A security incident is an event in an organization's environment that indicates a security threat or an attack in progress. Identifying incidents, and responding to them quickly, is a critical cybersecurity process.
In this page you will learn about:
- The difference between a security incident and security event
- Notable security breaches
- Types of security incidents
- How to respond to a security incident
- Automating incident response
Security Incident Definition: What is a Cybersecurity Incident?
Security incidents indicate the failure of security measures or the breach of organizations’ systems or data. This includes any event that threatens the integrity, availability, or confidentiality of information. Causes of security incidents include perimeter breaches, cyber attacks, and insider threats.
Incidents usually require an IT administrator to take action. Incident response (IR) is an organized process by which organizations defend themselves against security incidents.
The Difference Between a Security Incident and a Security Event
Security incidents differ from security events and pose a higher risk to an organization. A security event is any observable occurrence with possible security relevance: it may indicate that a system has been compromised, but it can just as easily result from a benign cause such as a mistyped password. Most events are easy to resolve and represent isolated, low-level risk.
Organizations may log thousands or millions of security events in a day, which they handle with automated tools. A single event is unlikely to result in an information breach that can severely impact the organization.
For example, a spam email is a security event, but if an employee clicks on a link in the email, it could be considered an incident because it may expose the system to malware or a phishing attack.
Notable Security Breaches
Most security breaches are not publicly announced. Here are several large, widely publicized breaches that started as security incidents:
- Home Depot data breach—one of the largest point-of-sale credit-card compromises on record. The breach affected 56 million payment cards and 53 million email addresses. For almost six months in 2014, attackers harvested card data from self-checkout PoS terminals using custom-built malware. Home Depot paid $27.25 million in compensation to financial institutions.
- Morrisons—this British supermarket chain was compromised in 2014. A disgruntled employee leaked the entire employee database online, exposing information about over 100,000 employees. Over 2000 of these employees filed a class action lawsuit, damaging the reputation of the company. This breach highlights the risk of insider threats.
- Yahoo breaches of 2013 and 2014—a series of major data breaches compromised over 1 billion user accounts in 2013 (later found to be all 3 billion) and over 500 million in 2014. Attackers stole names, phone numbers, hashed passwords, and email addresses. The breaches were only disclosed in 2016, by which time evidence had aged and the attackers had enjoyed years of access; the late discovery increased both the damage and the remediation costs.
- Target breach of December 2013—estimated to have affected up to 110 million people. Malware on point-of-sale card readers let attackers steal the debit and credit card numbers of about 40 million customers, and a separate stolen data set exposed the contact information of up to 70 million. Customers incurred significant losses. The highly publicized breach resulted in several class action lawsuits and hefty remediation costs, and as customers stayed away from its stores, Target's quarterly profit fell by nearly half after the disclosure.
Types of Security Incidents
Security incidents can occur via a broad range of threat vectors. Here are a few of the most common cybersecurity threats:
- Brute force attacks—the NIST guide groups these under the vector "attrition": attacks that use brute force to compromise, degrade, or destroy networks, systems, or services. One example is password guessing, where software tries many candidate passwords until one works. Another is a denial of service (DoS) attack, which overwhelms the target with traffic or requests until it can no longer serve legitimate users.
- Email—attacks executed through an email message or its attachments. Malware disguised as a document tricks the user into opening the attachment and then takes control of the host. Email is also abused for phishing: the attacker asks for sensitive information or links to a look-alike website, tricking the recipient into handing over credentials.
- Web—attacks executed on websites or web-based applications. This could be via drive-by downloads, scripts, popup alerts or supposedly legitimate user-initiated downloads.
- Loss or theft of equipment—a company device like a laptop or smartphone is lost or stolen. Over 40 percent of small business owners and senior executives attribute their latest security incident to employee negligence or accidental loss, according to a 2018 study.
- External/removable media—attacks executed using removable media like a flash drive or CD, or a peripheral device. Using removable media from an unidentified source can spread malware. One study revealed that users plug up to half of USB sticks found in office parking lots into their computers, enabling malware infection.
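To make the event-versus-incident distinction above concrete, and to show the attrition (brute force) vector from the list, here is an added example; it is not code from the original article. A small correlation routine runs over constructed log lines, records every line as an event, and promotes only two patterns to incidents: a burst of failed logins followed by a successful one, and a click on a link that the mail filter had already flagged as spam. The log format, hostnames, users, URLs and thresholds are assumptions made for the example.

```python
# Added example (not code from the original article): correlating low-value
# security events into incidents. A burst of failed logins is only an event;
# the same burst followed by a successful login is an incident, and a spam
# email is only an event until its recipient clicks the flagged link.
# The log format, hosts, users, URLs and thresholds below are assumptions.
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log: ISO timestamp followed by key=value fields.
SAMPLE_LOG = """\
2024-03-01T09:00:00Z type=login src=203.0.113.9 user=alice result=fail
2024-03-01T09:00:05Z type=login src=203.0.113.9 user=alice result=fail
2024-03-01T09:00:09Z type=login src=203.0.113.9 user=alice result=fail
2024-03-01T09:00:14Z type=login src=203.0.113.9 user=alice result=fail
2024-03-01T09:00:20Z type=login src=203.0.113.9 user=alice result=fail
2024-03-01T09:00:31Z type=login src=203.0.113.9 user=alice result=success
2024-03-01T09:15:00Z type=login src=10.0.0.5 user=bob result=fail
2024-03-01T09:15:40Z type=login src=10.0.0.5 user=bob result=success
2024-03-01T10:02:00Z type=mail_filter recipient=carol verdict=spam url=http://example.invalid/login
2024-03-01T10:05:30Z type=url_click user=carol url=http://example.invalid/login
2024-03-01T10:07:00Z type=mail_filter recipient=dave verdict=spam url=http://example.invalid/login
"""

FAIL_THRESHOLD = 5                  # assumed: failures that make a later success suspicious
FAIL_WINDOW = timedelta(minutes=2)  # assumed: window in which those failures are counted
CLICK_WINDOW = timedelta(hours=24)  # assumed: how long a flagged URL stays "hot"


def parse_line(line):
    """Turn one log line into a dict; the timestamp becomes an aware datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def correlate(log_text):
    """Return (events, incidents).

    Every record is kept as an event; an incident is appended only when a
    record completes one of the two suspicious sequences described above.
    """
    events, incidents = [], []
    failures = defaultdict(deque)   # (src, user) -> timestamps of recent failed logins
    flagged = {}                    # (recipient, url) -> time the mail filter flagged it

    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        events.append(rec)
        now = rec["ts"]

        if rec["type"] == "login":
            recent = failures[(rec["src"], rec["user"])]
            while recent and now - recent[0] > FAIL_WINDOW:   # drop stale failures
                recent.popleft()
            if rec["result"] == "fail":
                recent.append(now)
            elif len(recent) >= FAIL_THRESHOLD:
                # success right after a burst of failures: attrition that worked
                incidents.append({"kind": "brute_force_success", "user": rec["user"],
                                  "src": rec["src"], "failures": len(recent), "ts": now})
                recent.clear()

        elif rec["type"] == "mail_filter" and rec["verdict"] == "spam":
            flagged[(rec["recipient"], rec["url"])] = now   # an event, nothing more yet

        elif rec["type"] == "url_click":
            flagged_at = flagged.get((rec["user"], rec["url"]))
            if flagged_at is not None and now - flagged_at <= CLICK_WINDOW:
                # the spam event became an incident when the user followed the link
                incidents.append({"kind": "phishing_click", "user": rec["user"],
                                  "url": rec["url"], "ts": now})

    return events, incidents


if __name__ == "__main__":
    evs, incs = correlate(SAMPLE_LOG)
    print(f"{len(evs)} events, {len(incs)} incidents")
    for inc in incs:
        print(inc)
```

On the constructed log, bob's single failure followed by a success and dave's unopened spam stay events, while alice's five failures followed by a success and carol's click on the flagged link each become an incident. The same sliding-window logic is what a SIEM rule does at scale; the thresholds are the part you tune to your own false-positive rate.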
How to Respond to a Security Incident
Incident response (IR) involves preparing an organization for a possible cyber attack or data breach. Organizations should prepare in advance and establish a battle-tested IR plan before an incident occurs.
The NIST Computer Security Incident Handling Guide (SP 800-61) defines four phases of IR: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity. The six steps below break those phases down:
- Assemble your team—establish measures to prevent security incidents, clarify who is responsible for responding when they occur, and prepare your team in advance.
- Detect the incident and its source—monitor potential attack vectors, identify signs of a breach and determine the urgency of each incident.
- Contain and recover—develop a containment strategy to quarantine affected systems or hosts, resolve malware issues, and provide backups for recovery.
- Assess the damage—retain evidence and review the cause of the incident. Determine whether the attack came from outside or from an insider, and whether it was malicious or accidental, so that you can prevent recurrence; consider launching a cyber attribution investigation.
- Notify the affected parties—inform customers or data owners of the incident, as obliged by law, so that they can protect themselves.
- Prevent future recurrence—apply the lessons learned from the incident to update your IR plan and fix vulnerabilities in your system.
Automated Incident Response
New technology makes it possible for security teams to manage much of IR automatically. These systems are known as security orchestration, automation and response (SOAR). Many common incident types can be triaged and contained by an automated system, freeing security analysts for more strategic tasks.
A SOAR system can:
- Collect security threat data and alerts
- Define and enforce a standard workflow for IR activities
- Analyze incidents, including triage and prioritization
- Enable automated security playbooks which encode incident analysis and response into a standard, fully-automated or semi-automated process
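As an added illustration, not Exabeam's code or any real product's API, the following playbook shows the four capabilities above in one routine: it takes alerts, scores them against constructed asset and threat-intel data (triage), orders them by priority, and encodes the response as a fully automated, semi-automated (analyst approval) or closed decision. The alert fields, asset tiers, intel list, scores and thresholds are all assumptions made for the example.

```python
# Added example (not Exabeam code): a SOAR-style playbook that triages alerts,
# prioritizes them, and decides whether containment runs fully automatically,
# waits for analyst approval, or is closed as noise. The alert fields, asset
# tiers, intel list, scores and thresholds are all assumptions made here.
from dataclasses import dataclass, field

# Constructed enrichment data; a real SOAR would fetch these through connectors.
ASSET_TIER = {"fin-db-01": "crown_jewel", "hr-laptop-17": "standard", "kiosk-03": "low"}
KNOWN_BAD_IPS = {"198.51.100.23"}
BASE_SCORE = {"brute_force_success": 70, "malware": 60, "phishing_click": 40, "port_scan": 10}

AUTO_THRESHOLD = 80     # assumed: at or above this, contain without waiting for a human
REVIEW_THRESHOLD = 40   # assumed: below this, log and close


@dataclass
class Alert:
    id: str
    kind: str
    host: str
    src_ip: str
    user: str


@dataclass
class Decision:
    alert_id: str
    score: int
    mode: str                                   # "automated", "analyst_approval" or "closed"
    actions: list = field(default_factory=list)
    rationale: list = field(default_factory=list)


def score_alert(alert):
    """Triage: base severity for the alert kind, adjusted by asset value and intel."""
    score = BASE_SCORE.get(alert.kind, 20)
    why = [f"base {score} for {alert.kind}"]
    tier = ASSET_TIER.get(alert.host, "standard")
    if tier == "crown_jewel":
        score += 30
        why.append("crown-jewel asset +30")
    elif tier == "low":
        score -= 10
        why.append("low-value asset -10")
    if alert.src_ip in KNOWN_BAD_IPS:
        score += 20
        why.append("source on threat-intel list +20")
    return max(0, min(score, 100)), why


def run_playbook(alert):
    """Encode the response for one alert as an ordered list of actions."""
    score, why = score_alert(alert)
    decision = Decision(alert.id, score, "closed", rationale=why)
    if score < REVIEW_THRESHOLD:
        decision.actions.append("log_and_close")
        return decision

    # Containment steps: quarantine the host, block the source, then revoke
    # credentials for the incident types where the account itself is compromised.
    steps = [f"isolate_host:{alert.host}", f"block_ip:{alert.src_ip}"]
    if alert.kind in ("brute_force_success", "phishing_click"):
        steps.append(f"reset_credentials:{alert.user}")

    # Isolating a crown-jewel system is itself an outage, so a human signs off on
    # those regardless of score; everything else above the threshold is automated.
    if score >= AUTO_THRESHOLD and ASSET_TIER.get(alert.host) != "crown_jewel":
        decision.mode = "automated"
        decision.actions = steps
    else:
        decision.mode = "analyst_approval"
        decision.actions = ["open_ticket"] + steps
    return decision


def triage(alerts):
    """Prioritization: run the playbook on every alert and return highest score first."""
    return sorted((run_playbook(a) for a in alerts), key=lambda d: d.score, reverse=True)


# Constructed sample alerts.
SAMPLE_ALERTS = [
    Alert("A1", "port_scan", "kiosk-03", "203.0.113.5", "-"),
    Alert("A2", "phishing_click", "hr-laptop-17", "10.0.0.9", "carol"),
    Alert("A3", "malware", "fin-db-01", "10.0.0.8", "svc-backup"),
    Alert("A4", "brute_force_success", "hr-laptop-17", "198.51.100.23", "alice"),
]

if __name__ == "__main__":
    for d in triage(SAMPLE_ALERTS):
        print(d.alert_id, d.score, d.mode, d.actions, d.rationale)
```

The design point worth copying is the crown-jewel guard: a playbook that can isolate hosts is a playbook that can take down production, so the fully automated path is reserved for actions whose blast radius is acceptable, and the rationale list is kept on every decision so an analyst can see why the system acted (or asked) as it did.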
For an example of a SOAR security system, learn more about Exabeam’s Security Responder.