Jan 19 2024
“Today Microsoft Incident Response are proud to introduce two one-page guides to help security teams investigate suspicious activity in Microsoft 365 and Microsoft Entra. These guides contain the artifacts that Microsoft Incident Response hunts for and uses daily to provide our customers with evidence of Threat Actor activity in their tenant.”
InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory
Aug 08 2023
Incident response refers to the process followed by an organization to address and manage the aftermath of a security breach or cyber attack. The goal of incident response is to handle the situation in a way that limits damage, reduces recovery time and costs, and ensures that the incident is properly documented and reported to meet regulatory requirements.
In the simplest of terms, incident response is like a well-organized fire drill for cyber attacks. It’s a set of instructions that help IT staff and business owners identify, respond to, and recover from network security incidents. These instructions include steps to take when an attack is identified, who should be involved, how data should be collected and analyzed, and how to learn from the incident to prevent future attacks. See this detailed blog post for more background about incident response.
One of the primary reasons for having an incident response plan is to minimize the impact of attacks. Cyber attacks can lead to significant financial losses, especially for businesses that rely heavily on online transactions. An effective incident response plan can help businesses identify attacks early, contain them quickly, and minimize potential damage.
Moreover, incident response is not just about dealing with the attack itself but also about dealing with the aftermath of the attack. This includes notifying affected parties, managing public relations, and fulfilling any legal obligations. Having a plan in place ensures that these tasks are handled efficiently and effectively, reducing the overall impact of the attack.
Another critical aspect of incident response is recovery and restoration. After a cyber attack, it’s essential to restore systems and operations to normal as quickly as possible. Incident response teams work to eliminate the threat from the company’s systems, repair any damage, and restore data from backups.
The speed and efficiency of recovery can significantly impact a business’s bottom line. The longer it takes to recover, the more revenue is lost. Furthermore, prolonged recovery times can also damage a company’s reputation, leading to loss of customers and potential future business.
Cybersecurity incidents can have serious legal and regulatory implications for businesses. In many jurisdictions, businesses are required to report breaches to regulatory bodies and affected individuals. Failure to comply with these requirements can result in hefty fines and legal proceedings.
An incident response plan helps businesses meet their legal and regulatory obligations by ensuring that incidents are properly documented and reported. This includes keeping detailed records of the incident, the response actions taken, and the lessons learned. Such documentation can be crucial in defending against lawsuits or regulatory actions.
Downtime is costly for any business. It leads to lost productivity, lost revenue, and can damage a company’s reputation. A well-prepared incident response team can significantly reduce the amount of downtime a business experiences after a cyber attack.
By quickly identifying and containing an attack, the team can minimize the amount of time systems are down. Moreover, by having a plan for recovery and restoration, the team can ensure that systems are back up and running as quickly as possible.
Artificial intelligence (AI) and machine learning (ML) are changing the face of incident response. These technologies can automate many of the tasks involved in incident response, allowing teams to respond more quickly and effectively to attacks.
AI and ML can be used to detect anomalies in network traffic, identify malicious activity, and even predict future attacks. They can also automate the process of collecting and analyzing data, freeing up incident response teams to focus on more strategic tasks.
Extended Detection and Response (XDR) is another technology that is shaping the future of incident response. XDR is a security approach that integrates multiple security tools into a single platform. This allows incident response teams to have a more holistic view of their environment and respond more effectively to threats.
XDR platforms can collect data from a wide range of sources, including network traffic, endpoint devices, and cloud services. This data is then analyzed to detect threats and automate response actions.
Security Information and Event Management (SIEM) systems are another crucial tool in incident response. SIEM systems collect and analyze log data from various sources within an organization’s IT infrastructure. They provide real-time analysis of security alerts and can automate response actions.
By providing a centralized view of an organization’s security landscape, SIEM systems can help incident response teams identify, investigate, and respond to security incidents more efficiently.
Threat Intelligence Platforms (TIPs) provide incident response teams with information about known threats and threat actors. This information can help teams identify attacks more quickly and respond more effectively.
TIPs collect and analyze data from a variety of sources, including open-source intelligence, social media, and internal data. They provide actionable intelligence that can be used to enhance an organization’s security posture and improve incident response efforts.
The shift to remote work has had a significant impact on incident response. With more employees working from home, the attack surface for cyber criminals has expanded. This has made incident response more challenging, as teams must now deal with threats on a wide range of devices and networks.
In 2023, we can expect to see more tools and strategies aimed at dealing with the challenges posed by remote work. This may include increased use of cloud-based incident response tools, as well as strategies for securing remote devices and networks.
Traditionally, incident response has been a reactive process. Teams would wait for an attack to occur and then respond. However, this approach is no longer sufficient in today’s threat landscape.
In 2023, we can expect to see a shift towards more proactive incident response. This means identifying and addressing vulnerabilities before an attack occurs. It also means monitoring for signs of an attack and taking action before the attack has a chance to cause damage.
Another trend we can expect to see in 2023 is an increased emphasis on incident response testing and simulation. Testing and simulation are crucial for ensuring that an incident response plan is effective.
Through testing, teams can identify gaps in the plan and make necessary adjustments. Simulation exercises can also help teams practice their response to an attack, ensuring that they are prepared when a real attack occurs.
Finally, in 2023, we can expect to see greater regulatory scrutiny of incident response. As cyber attacks continue to increase in frequency and severity, regulators are becoming more interested in how businesses respond to these incidents.
This means that businesses will need to ensure that their incident response plans meet regulatory standards. They will also need to be prepared to provide documentation of their response efforts in the event of a regulatory investigation.
In conclusion, mastering incident response is crucial for businesses in today’s digital world. By understanding what incident response is, recognizing its importance, staying up-to-date with emerging technologies, and keeping an eye on key trends, businesses can protect their digital assets, minimize the impact of attacks, and comply with legal and regulatory requirements.
InfoSec tools | InfoSec services | InfoSec books
Jul 28 2022
ENISA published a report that provides anonymized and aggregated information about major telecom security incidents in 2021.
Every European telecom operator that suffers a security incident, notifies its national authorities which share a summary of these reports to ENISA at the start of every calendar year.
The reporting of security incidents has been part of the EU’s regulatory framework for telecoms
since the 2009 reform of the telecoms package.
This year the report includes data related to reports of 168 incidents submitted by national authorities from 26 EU Member States (MS) and 2 EFTA countries.
The incident had a significant impact on the victim, the total user hours lost (resulted by
multiplying for each incident the number of users by the number of hours) was 5,106 million user
hours. Experts noticed a huge increase compared to 841 million user hours lost in 2020. The reason for this is the impact of a notable EU-wide incident that was reported separately by three MS. ENISA has published technical guidelines on incident reporting under the EECC1, including on thresholds and calculating hours lost.
Below are the takeaways from incidents that took place in 2021:
Let me suggest reading the full report for additional information:
#InfoSecTools and #InfoSectraining
Ask DISC an InfoSec & compliance related question
Dec 10 2021
Download a copy of The Red Team Guide
The Red Team Field Manual (RTFM) is a no fluff, but thorough reference guide for serious Red Team members who routinely find themselves on a mission without Google or the time to scan through a man page. The RTFM contains the basic syntax for commonly used Linux and Windows command line tools, but it also encapsulates unique use cases for powerful tools such as Python and Windows PowerShell. The RTFM will repeatedly save you time looking up the hard to remember Windows nuances such as Windows wmic and dsquery command line tools, key registry values, scheduled tasks syntax, startup locations and Windows scripting. More importantly, it should teach you some new red team techniques.
Download a copy of The Red Team Guide
Incident Response Management Foundation Training Course
Dec 04 2021
Cybersecurity Incident & Vulnerability Response Playbooks – Audiobook
![Cybersecurity Incident & Vulnerability Response Playbooks by [Cybersecurity and Infrastructure Security Agency]](https://m.media-amazon.com/images/I/51QvXBL8MYL._SX260_.jpg)
Nov 18 2021
The Cybersecurity and Infrastructure Security Agency (CISA) has released new cybersecurity response plans for federal civilian executive branch (FCEB) agencies (” Federal Government Cybersecurity Incident and Vulnerability Response Playbooks“).
The documents aim at developing a standard set of operational procedures (i.e., playbook) to be used in planning and conducting cybersecurity vulnerability and incident response activity for federal civilian agency information systems.
“The playbooks provide federal civilian executive branch (FCEB) agencies with operational procedures for planning and conducting cybersecurity incident and vulnerability response activities. The playbooks provide illustrated decision trees and detail each step for both incident and vulnerability response.” reads the announcement.
The definition and adoption of standardized IR procedures allow to drastically reduce the associated risks for impacted organizations.
The document released by CISA presents two playbooks, one for incident response and one for vulnerability response, both developed for FCEB agencies. CISA plans to extend these playbooks for organizations outside of the FCEB to promote a process of standardization of the incident response practices.
The Vulnerability Response Playbook applies to any flaw that is observed to be exploited by threat actors to gain compromise computer networks of the agencies. The playbook builds on CISA’s Binding Operational Directive 22-01 and standardizes the high-level process to address these vulnerabilities.
The playbooks will facilitate better coordination and effective response and enable tracking of cross-organizational successful actions.
“FCEB agencies should use the playbooks to shape their overall defensive cyber operations. The playbooks apply to information systems used or operated by an FCEB agency, a contractor of the agency, or another organization on behalf of the agency. CISA encourages agencies to review the playbooks and CISA’s webpage on EO 14028 for more information.” concludes CISA. “Although CISA created the playbooks for FCEB agencies, we encourage critical infrastructure entities; state, local, territorial, and tribal government organizations; and private sector organizations to review them to benchmark their own vulnerability and incident response practices.”
The incident response playbook has to be used in incidents that involve confirmed malicious cyber activity for which a major incident has been declared or not yet been reasonably ruled out (i.e. Incidents involving lateral movement, credential access, and exfiltration of data, and compromised administrator accounts).
While aimed at federal agencies, CISA also encourages public and private sector partners, including critical infrastructure entities and state, local, territorial, and tribal (SLLT) government organizations, to review them to improve their incident and vulnerability response practices.
Nov 15 2021
The European Union Agency for Cybersecurity (ENISA) published an analysis of the current state of development of sectoral CSIRT capabilities in the health sector since the implementation of the NIS Directive.
An attack against a hospital can lead to physical damages and put the lives of patients at risk. The Agency remarks the need to set up solid Incident Response Capabilities (IRC) in the health sector. The document aims at offering insights on current incident response (IR) trends and providing recommendations about the development of IR capabilities in the health sector.
In 2020, the number of reports sent to ENISA about cybersecurity incidents saw an increase of 47% compared to the previous year.
The level of exposure to cyber threats is increasing to the adoption of emerging technologies such as the Internet of Things (IoT), Artificial Intelligence (AI), big data, and cloud computing.
Computer Security Incident Response Teams (CSIRTs) are tasked to develop the capabilities needed to address cyber threats and implement the provisions of the Directive on security of network and information systems (NIS Directive).
“Although dedicated health sector CSIRTs are still the exception in the Member States, sector specific CSIRT cooperation is developing.” reads the report. “The lack of sector-specific knowledge or capacity of national CSIRTs, lessons learned from past incidents and the implementation of the NIS Directive appear to be the main drivers of the creation of sector-specific incident response capabilities in the health sector.”
While the lifetime of healthcare equipment is about 15 years on average, the pace of updates that are released by the vendors but in many cases, the healthcare devices remain unpatched for long periods. Another challenge the healthcare sector is faced with is the complexity of systems due to the increased number of connected devices is enlarging the attack surface.
Below is the list of recommendations included in the report:
“The key force driving the development of incident response capabilities of CSIRTs is the information related to security requirements and responsibilities of organisations for each sector.” concludes the report. “Shared frameworks for incident classification and threat modelling, education activities and a network allowing communication between incident response actors constitute the main resources and tools currently supporting the development of incident response capabilities.”
https://www.enisa.europa.eu/publications/csirt-capabilities-in-healthcare-sector
Aug 13 2021
Nowadays just as one cannot take enough safety measures when leaving their house of work to avoid running into problems and tribulations along the way, the exact same measures are to be taken into consideration when strolling around the wonderful world of the internet. It can be argued that the internet stands right up there as being one of the most important tools that recent technology has offered mankind to make lives easier. You can look for information, shop, wager on sporting events like pro football games through sites that focus on NFL predictions for games amongst other services and many other activities.
The internet has become the perfect tool for anyone and everyone to find absolutely everything they may want, need or anything in between, it’s become a staple of commodity and leisure, but it can also be a very dangerous tool if not handled properly. This tech tool has especially garnered fame and recognition amongst sports fans who flock to it in order to find all items related to their favorite teams, athletes and sports, but rest assured, one wrong move and dire consequences could be on the way
Today though, let’s focus on one of sports fans’ favorite online activities, online sports betting and how to prevent hacking incidents from happening.
Table of Contents
Incident Response & Computer Forensics
Sep 08 2020
In a recent attack, cybercrime group TeamTNT relied on a legitimate tool to avoid deploying malicious code on compromised cloud infrastructure and still have a good grip on it.
Source: Hackers use legit tool to take over Docker, Kubernetes platforms
Misusing tool of the trade
Analyzing the attack, researchers at Intezer discovered that TeamTNT installed Weave Scope open-source tool to gain full control of the victim’s cloud infrastructure.
According to them, this may be the first time a legitimate third-party tool is abused to play the part of a backdoor in a cloud environment, also indicating the evolution of this particular group.
Weave Scope integrates seamlessly with Docker, Kubernetes, and the Distributed Cloud Operating System (DC/OS), and AWS Elastic Compute Cloud (ECS). It provides a complete map of processes, containers, and hosts on the server and control over installed applications.
“The attackers install this tool in order to map the cloud environment of their victim and execute system commands without deploying malicious code on the server,” Intezer notes in a report today.
Download a Security Risk Assessment Steps paper!
Security Risk assessment Quiz – Find Out How Your security risk assessment Stands Up!
DISC InfoSec 🔒 securing the business 🔒 via latest InfoSec titles
Subscribe to DISC InfoSec blog by Email
👉Â Download a Virtual CISO (#vCISO) and Security Advisory Fact Sheet & Cybersecurity Cheat Sheet
Jun 17 2019
The Cybersecurity and Infrastructure Security Agency (CISA) published an alert for Windows users to patch the critical severity Remote Desktop Services (RDS) RCE security flaw dubbed BlueKeep.
Source: U.S. Govt Achieves BlueKeep Remote Code Execution, Issues Alert
How to check if a target is vulnerable to the new RDP vulnerability (BlueKeep).
Aug 11 2012
English: ISMS activities and their relationship with Risk Management (Photo credit: Wikipedia)
Section 13 of Annex A handle information security incident management. One of the important thing to know about this section is the difference between an event and an incident.
Information Securty Event: is an occurance of a system, service or netwrok state indicating a possible breach of information security policy or failure of safeguards.
Informtaion Security Incident: is indicated by a single or series of unwanted information security events that have a significant probability of compromising business operations.
IT Governance: An International Guide to Data Security and ISO27001/ISO27002
This video covers Section A.13 of ISO 27001. This refers to the reporting of information security events and weaknesses and the management of information security.
Feb 13 2012
A security incident is a computer, network, or paper based activity which results (or may result) in misuse, damage, denial of service, compromise of integrity, or loss of confidentiality of a network, computer, application, or data; and threats, misrepresentations of identity, or harassment of or by individuals using these resources.
Examples of incidents may include but not limited to the followings:
• Root-level attacks on networking infrastructure, critical systems, or large, multi-purpose or dedicated servers
• Compromise of privileged accounts on computer systems
• Denial-of-service attacks on networking infrastructure and critical systems
• Attacks launched on others from within umn.edu
• Compromise of individual user accounts or desktop (single-user) systems
• Scans of University systems originating from the Internet
• Spam and mail forgery that originates from, or is relayed through umn.edu
• Viruses, Worms and Trojan Horses
Computer Security Incident Handling Guide
