The Anatomy of a Cyber Incident: Real Cases and Lessons Learned.

A cyber incident is any event that threatens the confidentiality, integrity or availability of digital information or systems. Three related terms are easy to confuse: threat, vulnerability and risk. A threat needs a vulnerability to exploit, and the risk is what the organisation carries while both exist, so the three go hand in hand.

“A vulnerability is a weakness that can be exploited by a threat, e.g. a misconfiguration, a weak password or an unpatched firewall.”

“A risk is the potential for damage or loss if a threat exploits a vulnerability. It is usually judged by likelihood and impact.”

“A threat is a malicious actor or event that can negatively impact an organisation’s assets.”

For a better understanding, the usual way to express the relationship is Risk = Threat × Vulnerability × Impact: a threat with no vulnerability to exploit, or a vulnerability that no threat is targeting, produces little risk, and a vulnerability in a system that holds nothing of value produces little impact.

There are many types of cyber incidents, including phishing, ransomware, denial-of-service attacks, malware, unauthorized access, and data breaches.

Imagine rushing into work with a full inbox and tight deadlines. You try to log in, only to see a message: “Your personal files have been encrypted. Access denied. Pay now to restore your files.” A ransomware attack has just stopped your work in its tracks, demanding urgent action.

Now, shift gears to a different scenario: You’re the proud owner of a thriving website that sells top-notch skincare products to a vast customer base. Everything seems to be running smoothly until one day, your phone starts ringing off the hook. On the other end are potential customers expressing their desire to make purchases but are thwarted by an error message on your website. Panicking, you reach out to an IT security team to address the issue urgently.

As the IT experts dive into troubleshooting, your potential customers, eager to buy your skincare products, face an inconvenient barrier. Frustrated and unable to access your website, they opt for alternative brands that offer similar products. In the aftermath, your business suffers a double blow – not only does the website malfunction result in lost revenue, it also leads to a decline in customer loyalty as they turn to competitors to fulfil their needs.

These scenarios, the first a ransomware attack and the second a Distributed Denial-of-Service (DDoS) attack, illustrate the real-world impact of cyber incidents, where the consequences ripple through personal and business spheres alike. The urgency of addressing vulnerabilities becomes evident as individuals and businesses navigate an ever-evolving digital landscape and try to limit the fallout from unexpected threats.

Incidents are categorised into levels of severity (often called priority). A common scheme is:

  • Low (P4): Minor problems or routine irregularities that can be handled within standard operational procedures.
  • Medium (P3): Incidents that pose no immediate danger but should be addressed in a timely manner before they affect business operations.
  • High (P2): Confirmed incidents with a significant impact on a business function or a subset of users, or a credible threat of one, needing prompt attention. The difference from P3 is the damage done if it is left, not how certain it is.
  • Critical (P1): Urgent problems that pose an immediate risk to essential business functions or sensitive data, requiring immediate action and, normally, leadership being informed.

Looking at both scenarios above, we can classify each as Critical (P1): the ransomware has halted work and put the data itself at risk, and the outage is stopping every sale, so both pose an immediate risk to essential business functions and need immediate attention.

Whenever an incident occurs, the Security Operations Team carries out its Incident Response plan. This plan, together with the playbooks and runbooks that go with it, should already exist in anticipation of an incident. The plan has several stages, which follow the NIST SP 800-61 incident handling life cycle:

  • Preparation stage: This is the stage where policies are written, jump kits (tools, laptops and devices) are put in place and training is done to prepare and equip staff for whenever an incident occurs.
  • Detection and Analysis stage: This is the stage when an incident occurs and is identified. Several details are documented here: who identified the incident, when it occurred, what type of incident it is, which systems and data are affected and what priority it has been given.
  • Containment stage: This has two sub-stages, short-term and long-term containment. Short-term containment isolates the affected systems from the rest of the organisation’s network (pulling the cable, moving the host to a quarantine VLAN, disabling the account) so that business can go on as usual while the security team works to minimise damage. Evidence (disk images, memory, logs) should be preserved before anything is wiped. Long-term containment then applies temporary fixes such as patches, password resets and tighter firewall rules so that production can keep running on a clean footing until the systems are properly rebuilt.
  • Eradication and recovery stage: At this stage security analysts identify the root cause of the incident, remove the attacker’s artefacts (malicious code, persistence mechanisms, rogue accounts) and mitigate the vulnerabilities that were exploited. Affected systems are then restored from clean backups or rebuilt, verified and returned to a secure state.
  • Post-incident activity: This includes documentation, informing organisational leaders and applying lessons learned to ensure the organisation is better equipped to deal with future incidents.
  • Co-ordination: This stage involves reporting and sharing information throughout the incident response process in line with established standards and any regulatory notification duties. It is important because it ensures the organisation meets its compliance obligations.

Additionally, as a security analyst it is your duty to work out the tactics, techniques and procedures (TTPs) used by the threat actor. Frameworks such as MITRE ATT&CK and the Cyber Kill Chain are used to map and describe them.

In the first scenario, the initial attack vector is ransomware. Ransomware commonly gets into systems through deceptive methods such as phishing emails, malicious attachments or compromised websites. The victim unknowingly opens an infected file or follows a link that launches the ransomware. Once running, the malicious code quickly encrypts files, typically writing them back under a new extension and dropping a ransom note in each folder, leaving the data inaccessible without the decryption key held by the attacker.

The damage and impact on the affected organisation include file encryption, data loss, operational disruption, financial loss and reputational damage.

To mitigate the impact of such attacks, organisations and individuals must prioritise cybersecurity measures, including regular backups that are kept offline or immutable and tested by actually restoring from them, employee training on security best practices, and robust antivirus and endpoint protection. Additionally, keeping software up to date and promptly patching vulnerabilities removes the weaknesses that ransomware operators exploit to get in.

The initial attack vector in the second scenario appears to be a deliberate disruption of the website, most likely a distributed denial-of-service (DDoS) attack, although exploitation of a vulnerability in the site’s code or infrastructure would produce the same symptom and has to be ruled out during analysis. A DDoS attack floods the website with traffic from many sources until legitimate users can no longer get through. Alternatively, attackers might exploit weaknesses in the website’s code or security configuration.

The threat actor’s methods and tools may include a DDoS attack driven by a botnet, or exploitation of vulnerabilities such as SQL injection or cross-site scripting (XSS).

The damage and impact on the affected organisation include lost revenue, customer frustration, reputational damage, operational disruption and mitigation costs.

To mitigate such attacks, businesses should invest in robust cybersecurity measures, conduct regular security audits and have incident response plans in place. This includes DDoS protection (upstream filtering or a CDN in front of the site, plus rate limiting at the edge), keeping software up to date and monitoring for unusual traffic patterns so that a flood is spotted before customers start phoning. Additionally, communicating with customers during such incidents, for example through a status page, is crucial to maintaining trust and transparency.
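Monitoring for unusual website activity, as the second scenario calls for, comes down to watching the request rate and who is generating it. The following Python is an added example, not code from the original post: it parses web-server access-log lines in the standard combined format, buckets them into ten-second windows, and for any window far above a baseline rate reports whether the excess comes from a few addresses that can be rate-limited locally or is spread across many addresses (the distributed case, which needs upstream scrubbing rather than a block list). The log itself is constructed inside the script with documentation-range IP addresses, and the baseline, surge factor and per-address limit are assumptions to be set from your own traffic history.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log line; only the fields the rule needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def build_sample_log():
    """Constructed access log (not captured traffic): about twenty normal requests
    from ten shoppers spread over a minute, then, in the 30-39 s slice, a botnet of
    40 addresses sending five requests each plus one address sending sixty, with the
    server already answering 503."""
    t0 = datetime(2024, 3, 4, 9, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset, path, status):
        ts = (t0 + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512'

    lines = []
    for i in range(1, 11):                        # ordinary shoppers
        lines.append(line(f"203.0.113.{i}", i * 6, "/products", 200))
        lines.append(line(f"203.0.113.{i}", i * 6 + 3, "/cart", 200))
    for j in range(1, 41):                        # distributed flood
        for k in range(5):
            lines.append(line(f"198.51.100.{j}", 30 + 2 * k, "/", 503))
    for sec in range(30, 40):                     # one noisy single source
        lines.extend(line("192.0.2.7", sec, "/", 503) for _ in range(6))
    return "\n".join(lines)


def parse_access_log(text):
    rows = []
    for raw in text.splitlines():
        m = LOG_RE.match(raw)
        if not m:
            continue                              # malformed line: skip, don't crash
        rows.append({"ip": m["ip"], "path": m["path"], "status": int(m["status"]),
                     "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")})
    return rows


def analyze_traffic(rows, bucket_seconds=10, baseline_rps=1.0, surge_factor=5.0,
                    per_ip_limit=30):
    """Bucket requests into fixed windows and report every window whose rate exceeds
    surge_factor x baseline. Each finding separates addresses that exceed per_ip_limit
    (candidates for a local block or rate limit) from a flood that is still a surge
    once those are removed, which is the distributed case."""
    buckets = defaultdict(list)
    for r in rows:
        buckets[int(r["ts"].timestamp()) // bucket_seconds].append(r)
    findings = []
    for key in sorted(buckets):
        reqs = buckets[key]
        rps = len(reqs) / bucket_seconds
        if rps < baseline_rps * surge_factor:
            continue
        per_ip = Counter(r["ip"] for r in reqs)
        offenders = sorted(ip for ip, n in per_ip.items() if n > per_ip_limit)
        leftover = len(reqs) - sum(per_ip[ip] for ip in offenders)
        error_share = sum(r["status"] >= 500 for r in reqs) / len(reqs)
        findings.append({
            "window_start": datetime.fromtimestamp(key * bucket_seconds,
                                                   tz=timezone.utc).isoformat(),
            "requests": len(reqs),
            "rps": rps,
            "distinct_ips": len(per_ip),
            "error_share": error_share,
            "single_source_offenders": offenders,
            "distributed": leftover / bucket_seconds >= baseline_rps * surge_factor,
            # most answers are 5xx, so the shop is effectively down: Critical (P1)
            "priority": "P1" if error_share >= 0.5 else "P2",
        })
    return findings


if __name__ == "__main__":
    for finding in analyze_traffic(parse_access_log(build_sample_log())):
        print(finding)
```

On the constructed log only the 09:00:30 window is reported: 264 requests from 43 addresses, `192.0.2.7` singled out as a source you could drop at the firewall, and `distributed` still true because the remaining 40 bots together are twenty times the baseline, which is the signal that blocking individual addresses will not restore service and the traffic needs to be absorbed upstream.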

After working through the incident response process and bringing systems back, always document the incident properly and apply the lessons learned so that you are better prepared for the next one.

From both scenarios, some lessons learned include:

Invest in Cybersecurity Preparedness:

Lesson: Proactive investment in cybersecurity measures is crucial to prevent and mitigate potential threats.

Insight: Businesses should regularly assess and enhance their cybersecurity infrastructure to stay ahead of evolving cyber threats.

Diversify Online Sales Channels:

Lesson: Relying solely on one online sales channel exposes the business to significant risks.

Insight: Diversifying sales channels, such as utilizing multiple platforms or maintaining a physical presence, can help mitigate the impact of disruptions on a single channel.

Implement DDoS Protection:

Lesson: Distributed Denial of Service (DDoS) attacks can cripple a website’s functionality, causing severe disruptions.

Insight: Implementing DDoS protection measures, such as upstream traffic filtering, rate limiting and load balancing, is essential to safeguard against large-scale attacks that no single server can absorb.

Implement Multi-Layered Security Measures:

Lesson: No single control stops ransomware; a multi-layered approach combining endpoint protection, firewalls, intrusion detection and tested backups is needed.

Insight: Multiple layers of security measures enhance the overall defence against ransomware and other malware, reducing the likelihood of successful attacks.

As businesses and individuals navigate the ever-changing cybersecurity landscape, a commitment to continuous improvement, vigilance, and adaptability is essential. By internalising these lessons, organisations can fortify their defenses, mitigate risks, and respond effectively to cyber incidents, ultimately safeguarding their operations, data, and reputation.
