Updated June 21, 2023
Introduction to Cyber Security Incidents
When the systems in an organization are compromised, the event is called a cyber security incident rather than a breach or a hack; the two terms are not interchangeable, so it is worth understanding the difference. While the word ‘incident’ may sound harmless, nobody uses it to describe something positive. An incident is trouble, and so is a cyber security incident.
A cybersecurity incident occurs when information is threatened, even if nothing is actually compromised. For example, an organization that successfully repels a cyber-attack has experienced an incident, not a breach. Security incidents are events suggesting that systems or data within an organization have been compromised, or that the protective measures for those systems or data have failed.
Detection of Cyber Security Incidents
Several warning signs can be used to detect security incidents.
- Unusual Behavior of Privileged User Accounts: Abnormal behavior on a privileged user account can indicate that someone is attempting unauthorized network access using that account.
- Servers and Data Accessed by Unauthorized Insiders: Insiders probe which systems and data they can reach. Warning signs include unauthorized users trying to access servers and data, users accessing data unrelated to their jobs, logins at abnormal times or from unusual locations, and attempts to log in from multiple locations within a short time.
- Abnormal Outbound Network Traffic: Organizations should not only worry about traffic entering the network but also monitor the traffic leaving their perimeter. Examples include insiders uploading large files to personal cloud applications, copying large files to external storage devices such as USB flash drives, or sending many email messages with attachments outside the company.
- Traffic Sent to or from Unknown Locations: If an organization operates in only one country, traffic sent to other countries can indicate malicious activity. Administrators must investigate traffic to any unknown network to confirm that it is legitimate.
- Excessive Resource Consumption: Unexplained changes in the consumption of server memory or hard drive space can mean that an attacker is illegally using those resources.
- Configuration Changes: Unapproved changes such as service reconfigurations, startup program installations, or firewall alterations may indicate malicious activity. The same holds true for newly added scheduled tasks.
- Hidden Files: Hidden files are considered suspicious because their filenames, sizes, or locations can indicate that data or logs are being collected for leakage.
- Unexpected Changes: Unexpected changes include user account lockouts, password changes, or group membership changes that nobody requested.
- Abnormal Browsing Behavior: Abnormal browsing behavior includes unexpected redirects, browser configuration changes, or recurring pop-ups.
- Suspicious Registry Entries: When a Windows system is infected by malware, suspicious registry entries appear; modifying the registry is one of the main ways malware ensures that it remains on the infected system.
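The warning signs above are easiest to understand as rules run over log events. The following is an added example, not code from the original article: it encodes four of the signs (privileged logins outside business hours, one user logging in from two countries within a short window, large or foreign-bound outbound transfers, and unapproved scheduled-task creation) as small Python rules and runs them over a handful of constructed events. The event format, field names, home country, business hours and byte threshold are all assumptions made for this example.

```python
"""Simple incident-indicator rules over constructed log events (added example).

Event format, field names and thresholds are assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; these are not real logs.
EVENTS = [
    {"ts": "2023-06-20T03:12:00", "type": "login", "user": "admin01", "privileged": True, "country": "US"},
    {"ts": "2023-06-20T09:00:00", "type": "login", "user": "jdoe", "privileged": False, "country": "US"},
    {"ts": "2023-06-20T09:20:00", "type": "login", "user": "jdoe", "privileged": False, "country": "BR"},
    {"ts": "2023-06-20T10:00:00", "type": "login", "user": "asmith", "privileged": False, "country": "US"},
    {"ts": "2023-06-20T10:05:00", "type": "egress", "user": "asmith", "dst_country": "RU", "bytes": 750_000_000},
    {"ts": "2023-06-20T10:06:00", "type": "egress", "user": "jdoe", "dst_country": "US", "bytes": 2_000},
    {"ts": "2023-06-20T11:00:00", "type": "schtask", "user": "jdoe", "task": "updater", "approved": False},
    {"ts": "2023-06-20T11:30:00", "type": "schtask", "user": "admin01", "task": "backup", "approved": True},
]

# Assumed organizational baseline: operates in one country, works 08:00-18:59.
HOME_COUNTRIES = {"US"}
BUSINESS_HOURS = range(8, 19)
TRAVEL_WINDOW = timedelta(hours=1)   # two countries within an hour is not plausible travel
LARGE_TRANSFER = 100_000_000         # bytes; tune to the organization's normal egress


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def privileged_off_hours(events):
    """Privileged account used outside business hours."""
    return [e for e in events
            if e["type"] == "login" and e["privileged"] and _ts(e).hour not in BUSINESS_HOURS]


def multi_location_logins(events, window=TRAVEL_WINDOW):
    """Same user logging in from two different countries within `window`."""
    seen = defaultdict(list)
    hits = []
    for e in sorted((e for e in events if e["type"] == "login"), key=_ts):
        for prev in seen[e["user"]]:
            if prev["country"] != e["country"] and _ts(e) - _ts(prev) <= window:
                hits.append((prev, e))
        seen[e["user"]].append(e)
    return hits


def foreign_egress(events):
    """Outbound traffic to a country the organization does not operate in."""
    return [e for e in events if e["type"] == "egress" and e["dst_country"] not in HOME_COUNTRIES]


def large_egress(events):
    """Unusually large outbound transfer, regardless of destination."""
    return [e for e in events if e["type"] == "egress" and e["bytes"] >= LARGE_TRANSFER]


def unapproved_scheduled_tasks(events):
    """Scheduled task created outside the change-approval process."""
    return [e for e in events if e["type"] == "schtask" and not e["approved"]]


def run_rules(events):
    """Run every rule and return (rule_name, user) alerts for an analyst to triage."""
    alerts = []
    alerts += [("privileged_off_hours", e["user"]) for e in privileged_off_hours(events)]
    alerts += [("multi_location_login", first["user"]) for first, _ in multi_location_logins(events)]
    alerts += [("foreign_egress", e["user"]) for e in foreign_egress(events)]
    alerts += [("large_egress", e["user"]) for e in large_egress(events)]
    alerts += [("unapproved_scheduled_task", e["user"]) for e in unapproved_scheduled_tasks(events)]
    return alerts


if __name__ == "__main__":
    for rule, user in run_rules(EVENTS):
        print(f"ALERT {rule}: user={user}")
```

Each rule is deliberately a single pass over the events so that it can be moved into whatever log pipeline the organization already has; the values that make a rule fire (home countries, business hours, the byte threshold, the travel window) are the parts that need tuning against the organization's own baseline, otherwise the rules either stay silent or drown the analyst in false positives.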
Attack Vectors of Cyber Security Incidents
An attack vector is a path by which a hacker gains access to a computer or network server in order to deliver a malicious outcome. Hackers exploit a system’s vulnerabilities through attack vectors: viruses, email attachments, webpages, pop-up windows, instant messages, chat rooms, deception, and so on. Hardware and programming are integral components of all of these methods. An organization should be prepared to handle any incident, but its main focus should be on incidents that use common attack vectors. The security incidents that use common attack vectors are:
- Removable or External Media: The attack is executed from removable media such as a CD, flash drive, or peripheral device.
- Attrition: Attrition attacks use brute force to compromise, degrade, or destroy networks, systems, and services.
- Web: A website or web-based application is used to execute the attack.
- Email: The attack is executed through an email message or an attachment. The hacker tempts the recipient to click a link leading to an infected webpage or to open an infected attachment.
- Improper Usage: The root cause of such an incident is a user’s violation of the organization’s acceptable use policies.
- Ad-Based Malware: Malware delivered through advertisements is also called malvertising. Advertisements on websites contain embedded malware that carries out the attack; merely opening a malicious ad can inject malware into an unsecured device. Malicious ads can also affect trusted apps.
- Mouse Hovering: Mouse hovering exploits vulnerabilities in well-known software such as PowerPoint. Shell scripts launch automatically when users hover over a link without clicking it.
- Scareware: Scareware instills fear to persuade users to download and purchase unwanted and potentially harmful software. It makes users believe their computer has a virus, prompts them to download fake antivirus software for virus removal, and makes them pay for it. If the user downloads and runs the program, it infects the system with malware.
A cybersecurity incident is a breach of system security that affects its integrity or availability. Typical cyber security incidents include attempts to gain unauthorized access to a system or data, unauthorized use of systems to process or store data, changes to the firmware, software, or hardware of a system without the owner’s consent, malicious disruption or denial of service, and so on.
This is a guide to Cyber Security Incidents. Here we discuss the introduction and detection of Cyber Security Incidents along with attack vectors.