The Cyber Blog Times: How to react to a cyber incident?

Welcome back to our second article from The Cyber Blog Times addressing cyber incidents.

If you have missed our first article, catch up and find the rules right here.

Ready? Grab your glasses, help yourself a cup of coffee and let’s nail this month reading.

What is a Cyber Incident?

Let’s begin at the beginning, what is a cyber incident? According to NIST, a cyber incident refers to: “An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.”

When dealing with a cybersecurity incident, the organization must be able to react quickly and appropriately. In other words, it is crucial to decide beforehand how to handle certain situations rather than waiting until the first confrontation during an incident. You need to develop a strategy to limit damage, reduce costs and recovery time, as well as communicate with internal and external stakeholders.

The cyber incident response lifecycle

In this section, we are going to discuss the incident response lifecycle. But first, what is this exactly? It is your organization’s step-by-step framework for identifying and reacting to a service outage or security threat.

Phase 1: Preparation

Firstly, comes the preparation. This phase covers the work an organization does to be ready for incident response including putting the right tools and resources in place and training the team. This phase includes the work done to prevent incidents from occurring.

Some of the important points for the preparation phase are:

Develop a response plan in case of a cybersecurity incident and update it regularly.
Identify your assets and potential threats.
Assign responsibilities and create a team to lead the cybersecurity incident response.
Work with external experts that are specialized in cybersecurity incidents.

Phase 2: Cyber incident’s detection & analysis

Secondly, we have to monitor security events to detect, alert, and report on potential security incidents.

Monitor security events in your environment using firewalls, intrusion prevention systems, and data loss prevention.
Detect potential security incidents by correlating alerts within a SIEM solution.
Analysts create an incident ticket, document initial findings, and assign an initial incident classification.
The reporting process should include accommodation for regulatory reporting escalations.

Phase 3: Containment, Eradication, Recovery

Thirdly, we have to keep the incident impact as small as possible and mitigating service disruptions.

Phase 4: Post-Incident Activity

Finally, learning and improving after an incident is one of the most important parts of incident response yet too often ignored. In this phase, the incident and incident response efforts are analyzed. The goals here are to limit the chances of the incident happening over again and as well as identify ways of improving future incident response activity.

Cyber incident challenges

Organizations face daily attempts to get access to their data or systems. This creates a new form of expertise, which needs to be deployed across the different teams to respond to the following:

Manage intrusions and security incidents.
Neutralize or contain the attack.
Elaborate intrusion response plan.
Gather information on discovered malicious file.
Assessment of controls in place.
Damage’s evaluation.
Keep evidence.
Train team to incident handling.
Stop data leakage.

CERT-XLM: Computer Security Incident Response Team of Excellium Services

A Computer Security Incident Response team is a bit like the fire brigade except that instead of putting out fires they help organizations contain, neutralize, and eradicate intrusions. Just as fire drills help save lives if a real fire strikes. Along these lines, careful preparation makes it easier to detect, handle and mitigate actual intrusions.

With the expertise of CERT-XLM, you may react in real-time to security incidents. Not to mention that the networking and data intelligence of CERTXLM also help you improve drastically your threat survey.

The Excellium CSIRT helps organizations respond efficiently to IT incidents by providing the following services:

Help customer with incident handling.
Malware analysis (Windows, Unix & Mobile).
Prepare and evaluate your incident response plan.
Forensic Investigations.
Malicious document analysis.
Breach analysis.
CERT collaboration and intelligence sharing.
Server “takedown”.

Security Skills:

CERT-XLM is composed of highly experienced security experts who can handle sophisticated attacks and threats.

Intelligence:

CERT-XLM gathers, aggregates, integrates, and analyses intelligence feeds.

Furthermore, CERT-XLM also develops tools to identify threats to your infrastructure.

Networking:

Regarding networking, CERT-XLM is a member of the CERT.LU initiative and an accredited member of Trusted Introducer.

Confidentiality:

CERT-XLM as Excellium has held PSF accreditation since 2016.

Ready to play?

Last but not least, our cyber quiz!

According to you, a takedown is…

the removal of a website, web page, or file from the internet.
related to malicious file analysis.
a support for organizations to decrease the number of threats.
a way to keep evidence in case of forensic investigation.

Send us your answer here and get the chance to win the final award.

Did you like the article? Feel free to let us know by sharing the word online: #TheCyberBlogTimes

Alaaedine CHATRI,

Lionel THONNATE.

Cookie	Duration	Description
CLID	1 year	Microsoft Clarity set this cookie to store information about how visitors interact with the website. The cookie helps to provide an analysis report. The data collection includes the number of visitors, where they visit the website, and the pages visited.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
MR	7 days	This cookie, set by Bing, is used to collect user information for analytics purposes.
SM	session	Microsoft Clarity cookie set this cookie for synchronizing the MUID across Microsoft domains.
_clck	1 year	Microsoft Clarity sets this cookie to retain the browser's Clarity User ID and settings exclusive to that website. This guarantees that actions taken during subsequent visits to the same website will be linked to the same user ID.
_clsk	1 day	Microsoft Clarity sets this cookie to store and consolidate a user's pageviews into a single session recording.

Cookie	Duration	Description
ANONCHK	10 minutes	The ANONCHK cookie, set by Bing, is used to store a user's session ID and also verify the clicks from ads on the Bing search engine. The cookie helps in reporting and personalization as well.
MUID	1 year 24 days	Bing sets this cookie to recognize unique web browsers visiting Microsoft sites. This cookie is used for advertising, site analytics, and other operations.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

About us

Career Opportunities

Get in Touch