< ciso
brief />
Tag Banner

All news with #incident response tag

247 articles · page 11 of 13

How to Respond After Clicking a Suspicious Link Safely

⚠ If you clicked a suspicious link, stay calm and act promptly. For work devices, contact IT immediately and follow their instructions. For personal devices, close the browser and check for unexpected downloads; if you entered credentials, change passwords and enable MFA; if financial data was entered, contact your bank; if a file was downloaded, disconnect, run a full scan, and consider restoring from a clean backup. Monitor accounts and report phishing attempts.
read more →

Responding to Cloud Incidents: Investigation and Recovery

🔍 Unit 42 outlines a structured approach to investigating and responding to cloud incidents, noting that 29% of 2024 incident investigations involved cloud or SaaS environments. The guidance emphasizes a shift from endpoint-centric forensics to focus on identities, misconfigurations and service interactions. It recommends enabling and centralizing logs, retaining them for at least 90 days, and preparing for rapid evidence collection and VM/container imaging. The article stresses identity forensics, behavioral baselining and surgical containment to avoid alerting adversaries.
read more →

Inside Microsoft Threat Intelligence: Calm in Chaos

🔎 Microsoft’s Incident Response (IR) team emphasizes calm, clarity, and rapid action when customers encounter major breaches. Adrian Hill explains how IR establishes trust within the first 30 seconds and coordinates with other vendors and stakeholders to stabilize compromised environments. Field discoveries are fed back into Microsoft Threat Intelligence, enabling new detections and product protections. Follow-up recovery, containment, and strategic guidance turn response into lasting partnership.
read more →

AWS Incident Detection and Response Now in GovCloud

🛡️ AWS Incident Detection and Response is now available in the AWS GovCloud (US-West) and GovCloud (US-East) Regions for eligible AWS Enterprise Support customers. The service provides proactive incident engagement and collaborative access to AWS expertise to detect issues earlier and reduce impact. Customers work with AWS to develop customized runbooks and response plans for each onboarded workload. The capability is intended to lower failure risk and accelerate recovery for critical workloads operating in GovCloud.
read more →

Service Desk as Attack Vector: Defend with Workflows

🔐 The service desk is now a primary enterprise perimeter for attackers, with social-engineering groups like Scattered Spider converting routine requests into broad access — as seen in high-impact incidents such as MGM Resorts and Clorox. Training matters but is not enough; verification must be a security-owned, auditable workflow rather than an agent’s discretionary call. Implement mandatory controls so agents never view credentials, apply role-based verification depths, and use points-based contingency checks when MFA fails. Integrate the flow with ITSM so tickets launch verification automatically, returning results and telemetry for alerting and audit.
read more →

WestJet Confirms Breach Exposed Customers' Passports

🔒 WestJet has confirmed that a cybersecurity incident disclosed on June 13 exposed sensitive customer information, including passports and other government IDs, according to a notification shared with U.S. authorities. The airline said an investigation completed on September 15 found impacted records varied by individual and could include full name, date of birth, mailing address, travel documents, loyalty program details, and certain card account information. WestJet emphasized that no credit or debit card numbers, expiry dates, CVV codes, or user passwords were compromised and is offering free two-year identity theft protection to affected customers. The company said the FBI is involved in the probe and that it is still working to determine the full scope of the incident.
read more →

Stop Alert Chaos: Contextual SOCs Improve Incident Response

🔍 The Hacker News piece argues that traditional, rule‑driven SOCs produce overwhelming alert noise that prevents timely, accurate incident response. It advocates flipping the model to treat incoming signals as parts of a larger story—normalizing, correlating, and enriching logs across identity, endpoints, cloud workloads, and SIEMs so analysts receive coherent investigations rather than isolated alerts. The contributed article presents Conifers and its CognitiveSOC™ platform as an example of agentic AI that automates multi‑tier investigations, reduces false positives, and shortens MTTR while keeping human judgment central.
read more →

How to Restructure a Security Program to Modernize Defense

🔒 The article advises that organizations should proactively restructure security programs instead of waiting for breaches or regulator intervention. It cites the 2024 FTC order against Marriott, following incidents exposing personal data of 344 million guests, as a cautionary example. Practical guidance includes an independent top-to-bottom review, listening tours, delivering quick visible wins, simplifying tool stacks, adopting AI-enabled capabilities, and investing in staff and training. It also outlines frequent mistakes such as insufficient executive buy-in, hiring biases, and underestimating evolving threats.
read more →

Asahi Halts Japan Operations After Cyberattack Disruption

⚠️ Asahi Group Holdings, Japan’s largest brewer, has suspended multiple domestic operations after a cyberattack disrupted ordering and shipping processes. Call center and customer service desks are currently unavailable to the public, and the company says the incident is confined to Japan-based systems. Investigations are ongoing; there is no confirmed leakage of personal or customer data, no public claim by ransomware gangs, and no recovery timeline has been announced.
read more →

UK backs Jaguar Land Rover with £1.5 billion loan guarantee

🔒 The UK Government has granted Jaguar Land Rover a £1.5 billion loan guarantee via UK Export Finance's Export Development Guarantee (EDG) to help the automaker recover after a severe cyberattack halted production and forced system shutdowns. The guarantee backs a commercial bank loan rather than direct state lending, reducing lender risk so JLR can secure larger, better-priced financing and immediate liquidity to pay suppliers. Repaid over five years, the measure is intended to stabilise the supply chain and protect thousands of jobs while JLR works with the NCSC, law enforcement and cybersecurity specialists during a phased return to manufacturing.
read more →

Retail at Risk: Single Alert Reveals Persistent Threat

🔍 A single Microsoft Defender alert triggered an investigation that uncovered a persistent cyberthreat against retail customers. Attackers exploited unpatched SharePoint flaws CVE-2025-49706 and CVE-2025-49704 using obfuscated ASPX web shells while also compromising identities through self-service password reset abuse and Microsoft Entra ID reconnaissance. DART swiftly contained the intrusions—removing web shells, isolating Entra ID, deprivileging accounts, and recommending Zero Trust measures, MFA enforcement, timely patching, and EDR deployment.
read more →

What Happens When You Engage Talos Incident Response

🔐 Cisco Talos Incident Response (Talos IR) provides rapid, 24/7 crisis support and proactive services to contain, investigate, and remediate cybersecurity incidents. Talos combines deep threat intelligence, digital forensics, and a vendor-agnostic approach to work with existing tools and environments. Engagements follow a structured IR lifecycle—Preparation, Identification, Containment, Eradication, Recovery, and Lessons learned—to minimize disruption and build long-term resilience.
read more →

Self-Driving IT Security: Preparing for Autonomous Defense

🛡️ IT security is entering a new era where autonomy augments human defenders, moving beyond scripted automation to adaptive, AI-driven responses. Traditional playbooks and scripts are limited because they only follow defined rules, while attackers continuously change tactics. Organizations must adopt self-driving security systems that combine real-time telemetry, machine learning, and human oversight to improve detection, reduce response time, and manage risk.
read more →

CISA Incident Response Findings: GeoServer Exploits

🔒 CISA assisted a U.S. federal civilian executive branch agency after endpoint alerts showed threat actors exploiting CVE-2024-36401 in public-facing GeoServer instances to gain initial access. The actors operated undetected for roughly three weeks, deployed web shells and proxy/C2 tools, and moved laterally to a web and SQL server. CISA highlights urgent patching of KEV-listed flaws, exercising incident response plans, and improving EDR coverage and centralized logging.
read more →

CISA Advisory: Lessons from Recent Incident Response

🔒 CISA published an advisory summarizing lessons learned from an incident response engagement after its endpoint detection and response tool detected potential malicious activity. The guidance emphasizes expedited patching—highlighting exploitation of GeoServer CVE-2024-36401—alongside strengthened incident response planning and enhanced threat monitoring. Organizations are urged to prioritize fixes for public-facing systems, test response playbooks, and implement centralized logging to improve detection and reduce exposure.
read more →

Attacker Breakout Time Drops to 18 Minutes, ReliaQuest

🔒 ReliaQuest's Threat Spotlight (June–August 2025) reports average attacker breakout time — the period from initial access to lateral movement — has fallen to 18 minutes, with one Akira incident taking just six minutes. The vendor warns adversaries are becoming faster and more adept at bypassing endpoint protections, noting an increase in ransomware using the SMB protocol (from 20% to 29%). Drive-by compromise was the leading initial vector at 34%, and USB-based malware, notably Gamarue, is resurging due to weak policy enforcement and inconsistent endpoint controls.
read more →

IR Playbooks and Mental Health After Major Incidents

🛡️ Joe Marshall uses the VPN Filter investigation to illuminate the often-hidden personal cost of incident response. He recounts months of high-pressure analysis into a modular SOHO botnet attributed to APT28 that featured persistence and a potentially destructive kill switch, and describes how prolonged stress produced burnout, fractured relationships, and career impact. Marshall offers four practical mitigations — boundaries, peer support, unplugged self-care, and mandatory decompression — and underscores how a Cisco Talos Incident Response (IR) Retainer can ensure organizations respond decisively while protecting staff wellbeing.
read more →

Unit 42 Earns NCSC Enhanced Level Incident Response

🔒 Palo Alto Networks' Unit 42 has been added to the UK's NCSC Cyber Incident Response scheme at the Enhanced Level, demonstrating certified capability to manage the most complex and impactful cyber incidents. The assurance verifies structured, government-benchmarked processes, strong investigative expertise, and a customer-focused retainer model tailored to regulatory and operational needs. This recognition underscores Unit 42's role in helping organisations reduce dwell time, contain threats faster, and strengthen long-term resilience.
read more →

SonicWall Urges Password Resets After Backup Files Exposure

🔒 SonicWall is urging customers to reset credentials after detecting suspicious activity that exposed firewall configuration backup files stored in MySonicWall cloud for under 5% of users. Although stored credentials were encrypted, the preference files contained information that could help attackers exploit related firewalls; the company says this was a series of brute-force accesses, not a ransomware event. Customers should verify backups, disable remote management and VPN access, reset passwords and TOTPs, review logs, and import the provided randomized preferences file that resets local passwords, TOTP bindings, and IPSec keys.
read more →

PyPI Invalidates Tokens Stolen in GhostAction Attack

🔐 The Python Software Foundation has invalidated PyPI publishing tokens that were exfiltrated during the early-September GhostAction supply chain attack. GitGuardian first reported malicious GitHub Actions workflows attempting to steal secrets, and PyPI found no evidence that the stolen tokens were used to publish malware. Affected maintainers were contacted and advised to rotate credentials and adopt short-lived Trusted Publishers tokens for GitHub Actions. PyPI also recommended reviewing account security history for suspicious activity.
read more →