Security Incidents: What You Should Look Out For
Security incidents are events that occur with a potential impact to an organization which can represent a cybersecurity threat or attack. Identifying incidents and responding to them quickly is a critical cybersecurity process.
In this article:
- The definition of a cybersecurity incident
- The difference between a security incident and security event
- Notable security breaches
- Types of security incidents
- How to respond to a security incident
- Automating incident response
Security incident definition: What is a cybersecurity incident?
Security incidents indicate the failure of security measures or the breach of organizations’ systems or data. This includes any event that threatens the integrity, availability, or confidentiality of information — or represents a violation or threat of violation to a law, security policy or procedure, or acceptable use policies. Causes of security incidents include anything from perimeter breaches and external attacks to insider threats or negligence.
Incidents usually require an IT administrator to take action. Incident response (IR) is an organized process by which organizations identify, triage, investigate scope, and direct mitigation or recovery from security incidents.
The difference between a security incident and a security event
Security incidents differ from security events and pose a higher risk to an organization. Security events indicate that a system might be compromised, but could also result from other issues, such as an erroneous login attempt or a misconfiguration. Events are relatively easy to resolve and usually represent isolated risks, i.e., organizations may log thousands or millions of security events in a day, which they handle with automated tools.
A single event is unlikely to result in an information breach that can severely impact the organization. For example, a spam email is a security event, but if an employee clicks on a link in the email, it could be considered an incident because it may expose the system to malware, credential theft, or a phishing attack.
Notable security breaches
Most security breaches are not publicly announced. Here are several large, widely publicized breaches that started as security incidents:
- Colonial Pipeline – The U.S.-based Colonial Pipeline was the victim of a ransomware attack. Malicious actors managed entry through a VPN account with a single compromised password to acquire network access. While operational technology (OT) systems weren’t affected, the organization halted the fuel flow in its mainline as a precautionary measure, causing shortages in regions around the country. Credentials are involved in the majority of attacks, and seeing abnormal behavior is key to automating incident responses.
- Accellion – The file transfer and collaboration software provider Accellion announced a zero-day vulnerability in their File Transfer Appliance (FTA), a file sharing service they acknowledged was at the end of its life and released a patch to fix it. The next month, they released four additional patches to address other vulnerabilities that bad actors used to attack their customers through their FTA service. However, before some of their customers could install the patch, ransomware groups exploited these vulnerabilities in their customers to access their data — proving the ability to scan for software, processes, and abnormal file transfers cannot be overstated in importance.
- Microsoft – The Hafnian group gained access to MS Exchange Servers either with stolen passwords or by using a zero-day vulnerability to disguise itself as someone who should have access. They created a web shell connected to a Command & Control server outside the network. Then they used that remote access — run from the U.S.-based private servers — to steal data, proving, as ever, that both abnormal credential behavior and abnormal network traffic should always be considered a critical alert.
- SunBurst – The first of the biggest software supply chain attacks, the malicious actors gained access to numerous public and private organizations around the world via Trojanized updates to SolarWinds’ Orion IT monitoring and management software. Post-compromise activity via the identity store included lateral movement and, far too often, data theft via backdoor comms via HTTP to third-party servers.
Types of security incidents
Security incidents can occur via a broad range of threat vectors. Here are a few of the most common cybersecurity threats and vulnerabilities:
- Brute force attacks – Attackers use brute force methods to breach networks, systems, or services, which they can then degrade or destroy. For example, attackers use software that tests multiple passwords to guess the correct one. Another example is a distributed denial-of-service (DDoS) attack, which overwhelms the target system and causes it to deny access to users.
- Email – attacks executed through an email message or attachments. Viruses posing as documents trick users into downloading an attachment and then take control of the host. Email can also be abused via phishing. An attacker may request sensitive information or link to a website that appears legitimate, tricking the recipient into complying.
- Web – attacks executed on websites or web-based applications. This could be via drive-by downloads from watering hole attacks, malicious scripts, popup alerts or supposedly legitimate user-initiated downloads. Beyond this lies the host of OWASP-based application vulnerabilities and misconfigurations. (Remember the Panama Papers? Application security matters!)
- Loss or theft of equipment – A company device like a laptop or smartphone is lost or stolen. Over 40 percent of small business owners, healthcare centers, and senior executives of all industries attribute their latest security incident to employee negligence or accidental loss, according to a 2018 study.
- External/removable media – attacks executed using removable media like a flash drive or CD, or a peripheral device. Using removable media from an unidentified source can spread malware. One study revealed that users plug up to half of USB sticks found in office parking lots into their computers, enabling malware infection. (One supposes this is why many Macs no longer have USB drives.)
How to respond to a security incident
Incident response (IR) involves preparing an organization for a possible cyberattack or data breach. Organizations should prepare in advance and establish a battle-tested IR plan before an incident occurs.
The NIST Computer Security Incident Handling Guide defines six stages of IR:
- Assemble your team – Establish measures to prevent security incidents, clarify who is responsible for responding when they occur, and prepare your team in advance.
- Detect the incident and its source – Monitor potential attack vectors, identify signs of a breach, and determine the urgency of each incident.
- Contain and recover – Develop a containment strategy to quarantine affected systems or hosts, resolve malware issues, and provide backups for recovery.
- Assess the damage – Retain evidence and review the cause of the incident to determine whether the attack was external or malicious, prevent future recurrence, and consider launching a cyber attribution investigation.
- Notify the affected parties – Inform customers or data owners of the incident, as obliged by law, so that they can protect themselves.
- Prevent future recurrence – Apply the lessons learned from the incident to update your IR plan and fix vulnerabilities in your system.
Automating incident response
New technology is making it possible for security teams to manage IR automatically. These incident response automation systems are known as security orchestration, automation and response (SOAR). Many common incident types can be managed and contained by an automated system allowing security analysts to perform more strategic tasks.
A SOAR system can:
- Collect security threat data and alerts
- Define and enforce a standard workflow for IR activities
- Analyze incidents, including triage and prioritization
- Enable automated security playbooks which encode incident analysis and response into a standard, fully-automated or semi-automated process
For an example of a SOAR security system, learn more about Exabeam’s Security Responder.
Learn more about Cybersecurity Threats
- 21 Top Cybersecurity Threats and How Threat Intelligence Can Help
- Information Security Threats and Tools for Addressing Them
- Drive By Downloads: What They Are and How to Avoid Them
- Cyber Crime: Types, Examples, and What Your Business Can Do
- What is MITRE ATT&CK: An Explainer
- Mitigating Security Threats with MITRE ATT&CK
- Defending Against Ransomware: Prevention, Protection, Removal
- Top 5 Social Engineering Techniques and How to Prevent Them
- Privilege Escalation Detection: The Key to Preventing Advanced Attacks
What Can We Learn From the Lapsus$ Attacks?
Incident Response: 6 Steps, Technologies, and Tips
The Responsibility of Risk: Regulations, Certifications – What do Privacy and Data Security Mean?
An Outcome-based Approach to Use Cases: Solving for Lateral Movement
Subscribe today and we'll send our latest blog posts right to your inbox, so you can stay ahead of the cybercriminals and defend your organization.
See a world-class SIEM solution in action
Most reported breaches involved lost or stolen credentials. How can you keep pace?
Exabeam delivers SOC teams industry-leading analytics, patented anomaly detection, and Smart Timelines to help teams pinpoint the actions that lead to exploits.
Whether you need a SIEM replacement, a legacy SIEM modernization with XDR, Exabeam offers advanced, modular, and cloud-delivered TDIR.
Get a demo today!