Security Incidents: What You Should Look Out For - Exabeam

Security Incidents: What You Should Look Out For

March 15, 2022


Reading time
7 mins

Security incidents are events that occur with a potential impact to an organization which can represent a cybersecurity threat or attack. Identifying incidents and responding to them quickly is a critical cybersecurity process.

In this article:

Security incident definition: What is a cybersecurity incident?

Security incidents indicate the failure of security measures or the breach of organizations’ systems or data. This includes any event that threatens the integrity, availability, or confidentiality of information — or represents a violation or threat of violation to a law, security policy or procedure, or acceptable use policies. Causes of security incidents include anything from perimeter breaches and external attacks to insider threats or negligence.

Incidents usually require an IT administrator to take action. Incident response (IR) is an organized process by which organizations identify, triage, investigate scope, and direct mitigation or recovery from security incidents.

The difference between a security incident and a security event

Security incidents differ from security events and pose a higher risk to an organization. Security events indicate that a system might be compromised, but could also result from other issues, such as an erroneous login attempt or a misconfiguration. Events are relatively easy to resolve and usually represent isolated risks, i.e., organizations may log thousands or millions of security events in a day, which they handle with automated tools.

A single event is unlikely to result in an information breach that can severely impact the organization. For example, a spam email is a security event, but if an employee clicks on a link in the email, it could be considered an incident because it may expose the system to malware, credential theft, or a phishing attack.

Notable security breaches

Most security breaches are not publicly announced. Here are several large, widely publicized breaches that started as security incidents:

  • Colonial Pipeline – The U.S.-based Colonial Pipeline was the victim of a ransomware attack. Malicious actors managed entry through a VPN account with a single compromised password to acquire network access. While operational technology (OT) systems weren’t affected, the organization halted the fuel flow in its mainline as a precautionary measure, causing shortages in regions around the country. Credentials are involved in the majority of attacks, and seeing abnormal behavior is key to automating incident responses.
  • Accellion – The file transfer and collaboration software provider Accellion announced a zero-day vulnerability in their File Transfer Appliance (FTA), a file sharing service they acknowledged was at the end of its life and released a patch to fix it. The next month, they released four additional patches to address other vulnerabilities that bad actors used to attack their customers through their FTA service. However, before some of their customers could install the patch, ransomware groups exploited these vulnerabilities in their customers to access their data — proving the ability to scan for software, processes, and abnormal file transfers cannot be overstated in importance.
  • Microsoft – The Hafnian group gained access to MS Exchange Servers either with stolen passwords or by using a zero-day vulnerability to disguise itself as someone who should have access. They created a web shell connected to a Command & Control server outside the network. Then they used that remote access — run from the U.S.-based private servers — to steal data, proving, as ever, that both abnormal credential behavior and abnormal network traffic should always be considered a critical alert.
  • SunBurst – The first of the biggest software supply chain attacks, the malicious actors gained access to numerous public and private organizations around the world via Trojanized updates to SolarWinds’ Orion IT monitoring and management software. Post-compromise activity via the identity store included lateral movement and, far too often, data theft via backdoor comms via HTTP to third-party servers.

Types of security incidents

Security incidents can occur via a broad range of threat vectors. Here are a few of the most common cybersecurity threats and vulnerabilities:

  • Brute force attacks – Attackers use brute force methods to breach networks, systems, or services, which they can then degrade or destroy. For example, attackers use software that tests multiple passwords to guess the correct one. Another example is a distributed denial-of-service (DDoS) attack, which overwhelms the target system and causes it to deny access to users.
  • Email – attacks executed through an email message or attachments. Viruses posing as documents trick users into downloading an attachment and then take control of the host. Email can also be abused via phishing. An attacker may request sensitive information or link to a website that appears legitimate, tricking the recipient into complying.
  • Web – attacks executed on websites or web-based applications. This could be via drive-by downloads from watering hole attacks, malicious scripts, popup alerts or supposedly legitimate user-initiated downloads. Beyond this lies the host of OWASP-based application vulnerabilities and misconfigurations. (Remember the Panama Papers? Application security matters!)
  • Loss or theft of equipment – A company device like a laptop or smartphone is lost or stolen. Over 40 percent of small business owners, healthcare centers, and senior executives of all industries attribute their latest security incident to employee negligence or accidental loss, according to a 2018 study.
  • External/removable media – attacks executed using removable media like a flash drive or CD, or a peripheral device. Using removable media from an unidentified source can spread malware. One study revealed that users plug up to half of USB sticks found in office parking lots into their computers, enabling malware infection. (One supposes this is why many Macs no longer have USB drives.)

How to respond to a security incident

Incident response (IR) involves preparing an organization for a possible cyberattack or data breach. Organizations should prepare in advance and establish a battle-tested IR plan before an incident occurs.

The NIST Computer Security Incident Handling Guide defines six stages of IR:

  1. Assemble your team – Establish measures to prevent security incidents, clarify who is responsible for responding when they occur, and prepare your team in advance.
  2. Detect the incident and its source – Monitor potential attack vectors, identify signs of a breach, and determine the urgency of each incident.
  3. Contain and recover – Develop a containment strategy to quarantine affected systems or hosts, resolve malware issues, and provide backups for recovery.
  4. Assess the damage – Retain evidence and review the cause of the incident to determine whether the attack was external or malicious, prevent future recurrence, and consider launching a cyber attribution investigation.
  5. Notify the affected parties – Inform customers or data owners of the incident, as obliged by law, so that they can protect themselves.
  6. Prevent future recurrence – Apply the lessons learned from the incident to update your IR plan and fix vulnerabilities in your system.

Automating incident response

New technology is making it possible for security teams to manage IR automatically. These incident response automation systems are known as security orchestration, automation and response (SOAR). Many common incident types can be managed and contained by an automated system allowing security analysts to perform more strategic tasks.

A SOAR system can:

  • Collect security threat data and alerts
  • Define and enforce a standard workflow for IR activities
  • Analyze incidents, including triage and prioritization
  • Enable automated security playbooks which encode incident analysis and response into a standard, fully-automated or semi-automated process

For an example of a SOAR security system, learn more about Exabeam’s Security Responder.

Learn more about Cybersecurity Threats

Similar Posts

The 4 Steps to a Phishing Investigation

Log4j by Another Name. It’s Coming; How Can You Keep Pace?

What Can We Learn From the Lapsus$ Attacks?

Recent Posts

Exabeam News Wrap-up – Week of September 19, 2022

Exabeam News Wrap-up – Week of September 12, 2022

The 4 Steps to a Phishing Investigation

See a world-class SIEM solution in action

Most reported breaches involved lost or stolen credentials. How can you keep pace?

Exabeam delivers SOC teams industry-leading analytics, patented anomaly detection, and Smart Timelines to help teams pinpoint the actions that lead to exploits.

Whether you need a SIEM replacement, a legacy SIEM modernization with XDR, Exabeam offers advanced, modular, and cloud-delivered TDIR.

Get a demo today!