Ruslan Rakhmetov, Security Vision
Today even an ordinary smartphone stores more personal information than a wallet: photos, correspondence, banking applications, passwords. For a business the stakes are higher still, because a data leak or a system outage can cost millions and damage its reputation. Both are consequences of cyber incidents. A cyber incident is an event that disrupts the normal operation of a digital system or threatens its security. Put simply, it is like a fire in a building or an attempt to force the lock on a digital door. In this article we break down what exactly counts as a cyber incident, how incidents are categorised, and give real-life examples.
Data in information systems is usually described by the confidentiality-integrity-availability triad (CIA), so if something goes wrong in a system in a way that can damage the data or the business, it is an incident. A cyber incident is an event involving a breach of the confidentiality, integrity or availability of information, IT systems or networks.
Besides the intentional/accidental split, incidents are divided along other lines, from the source of the threat to the consequences, so let's look at a few popular models:
1) By the source of the threat, incidents can be divided into internal (configuration errors, lost devices) and external (attacks from outside: hackers, malware, phishing). The two often overlap: if an employee downloaded an infected file, the threat entered through an internal source, but the initiator was an external attacker.
2) By the type of impact on the CIA triad: a personal data leak affects confidentiality, a virus that changes the content of files violates integrity, and when servers are down and clients cannot use services, availability is affected. If we take an email as the object, the three types of impact are: someone read your email, someone tampered with it, or the email did not get through at all.
3) By level of criticality, incidents are usually divided into 3 levels: low (does not affect the business, for example infection of one PC with no network access), medium (affects individual departments or services) and high (paralyses the company's work or leads to the leakage of sensitive data). Sometimes a separate critical level is added, and false positives also deserve their own category so that they are not counted as incidents.
4) By type of system breached, e.g. user devices (phones, laptops), servers and DBMS (databases, web services), network devices (routers, VPNs, firewalls) and cloud services (leaks from Dropbox, Yandex.Disk, Google Drive, cloud CRMs), etc.
5) By method of execution, which we have previously covered in detail here and here, cyber incidents include: malware (viruses, Trojans, ransomware), brute force (password cracking and login guessing), phishing and social engineering, exploitation of software vulnerabilities (exploits), saturating a channel to cause a denial of service (DDoS), physical access (a stolen laptop), etc. Imagine that your documents were locked in a safe and a ransom was demanded (this is how ransomware operates), that someone opened the door with your key and got into the cupboard (unauthorised access), that your luggage from a flight was taken by another passenger (analogous to a data leak from an information system), that 1000 people called you at the same time so that family and friends could not get through on important matters (denial of service), or that someone accidentally wiped your hard drive (failure due to staff error).
Even if an incident occurred by mistake (e.g. an employee opened a phishing email), it is still a cyber incident if it affected security. Most serious incidents are not a sudden explosion but a planned operation. Like a burglary of a flat, it starts with reconnaissance and ends with the trail being erased. This process is often referred to as a phased cyberattack or a "kill chain". So let's look at what such a kill chain typically consists of and why the Security Vision SOAR incident management module uses this methodology.
Stage 1. Reconnaissance, when the attacker studies the target: scans the network and open ports, looks for vulnerable services and gathers information from open sources (OSINT), for example employee names on LinkedIn, e-mail addresses from presentations, schedules from social networks. Like a thief studying a house (when the tenants leave, where the keys are kept, whether there is an alarm system), the hacker finds a PDF file on the company's website, looks at the document properties, and there is the name of the system administrator, which he will use later.
Stage 2. Initial Access, when the attacker "enters the house" through a phishing email with a malicious link or attachment, brute force of a weak password, exploitation of an unpatched vulnerability in a web server, or compromised credentials bought on the darknet. At this stage, as if the thief had opened the lock with someone else's keys or climbed through an unlocked window, the employee receives a letter "from the security service" and enters their password on a fake site.
Stage 3. Persistence, when the attacker secures his foothold: creates new accounts, installs a backdoor (a hidden "back entrance" into the system) and configures the malware to launch automatically. Like a thief who makes a duplicate key in order to return later, the malware registers itself in autostart and keeps running even after a reboot.
Stage 4. Expanding access (Privilege Escalation and Lateral Movement), when the hacker moves further through the network: raises his privileges and jumps from one device to another. Like a thief who started in the attic but found the keys to the safe in the living room, the attacker gets onto the accountant's PC and from there gains access to the payroll server.
Stage 5. Actions on Objectives, when the main work begins:
- Data theft (uploading to third-party servers);
- File encryption (for ransom);
- Sabotage (deleting databases, running scripts);
- Installation of miners or bots.
The thief found the jewellery, took it and left, or set fire to the house; the WannaCry ransomware disabled thousands of computers in a matter of hours.
Stage 6. Covering Tracks, when the hacker "cleans" logs, deletes temporary files and sometimes even patches the vulnerability he used, to hide the traces of the attack. As if the thief, after the robbery, swept the floor and put the lock back in place.
The incident response model described by NIST (National Institute of Standards and Technology), here expanded into seven steps, is the defensive counterpart of this chain. It is one of the clearest and most logical models, so it is widely used in corporate practice:
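The Stage 1 scenario above (an administrator's name leaking through the properties of a PDF on the company website) is easy to reproduce, and just as easy to prevent. The following Python script is an added example, not code from the original article or from Security Vision: it builds a minimal, constructed PDF with a hypothetical author name, pulls the document-information fields out of it the way an OSINT tool would, and then strips them so that a sanitised copy can be published. It only handles the classic Info dictionary with literal `(...)` strings; real documents may also carry XMP metadata streams and UTF-16 hex strings, which a production tool (exiftool, qpdf) handles and this example does not.

```python
import re

# Document-information keys that most often leak identities and tooling.
INFO_KEYS = (b"Title", b"Author", b"Subject", b"Creator", b"Producer",
             b"CreationDate", b"ModDate")

# Matches "/Author (Ivan Petrov)"; the string body allows escaped parentheses.
INFO_RE = re.compile(
    rb"/(" + b"|".join(INFO_KEYS) + rb")\s*\(((?:\\.|[^\\)])*)\)"
)


def build_sample_pdf(author: str, creator: str) -> bytes:
    """Constructed minimal PDF (not a real company document) with an Info
    dictionary, sufficient for the regex-based parsing below."""
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
        b"3 0 obj << /Author (" + author.encode("latin-1") + b")"
        b" /Creator (" + creator.encode("latin-1") + b")"
        b" /Producer (Hypothetical Office 1.0)"
        b" /CreationDate (D:20240115093000Z) >> endobj\n"
        b"trailer << /Root 1 0 R /Info 3 0 R >>\n"
        b"%%EOF\n"
    )


def extract_metadata(pdf: bytes) -> dict:
    """Return the Info-dictionary fields an attacker would harvest during
    reconnaissance, as {key: value} with PDF escape sequences unescaped."""
    found = {}
    for key, raw in INFO_RE.findall(pdf):
        value = re.sub(rb"\\(.)", rb"\1", raw)  # "\)" -> ")", "\\" -> "\"
        found[key.decode()] = value.decode("latin-1")
    return found


def find_identity_leaks(meta: dict) -> list:
    """Flag fields that look like a personal identifier: a login-style token
    (no spaces, e.g. 'ivan.petrov') or an e-mail address."""
    leaks = []
    for key in ("Author", "Creator", "Title", "Subject"):
        value = meta.get(key, "")
        if "@" in value or re.fullmatch(r"[A-Za-z0-9._-]+", value):
            leaks.append((key, value))
    return leaks


def strip_metadata(pdf: bytes) -> bytes:
    """Defensive counterpart: drop every Info field before publishing.
    The object and trailer structure is left intact."""
    return INFO_RE.sub(b"", pdf)


if __name__ == "__main__":
    sample = build_sample_pdf("ivan.petrov", "Microsoft Word")
    meta = extract_metadata(sample)
    print("harvested:", meta)
    print("identity leaks:", find_identity_leaks(meta))
    print("after sanitising:", extract_metadata(strip_metadata(sample)))
```

Run it on a real file by replacing the constructed bytes with `open(path, "rb").read()`; anything `find_identity_leaks` reports is what a reconnaissance step would collect, so publish the output of `strip_metadata` instead of the original.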
1) Preparation, the stage before the incident: the organisation must be ‘in shape’: security features are set up, instructions are written, employees are trained. For example, a company has trained employees on phishing and set up a filter that blocks suspicious emails. It's like preparing for a fire: there's a fire extinguisher, an evacuation plan and everyone knows where the exit is.
2) Detection, capturing the signs of an incident. This can be either an instant alert or an alarming symptom: strange activity, user complaints, unusual system behaviour. For example, an employee notices that the mouse pointer moves on its own, and the SIEM shows a login from another country. In the fire analogy this is the smell of burning or a wisp of smoke: not yet a fire, but a reason to be alarmed.
3) Containment, when you want to stop the incident from spreading, "lock the attacker in one room" and prevent him from infecting the entire network. So the infected PC is isolated from the network but not shut down, to preserve evidence in memory. It's like closing doors and turning off ventilation during a fire to keep it from spreading to other rooms.
4) Investigation, analysing the incident: where it came from, what it did, which systems were affected. For example, the logs show that the attack started with phishing and that the attacker used PowerShell to establish persistence. The everyday analogy is finding out the cause of the fire: where it started, who is to blame, what the consequences might be.
5) Eradication, removing malicious code, closing vulnerabilities, eliminating entry points. The information security staff remove the Trojan, reset all passwords and patch the vulnerable server. Not just putting out the fire, but eliminating its source, the faulty wiring.
6) Recovery, getting things back to normal. It is important not just to "start everything back up" but to make sure that the intruder has not been left in the system. Servers are redeployed from clean images but run in a limited mode under the supervision of the SOC. Like turning the electricity back on circuit by circuit after repairs and checking whether anything trips again.
7) Post-Incident, closing out the incident and improving defences for the future. After the incident the company updated its password policy, added 2FA and ran phishing training. Like the post-fire investigation followed by the installation of new smoke detectors so that it doesn't happen again. This phase includes:
- Post-mortem: a stage-by-stage review of the incident;
- Updating documentation and instructions;
- Staff training;
- Improving protection tools;
- Notifying regulators if necessary.
Cyber incidents happen to everyone: large corporations and microbusinesses, government agencies and freelance students. The main thing is not to be helpless. Even if you are not an IS specialist, you can be a link in the security chain. Just like with fire safety: everyone should know simple rules. You don't need to be afraid of technology, just understand how it can be used against you... and don't give attackers that opportunity.
It's important to remember that:
- Prevention is cheaper than response;
- Staff training is one of the best shields;
- An incident is not a failure, but an opportunity to become stronger;
- There is no shame in calling for help.