The Cybernews article discusses a groundbreaking cyberattack orchestrated by Israel’s Mossad using analog devices, such as pagers and walkie-talkies, to target Hezbollah members in Lebanon and Syria. The attacks occurred on September 17-18, 2024, resulting in over 4,000 injuries and nearly two dozen deaths. The devices were reportedly rigged with explosives and detonated remotely, marking the first time such devices were weaponized in a cyberattack. Hezbollah had previously switched to analog communication methods after Israel had infiltrated their mobile networks, but Mossad exploited this by using a supply chain strategy to distribute compromised devices through a fake company.
Mossad’s complex plan involved creating a shell company that supplied pagers and other devices to Hezbollah, which were secretly manufactured with explosives. The devices were later activated remotely, demonstrating the vulnerability of even low-tech solutions in modern warfare. This supply chain attack highlighted the risks of relying on unverified communication devices and prompted immediate security changes in Lebanon, such as a ban on pagers and walkie-talkies on flights. Iran’s Revolutionary Guard also stopped using communication devices in response to the incident.
Security experts predict that this attack will have far-reaching implications for global security, particularly in the West. The use of handheld devices as weapons could lead to stricter scrutiny of all electronic devices with batteries and communication links, especially in industries like healthcare, where pagers are still in use. Manufacturers are expected to strengthen their supply chain security to prevent such vulnerabilities from being exploited again. There is also concern that security measures in airports, government buildings, and other sensitive locations will be tightened, possibly leading to longer lines and more stringent screening processes.
The implications for security are profound, as this incident demonstrates the potential for even basic technology to be weaponized. Security systems and detection technologies may need to be enhanced to catch these types of attacks in the future. The use of analog devices in high-security environments, such as hospitals and government facilities, may also come under review, with industries either moving away from these tools or enforcing stricter security protocols. This attack underscores the evolving nature of cyber threats and the importance of securing both digital and physical supply chains to prevent similar incidents.
“Today Microsoft Incident Response are proud to introduce two one-page guides to help security teams investigate suspicious activity in Microsoft 365 and Microsoft Entra. These guides contain the artifacts that Microsoft Incident Response hunts for and uses daily to provide our customers with evidence of Threat Actor activity in their tenant.”
Incident response refers to the process followed by an organization to address and manage the aftermath of a security breach or cyber attack. The goal of incident response is to handle the situation in a way that limits damage, reduces recovery time and costs, and ensures that the incident is properly documented and reported to meet regulatory requirements.
In the simplest of terms, incident response is like a well-organized fire drill for cyber attacks. It’s a set of instructions that help IT staff and business owners identify, respond to, and recover from network security incidents. These instructions include steps to take when an attack is identified, who should be involved, how data should be collected and analyzed, and how to learn from the incident to prevent future attacks. See this detailed blog post for more background about incident response.
IMPORTANCE OF INCIDENT RESPONSE IN CYBERSECURITY
MINIMIZING IMPACT OF ATTACKS
One of the primary reasons for having an incident response plan is to minimize the impact of attacks. Cyber attacks can lead to significant financial losses, especially for businesses that rely heavily on online transactions. An effective incident response plan can help businesses identify attacks early, contain them quickly, and minimize potential damage.
Moreover, incident response is not just about dealing with the attack itself but also about dealing with the aftermath of the attack. This includes notifying affected parties, managing public relations, and fulfilling any legal obligations. Having a plan in place ensures that these tasks are handled efficiently and effectively, reducing the overall impact of the attack.
RECOVERY AND RESTORATION
Another critical aspect of incident response is recovery and restoration. After a cyber attack, it’s essential to restore systems and operations to normal as quickly as possible. Incident response teams work to eliminate the threat from the company’s systems, repair any damage, and restore data from backups.
The speed and efficiency of recovery can significantly impact a business’s bottom line. The longer it takes to recover, the more revenue is lost. Furthermore, prolonged recovery times can also damage a company’s reputation, leading to loss of customers and potential future business.
LEGAL AND REGULATORY COMPLIANCE
Cybersecurity incidents can have serious legal and regulatory implications for businesses. In many jurisdictions, businesses are required to report breaches to regulatory bodies and affected individuals. Failure to comply with these requirements can result in hefty fines and legal proceedings.
An incident response plan helps businesses meet their legal and regulatory obligations by ensuring that incidents are properly documented and reported. This includes keeping detailed records of the incident, the response actions taken, and the lessons learned. Such documentation can be crucial in defending against lawsuits or regulatory actions.
REDUCING DOWNTIME
Downtime is costly for any business. It leads to lost productivity, lost revenue, and can damage a company’s reputation. A well-prepared incident response team can significantly reduce the amount of downtime a business experiences after a cyber attack.
By quickly identifying and containing an attack, the team can minimize the amount of time systems are down. Moreover, by having a plan for recovery and restoration, the team can ensure that systems are back up and running as quickly as possible.
Artificial intelligence (AI) and machine learning (ML) are changing the face of incident response. These technologies can automate many of the tasks involved in incident response, allowing teams to respond more quickly and effectively to attacks.
AI and ML can be used to detect anomalies in network traffic, identify malicious activity, and even predict future attacks. They can also automate the process of collecting and analyzing data, freeing up incident response teams to focus on more strategic tasks.
EXTENDED DETECTION AND RESPONSE (XDR)
Extended Detection and Response (XDR) is another technology that is shaping the future of incident response. XDR is a security approach that integrates multiple security tools into a single platform. This allows incident response teams to have a more holistic view of their environment and respond more effectively to threats.
XDR platforms can collect data from a wide range of sources, including network traffic, endpoint devices, and cloud services. This data is then analyzed to detect threats and automate response actions.
SIEM
Security Information and Event Management (SIEM) systems are another crucial tool in incident response. SIEM systems collect and analyze log data from various sources within an organization’s IT infrastructure. They provide real-time analysis of security alerts and can automate response actions.
By providing a centralized view of an organization’s security landscape, SIEM systems can help incident response teams identify, investigate, and respond to security incidents more efficiently.
THREAT INTELLIGENCE PLATFORMS
Threat Intelligence Platforms (TIPs) provide incident response teams with information about known threats and threat actors. This information can help teams identify attacks more quickly and respond more effectively.
TIPs collect and analyze data from a variety of sources, including open-source intelligence, social media, and internal data. They provide actionable intelligence that can be used to enhance an organization’s security posture and improve incident response efforts.
KEY TRENDS IN INCIDENT RESPONSE FOR 2023
INCREASE IN REMOTE WORK AND ITS IMPACT ON INCIDENT RESPONSE
The shift to remote work has had a significant impact on incident response. With more employees working from home, the attack surface for cyber criminals has expanded. This has made incident response more challenging, as teams must now deal with threats on a wide range of devices and networks.
In 2023, we can expect to see more tools and strategies aimed at dealing with the challenges posed by remote work. This may include increased use of cloud-based incident response tools, as well as strategies for securing remote devices and networks.
SHIFT FROM REACTIVE TO PROACTIVE INCIDENT RESPONSE
Traditionally, incident response has been a reactive process. Teams would wait for an attack to occur and then respond. However, this approach is no longer sufficient in today’s threat landscape.
In 2023, we can expect to see a shift towards more proactive incident response. This means identifying and addressing vulnerabilities before an attack occurs. It also means monitoring for signs of an attack and taking action before the attack has a chance to cause damage.
EMPHASIS ON INCIDENT RESPONSE TESTING AND SIMULATION
Another trend we can expect to see in 2023 is an increased emphasis on incident response testing and simulation. Testing and simulation are crucial for ensuring that an incident response plan is effective.
Through testing, teams can identify gaps in the plan and make necessary adjustments. Simulation exercises can also help teams practice their response to an attack, ensuring that they are prepared when a real attack occurs.
GREATER REGULATORY SCRUTINY AND ITS IMPACT ON INCIDENT RESPONSE
Finally, in 2023, we can expect to see greater regulatory scrutiny of incident response. As cyber attacks continue to increase in frequency and severity, regulators are becoming more interested in how businesses respond to these incidents.
This means that businesses will need to ensure that their incident response plans meet regulatory standards. They will also need to be prepared to provide documentation of their response efforts in the event of a regulatory investigation.
CONCLUSION
In conclusion, mastering incident response is crucial for businesses in today’s digital world. By understanding what incident response is, recognizing its importance, staying up-to-date with emerging technologies, and keeping an eye on key trends, businesses can protect their digital assets, minimize the impact of attacks, and comply with legal and regulatory requirements.
ENISA published a report that includes anonymised and aggregated information about major telecom security incidents in 2021.
Every European telecom operator that suffers a security incident notifies its national authorities, which share a summary of these reports with ENISA at the start of every calendar year.
The reporting of security incidents has been part of the EU’s regulatory framework for telecoms since the 2009 reform of the telecoms package.
This year the report includes data related to reports of 168 incidents submitted by national authorities from 26 EU Member States (MS) and 2 EFTA countries.
The incidents had a significant impact on users: the total user hours lost (obtained by multiplying, for each incident, the number of users by the number of hours) was 5,106 million user hours, a huge increase compared to the 841 million user hours lost in 2020. The reason is the impact of a notable EU-wide incident that was reported separately by three MS. ENISA has published technical guidelines on incident reporting under the EECC, including on thresholds and on calculating hours lost.
Below are the takeaways from incidents that took place in 2021:
4.16% of reported incidents in 2021 refer to OTT communication services; for this reason, the Agency calls for further attention to security incidents related to OTT services.
This is the first time that incidents concerning confidentiality and authenticity were reported.
The share of incidents labeled as malicious actions rose from 4% in 2020 to 8% in 2021.
System failures continue to dominate in terms of impact but the downward trend continues. System failures accounted for 363 million user hours lost compared to 419 million user hours in 2020.
The number of incidents caused by human errors is the same as in 2020.
Only 22% of incidents were reported as being related to third-party failures, compared to 29%.
Let me suggest reading the full report for additional information:
The Red Team Field Manual (RTFM) is a no fluff, but thorough reference guide for serious Red Team members who routinely find themselves on a mission without Google or the time to scan through a man page. The RTFM contains the basic syntax for commonly used Linux and Windows command line tools, but it also encapsulates unique use cases for powerful tools such as Python and Windows PowerShell. The RTFM will repeatedly save you time looking up the hard to remember Windows nuances such as Windows wmic and dsquery command line tools, key registry values, scheduled tasks syntax, startup locations and Windows scripting. More importantly, it should teach you some new red team techniques.
The documents aim to develop a standard set of operational procedures (i.e., a playbook) to be used in planning and conducting cybersecurity vulnerability and incident response activities for federal civilian agency information systems.
“The playbooks provide federal civilian executive branch (FCEB) agencies with operational procedures for planning and conducting cybersecurity incident and vulnerability response activities. The playbooks provide illustrated decision trees and detail each step for both incident and vulnerability response.” reads the announcement.
The definition and adoption of standardized IR procedures allows impacted organizations to drastically reduce the associated risks.
The document released by CISA presents two playbooks, one for incident response and one for vulnerability response, both developed for FCEB agencies. CISA plans to extend these playbooks for organizations outside of the FCEB to promote a process of standardization of the incident response practices.
The Vulnerability Response Playbook applies to any flaw that is observed to be exploited by threat actors to compromise the computer networks of the agencies. The playbook builds on CISA’s Binding Operational Directive 22-01 and standardizes the high-level process for addressing these vulnerabilities.
The playbooks will facilitate better coordination and effective response and enable tracking of cross-organizational successful actions.
“FCEB agencies should use the playbooks to shape their overall defensive cyber operations. The playbooks apply to information systems used or operated by an FCEB agency, a contractor of the agency, or another organization on behalf of the agency. CISA encourages agencies to review the playbooks and CISA’s webpage on EO 14028 for more information.” concludes CISA. “Although CISA created the playbooks for FCEB agencies, we encourage critical infrastructure entities; state, local, territorial, and tribal government organizations; and private sector organizations to review them to benchmark their own vulnerability and incident response practices.”
The incident response playbook is to be used for incidents that involve confirmed malicious cyber activity for which a major incident has been declared or has not yet been reasonably ruled out (i.e., incidents involving lateral movement, credential access, exfiltration of data, or compromised administrator accounts).
While aimed at federal agencies, CISA also encourages public and private sector partners, including critical infrastructure entities and state, local, territorial, and tribal (SLTT) government organizations, to review them to improve their incident and vulnerability response practices.
The European Union Agency for Cybersecurity (ENISA) published an analysis of the current state of development of sectoral CSIRT capabilities in the health sector since the implementation of the NIS Directive.
An attack against a hospital can lead to physical damage and put the lives of patients at risk. The Agency remarks on the need to set up solid Incident Response Capabilities (IRC) in the health sector. The document aims to offer insights on current incident response (IR) trends and to provide recommendations on the development of IR capabilities in the health sector.
In 2020, the number of reports sent to ENISA about cybersecurity incidents saw an increase of 47% compared to the previous year.
The level of exposure to cyber threats is increasing due to the adoption of emerging technologies such as the Internet of Things (IoT), Artificial Intelligence (AI), big data, and cloud computing.
Computer Security Incident Response Teams (CSIRTs) are tasked to develop the capabilities needed to address cyber threats and implement the provisions of the Directive on security of network and information systems (NIS Directive).
“Although dedicated health sector CSIRTs are still the exception in the Member States, sector specific CSIRT cooperation is developing.” reads the report. “The lack of sector-specific knowledge or capacity of national CSIRTs, lessons learned from past incidents and the implementation of the NIS Directive appear to be the main drivers of the creation of sector-specific incident response capabilities in the health sector.”
While the lifetime of healthcare equipment is about 15 years on average, the pace at which vendors release updates does not keep up, and in many cases healthcare devices remain unpatched for long periods. Another challenge the healthcare sector faces is the complexity of its systems: the increasing number of connected devices enlarges the attack surface.
Below is the list of recommendations included in the report:
Enhance and facilitate the creation of health sector CSIRTs by allowing easy access to funding, promoting capacity building activities, etc.
Capitalise on the expertise of the health CSIRTs for helping Operators of Essential Services (OES) develop their incident response capabilities by establishing sector-specific regulations, cooperation agreements, communication channels with OES, public-private partnerships, etc.
Empower health CSIRTs to develop information sharing activities using threat intelligence, exchange of good practices and lessons learned, etc.
“The key force driving the development of incident response capabilities of CSIRTs is the information related to security requirements and responsibilities of organisations for each sector.” concludes the report. “Shared frameworks for incident classification and threat modelling, education activities and a network allowing communication between incident response actors constitute the main resources and tools currently supporting the development of incident response capabilities.”
Nowadays, just as one cannot take enough safety measures when leaving their house or workplace to avoid running into problems and tribulations along the way, the exact same measures are to be taken into consideration when strolling around the wonderful world of the internet. It can be argued that the internet stands right up there as one of the most important tools that recent technology has offered mankind to make lives easier. You can look for information, shop, wager on sporting events like pro football games through sites that focus on NFL predictions for games, amongst other services and many other activities.
The internet has become the perfect tool for anyone and everyone to find absolutely everything they may want, need, or anything in between; it has become a staple of commodity and leisure, but it can also be a very dangerous tool if not handled properly. This tech tool has especially garnered fame and recognition amongst sports fans, who flock to it in order to find all items related to their favorite teams, athletes, and sports, but rest assured, one wrong move and dire consequences could be on the way.
Today though, let’s focus on one of sports fans’ favorite online activities, online sports betting and how to prevent hacking incidents from happening.
In a recent attack, cybercrime group TeamTNT relied on a legitimate tool to avoid deploying malicious code on compromised cloud infrastructure and still have a good grip on it.
Misusing a tool of the trade
Analyzing the attack, researchers at Intezer discovered that TeamTNT installed the open-source tool Weave Scope to gain full control of the victim’s cloud infrastructure.
According to them, this may be the first time a legitimate third-party tool is abused to play the part of a backdoor in a cloud environment, also indicating the evolution of this particular group.
Weave Scope integrates seamlessly with Docker, Kubernetes, the Distributed Cloud Operating System (DC/OS), and AWS Elastic Compute Cloud (ECS). It provides a complete map of processes, containers, and hosts on the server, and control over installed applications.
“The attackers install this tool in order to map the cloud environment of their victim and execute system commands without deploying malicious code on the server,” Intezer notes in a report today.
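As an added example (not from Intezer's report or the original post), the following Python triage walks a constructed container inventory and flags containers showing the Weave Scope indicators a defender would key on: the weaveworks/scope image, the 4040 UI port, a Docker socket mounted from the host, and privileged mode. The container names, the inventory and the allow-list of sanctioned deployments are assumptions.

```python
"""Flag containers that look like an unsanctioned Weave Scope deployment.

Added example: not code from Intezer or the original post. The inventory is a
constructed sample shaped like the fields one would pull from `docker inspect`.
"""
from __future__ import annotations

from dataclasses import dataclass, field

SCOPE_IMAGE = "weaveworks/scope"      # official Weave Scope image repository
SCOPE_PORT = 4040                     # port the Weave Scope UI listens on
DOCKER_SOCKET = "/var/run/docker.sock"  # host socket that gives full Docker control


@dataclass
class Container:
    name: str
    image: str
    ports: list[int] = field(default_factory=list)
    mounts: list[str] = field(default_factory=list)
    privileged: bool = False


# Constructed sample inventory; names, tags and registry are made up.
SAMPLE = [
    Container("web", "nginx:1.25", ports=[80, 443]),
    Container("scope", "weaveworks/scope:1.13.2", ports=[4040],
              mounts=[DOCKER_SOCKET], privileged=True),
    Container("helper", "alpine:3.19", mounts=[DOCKER_SOCKET]),
    Container("api", "registry.example:5000/internal/api:4.2", ports=[8080]),
]
APPROVED = {"monitoring-scope"}  # assumed allow-list of sanctioned container names


def image_repo(image: str) -> str:
    """Strip the tag or digest from an image reference, keeping any registry."""
    repo = image.split("@", 1)[0]
    head, _, last = repo.rpartition("/")
    if ":" in last:                # tag lives after the last '/', registry ports do not
        last = last.rsplit(":", 1)[0]
    return f"{head}/{last}" if head else last


def indicators(c: Container) -> list[str]:
    """Return the Weave Scope / Docker-control indicators present on a container."""
    hits = []
    if image_repo(c.image).endswith(SCOPE_IMAGE):
        hits.append("weave-scope-image")
    if SCOPE_PORT in c.ports:
        hits.append("scope-ui-port-4040")
    if DOCKER_SOCKET in c.mounts:
        hits.append("docker-socket-mounted")
    if c.privileged:
        hits.append("privileged")
    return hits


def triage(inventory: list[Container], approved: set[str] = APPROVED) -> dict[str, list[str]]:
    """Map each unapproved container with at least one indicator to its indicators."""
    findings = {}
    for c in inventory:
        if c.name in approved:
            continue
        hits = indicators(c)
        if hits:
            findings[c.name] = hits
    return findings


if __name__ == "__main__":
    for name, hits in triage(SAMPLE).items():
        print(f"{name}: {', '.join(hits)}")
```

A container that only mounts the Docker socket is still reported, since that mount alone gives the same control over the host that Weave Scope provided the attackers.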
The Cybersecurity and Infrastructure Security Agency (CISA) published an alert for Windows users to patch the critical severity Remote Desktop Services (RDS) RCE security flaw dubbed BlueKeep.
[Figure: ISMS activities and their relationship with Risk Management (Photo credit: Wikipedia)]
Section 13 of Annex A handles information security incident management. One of the important things to know about this section is the difference between an event and an incident.
Information Security Event: an occurrence of a system, service or network state indicating a possible breach of information security policy or failure of safeguards.
Information Security Incident: indicated by a single or a series of unwanted information security events that have a significant probability of compromising business operations.
This video covers Section A.13 of ISO 27001. This refers to the reporting of information security events and weaknesses and the management of information security.
A security incident is a computer, network, or paper based activity which results (or may result) in misuse, damage, denial of service, compromise of integrity, or loss of confidentiality of a network, computer, application, or data; and threats, misrepresentations of identity, or harassment of or by individuals using these resources.
Examples of incidents include, but are not limited to, the following:
• Root-level attacks on networking infrastructure, critical systems, or large, multi-purpose or dedicated servers
• Compromise of privileged accounts on computer systems
• Denial-of-service attacks on networking infrastructure and critical systems
• Attacks launched on others from within umn.edu
• Compromise of individual user accounts or desktop (single-user) systems
• Scans of University systems originating from the Internet
• Spam and mail forgery that originates from, or is relayed through umn.edu
• Viruses, Worms and Trojan Horses