< ciso
brief />
Tag Banner

All news with #incident response tag

247 articles · page 3 of 13

Train Like You Fight: No-notice Drills for Cyber Ops

🔔 Cybersecurity detection is improving, but response effectiveness hinges on how people perform under real stress. The article argues that scheduled, announced exercises leave teams neurologically unprepared because threat-induced arousal suppresses executive function. No-notice drills, informed by stress inoculation science, raise teams' tolerance for pressure and build practical outcomes: faster instinctive response, stronger cross-team trust and organizational honesty. Practical steps include anomaly injection, full-chain activation and rapid, blameless debriefs to close gaps.
read more →

DDoS Surge During Milano Cortina 2026 Winter Games

📈 The Milano Cortina 2026 Winter Games coincided with a dramatic rise in DDoS activity against Italian infrastructure, with attack frequency increasing 181% year-over-year from 2025. NETSCOUT ASERT recorded 12,963 attacks during the core Games window (Feb 6–23), peaking at more than 2,200 attacks on single days and shifting tactics from high-bandwidth floods to packet-rate–intensive vectors. The hacktivist group NoName057(16) dominated public claims, while ransomware groups and other actors also asserted responsibility. Adaptive defenses such as NETSCOUT ATLAS and Arbor products were highlighted as important mitigations.
read more →

AWS Console Mobile App Adds Enhanced CloudWatch Alarm Tools

📱 AWS has added expanded CloudWatch Alarm investigation tools to the AWS Console Mobile App. The update consolidates interactive metric graphs, AI-generated log summaries, and natural-language log search into a single alarm view to reduce time from notification to root cause. Engineers can zoom into specific time windows, adjust time zones, run voice or typed queries, and select pre-saved Logs Insights queries. Related metrics and resources are shown alongside alarms; the app is available in all AWS Commercial Regions at no additional cost.
read more →

Trellix Confirms Unauthorized Access to Source Code

🔐 Trellix has confirmed an incident that allowed unauthorized access to a portion of its source code repository. The company said it recently identified the compromise, engaged leading forensic experts, and notified law enforcement while pursuing an internal investigation. Trellix did not disclose the specific data accessed or an attribution, but stated there is currently no evidence that its source code was released, distributed, or exploited. Additional information will be shared as the investigation progresses.
read more →

Instructure Discloses Cybersecurity Incident, Investigates

🔐 Instructure has disclosed a cybersecurity incident and says it is actively investigating the impact with outside forensics experts. The company, best known for the Canvas learning platform, indicated some services have been under maintenance since May 1 and customers may experience issues with tools that rely on API keys. Instructure said it is working to understand the extent of the incident, minimize impact, and will provide updates as they become available.
read more →

Code Orange: Fail Small Complete — Stronger Cloudflare

🔧Cloudflare completed its Code Orange: Fail Small program after two quarters of focused engineering to prevent the November 18 and December 5, 2025 global outages. The work delivers safer configuration deployments through Snapstone, improved failure modes and segmentation to reduce blast radius, and revised break-glass and communications practices. Changes are codified in a mandatory Codex enforced by AI reviews to prevent regressions.
read more →

Criminal IP and Securonix Integrate Threat Intel Operations

🔗 Criminal IP and Securonix have integrated Criminal IP’s exposure-based threat intelligence into ThreatQ, enabling organizations to enrich IP indicators with contextual data such as maliciousness scoring, VPN/proxy detection, exposed services, open ports, and known vulnerabilities. The integration leverages APIs and ThreatQ’s orchestration engine to automate continuous enrichment and evaluation of incoming indicators, reducing manual analyst effort. Analysts can perform on-demand lookups and view expanded investigation graphs within ThreatQ, improving prioritization and response workflows.
read more →

Former incident-response staff get 4-year terms for BlackCat

🔒 Two former employees of incident response firms Sygnia and DigitalMint were each sentenced to four years in prison after pleading guilty to conspiring to obstruct commerce by extortion for acting as affiliates of the BlackCat (ALPHV) ransomware group between May and November 2023. Prosecutors say they paid a 20% share for access to BlackCat's ransomware and extortion platform and breached multiple U.S. companies, including medical and manufacturing firms; one Tampa medical device company paid $1.27 million after a $10 million demand. DigitalMint said the individuals were immediately terminated and their conduct was condemned by the company.
read more →

Medtronic Confirms Corporate IT Breach After Claims

🔒 Medtronic has confirmed a data security incident in which an unauthorized party accessed certain internal corporate IT systems. The company said there was no disruption to products, patient safety or operations and that hospital networks managed by customers were not affected. Cybercrime group ShinyHunters previously claimed to have exfiltrated millions of records, but Medtronic has not verified those figures and is actively investigating with external cybersecurity specialists. If sensitive data access is confirmed, affected individuals will be notified and offered support services.
read more →

Microsoft asks iPhone users to re-enter Outlook creds

📧 Microsoft has asked iPhone users to manually re-enter credentials in the default Mail app to restore access to Outlook and Hotmail accounts after a global sign-in outage. The company reported intermittent sign-in failures and some users being signed out or seeing "too many requests" errors, attributing the disruption to a "recently introduced change." Service health was reported as restored around 7 PM UTC, but iOS users must follow a step-by-step procedure in Settings → Mail → Accounts to update passwords. Microsoft has not disclosed the outage's root cause, scale, or affected regions.
read more →

Persistent 'Firestarter' Backdoor Hits Cisco Firewalls

🛡️ Security teams are being urged to inspect Cisco ASA and Firepower devices following discovery of a resilient backdoor called Firestarter that can persist after patching and survive normal reboots. CISA and the UK’s NCSC recommend generating a core dump and running their published YARA rules (or scanning a disk image) to detect the implant. If an infection is confirmed, the advisory states the device must be physically disconnected from all power sources, including redundant and backup supplies, for at least one minute or be fully reimaged — a standard reboot or power cycle is not sufficient.
read more →

Why Routine Password Resets Create Security Risks Explained

🔐 The article highlights that Forrester estimates each password reset costs roughly $70 and that self-service password reset (SSPR) tools have not eliminated helpdesk involvement. Attackers target resets to bypass MFA, as illustrated by the April 2025 Marks & Spencer incident tied to the Scattered Spider group, which began with a social-engineered reset and escalated to NTDS.dit extraction and ransomware. It recommends identity verification tools such as Specops Secure Service Desk, strong single-use temporary credentials, monitoring of reset activity, and clearer helpdesk procedures to reduce risk.
read more →

IR Trends Q1 2026: Phishing and public administration

🔒 Talos IR’s Q1 2026 analysis finds phishing reemerged as the top initial access vector, with public administration and health care tied as the most targeted sectors. Investigations documented abuse of AI-enabled services like Softr to build credential-harvesting pages and the first observed intrusion by Crimson Collective exploiting exposed developer secrets. Pre-ransomware activity rose but no encryptions occurred due to early mitigation. Talos emphasizes properly configured MFA, patching, and centralized logging.
read more →

Where Mature SOCs Eliminate Delays to Reduce MTTR Now

🔍 Mature SOCs compress MTTR by embedding threat intelligence directly into analyst workflows rather than relying on separate feeds, reports, or manual lookups. The contributed piece from ANY.RUN outlines five operational areas—detection, triage, investigation, response, and threat hunting—where integrated TI Feeds, TI Lookup, and Threat Reports remove handoffs. By surfacing behavioral context and enabling SIEM/SOAR automation, teams detect earlier, decide faster, and contain threats with minimal delay.
read more →

Vercel Confirms Cyber Incident After Third-Party Compromise

🔒 Vercel has confirmed a cyber incident in which a "highly sophisticated" attacker exploited the third-party tool Context.ai after an employee authorized the app. The adversary used that access to take over the employee's Vercel Google Workspace account and accessed several environments and environment variables not marked as sensitive; sensitive variables are stored unreadable and show no evidence of access. Vercel says npm packages and major projects like Next.js were not compromised, has engaged Mandiant to investigate, and is notifying affected customers while advising MFA, rotation of exposed variables, and strengthened deployment protections.
read more →

Seiko USA Website Defaced; Hacker Claims Customer Data Theft

🔒Seiko USA's website was briefly defaced over the weekend, showing a page titled 'HACKED' in the Press Lounge that replaced normal content with an extortion notice. The attackers claimed they had accessed the company's Shopify backend and exfiltrated the entire customer database, including names, email addresses, phone numbers, order history, shipping data, and account details. The message instructed Seiko to contact a specific customer account (ID 8069776801871) and warned of a 72-hour deadline before publishing the alleged data; Seiko has removed the message and has not publicly confirmed the incident.
read more →

Vercel Confirms Breach; Hackers Claim to Sell Data

🔒 Vercel has disclosed an unauthorized access incident that affected a limited subset of customers and certain internal systems. The company says its public services remain operational while it investigates the incident with external incident response experts and law enforcement. Vercel is notifying impacted customers and urging them to review environment variables, enable the sensitive environment variable feature where available, and rotate secrets or tokens if there is any suspicion of exposure.
read more →

Incident Response for AI: New Challenges, Same Principles

🔍 AI changes the assumptions behind incident response: outputs are non-deterministic, harmful content can be produced at machine speed, and root causes often emerge from interactions among training data, fine-tuning, retrieval, and user context rather than a single code defect. The familiar principles of explicit ownership, containment before investigation, psychologically safe escalation, and clear communication still apply, but teams must expand taxonomies and severity frameworks to capture AI-specific harms. Closing gaps in observability, reconciling privacy defaults with forensic needs, and adopting staged remediation—stop the bleed, fan out and strengthen, and fix at the source—are critical, as is protecting responder wellbeing during prolonged incidents.
read more →

Cloud CISO Perspectives — Technical and Cultural Resilience

🔒Thiébaut Meyer and Lia Wertheimer of Google Cloud’s Office of the CISO present a conversation with Matt Rowe, CSO of Lloyds Banking Group, on building resilience across both technology and teams. They argue resilience requires a dual approach: operational resilience through tool consolidation and a secure-by-default architecture, and cultural resilience through psychological safety, disciplined prioritization, and intentional pauses. Practical guidance includes shifting down the stack to reduce sprawl, embedding security goals into business priorities, and leaders modeling transparency to normalize speaking up. The interview frames resilience as a structural design choice rather than an exercise in individual endurance.
read more →

Four Key Questions to Ask Before Outsourcing MDR Services

🛡️ Outsourcing Managed Detection and Response (MDR) can close critical gaps in 24/7 threat monitoring and shorten attacker dwell time. Effective MDR validates alerts and reduces noise so internal teams focus on confirmed threats and high‑priority remediation. It also provides containment capabilities—isolating systems and stopping malicious activity—especially for organizations without a full SOC. When integrated with prevention and recovery tools, MDR becomes part of a cohesive cyber resilience strategy.
read more →