What is a Cyber Incident? How to handle it?
The term "Cyber Incident" (or "security incident") refers to any event that impacts Confidentiality (the privacy of information), Integrity (the truthfulness of information) or Availability (the accessibility of information). For example, a failure affecting hardware or software, whether intentional or accidental, impacts Availability and is therefore a Cyber Incident.
Recently, we have been witnessing a real escalation of Cyber Incidents: breaching sensitive data is not always a matter of money.
In this editorial, we will delve into the following aspects of Cyber Incidents:
Cyber Incident classifications
The classification of security incidents is as follows:
- Access not granted: unauthorized access to certain systems;
- Privilege escalation: attack made possible by a system flaw, such as a configuration error;
- Insider threat: internal threat, such as employees or former employees holding sensitive information;
- Phishing: cyber scam aimed at obtaining the victim's sensitive data by posing as a trusted entity;
- Malware: attack carried out using malicious software installed on the victim's devices without their knowledge;
- Denial-of-service (DoS): any attack capable of deliberately exhausting the resources of a computer system that provides a service to clients;
- Man-in-the-middle: attack that involves unlawfully inserting oneself into a conversation between two parties, impersonating one of them;
- Password cracking: attempt to obtain system passwords, often by trying all possible combinations of digits and characters.
Roles and professional activities in Cyber Incidents
There are two important professional roles in the field of Cyber Incidents:
Response Team
A group of technicians who evaluate, document, and act, addressing a Cyber Incident so that a system can not only quickly recover from the damage suffered but also prevent new and further damage.
Cyber Incident forensics
Forensic analysis carried out after a Cyber Incident in order to obtain documentary evidence that can be produced in court.
Phases of a Cyber Incident
The main phases in which the response to a Cyber Incident can be broken down are:
Cyber Incident management
Handling of the Cyber Incident by means of devices, software systems and/or investigations carried out by people, used separately or in combination. It begins as soon as a security incident is identified.
Reporting Framework
Reporting system used as soon as it is confirmed that a system has been hit by a Cyber Incident.
Response Plan
A set of instructions to help staff detect, respond to, repair and/or recover from the damage caused by a Cyber Incident. In Blue Team terminology, they are also called playbooks.
Communication Plan
Communication system aimed at quickly notifying the parties involved in the Cyber Incident and coordinating them for damage repair.
Incident report
Report created based on a template and a checklist to describe the aspects of the security incident, the data involved, the systems involved, the time span, the informed personnel, and the roles of the team. It can be structured according to a list of questions and answers that must at least include the Five Ws, namely: Who, What, Where, When, Why.
Methodology
Training
It is essential to train the Cyber Incident Response Team that will intervene in the event of a Cyber Incident. It is advisable to always appoint a leader to improve coordination among all members.
Detection and identification
It is essential to accurately detect the breach and also ensure that it is not capable of causing further damage.
Containment and damage repair
Such actions may consist of blocking individual IP addresses or IP ranges, isolating a specific system, blocking user accounts, preventing the execution of files based on their name, MD5 hash or content, and installing security patches to resolve other vulnerabilities in the network.
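As an added illustration of this containment step (example code, not part of the original article), the following Python check maps sample security events to the blocking actions listed above: source IP addresses or ranges, user accounts, file names, file MD5 hashes and host isolation. The policy values, hostnames and event records are constructed for the example.

```python
import hashlib
import ipaddress
from dataclasses import dataclass, field

@dataclass
class ContainmentPolicy:
    # Indicators the response team has decided to act on (constructed values).
    blocked_networks: list = field(default_factory=list)  # single IPs or CIDR ranges
    blocked_users: set = field(default_factory=set)
    blocked_file_names: set = field(default_factory=set)
    blocked_file_md5: set = field(default_factory=set)
    isolated_hosts: set = field(default_factory=set)

    def check(self, event: dict) -> list:
        actions = []
        src = event.get("src_ip")
        if src and any(ipaddress.ip_address(src) in ipaddress.ip_network(n, strict=False)
                       for n in self.blocked_networks):
            actions.append(f"drop traffic from {src}")
        if event.get("host") in self.isolated_hosts:
            actions.append(f"isolate host {event['host']}")
        if event.get("user") in self.blocked_users:
            actions.append(f"disable account {event['user']}")
        name = (event.get("file_name") or "").lower()
        if name in self.blocked_file_names:
            actions.append(f"block execution of {name} (name match)")
        if event.get("file_bytes") is not None:
            # MD5 because the article lists it; prefer SHA-256 for new block-lists.
            digest = hashlib.md5(event["file_bytes"]).hexdigest()
            if digest in self.blocked_file_md5:
                actions.append(f"block execution of {name or '<unnamed>'} (md5 {digest})")
        return actions

POLICY = ContainmentPolicy(  # constructed policy, not real indicators
    blocked_networks=["203.0.113.0/24", "198.51.100.7"],
    blocked_users={"jdoe"},
    blocked_file_names={"invoice.exe"},
    blocked_file_md5={"5d41402abc4b2a76b9719d911017c592"},  # md5(b"hello")
    isolated_hosts={"ws-042"},
)
EVENTS = [  # constructed sample events, as a SIEM or EDR might hand them over
    {"id": 1, "src_ip": "203.0.113.44", "host": "ws-042", "user": "alice"},
    {"id": 2, "src_ip": "192.0.2.9", "user": "jdoe", "file_name": "Invoice.EXE"},
    {"id": 3, "src_ip": "198.51.100.7", "file_name": "update.bin", "file_bytes": b"hello"},
    {"id": 4, "src_ip": "192.0.2.10", "host": "ws-001", "file_bytes": b"clean"},
]

def triage(events=EVENTS, policy=POLICY) -> dict:
    # Map each event id to the list of containment actions it triggers.
    return {e["id"]: policy.check(e) for e in events}
```

Event 4 matches nothing and yields an empty list, which is the case a real playbook should log as "checked, no action" rather than silently skip.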
Assessing the severity of the damage
Once the Cyber Incident has occurred, what are the actual damages caused to the system? What data and systems were involved?
Start of the notification process
The breach of sensitive data must also be notified to the relevant public authorities, in accordance with current privacy protection regulations (GDPR).
Prevention
The best way to avoid a Cyber Incident is to anticipate risks, resolve issues that may cause and/or facilitate it, and periodically conduct attack simulations.
References:
- The Cyber Incident Response Team: https://www.ncsc.gov.uk/collection/incident-management/creating-incident-response-team