Security Incidents: Types, Tools, Examples, and How to Prevent - Exabeam

Security Incidents: Types, Tools, Examples, and Prevention

Published: April 15, 2023

What Is a Security Incident?

Security incidents are events representing a change in security posture with a potential impact on an organization — which can represent a cybersecurity threat or attack. Identifying events and threats and responding to them quickly is a critical cybersecurity process.

Security incidents indicate the failure of a current security posture which could represent a material breach of organizations’ systems or data. This includes any event that threatens the integrity, availability, or confidentiality of information — or represents a violation or threat of violation to a law, security policy or procedure, or acceptable use policies. Causes of security incidents include anything from perimeter breaches and external attacks to insider threats or negligence.

Cybersecurity incidents usually require an IT administrator to take action, and may also involve other operations teams. Incident response (IR) is an organized process by which organizations identify, triage, investigate and scope, and direct mitigation of or recovery from security incidents.

The difference between a security incident and a security event

Security incidents differ from security events and pose a higher risk to an organization. Security events indicate that a system might be compromised, but could also result from other issues, such as an erroneous login attempt or a misconfiguration. Events are relatively easy to resolve and usually represent isolated risks; organizations may log thousands or millions of security events in a day, which they handle with automated tools.

A single event is unlikely to result in an information breach that can severely impact the organization. For example, a spam email is a security event, but if an employee clicks on a link in the email, it could be considered an incident because it may expose the system to malware, credential theft, or a phishing attack.

Common types of security incidents

Here are common attack vectors used by cybercriminals to carry out security incidents:

  • Email – attacks executed through an email message or attachments. Viruses posing as documents trick users into downloading an attachment and then take control of the host. Email can also be abused via phishing. An attacker may request sensitive information or link to a website that appears legitimate, tricking the recipient into complying.
  • Web – attacks executed on websites or web-based applications. This could be via drive-by downloads from watering hole attacks, malicious scripts, popup alerts or supposedly legitimate user-initiated downloads. Beyond this lies the whole host of application vulnerabilities and misconfigurations catalogued by OWASP. (Remember the Panama Papers? Application security matters!)
  • Loss or theft of equipment – A company device like a laptop or smartphone is lost or stolen. Over 40 percent of small business owners, healthcare centers, and senior executives of all industries attribute their latest security incident to employee negligence or accidental loss, according to a 2018 study.
  • External/removable media – attacks executed using removable media like a flash drive or CD, or a peripheral device. Using removable media from an unidentified source can spread malware. One study revealed that users plug up to half of USB sticks found in office parking lots into their computers, enabling malware infection. (One supposes this is why many Macs no longer have USB drives.)

Following are some of the most common types of security events which can cause incidents that target businesses and organizations:

  • Unauthorized access attacks: These attacks involve unauthorized entry into a system or network by exploiting vulnerabilities or circumventing authentication processes. This includes a wide range of attack types involving stolen or compromised credentials. The consequences can include public exposure, data theft, system disruption, or even total control over the affected systems.
  • Privilege escalation attacks: Attackers exploit software or operating system vulnerabilities to gain elevated privileges within a system. This enables them to perform actions they wouldn’t normally have permission for, such as accessing sensitive data or modifying crucial configurations.
  • Malicious insider threat attacks: These attacks are carried out by employees (or someone else with system credentials, e.g., contractors) who intentionally misuse their authorized access rights for malicious intent, including stealing confidential information, sabotaging operations, or causing other harm from within the organization’s security perimeter.
  • Phishing attacks: A form of social engineering, phishing attacks deceive victims into disclosing sensitive information or performing actions that compromise their security. Attackers often use fraudulent messages (e.g., emails, texts, or IMs) that appear to come from trustworthy sources.
  • Malware attacks: Malware attacks, including viruses, worms, ransomware, and Trojans, infiltrate systems without consent and cause harm in various ways, such as data theft or system disruption. Malware is often combined with unauthorized access, phishing, and privilege escalation attacks.
  • Distributed denial-of-service (DDoS) attacks: In these attacks, multiple devices compromised by attackers and joined into a botnet send fake traffic to a target’s network, leading to service disruptions or outages.
  • Man-in-the-middle (MitM) attacks: These occur when an attacker intercepts communication between two parties; MitM attacks often aim to eavesdrop on or modify the data being transmitted. This can result in the disclosure of sensitive information or unauthorized transactions.

How to recognize and detect security incidents

Here are several key signs or indicators of compromise (IoCs) that can suggest a security incident has occurred or is in progress:

  • Unexpected system behavior: Unusual or unexpected system behavior can often indicate a security event. This could include systems running more slowly than usual, crashing, or restarting frequently. Unexpected changes in the configuration of systems, or new user accounts being created without reason can also be a sign.
  • Anomalies in network traffic: A sudden increase in network activity, particularly during non-business hours, can indicate a security incident. This could be a sign of a data breach, with large amounts of data being transferred out of the network.
  • Unauthorized access or account activity: If there are signs of access or activity on an account that the account owner did not initiate, this could indicate a security incident. This might include unfamiliar transactions, or changes to account settings or credentials.
  • Unexpected software or files: The presence of unknown software, files, or processes on a system can suggest a security incident. This could be malware that has been installed on the system.
  • Altered or deleted files: If files are changed or deleted without reason, this could be a sign of a security incident. Similarly, if there are unauthorized changes to file permissions, this could indicate a security issue.
  • Unexpected communications: Unexpected or unusual emails, particularly those with attachments or links, can be a sign of a phishing attempt, which is a common security event — or incident if successful.
  • Unusual resource usage: A sudden spike in CPU usage, disk activity, or network bandwidth could indicate a security incident, as many types of malware are resource-intensive. Beyond malware, high CPU usage can also indicate a cryptocurrency mining operation, or a server running some unsanctioned web application.
  • Unusual user behavior: If a user starts accessing files or systems they don’t typically use, or at odd hours, it could be a sign of a compromised account — or disgruntlement.

Which tools can help detect security incidents?

Detecting security incidents involves a combination of tools, technologies, and strategies designed to identify potential threats and vulnerabilities. Here are some common methods:

  • Intrusion Detection Systems (IDS): These systems monitor network traffic for suspicious activity or violations of policies. There are two main types of IDS: Network Intrusion Detection Systems (NIDS), which watch traffic on a network segment, and Host Intrusion Detection Systems (HIDS), which focus on a single host, like a device or server.
  • Security Information and Event Management (SIEM) systems: SIEM systems collect and analyze security data from across an organization’s networks, servers, databases, and other systems in real time. They are capable of correlating disparate data and can identify anomalous patterns that might indicate a security incident.
  • User and Entity Behavior Analytics (UEBA): UEBA systems use machine learning, statistical analysis, and other advanced analytics to detect unusual behavior that may indicate a security incident. They can identify when user or system behaviors deviate from established patterns.
  • Threat hunting: This is a proactive security strategy where analysts actively search for advanced threats that may have evaded detection by automated systems.
  • Endpoint Detection and Response (EDR), Network Detection and Response (NDR) and Extended Detection and Response (XDR): Detection and response tools continuously monitor and gather data from a range of devices including endpoints (like computers, mobile devices, servers), network security tools (like firewalls), and beyond, looking for signs of potential security incidents.
  • Application Security: Software Composition Analysis (SCA), dynamic application security testing (DAST), and static application security testing (SAST) can help you harden your web-facing applications by identifying insecure libraries or outdated frameworks, logical vulnerabilities, or other code-based issues within your website, helping to avoid a material change in security posture.
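
The indicators listed above (activity at odd hours, first-time access to a host, an egress spike, an account with no history) are exactly what the per-user baselining in UEBA tools looks for. The following Python sketch is an example added to this article, not Exabeam's or any vendor's product logic; the usernames, hosts, timestamps and byte counts are constructed sample data, and the thresholds (2 hours of slack, 10x mean egress) are assumptions chosen for illustration.

```python
# Toy UEBA-style check: learn a per-user baseline from past events, then flag
# new events that deviate from it. All data below is constructed sample data.
from collections import defaultdict
from datetime import datetime

# Constructed history and new events: (user, ISO-8601 timestamp, host accessed, bytes sent out)
HISTORY = [
    ("alice", "2023-04-03T09:12:00", "fileserver", 20_000),
    ("alice", "2023-04-04T10:05:00", "fileserver", 25_000),
    ("alice", "2023-04-05T16:40:00", "fileserver", 18_000),
    ("bob",   "2023-04-03T08:30:00", "crm",         5_000),
    ("bob",   "2023-04-04T17:55:00", "crm",         7_000),
]
NEW_EVENTS = [
    ("alice",   "2023-04-10T09:30:00", "fileserver",         22_000),  # normal
    ("alice",   "2023-04-10T02:15:00", "hr-db",             900_000),  # odd hour, new host, egress spike
    ("bob",     "2023-04-10T03:05:00", "crm",                 6_000),  # odd hour only
    ("svc-tmp", "2023-04-10T03:06:00", "domain-controller",       0),  # account with no history
]

def build_baseline(history):
    """Per user: hours of day seen, hosts seen, and mean bytes sent out."""
    hours, hosts = defaultdict(set), defaultdict(set)
    total, count = defaultdict(int), defaultdict(int)
    for user, ts, host, nbytes in history:
        hours[user].add(datetime.fromisoformat(ts).hour)
        hosts[user].add(host)
        total[user] += nbytes
        count[user] += 1
    return {u: {"hours": hours[u], "hosts": hosts[u],
                "mean_bytes": total[u] / count[u]} for u in hours}

def detect(events, baseline, hour_slack=2, egress_factor=10):
    """Return (user, timestamp, reasons) for every event that deviates."""
    findings = []
    for user, ts, host, nbytes in events:
        reasons, prof = [], baseline.get(user)
        if prof is None:  # never seen before: a new or unknown account
            reasons.append("no baseline for account")
        else:
            hour = datetime.fromisoformat(ts).hour  # compared with circular distance so 23h and 01h are neighbours
            if all(min(abs(hour - h), 24 - abs(hour - h)) > hour_slack for h in prof["hours"]):
                reasons.append(f"activity at {hour:02d}h outside usual hours")
            if host not in prof["hosts"]:
                reasons.append(f"first recorded access to {host}")
            if nbytes > egress_factor * prof["mean_bytes"]:
                reasons.append(f"{nbytes} bytes out exceeds {egress_factor}x mean")
        if reasons:
            findings.append((user, ts, reasons))
    return findings
```

Calling `detect(NEW_EVENTS, build_baseline(HISTORY))` returns findings for the three anomalous events and nothing for alice's routine morning access; a real SIEM or UEBA system does the same thing with far richer features and a learned rather than hard-coded notion of "usual".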

Notable security breaches

Most security breaches are not publicly announced. Here are several large, widely publicized breaches that started as security incidents:

  • Colonial Pipeline – The U.S.-based Colonial Pipeline was the victim of a ransomware attack. Malicious actors managed entry through a VPN account with a single compromised password to acquire network access. While operational technology (OT) systems weren’t affected, the organization halted the fuel flow in its mainline as a precautionary measure, causing shortages in regions around the country. Credentials are involved in the majority of attacks, and seeing abnormal behavior is key to automating incident responses.
  • Accellion – The file transfer and collaboration software provider Accellion announced a zero-day vulnerability in its File Transfer Appliance (FTA), a file sharing product it acknowledged was at the end of its life, and released a patch to fix it. The next month, it released four additional patches to address other vulnerabilities that bad actors were using to attack its customers through the FTA service. However, before some customers could install the patches, ransomware groups exploited these vulnerabilities to access their data — proving that the ability to scan for software, processes, and abnormal file transfers cannot be overstated in importance.
  • Microsoft – The Hafnium group gained access to MS Exchange Servers either with stolen passwords or by using a zero-day vulnerability to disguise itself as someone who should have access. They created a web shell connected to a Command & Control server outside the network. Then they used that remote access — run from U.S.-based private servers — to steal data, proving, as ever, that both abnormal credential behavior and abnormal network traffic should always be treated as a critical alert.
  • SunBurst – The first of the major software supply chain attacks: the malicious actors gained access to numerous public and private organizations around the world via Trojanized updates to SolarWinds’ Orion IT monitoring and management software. Post-compromise activity via the identity store included lateral movement and, far too often, data theft over backdoor HTTP communications to third-party servers.

How to respond to a security incident

Incident response (IR) involves preparing an organization for a possible cyberattack or data breach. Organizations should prepare in advance and establish a battle-tested IR plan before an incident occurs.

The NIST Computer Security Incident Handling Guide defines six stages of IR:

  1. Assemble your team – Establish measures to prevent security incidents, clarify who is responsible for responding when they occur, and prepare your team in advance.
  2. Detect the incident and its source – Monitor potential attack vectors, identify signs of a breach, and determine the urgency of each incident.
  3. Contain and recover – Develop a containment strategy to quarantine affected systems or hosts, resolve malware issues, and provide backups for recovery.
  4. Assess the damage – Retain evidence and review the cause of the incident to determine whether the attack was external or malicious, prevent future recurrence, and consider launching a cyber attribution investigation.
  5. Notify the affected parties – Inform customers or data owners of the incident, as obliged by law, so that they can protect themselves.
  6. Prevent future recurrence – Apply the lessons learned from the incident to update your IR plan, install control points to review vulnerable systems, processes, and entities, and fix vulnerabilities in your system.

Automating incident response

New technology is making it possible for security teams to manage IR automatically. These incident response automation systems are known as security orchestration, automation and response (SOAR). Many common incident types can be managed and contained by an automated system, freeing security analysts to perform more strategic tasks.

A SOAR system can:

  • Collect security threat data and alerts
  • Define and enforce a standard workflow for IR activities
  • Analyze incidents, including triage and prioritization
  • Enable automated security playbooks which encode incident analysis and response into a standard, fully automated or semi-automated process

For an example of a SOAR security system, learn more about Exabeam Incident Response within Exabeam Fusion or Exabeam Security Investigation.
