What Is a Cyber Security Incident, and How To Respond to It?

15 April 2022

Liubomyr Sirskyi

Content Manager

In recent years, the number of cyber attacks has been rising rapidly, and so has the number of methods for carrying them out: viruses, ransomware, rootkits, spyware, data-encrypting malware, and more. Attackers have also become subtler and increasingly target supply chains and the partners of the companies they want to harm. Still, a well-handled incident does not have to end in disaster. Let's look at how to respond to cyber security incidents.

What Is an Incident Response

Cyber security incident response is the term for the methods of handling phishing, data leakage, and other cyber attacks. Its primary goal is to limit the direct and collateral damage (time, costs, brand reputation, etc.).

Established businesses need a precise plan for handling these issues. It should determine the impact of an incident on the organisation and all the steps needed to emerge from the situation with minimal losses. It is also imperative to specify who will manage the situation: a clear list of teams or employees with established roles for when an incident occurs.

Who Is Responsible for Solving Cyber Security Incidents

Generally, every company or organisation has a dedicated cyber incident response team, often called a computer incident response team (CIRT). It usually consists of IT and security employees together with legal, HR, and PR staff. According to the Gartner definition, the CIRT is responsible for identifying viruses, data breaches, ransomware and other intrusions that significantly affect the company's security. It comprises the experts who deal with particular threats and who guide the company's leaders on appropriate communication about such incidents.

How to Effectively Respond to Cyber Attacks: 6 Essential Steps

Experts of the SANS Institute specify six basic cyber security incident response plan steps. Let’s learn them in more detail. 

Preparation

First, every organisation must be prepared for an unavoidable attack. Namely, companies need to determine how their technical specialists will react in the case of a security breach. The preparation stage involves the elaboration of the following aspects:

  • policy;
  • response strategy;
  • duties of CIRT staff;
  • appropriate tools;
  • communication;
  • access control;
  • supporting documentation.

That's why this step comes first in the cyber security incident action checklist: no plan can be effective without due preparation.

Identification

During this phase, the CIRT members detect the incident. Ideally, this is done in the shortest possible time to save money and limit damage. IT employees monitor all available signals, from error notifications and firewall logs to intrusion detection systems, which helps to identify the scope of the cyber attack.

Containment

Once the cause of a cyber incident is detected, employees try to contain it. Why is this paramount? The primary purpose of the containment step is to hold damage at its current level and prevent further harm. As mentioned before, the earlier CIRT members identify the attack, the sooner it can be contained and the less significant the damage.

This phase comprises three crucial steps:

  1. short-term actions;
  2. system backup;
  3. long-term actions.

It should be especially noted that IT and other staff must follow all the necessary steps to preserve any evidence that may help identify the perpetrators and convict them.

Eradication

In this stage, technical employees remove the threat and restore the system to stable functioning (with as little data loss as possible). CIRT members should then confirm that all the proper measures have been taken: for instance, the malicious content has been removed and the attacked systems are clean. IT employees should follow their re-entry plan as quickly as possible.

Recovery

In this phase the cyber security incident response team tests, monitors, and validates all the affected systems. The reason is simple: IT staff must ensure that the systems are no longer compromised. Another essential step is deciding when to restore all operations, and then monitoring for suspicious activity.

Lessons Learned

Once the incident has been resolved, the CIRT members should analyse it and update the threat response policy. During this stage the organisation must create a cyber security incident report that provides all the information needed to handle future cyber attacks. It will be used in training sessions for new employees and in performance evaluation.

🔵 Last year we reviewed the cyber security mesh method as one of the current technology trends. Check this article to find out more!

Top 3 Well-known Cyber Security Incidents and Lessons To Learn From Them

Phishing is used in 80% of all cyber attacks, according to the 2021 Verizon Data Breach Investigations Report. Moreover, about 40% of data leakages involve ransomware and other malicious apps. Many financial and IT companies have been victims of cyber intrusions. Let's analyse the best-known incidents and the lessons learned.

Twitter

In summer 2020, Twitter became the victim of a severe phishing attack. Cybercriminals compromised the admin control panel, took over dozens of private and corporate Twitter accounts (mostly belonging to public figures), and organised a scam BTC giveaway in their names.

The hackers contacted several Twitter employees while posing as the company's technical staff and asked for their work account login details. These credentials let the cybercriminals take over the admin panel, hijack the accounts of famous people and post fake links.

Creating a comprehensive cyber security policy is imperative, but it may not be the only measure. Companies should also organise regular training sessions to check that their employees follow basic digital security rules, for example, who is responsible for resetting passwords.

Moreover, some users' accounts need additional protection since they have access to vital systems and information. If cybercriminals gain access to privileged accounts, it may harm the brand's reputation and security. That's why it is essential to enforce multifactor authentication and continuous monitoring of all system activities for better cyber security incident containment.

Microsoft

Another significant example of cyber security incident and threat management is a financial fraud committed by a Microsoft testing team employee. The attacker worked as a software developer on e-commerce projects and cheated the company out of $10 million in cryptocurrency. He used scam store accounts and the test accounts of his associates to make fictitious payments and withdraw money.

Microsoft Store blocked most of the orders for physical goods, but digital gift cards were successfully stolen and later sold through online marketplaces.

Analysing this case, we can point to several approaches that provide top-notch security for privileged employees' accounts: for example, integrating tools for multifactor authentication, one-time passwords and manual access control. Such secondary controls help verify people's behaviour in the control panel or service management account.

Another essential measure is regular password rotation. According to the National Institute of Standards and Technology, this option should reduce the risk of unauthorised access to privileged accounts. Moreover, CIRT members need to verify that privileged users (except administrators) cannot create new accounts or edit access rights for unprivileged users. This approach keeps all the keys to your network exclusively with a specific category of users.

Capital One

The last case to analyse is the massive client data breach at the financial company Capital One. A former staff member of its cloud hosting provider took over the corporate database and exfiltrated important information. The data leakage was caused by misconfigured web software that opened access to sensitive records of over 100 million customers: full names, telephone numbers and addresses, insurance policy numbers, and IBANs.

What should a cyber security incident response plan look like for this case? First, the company needs to choose its third-party service provider carefully. Pay due attention to cyber security regulations and practices; if a prospective contractor does not follow them, record the requirements in the service level agreement. Among other things, service access should be revoked for departed staff.

Moreover, contractors' access to your vital systems and information must be limited to the level required for the performance of their duties. High-quality monitoring tools are also paramount, as they help track access to your critical systems. You should also keep records of third-party vendor actions so that effective audits can be conducted. And don't forget about multi-factor authentication, manual access control, and one-time passwords.


Organisations and companies should address cyber security threats effectively. First and foremost, this means preparing a clear plan for incident response, which is the only way to limit the damage in the shortest time. Moreover, a comprehensive cyber security incident plan will save your company time and money when restoring affected systems after a data leak. Rocketech can help you with all of this: we provide full-cycle services in software development and cyber security. Contact us to learn more about how we can assist in your case.
