Jan 19 2024

New Microsoft Incident Response guides help security teams analyze suspicious activity

Category: Security Incident | disc7 @ 12:58 pm

“Today Microsoft Incident Response are proud to introduce two one-page guides to help security teams investigate suspicious activity in Microsoft 365 and Microsoft Entra. These guides contain the artifacts that Microsoft Incident Response hunts for and uses daily to provide our customers with evidence of Threat Actor activity in their tenant.”


Tags: Incident Response guide

Aug 08 2023


Category: Security Incident | disc7 @ 1:06 pm


Incident response refers to the process followed by an organization to address and manage the aftermath of a security breach or cyber attack. The goal of incident response is to handle the situation in a way that limits damage, reduces recovery time and costs, and ensures that the incident is properly documented and reported to meet regulatory requirements.

In the simplest of terms, incident response is like a well-organized fire drill for cyber attacks. It’s a set of instructions that help IT staff and business owners identify, respond to, and recover from network security incidents. These instructions include steps to take when an attack is identified, who should be involved, how data should be collected and analyzed, and how to learn from the incident to prevent future attacks. See this detailed blog post for more background about incident response.



One of the primary reasons for having an incident response plan is to minimize the impact of attacks. Cyber attacks can lead to significant financial losses, especially for businesses that rely heavily on online transactions. An effective incident response plan can help businesses identify attacks early, contain them quickly, and minimize potential damage.

Moreover, incident response is not just about dealing with the attack itself but also about dealing with the aftermath of the attack. This includes notifying affected parties, managing public relations, and fulfilling any legal obligations. Having a plan in place ensures that these tasks are handled efficiently and effectively, reducing the overall impact of the attack.


Another critical aspect of incident response is recovery and restoration. After a cyber attack, it’s essential to restore systems and operations to normal as quickly as possible. Incident response teams work to eliminate the threat from the company’s systems, repair any damage, and restore data from backups.

The speed and efficiency of recovery can significantly impact a business’s bottom line. The longer it takes to recover, the more revenue is lost. Furthermore, prolonged recovery times can also damage a company’s reputation, leading to loss of customers and potential future business.


Cybersecurity incidents can have serious legal and regulatory implications for businesses. In many jurisdictions, businesses are required to report breaches to regulatory bodies and affected individuals. Failure to comply with these requirements can result in hefty fines and legal proceedings.

An incident response plan helps businesses meet their legal and regulatory obligations by ensuring that incidents are properly documented and reported. This includes keeping detailed records of the incident, the response actions taken, and the lessons learned. Such documentation can be crucial in defending against lawsuits or regulatory actions.


Downtime is costly for any business. It leads to lost productivity, lost revenue, and can damage a company’s reputation. A well-prepared incident response team can significantly reduce the amount of downtime a business experiences after a cyber attack.

By quickly identifying and containing an attack, the team can minimize the amount of time systems are down. Moreover, by having a plan for recovery and restoration, the team can ensure that systems are back up and running as quickly as possible.



Artificial intelligence (AI) and machine learning (ML) are changing the face of incident response. These technologies can automate many of the tasks involved in incident response, allowing teams to respond more quickly and effectively to attacks.

AI and ML can be used to detect anomalies in network traffic, identify malicious activity, and even predict future attacks. They can also automate the process of collecting and analyzing data, freeing up incident response teams to focus on more strategic tasks.


Extended Detection and Response (XDR) is another technology that is shaping the future of incident response. XDR is a security approach that integrates multiple security tools into a single platform. This allows incident response teams to have a more holistic view of their environment and respond more effectively to threats.

XDR platforms can collect data from a wide range of sources, including network traffic, endpoint devices, and cloud services. This data is then analyzed to detect threats and automate response actions.


Security Information and Event Management (SIEM) systems are another crucial tool in incident response. SIEM systems collect and analyze log data from various sources within an organization’s IT infrastructure. They provide real-time analysis of security alerts and can automate response actions.

By providing a centralized view of an organization’s security landscape, SIEM systems can help incident response teams identify, investigate, and respond to security incidents more efficiently.


Threat Intelligence Platforms (TIPs) provide incident response teams with information about known threats and threat actors. This information can help teams identify attacks more quickly and respond more effectively.

TIPs collect and analyze data from a variety of sources, including open-source intelligence, social media, and internal data. They provide actionable intelligence that can be used to enhance an organization’s security posture and improve incident response efforts.



The shift to remote work has had a significant impact on incident response. With more employees working from home, the attack surface for cyber criminals has expanded. This has made incident response more challenging, as teams must now deal with threats on a wide range of devices and networks.

In 2023, we can expect to see more tools and strategies aimed at dealing with the challenges posed by remote work. This may include increased use of cloud-based incident response tools, as well as strategies for securing remote devices and networks.


Traditionally, incident response has been a reactive process. Teams would wait for an attack to occur and then respond. However, this approach is no longer sufficient in today’s threat landscape.

In 2023, we can expect to see a shift towards more proactive incident response. This means identifying and addressing vulnerabilities before an attack occurs. It also means monitoring for signs of an attack and taking action before the attack has a chance to cause damage.


Another trend we can expect to see in 2023 is an increased emphasis on incident response testing and simulation. Testing and simulation are crucial for ensuring that an incident response plan is effective.

Through testing, teams can identify gaps in the plan and make necessary adjustments. Simulation exercises can also help teams practice their response to an attack, ensuring that they are prepared when a real attack occurs.


Finally, in 2023, we can expect to see greater regulatory scrutiny of incident response. As cyber attacks continue to increase in frequency and severity, regulators are becoming more interested in how businesses respond to these incidents.

This means that businesses will need to ensure that their incident response plans meet regulatory standards. They will also need to be prepared to provide documentation of their response efforts in the event of a regulatory investigation.


In conclusion, mastering incident response is crucial for businesses in today’s digital world. By understanding what incident response is, recognizing its importance, staying up-to-date with emerging technologies, and keeping an eye on key trends, businesses can protect their digital assets, minimize the impact of attacks, and comply with legal and regulatory requirements.


Tags: Incident Response

Jul 28 2022

ENISA provides data related to major telecom security incidents in 2021

Category: Information Security, Security Incident | DISC @ 8:36 am

ENISA published a report that includes anonymised and aggregated information about major telecom security incidents in 2021.


Every European telecom operator that suffers a security incident notifies its national authority, and the national authorities share a summary of these reports with ENISA at the start of every calendar year.

The reporting of security incidents has been part of the EU’s regulatory framework for telecoms since the 2009 reform of the telecoms package.

This year the report includes data related to reports of 168 incidents submitted by national authorities from 26 EU Member States (MS) and 2 EFTA countries.

The incidents had a significant impact: the total user hours lost (computed for each incident by multiplying the number of users by the number of hours) was 5,106 million user hours. Experts noticed a huge increase compared to 841 million user hours lost in 2020. The reason for this is the impact of a notable EU-wide incident that was reported separately by three MS. ENISA has published technical guidelines on incident reporting under the EECC, including on thresholds and calculating hours lost.

Below are the takeaways from incidents that took place in 2021:

  • 4.16% of reported incidents in 2021 refer to OTT communication services; for this reason the Agency calls for further attention to security incidents related to OTT services.
  • This is the first time that incidents concerning confidentiality and authenticity were reported.
  • The share of incidents labeled as malicious actions rose from 4% in 2020 to 8% in 2021.
  • System failures continue to dominate in terms of impact, but the downward trend continues. System failures accounted for 363 million user hours lost compared to 419 million user hours in 2020.
  • The number of incidents caused by human errors is the same as in 2020.
  • Only 22% of incidents were reported as being related to third-party failures, compared to 29% in 2020.

Let me suggest reading the full report for additional information:


ENISA Telecom Security Incidents 2021


Tags: telecom security incidents

Dec 10 2021

The Red Team Guide

Category: Information Security, Security Incident | DISC @ 12:54 pm

The Red Team Guide – by Peerlyst

Download a copy of The Red Team Guide

Rtfm: Red Team Field Manual

The Red Team Field Manual (RTFM) is a no fluff, but thorough reference guide for serious Red Team members who routinely find themselves on a mission without Google or the time to scan through a man page. The RTFM contains the basic syntax for commonly used Linux and Windows command line tools, but it also encapsulates unique use cases for powerful tools such as Python and Windows PowerShell. The RTFM will repeatedly save you time looking up the hard to remember Windows nuances such as Windows wmic and dsquery command line tools, key registry values, scheduled tasks syntax, startup locations and Windows scripting. More importantly, it should teach you some new red team techniques.


Tags: Red team, Red Team Field Manual, Rtfm, The red team guide

Dec 04 2021

Cybersecurity Incident & vulnerability response playbooks

Category: Information Security, Security Incident | DISC @ 4:43 pm

Cybersecurity Incident & Vulnerability Response Playbooks – Audiobook

Cybersecurity Incident & Vulnerability Response Playbooks by [Cybersecurity and Infrastructure Security Agency]

Tags: Incident Response, vulnerability response

Nov 18 2021

CISA releases incident response plans for federal agencies

Category: Security Incident | DISC @ 10:16 am

The Cybersecurity and Infrastructure Security Agency (CISA) has released new cybersecurity response plans for federal civilian executive branch (FCEB) agencies (“Federal Government Cybersecurity Incident and Vulnerability Response Playbooks”).

The documents aim at developing a standard set of operational procedures (i.e., playbook) to be used in planning and conducting cybersecurity vulnerability and incident response activity for federal civilian agency information systems.

“The playbooks provide federal civilian executive branch (FCEB) agencies with operational procedures for planning and conducting cybersecurity incident and vulnerability response activities. The playbooks provide illustrated decision trees and detail each step for both incident and vulnerability response.” reads the announcement.

The definition and adoption of standardized IR procedures allow impacted organizations to drastically reduce the associated risks.

The document released by CISA presents two playbooks, one for incident response and one for vulnerability response, both developed for FCEB agencies. CISA plans to extend these playbooks for organizations outside of the FCEB to promote a process of standardization of the incident response practices.

The Vulnerability Response Playbook applies to any flaw that is observed to be exploited by threat actors to compromise the computer networks of the agencies. The playbook builds on CISA’s Binding Operational Directive 22-01 and standardizes the high-level process to address these vulnerabilities.

The playbooks will facilitate better coordination and effective response and enable tracking of cross-organizational successful actions.

“FCEB agencies should use the playbooks to shape their overall defensive cyber operations. The playbooks apply to information systems used or operated by an FCEB agency, a contractor of the agency, or another organization on behalf of the agency. CISA encourages agencies to review the playbooks and CISA’s webpage on EO 14028 for more information.” concludes CISA. “Although CISA created the playbooks for FCEB agencies, we encourage critical infrastructure entities; state, local, territorial, and tribal government organizations; and private sector organizations to review them to benchmark their own vulnerability and incident response practices.”

The incident response playbook is to be used for incidents that involve confirmed malicious cyber activity for which a major incident has been declared or has not yet been reasonably ruled out (i.e., incidents involving lateral movement, credential access, exfiltration of data, and compromised administrator accounts).

While aimed at federal agencies, CISA also encourages public and private sector partners, including critical infrastructure entities and state, local, tribal, and territorial (SLTT) government organizations, to review them to improve their incident and vulnerability response practices.


Nov 15 2021

ENISA – The need for Incident Response Capabilities in the health sector

Category: hipaa, Security Incident | DISC @ 10:43 am

The European Union Agency for Cybersecurity (ENISA) published an analysis of the current state of development of sectoral CSIRT capabilities in the health sector since the implementation of the NIS Directive.

An attack against a hospital can lead to physical damages and put the lives of patients at risk. The Agency remarks the need to set up solid Incident Response Capabilities (IRC) in the health sector. The document aims at offering insights on current incident response (IR) trends and providing recommendations about the development of IR capabilities in the health sector.

In 2020, the number of reports sent to ENISA about cybersecurity incidents saw an increase of 47% compared to the previous year.

The level of exposure to cyber threats is increasing due to the adoption of emerging technologies such as the Internet of Things (IoT), Artificial Intelligence (AI), big data, and cloud computing.

Computer Security Incident Response Teams (CSIRTs) are tasked to develop the capabilities needed to address cyber threats and implement the provisions of the Directive on security of network and information systems (NIS Directive).

“Although dedicated health sector CSIRTs are still the exception in the Member States, sector specific CSIRT cooperation is developing.” reads the report. “The lack of sector-specific knowledge or capacity of national CSIRTs, lessons learned from past incidents and the implementation of the NIS Directive appear to be the main drivers of the creation of sector-specific incident response capabilities in the health sector.”

While the lifetime of healthcare equipment is about 15 years on average, the pace of vendor updates does not match it, and in many cases healthcare devices remain unpatched for long periods. Another challenge the healthcare sector faces is the complexity of its systems: the growing number of connected devices enlarges the attack surface.

Below is the list of recommendations included in the report:

  1. Enhance and facilitate the creation of health sector CSIRTs by allowing easy access to funding, promoting capacity building activities, etc.
  2. Capitalise on the expertise of the health CSIRTs for helping Operators of Essential Services (OES) develop their incident response capabilities by establishing sector-specific regulations, cooperation agreements, communication channels with OES, public-private partnerships, etc.
  3. Empower health CSIRTs to develop information sharing activities using threat intelligence, exchange of good practices and lessons learned, etc.

“The key force driving the development of incident response capabilities of CSIRTs is the information related to security requirements and responsibilities of organisations for each sector.” concludes the report. “Shared frameworks for incident classification and threat modelling, education activities and a network allowing communication between incident response actors constitute the main resources and tools currently supporting the development of incident response capabilities.”


Tags: ENISA, health sector, Incident Response

Aug 13 2021

3 Ways To Avoid Internet Hacking Incidents With Sports Related Ventures

Category: Hacking, Security Incident | DISC @ 9:49 am

Nowadays, just as one cannot take enough safety measures when leaving the house or workplace to avoid running into problems and tribulations along the way, the same measures need to be taken when strolling around the wonderful world of the internet. It can be argued that the internet stands right up there as one of the most important tools that recent technology has offered mankind to make lives easier. You can look for information, shop, wager on sporting events like pro football games through sites that focus on NFL predictions for games, and use many other services and activities.

The internet has become the perfect tool for anyone and everyone to find absolutely everything they may want, need or anything in between. It has become a staple of commerce and leisure, but it can also be a very dangerous tool if not handled properly. This tech tool has especially garnered fame and recognition amongst sports fans, who flock to it to find everything related to their favorite teams, athletes and sports, but rest assured, one wrong move and dire consequences could be on the way.

Today, though, let’s focus on one of sports fans’ favorite online activities, online sports betting, and how to prevent hacking incidents from happening.


Tags: NBA, NFL, Sports Related Ventures

Sep 08 2020

Hackers use legit tool to take over Docker, Kubernetes platforms

Category: Security Breach, Security Incident | DISC @ 3:08 pm

In a recent attack, cybercrime group TeamTNT relied on a legitimate tool to avoid deploying malicious code on compromised cloud infrastructure and still have a good grip on it.

Source: Hackers use legit tool to take over Docker, Kubernetes platforms

Misusing tool of the trade
Analyzing the attack, researchers at Intezer discovered that TeamTNT installed the open-source Weave Scope tool to gain full control of the victim’s cloud infrastructure.

According to them, this may be the first time a legitimate third-party tool is abused to play the part of a backdoor in a cloud environment, also indicating the evolution of this particular group.

Weave Scope integrates seamlessly with Docker, Kubernetes, the Distributed Cloud Operating System (DC/OS), and AWS Elastic Container Service (ECS). It provides a complete map of processes, containers, and hosts on the server and control over installed applications.

“The attackers install this tool in order to map the cloud environment of their victim and execute system commands without deploying malicious code on the server,” Intezer notes in a report today.


Jun 17 2019

U.S. Govt Achieves BlueKeep Remote Code Execution, Issues Alert

Category: Malware, Security Incident | DISC @ 8:57 am

The Cybersecurity and Infrastructure Security Agency (CISA) published an alert for Windows users to patch the critical severity Remote Desktop Services (RDS) RCE security flaw dubbed BlueKeep.

Source: U.S. Govt Achieves BlueKeep Remote Code Execution, Issues Alert

How to check if a target is vulnerable to the new RDP vulnerability (BlueKeep).


Tags: BlueKeep, RDP vulnerability, Remote Code Execution

Aug 11 2012

ISO 27001 Information Security Incident Management

Category: ISO 27k, Security Incident | DISC @ 10:37 pm

English: ISMS activities and their relationship with Risk Management (Photo credit: Wikipedia)

Section 13 of Annex A handles information security incident management. One of the important things to know about this section is the difference between an event and an incident.

Information Security Event: an occurrence of a system, service or network state indicating a possible breach of information security policy or a failure of safeguards.

Information Security Incident: indicated by a single unwanted information security event, or a series of them, that has a significant probability of compromising business operations.
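The event/incident distinction above, and the SIEM correlation described earlier on this page (log data collected centrally and analyzed to raise alerts), can be made concrete with a small classifier. The following is an added example and is not code from the original post or from the ISO 27001 standard: it parses a few constructed, syslog-like log lines (the line format, host names and addresses are assumptions), flags each single "unwanted" occurrence as an information security event, and escalates to an incident only when a single high-probability event (an anti-malware detection) appears or when a series of events (five failed logins from one source for one user within five minutes, followed by a success) makes compromise of business operations likely. The thresholds are illustrative, not values from the standard.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format, not real telemetry):
#   <ISO timestamp> <kind> host=<h> user=<u> src=<ip> result=<r>
SAMPLE_LOGS = """\
2024-05-01T09:00:01 auth host=web01 user=alice src=10.0.0.5 result=FAIL
2024-05-01T09:00:03 auth host=web01 user=alice src=10.0.0.5 result=FAIL
2024-05-01T09:00:04 auth host=web01 user=alice src=10.0.0.5 result=FAIL
2024-05-01T09:00:05 auth host=web01 user=alice src=10.0.0.5 result=FAIL
2024-05-01T09:00:07 auth host=web01 user=alice src=10.0.0.5 result=FAIL
2024-05-01T09:00:09 auth host=web01 user=alice src=10.0.0.5 result=SUCCESS
2024-05-01T09:10:00 auth host=web02 user=bob src=10.0.0.7 result=FAIL
2024-05-01T09:10:30 auth host=web02 user=bob src=10.0.0.7 result=SUCCESS
2024-05-01T09:15:00 auth host=web02 user=carol src=10.0.0.9 result=FAIL
2024-05-01T09:15:20 auth host=web02 user=carol src=10.0.0.9 result=FAIL
2024-05-01T09:15:40 auth host=web02 user=carol src=10.0.0.9 result=FAIL
2024-05-01T09:20:00 av host=ws03 user=- src=- result=DETECTED
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>\w+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Illustrative correlation thresholds (assumed, not from ISO 27001).
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=5)


@dataclass
class LogEvent:
    ts: datetime
    kind: str
    host: str
    user: str
    src: str
    result: str


def parse_events(text):
    """Parse log lines into LogEvent records; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append(LogEvent(datetime.fromisoformat(d["ts"]), d["kind"],
                               d["host"], d["user"], d["src"], d["result"]))
    return events


def is_security_event(e):
    """A.13 'event': a state indicating a possible policy breach or safeguard failure.
    A single failed login or a malware detection qualifies; a plain success does not."""
    return e.result in ("FAIL", "DETECTED")


def classify(events):
    """Return (security_events, incidents).

    Incidents are raised in two ways, matching the A.13 definition:
      * a single unwanted event with significant impact probability
        (anti-malware detection on a host), or
      * a series of unwanted events: >= FAIL_THRESHOLD failures for one
        (src, user) pair inside WINDOW followed by a success, i.e. a likely
        compromised account.
    """
    security_events = [e for e in events if is_security_event(e)]
    incidents = []

    # Single-event incidents.
    for e in events:
        if e.kind == "av" and e.result == "DETECTED":
            incidents.append({"type": "malware-detected", "host": e.host, "events": 1})

    # Series-of-events incidents: correlate auth results per (src, user).
    by_key = defaultdict(list)
    for e in events:
        if e.kind == "auth":
            by_key[(e.src, e.user)].append(e)
    for (src, user), seq in by_key.items():
        seq.sort(key=lambda ev: ev.ts)
        recent_fails = []
        for e in seq:
            # Drop failures that fell out of the sliding window.
            recent_fails = [f for f in recent_fails if e.ts - f.ts <= WINDOW]
            if e.result == "FAIL":
                recent_fails.append(e)
            elif e.result == "SUCCESS" and len(recent_fails) >= FAIL_THRESHOLD:
                incidents.append({"type": "brute-force-success", "user": user,
                                  "src": src, "events": len(recent_fails) + 1})
                recent_fails = []
    return security_events, incidents


if __name__ == "__main__":
    sec, inc = classify(parse_events(SAMPLE_LOGS))
    print(f"{len(sec)} security events, {len(inc)} incidents")
    for i in inc:
        print(i)
```

Running it over the sample shows the distinction: bob's single typo and carol's three failures stay events that are logged and retained but not escalated, while alice's five failures followed by a success and the detection on ws03 each become an incident with the contributing event count attached, which is the evidence trail the documentation and reporting obligations discussed above depend on.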

IT Governance: An International Guide to Data Security and ISO27001/ISO27002

This video covers Section A.13 of ISO 27001. This refers to the reporting of information security events and weaknesses and the management of information security.

Tags: Information Security, Information Security Management System, ISO 27001 Lead Implementer, ISO/IEC 27001, Policy

Feb 13 2012

What Is a Security Incident and How to handle one

Category: Security Incident | DISC @ 2:13 pm

A security incident is a computer-, network-, or paper-based activity which results (or may result) in misuse, damage, denial of service, compromise of integrity, or loss of confidentiality of a network, computer, application, or data; it also covers threats, misrepresentations of identity, or harassment of or by individuals using these resources.

Examples of incidents include, but are not limited to, the following:
• Root-level attacks on networking infrastructure, critical systems, or large multi-purpose or dedicated servers
• Compromise of privileged accounts on computer systems
• Denial-of-service attacks on networking infrastructure and critical systems
• Attacks launched on others from within umn.edu
• Compromise of individual user accounts or desktop (single-user) systems
• Scans of University systems originating from the Internet
• Spam and mail forgery that originates from, or is relayed through, umn.edu
• Viruses, worms and Trojan horses

Computer Security Incident Handling Guide