Bureau. (2019, September). Is that email really from “the boss?” The explosion of business email compromise (BEC) scams. https://www.bbb.org/article/news-releases
(15) Reinheimer, B., Aldag, L., Mayer, P., Mossano, M., Duezguen, R., Lofthouse, B., von Landesberger, T., & Volkamer, M. (2020). An investigation of phishing awareness and education over time: When and how to best remind users. Proceedings of the 16th USENIX Symposium on Usable Privacy and Security. https://www.usenix.org/system/files/soups2020-reinheimer_0.pdf
(16) Cybersecurity & Infrastructure Security Agency. (n.d.). CISA Insights: Enhance email & web security. https://www.cisa.gov/sites/default/files/publications/CISAInsights-Cyber-EnhanceEmailandWebSecurity_S508C-a.pdf
(17) Cybersecurity & Infrastructure Security Agency. (2020). Cyber essentials toolkit chapter 4: Your surroundings. https://www.cisa.gov/sites/default/files/publications/cyber%20Essentials%20Toolkit%204%2020200818_508.pdf
(18) Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012). Computer security incident handling guide: Recommendations of the National Institute of Standards and Technology. U.S. Department of Commerce. Special publication 800-61, Revision 2.