By: Nihad Hassan
January 19, 2022
Steps In Handling Cybersecurity Incidents
As digital transformation accelerates, organizations' dependence on digital technologies is expected to increase before long. Nowadays, most organizations, regardless of their type or industry, are leveraging digital technologies in one way or another to support their core business functions.
The increased reliance on technology and computer networks brings numerous advantages to organizations, such as: reducing operational costs, increasing customer satisfaction through better customer services, and increasing competitive advantages, to name only a few. However, the increased dependence on technology makes businesses susceptible to many threats originating from cyberspace. These threats can cause severe damage to businesses, especially if confidential data, such as customers' information and trade secrets, are compromised.
Beyond the cost of cyberattacks themselves, downtime is another cost incurred whenever technology fails for any reason. For example, according to a 2014 Gartner study, the average cost of a network outage could reach $5,600 per minute. More recent statistics show even larger losses. According to ITIC, 34% of organizations reported that the cost of a critical server outage exceeded $1 million per hour of downtime.
This article will define the term cybersecurity incident, discuss incident types, and list several recent cybersecurity incidents. Finally, we will suggest a process or methodology for responding to cybersecurity-related incidents.
Defining Cybersecurity Incidents
A cybersecurity incident is any action that compromises an organization's stored data and IT systems. Security incidents occur when a failure in defense measures allows an outsider or insider threat actor to gain unauthorized access, threatening the confidentiality, integrity, and availability of information assets.
Security Incident vs. Security Event
A security event is any occurrence that can lead to a security incident. For example, receiving a phishing email containing a link to a malicious website is a security event. Another example is detecting a port scanning activity. A typical organization may receive thousands of security events each day; however, most of these events are handled automatically via automated security solutions, such as firewalls, antispam, antivirus, IDS/IPS, and SIEM.
In contrast, a security incident is considered the second step of a security event. It is a security event that leads to a security issue. For example, if a user clicks on a malicious link within a phishing email and unknowingly installs ransomware on their device, this is considered a security incident.
It is worth noting that not all security incidents lead to a data breach. For example, erroneous attempts to sign into a secure work account are considered a security incident. However, it does not result in a data breach or cease any ongoing business operations.
Incident Types - Not All Incidents Are IT Related
Not all incidents occurring in the IT environment are caused by a cyberattack, meaning they are not IT-related. The following incidents may threaten the organization's sensitive data or prevent normal operations, but they do not stem from malicious attacks:
- Power outage
- Misconfigured critical server or IT solution
- Defect in IT infrastructure devices – such as networking devices or servers
- Sensitive data sent to an incorrect recipient
- Theft of computing devices containing sensitive work files
- Losing work papers containing sensitive information
The Information Commissioner's Office (ICO) published a report in Q4 2019 stating that the number of non-cyber incidents exceeded the number of cyber-related incidents.
Cybersecurity incidents can take many forms, such as:
- Malware attacks such as ransomware, trojans, keyloggers, spyware, and any other malicious software.
- Denial of service (DoS) attacks.
- Social engineering-based attacks such as phishing.
- Man-in-the-middle (MITM) attacks.
Notable Recent Cybersecurity Incidents
Cybersecurity incidents are inevitable for any organization utilizing digital technologies. Listed below are some recent critical cybersecurity incidents:
- The Colonial Pipeline cyber incident, which halted fuel supplies across the East Coast in 2021, was caused by a compromised VPN account.
- In July 2020, Twitter suffered a spear-phishing attack in which attackers accessed 130 accounts of the most recognized users worldwide.
- The REvil hacker group targeted the Taiwanese computer manufacturer Acer with ransomware and locked its primary financial documents and spreadsheets. The attackers demanded that Acer pay a ransom of $50 million by March 28th in exchange for the decryption key, which is considered the highest recorded ransom since the introduction of the ransomware attack model.
Responding to Cybersecurity Incidents
Based on the suggested response steps defined by the NIST Computer Security Incident Handling Guide (SP 800-61), it is advisable to follow these phases to respond to cyber attacks efficiently.
Bring Your Team Together
This phase begins before the incident has occurred. In this phase, the organization must assemble a team with varying technical expertise. Each team member must have their roles and responsibilities clearly defined before an incident occurs. The team should designate a team manager or commander who will coordinate its activities during the incident, so that multiple team members do not duplicate the same tasks. The presence of an incident manager is also essential for communicating with all affected stakeholders, including top management, in case the incident is critical and requires stopping the entire system and ceasing normal business operations.
Some organizations may not have the resources to have a local incident response team. Another option is outsourcing the incident response (IR) job to a managed security provider.
When an incident occurs, the incident team must assemble quickly. For example, if the incident is critical and results in a data breach that can lead to litigation (e.g., breaching GDPR terms), other departments must be notified, such as the public relations and legal departments.
Detect and Recognize The Incident Source
After assembling the IR team, the first task is to detect and recognize the source of the incident and work to contain it expeditiously if the incident is still ongoing.
There are different indicators the incident response team can use to detect the incident, such as:
- Log files from SIEM and other security solutions.
- Data loss prevention (DLP) warnings about attempts to leak sensitive data.
- File integrity monitoring alerts raised when malware tries to modify critical files (such as ransomware initiating its encryption routine).
- Slow network traffic or network congestion with no apparent cause, which could be an indicator of an attack.
- Abnormal network activity going to a particular endpoint device (e.g., a laptop).
- Security alerts from antivirus and anti-malware solutions installed on the network perimeter.
Containment and Recovery Phases
After the incident source is identified, the IR team must contain the risk and begin the recovery process. Some containment measures include the following:
- Reset all compromised user accounts if the incident resulted in stolen credentials.
- Disable all user accounts if the incident resulted from an insider actor.
- Disconnect the infected network segment if malware is detected.
- Isolate malware-infected endpoint devices to prevent spreading the infection to other network devices.
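As an added illustration (not part of the original article), the following Python sketch shows how file integrity monitoring and DLP alerts from the indicator list above could be triaged into events and incidents, with a containment measure attached to each incident. The log format, host names, 60-second window, and burst threshold are assumptions made for this example, and the sample alerts are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample alerts (not real logs): "timestamp source host detail"
SAMPLE_ALERTS = """\
2022-01-10T09:00:01 fim ws-017 modified /srv/share/finance/q1.xlsx
2022-01-10T09:00:03 fim ws-017 modified /srv/share/finance/q2.xlsx
2022-01-10T09:00:04 fim ws-017 modified /srv/share/finance/q3.xlsx
2022-01-10T09:00:06 fim ws-017 modified /srv/share/finance/q4.xlsx
2022-01-10T09:05:00 fim ws-022 modified /etc/hosts
2022-01-10T11:30:00 fim ws-022 modified /etc/resolv.conf
2022-01-10T09:10:00 dlp ws-031 blocked upload customer-list.csv
"""

WINDOW = timedelta(seconds=60)  # assumed correlation window
FIM_BURST = 4                   # assumed threshold: file changes per host per window


def parse(line):
    """Split one alert line into (timestamp, source, host, detail)."""
    ts, source, host, detail = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), source, host, detail


def triage(text, window=WINDOW, burst=FIM_BURST):
    """Return {host: (classification, containment)} for every host in the alerts."""
    recent_fim = defaultdict(deque)  # host -> FIM alert times still inside the window
    result = {}
    alerts = sorted(parse(l) for l in text.splitlines() if l.strip())
    for ts, source, host, _detail in alerts:
        # Every alert starts out as a security event handled by automated controls.
        result.setdefault(host, ("event", "none: handled by automated controls"))
        if source == "fim":
            times = recent_fim[host]
            times.append(ts)
            while ts - times[0] > window:  # drop changes older than the window
                times.popleft()
            if len(times) >= burst:
                # A burst of file changes resembles a ransomware encryption routine.
                result[host] = ("incident", "isolate endpoint from the network")
        elif source == "dlp" and result[host][0] == "event":
            # A blocked leak attempt stays an event but is queued for review.
            result[host] = ("event", "review user activity")
    return result


if __name__ == "__main__":
    for host, (kind, action) in sorted(triage(SAMPLE_ALERTS).items()):
        print(f"{host}: {kind} -> {action}")
```

Two isolated file changes hours apart on `ws-022` remain an event, while four changes within seconds on `ws-017` are escalated to an incident.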
The initial recovery steps may include the following measures:
- Patching outdated operating systems for both endpoints and servers.
- Recover data from backup, if the incident resulted in encrypting critical business data.
Assess Incident Severity
After containment, the IR team should check the amount of damage caused by the incident. Organizations have a severity scale to measure the damage of an incident. For example, if the incident breached customer data, which is critical, the IR team must respond accordingly. Sometimes, you must contact and inform the authorities and seek help from various third-party security consultants. An internal investigation is necessary if the attack resulted from an insider actor.
If the incident is considered major and breaches confidential customer information, the affected organization should immediately inform the affected customers. The organization must also report the incident as required by regulatory and compliance frameworks such as GDPR, HIPAA, and PCI DSS. This ensures that the organization avoids paying any fines. Sometimes, an organization would post a public breach notification letter on its affected websites to increase visibility.
Preventing Incident Re-occurrence
Once the incident is resolved, document all the steps that occurred, from its discovery through to its resolution. The IR team must identify lessons learned from the incident and from how they responded. This will prevent the organization from experiencing the same incident in the future. Examples of lessons learned could be:
- Educate end-users about phishing attacks if the incident is attributable to a phishing email.
- Patching all outdated operating systems and applications if the incident exploited obsolete software.
- Install Data Loss Prevention (DLP) solution if an insider threat caused the attack.
Security incidents cannot be avoided by any organization. By having a robust incident response methodology, an organization will respond instantly to different types of incidents and restore its regular operations. Also, an incident response plan helps organizations detect similar future incidents and increases the organization's resiliency against the rising number of cyberattacks.
- NIST, "Computer Security Incident Handling Guide", Accessed 2022-01-14 https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final
- Security Metrics, "6 Phases in the Incident Response Plan", Accessed 2022-01-14 https://www.securitymetrics.com/blog/6-phases-incident-response-plan
- Simplicable, "Security event vs Security incident", Accessed 2022-01-14 https://simplicable.com/new/security-event-vs-security-incident