< ciso
brief />
Tag Banner

All news with #incident response tag

247 articles

Three real-world incident case studies from GERT

🔍 Over the past year, Kaspersky’s Global Emergency Response Team and MDR service investigated diverse security incidents that informed the Anatomy of a Cyber World Global Report 2026. The post presents three real case studies illustrating how adversaries use credential theft, known vulnerabilities, and lateral movement to achieve persistence, escalate privileges, and deploy ransomware or wipers. It highlights recurring misconfigurations, delayed patching, and blind spots in monitoring as root causes of successful attacks.
read more →

CMC analysis of Canvas incident impacts education

🔍 The UK Cyber Monitoring Centre (CMC) has published its review of the Canvas incident affecting Instructure’s Learning Management System, finding ~160 UK higher education institutions impacted and around 9,000 worldwide. The analysis highlights that financial losses arose mainly from response, recovery and risk management rather than prolonged outage. The CMC reinforced best-practice recommendations for the sector, including MFA enforcement, separation of application and data layers, careful third‑party control and clearer vendor communication.
read more →

Scattered Spider members plead guilty in TfL hack

🛡️ Two members of the Scattered Spider group, Thalha Jubair (20) and Owen Flowers (18), pleaded guilty to breaching Transport for London systems between August 31 and September 3, 2024. The intrusion disrupted Oyster refund services and forced 28,000 staff to reset passwords, contributing to an estimated £29 million in losses. Both suspects were arrested in 2025 after investigators recovered incriminating evidence and devices linking them to the attack and other intrusions.
read more →

Cybersecurity’s Shift From Protection to Survival

🔒 The piece argues that cybersecurity must move beyond a prevention-first mindset to a survival-focused discipline. It stresses that while traditional controls (MFA, patching, hardening) remain necessary, organizations need breach readiness: continuity, recoverability, tested incident response, and clear governance. Regulatory and market pressures (EU resilience laws, US disclosure and accountability) plus AI-driven acceleration make resilience an operational imperative.
read more →

Five Eyes urge CSOs to update cyber risk strategies now

🔒 The Five Eyes cybersecurity agencies warn that rapidly advancing AI capabilities are already reshaping offensive and defensive cyber operations and urge CSOs to treat cyber risk as core business risk. They recommend prioritizing secure-by-design practices, defense in depth, rapid patching, reduced attack surface, stronger identity controls, and testing breach responses. Some experts call the guidance too general or overdue but agree it reinforces the need for executive alignment and urgent action.
read more →

Breaking the Cycle of CISO Burnout and Resilience

🔒 When a major cyber incident occurs the CISO becomes the invisible CEO of crisis, making high‑pressure decisions while managing stakeholders and operational recovery. This intense role, combined with limited strategic influence and short tenures, drives burnout and turnover across EMEA. Preparation through exercises, clear measures of risk and a permanent strategic seat at the table are essential to build sustainable resilience.
read more →

Accelerating AWS security investigations with Kiro CLI

🔐 This post shows how Kiro CLI, an AI-powered command line assistant, speeds AWS security investigations by proposing, explaining, and optionally executing AWS CLI commands while documenting each step. It demonstrates a GuardDuty-driven investigation following the AWS Security Incident Response Guide: triage, EC2 and IAM assessment, CloudTrail analysis, containment, and remediation. The walkthrough highlights benefits like faster triage, automated CloudTrail queries, and guided remediation, while advising human validation and forensic preservation.
read more →

Law enforcement disrupts SocGholish infections at scale

🛡️ International law enforcement agencies cleaned nearly 15,000 WordPress sites and took down over 100 servers tied to the SocGholish botnet and the Evil Corp cybercrime group as part of Operation Endgame. Authorities from the Netherlands, Canada, the United States, and Germany removed malware and backdoors from 14,971 compromised sites, advised remediation steps, and decommissioned 106 servers and domains. The action aims to deny criminals access, limit malware spread, and reduce risks to critical infrastructure.
read more →

Lessons from 22,000 Breaches for Incident Preparedness

🔍 The 2026 Verizon DBIR analyzed over 22,000 confirmed breaches across 145 countries and concludes that organizations cannot patch fast enough to prevent every incident. Exploitation of vulnerabilities became the leading initial access vector as critical flaws and their remediation windows grew, while ransomware and third-party breaches surged. The report urges realistic, technical tabletop exercises that rehearse containment, communication, and coordination under time pressure.
read more →

SOC Speed Gap: How Attack Timelines Compressed Fast

⚠️ This article launches Unit 42's series Inside the Modern SOC, drawing on customer environments, SOC assessments and investigations to highlight a defining challenge: the speed gap. Attack timelines have compressed dramatically — in some cases from initial access to data exfiltration in about 72 minutes — driven by identity-driven tactics and AI-accelerated adversaries. The piece emphasizes that manual, sequential workflows and fragmented tooling leave defenders behind and argues for automated correlation, predefined response actions and behavior-focused detection to close the gap.
read more →

JLR CISO Ordered In-Person Password Resets

🔒 At Infosecurity Europe, Ashish Shrestha, then group CISO of Jaguar Land Rover, recounted the September 2025 cyber-attack response that required over 30,000 staff to reset passwords on site. He said the in-person resets ensured trusted identities for communications after the incident and validated Microsoft 365 integrity. The firm also reset MFA and validated users’ identities physically to mitigate risks of remote account takeover.
read more →

Normalcy Bias and the Risk of Criminal ‘Auditors’

🔍 Normalcy bias leads organisations to assume “no news is good news” about security, delaying detection and response. This complacency lets cybercriminals effectively perform their own audits, exposing gaps between perceived and actual security. The article urges proactive testing, continuous monitoring, and investment in MDR/MXDR and awareness to prevent costly breaches.
read more →

How enterprises fall short of military cyber readiness

🛡️ Military cyber teams rehearse constantly using realistic, dynamic simulations while many enterprises treat security as a compliance exercise. The article contrasts rigorous military practices — continuous exercises, defined roles, and realistic cyber ranges — with corporate annual tabletop drills that fail to reflect daily adversary innovation. It urges businesses to adopt regular live simulations, AI Proving Grounds, clear decision-making hierarchies, and cross-industry intelligence sharing to build operational cyber resilience.
read more →

Ukraine’s resilience lessons for cybersecurity planning

🛡️ Dmytro Kuleba, Ukraine’s foreign minister from 2020–2024, told Infosecurity Europe that pre-planning and contingency-driven resilience underpinned Ukraine’s survival after the 2022 full-scale invasion. He described a December 2023 attack that knocked KyivStar offline via a single compromised employee account, and praised rapid recovery and hardened defences thereafter. Kuleba advised organisations to rehearse crisis responses, understand systems intimately, and build instinctive survival practices. He warned that even benign third-party CRM tools can be weaponised for targeted intelligence, urging technological sovereignty and strict data security.
read more →

Crisis communications playbook for cyber incidents

🛡️ Senior cybersecurity leaders at Infosecurity Europe 2026 urged organisations to prepare concise, practical crisis playbooks that focus on defining the type of incident, roles and decision authority, and responsibilities. They emphasised that playbooks must be adaptable to unfolding realities, and that human factors — fatigue management, clear communication and staff welfare — are as vital as technical response steps.
read more →

Resilience and Self-Reliance in Cyber Conflict

🛡️ Dmytro Kuleba, Ukraine’s former foreign minister, told Infosecurity Europe that preparation, resilience and self-reliance are crucial for cybersecurity professionals facing wartime threats. He cited KyivStar’s rapid recovery from a December 2023 hack and stressed the value of wargaming and muscle-memory incident response. Kuleba warned that innocuous services such as CRMs can be weaponized and urged businesses to distrust products from potential adversaries.
read more →

Executives and CISOs Must Treat Cyber as Statecraft

🔒 Bharat Thakrar of ISACA’s London Chapter told Infosecurity Europe 2026 that cyber, AI and geopolitics are now inseparable and warned against treating security as merely an IT problem. He cited breaches like Sony Pictures (2014), Viasat (2022) and Stryker (2026) to show private firms can be legitimate geopolitical targets. Thakrar proposed the Cyber Geopolitical Preparedness and Response (CGPR) framework—assess exposure, evaluate readiness, plan response and continuous monitoring—and urged geopolitical stress‑tests, revamped HR vetting, tighter access controls and predefined executive authorities.
read more →

Microsoft Exchange Online outage delays emails

📧 Microsoft is addressing a widespread service issue impacting the mail flow pipeline for Exchange Online customers in North America and Germany. Users reported SMTP deferral errors and abrupt connection closures, causing significant delays or failures when sending and receiving email. Engineers are investigating incident EX1331830 to identify root causes and restore normal service.
read more →

NCSC: Act Now to Build Cyber Resilience

🔒 Paul Chichester of the NCSC warned at Infosecurity Europe that escalating technological change, geopolitical tensions and evolving threats make predicting cyber risk harder than ever. He highlighted hyper-connectivity, rapid tech transformation and state-backed cyber operations as key challenges, and urged stronger public-private collaboration. Chichester praised the Cyber Security and Resilience Bill and called for practical steps like reducing attack surface, addressing legacy systems, enforcing access controls and running incident exercises.
read more →

Seven tabletop exercise mistakes that undermine readiness

🛡️ Discussion-based, low-stress simulations let IT, legal, and business leaders walk through hypothetical incidents to test preparedness, but poorly run tabletops can mislead and harm response capabilities. The article outlines seven common mistakes — from lacking clear objectives and testing only familiar scenarios to favoring conceptual scripts over practical ambiguity — and offers expert recommendations to design realistic, business-relevant exercises. Emphasis is placed on including the right stakeholders, introducing technical detail and uncertainty, and aligning scenarios to actual risks and interdependencies to avoid false confidence and reveal true process gaps.
read more →