Incident Response
In order to define “incident response,” you first need to understand what constitutes a security incident. The Verizon report defines an incident as “a security event that compromises the integrity, confidentiality or availability of an information asset.” An incident could include an attack, that is, an intentional attempt to gain unauthorized access to damage or destroy a network. Or an incident could be a simple accident, such as an employee leaving a company laptop in a cab. An incident may or may not involve a breach, the theft of company information.
Cybersecurity incident response is a formal, organized approach for dealing with all kinds of security incidents. It usually involves an incident response plan (IRP), which lays out the steps that a company should follow after an incident occurs. These plans should include the incident response process for all of the most common types of incidents, including those listed below.
Examples of security incidents
- Phishing. In a phishing attack, criminals send an organization’s employees a message (usually via email) that includes a malicious attachment or link. The bad news, according to Verizon, is that phishing attacks are on the rise and employees don’t know how to handle them. The median time between when attackers send out a phishing campaign and when the first recipient opens the message is just 1 minute and 40 seconds, and the median time for clicking on the malicious link is just 3 minutes and 45 seconds. Only 3 percent of phishing recipients reported the malicious email.
- Stolen credentials. The goal of many phishing or malware attacks is to obtain credentials that will allow an attacker to access the organization’s network. In many cases, however, the attackers don’t actually have to “steal” anything: they simply guess the correct password. According to the Verizon report, “63 percent of confirmed data breaches involved weak, default or stolen passwords.”
- Malware. Malware is a broad category that includes any kind of malicious software. Examples include viruses, trojan horses, rootkits, adware and the increasingly common ransomware. Users can introduce malware into a network in a number of ways, for example, by opening a malicious attachment in a phishing email, by visiting a malicious Web page or by connecting an infected USB drive or other device to the network.
- Ransomware. An increasingly common form of attack, ransomware is a type of malware that demands that victims pay a fee in order to remove the malicious code, regain access to files that were encrypted by the ransomware or prevent something unwanted from happening, such as making a victim’s data public. According to Symantec’s Ransomware and Business 2016 Report, security vendors discovered one hundred new ransomware families last year alone, and the average ransom demand has climbed to $679.
- Denial of service attacks. In a denial of service (DoS) attack, attackers flood a system, usually a Web server, with so much traffic that legitimate users can no longer access it; when the traffic comes from many compromised machines at once, the attack is called a distributed denial of service (DDoS) attack. Attackers often mount DoS attacks for ideological reasons or to “punish” a person or organization for some activity. For example, last year attackers hit security blogger Brian Krebs with a massive DDoS attack after he published a series of articles on DDoS-for-hire services.
- Web app attacks. Hackers attack organizations’ Web apps in a number of different ways, such as buffer overflows, SQL injection, cross-site scripting and, as already mentioned, DoS attacks. Verizon reported 5,334 incidents of Web app attacks last year, including 908 that resulted in data breaches. Financial services companies are a particularly popular target for Web attacks.
- Cyberespionage. One of the hardest types of incidents to defend against, cyberespionage occurs when an unauthorized person attempts to infiltrate a system or network in order to gain access to secret information. Often these attacks are perpetrated by a company’s competitors or by nation-states. According to Verizon, “90 percent of cyberespionage breaches capture trade secrets or proprietary information.”
- Loss or theft of devices. As mobile devices have become more common, organizations have experienced an increase in the loss or theft of devices that contain corporate information or that can access corporate networks. Many of these incidents do not result in a data breach, but organizations often find it very difficult to distinguish between accidents and intentional theft carried out with the goal of infiltrating an organization’s networks.
- Insider attacks. Organizations sometimes don’t pay enough attention to threats from their own employees or partners’ employees, but Verizon reported that there were 10,489 incidents of “insider and privilege misuse” last year. These attacks can be very difficult to detect and mitigate because insiders often have knowledge that helps them evade an organization’s security measures.
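The stolen-credentials entry above makes the point that many "stolen" passwords are simply guessed. The following script is an added example, not code from the original article or from the Verizon report, of the kind of detection logic an incident responder might run over authentication logs to surface exactly that pattern: a successful password login from a source that had just racked up a run of failures. The sshd log lines, hostnames, IP addresses, the year used to complete the syslog timestamps and the alert thresholds are all constructed assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd auth log lines in syslog format (assumption: not from a real system).
# Source 203.0.113.7 fails five times for root and then succeeds; 198.51.100.20 is a user
# who mistyped once; 192.0.2.9 logs in with a key and is not a password event at all.
SAMPLE_LOG = """\
Mar  3 09:12:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 09:12:03 web01 sshd[2203]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  3 09:12:05 web01 sshd[2205]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar  3 09:12:07 web01 sshd[2207]: Failed password for root from 203.0.113.7 port 51028 ssh2
Mar  3 09:12:09 web01 sshd[2209]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 09:12:11 web01 sshd[2211]: Accepted password for root from 203.0.113.7 port 51032 ssh2
Mar  3 09:30:00 web01 sshd[2300]: Failed password for alice from 198.51.100.20 port 40010 ssh2
Mar  3 09:30:20 web01 sshd[2301]: Accepted password for alice from 198.51.100.20 port 40011 ssh2
Mar  3 09:45:00 web01 sshd[2400]: Accepted publickey for bob from 192.0.2.9 port 40500 ssh2
"""

# Matches the standard OpenSSH "Accepted/Failed <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

LOG_YEAR = 2024  # syslog timestamps carry no year; assumed for this example


def parse_line(line):
    """Return a dict with ts, result, method, user and src, or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(f"{LOG_YEAR} {ev['ts']}", "%Y %b %d %H:%M:%S")
    return ev


def find_guessing_successes(log_text, max_failures=4, window_seconds=300):
    """Flag each successful password login that was preceded, within a sliding window of
    window_seconds, by at least max_failures failed password attempts from the same source.
    Key-based logins are ignored: a guessed key is not the scenario being hunted."""
    failures = defaultdict(list)  # src ip -> timestamps of recent failed password attempts
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["method"] != "password":
            continue
        src, ts = ev["src"], ev["ts"]
        # Expire failures that have fallen out of the window relative to this event.
        failures[src] = [t for t in failures[src] if (ts - t).total_seconds() <= window_seconds]
        if ev["result"] == "Failed":
            failures[src].append(ts)
        elif len(failures[src]) >= max_failures:
            alerts.append({
                "src": src,
                "user": ev["user"],
                "failures": len(failures[src]),
                "ts": ts.isoformat(),
            })
            failures[src].clear()  # one alert per burst
    return alerts


if __name__ == "__main__":
    for alert in find_guessing_successes(SAMPLE_LOG):
        print(f"probable guessed credential: {alert['user']} from {alert['src']} "
              f"after {alert['failures']} failures, at {alert['ts']}")
```

On the constructed log this reports a single alert for root from 203.0.113.7; alice's one typo and bob's key login do not trigger it. The threshold and window are starting points to tune against real traffic, and a hit like this is the cue to treat the account as compromised (reset the password, review what the session did) rather than as a user who finally remembered their password.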