< ciso brief />

All news with #incident response tag

219 articles · page 4 of 11

Five Ways Broken Triage Raises Business Risk and Remediation

🛡️ Triage often increases organizational risk when investigators make decisions without execution evidence, when outcomes vary by analyst seniority, or when manual steps and escalations slow response. The article outlines five specific failures—lack of early evidence, seniority-dependent quality, slow time-to-decision, over-escalation, and repetitive manual work—and recommends execution-driven fixes such as using ANY.RUN interactive sandboxing to produce fast, observable behavior that enables evidence-backed verdicts, reduces rework, and shortens MTTR.

Boards Want Risk Signals, Not Just Cybersecurity Metrics

🔍 Boards and security leaders must shift reporting from raw counts to risk signals that map to exposure, trajectory, and consequence. Metrics such as mean time to detect and mean time to contain translate technical activity into business impact and serve as proxies for loss avoided. Experts warn that countable metrics can obscure structural risk, near misses, and changing assumptions that boards must know. AI has not created new board-level metrics but amplifies visibility and governance gaps that directors need signaled.

Moving Cyber Defense from Reactive Response to Proactive

🔒 Organizations are shifting from reactive incident response to proactive cyber defense to anticipate and block attacks before they cause damage. Speakers from PwC and Microsoft highlighted AI-accelerated threats, phishing deepfakes, and a criminal supply chain of ransomware-as-a-service, urging layered controls, zero trust, multicloud resilience, and security by design. Microsoft's Defender for Cloud, integrated with Microsoft 365 and third-party tools and deployed with PwC services, automates detection and response to reduce exposure time and staffing burdens.

AWS Observability Added as Kiro Power for Faster MTTR

⚡ AWS announced that AWS Observability is now available as a Kiro Power, enabling AI agent-assisted workflows to speed investigation of application and infrastructure health issues. The power packages four MCP servers—CloudWatch, Application Signals, CloudTrail, and AWS Documentation—to supply contextual observability, tracing, security signals, and references. It also provides automated gap analysis to identify missing instrumentation and eight steering guides to accelerate incident response and observability improvements.

Cloudflare BYOIP BGP Withdrawal Outage — February 20, 2026

⚠️ On February 20, 2026, Cloudflare introduced a change to how it manages BYOIP addresses that triggered a cleanup sub-task to erroneously withdraw customer prefixes via BGP, causing connectivity failures for affected customers. About 1,100 prefixes (≈25% of BYOIP prefixes on the peer) were withdrawn, including a subset of one.one.one.one. Engineers reverted the change, restored configurations, and resolved the incident in roughly six hours; Cloudflare confirmed the issue was not due to malicious activity.

INTERPOL's Operation Red Card 2.0: Coordinated Disruption

🚨 Operation Red Card 2.0 demonstrates how synchronized public‑ and private‑sector action can disrupt transnational fraud. Between December 2025 and January 2026, authorities across 16 African countries used shared intelligence and operational coordination to identify victims, arrest operators, seize devices, and dismantle malicious infrastructure. Fortinet supported the effort through data contributions and the Cybercrime Atlas, helping turn intelligence into enforcement outcomes.

INTERPOL's Red Card 2.0: 651 Arrests in Africa Crackdown

🔍 A coordinated operation led by INTERPOL and the African Joint Operation against Cybercrime (AFJOC) arrested 651 suspects across 16 countries between December 8 and January 30. Authorities recovered over $4.3 million and identified 1,247 victims linked to schemes responsible for more than $45 million in losses. Investigators seized 2,341 devices, dismantled networks of fraudulent accounts and took down 1,442 malicious websites, domains, and servers.

Three Practical Intelligent Workflows for Security and IT

⚙️ Intelligent workflows combine automation, AI-driven decisioning, and human oversight to accelerate outcomes and reduce operational drag across Security and IT. This contributed piece presents three production-ready use cases — automated phishing response, AI agents for IT service requests, and vulnerability monitoring tied to CISA and Tenable — with pre-built templates to integrate into existing stacks. These Tines templates are designed to help teams prove value quickly while keeping humans in the loop and maintaining governance.

Context-Aware Cloud Forensics: Reconstructing Attacks

🔍 This webinar examines how modern cloud forensics replaces slow, manual log stitching with automated, context-aware investigation across transient infrastructure. You’ll learn why traditional incident response fails when compromised instances, rotating identities, and expiring logs erase evidence, and why three capabilities — host-level visibility, context mapping, and automated evidence capture — are essential. The session demonstrates real investigations where correlated signals rebuild full attack timelines in minutes, enabling faster scoping, clearer attribution, and more confident remediation.

Unit 42 Managed XSIAM 2.0: 24/7 Managed SOC Service

🔒 Unit 42 Managed XSIAM 2.0 delivers a 24/7 managed SOC built on Cortex XSIAM and operated by Unit 42 analysts, threat hunters, responders and SOC engineers. Designed to close the gap with machine-speed attacks, MSIAM 2.0 replaces alert-driven models with continuous detection, proactive hunting and ongoing engineering of detections, correlations and playbooks. The service supports native and third-party EDR telemetry, enables pre-authorized full-cycle remediation across endpoints, firewalls, identity and cloud, and includes a Breach Response Guarantee with up to 250 hours of Unit 42 incident response to streamline crisis containment and recovery.

UK Cyber Threat Shifts from Ransomware to Disruption

🔍 In 2025 the UK became the most targeted country in Europe, and the nature of attacks shifted dramatically. Where ransomware once dominated, attackers prioritized disruption over monetization, altering tactics and intent. Many organizations that hardened defenses for extortion found those assumptions outdated and exposures increased. Detection, response and business-continuity strategies must be reevaluated.

The Foundation Problem: Accountability in Cybersecurity

🔧 Cybersecurity suffers not from a true talent shortage but from a leadership and accountability gap. Many organizations recruit for experience instead of building it, accept surface‑level post‑mortems, and allow technical debt to accumulate into risk. Fixing this requires structured training, persistent follow‑through, and translating technical debt into business terms so leaders can demand action.

CISA Hosts Town Halls to Seek Input on CIRCIA Rulemaking

📣 CISA will host a series of virtual town hall meetings beginning March 9 to collect stakeholder input on the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) rulemaking. The sessions will solicit feedback on the Notice of Proposed Rulemaking and implementation details; schedule information is published in the Federal Register and updates will be posted to CISA’s CIRCIA webpage. CIRCIA would require covered entities to report certain cyber incidents within 72 hours and ransom payments within 24 hours. CISA emphasized the need to balance improved national cybersecurity outcomes with minimizing unnecessary burden on critical infrastructure sectors.

Odido Data Breach Exposes Personal Data of 6.2M Customers

🔐 Odido confirmed a cyberattack that compromised its customer contact system and potentially exposed personal information for about 6.2 million customers. The company said attackers were able to download customer records but that passwords, call logs, location data, invoice details, and scans of identification documents were not accessed. Odido detected the incident on the weekend of February 7, blocked unauthorized access, reported the incident to the Dutch Data Protection Authority, and is notifying affected customers while working with external cybersecurity experts to strengthen controls and increase monitoring.

Microsoft 365 admin center outage affects North America

⚠️ Microsoft is investigating an outage that prevents some administrators with business or enterprise subscriptions from accessing the Microsoft 365 admin center in North America and Canada. The company is tracking the issue on its service health page and is collecting telemetry, with an early focus on CPU utilization and user HTTP Archive (HAR) files to identify a root cause. Impacted users report slow or unavailable admin portal access, degraded functionality, and potential inability to open the M365 app or raise support tickets.

How CISOs Reduce Burnout and Cut MTTR Without Hiring

🛡️ Top CISOs are cutting MTTR and reducing SOC burnout by making sandbox execution the first investigative step. By automating triage and pairing automation with live, interactive analysis, teams resolve routine alerts faster and escalate less. Solutions like ANY.RUN deliver runtime evidence, extract IOCs, and produce concise reports so analysts act decisively without adding headcount. The result: predictable workloads, fewer decision points, and measurable gains in throughput and SLA performance.

Betterment Data Breach Exposes 1.4 Million Accounts

🔒 Betterment disclosed a January incident in which threat actors accessed systems and stole contact and personal data from an estimated 1,435,174 accounts, including names, email addresses and location details. The attackers also sent fraudulent promotional emails promoting a cryptocurrency reward scam; Betterment says clicking the message did not compromise accounts. A forensic review with CrowdStrike found no evidence of customer account, password, or login credential theft, and the company reports the unauthorized access has been removed.

Building Board Trust Through Evidence-Based Cybersecurity

🔎 Cybersecurity is now a boardroom concern, but meaningful dialogue often breaks down when technical reports and compliance attestations fail to translate into business outcomes. CISOs should shift from activity lists to presenting continuous, tamper-resistant evidence that validates controls, backups, and insurance will work when needed. Automating evidence collection and sanitizing operational telemetry removes subjectivity from dashboards and enables clear decisions about mitigation or formal risk acceptance. That clarity fosters trust, improves governance, and reframes cybersecurity as a driver of business resilience.

The First 90 Seconds: Early Choices That Shape Investigations

🕒 The opening moments after detection — often referred to as the first 90 seconds — determine whether an incident becomes manageable or spirals out of control. Responders must quickly decide what to preserve, what to examine first, and whether a single affected host reflects broader compromise. Prioritize evidence of execution and retain backward telemetry rather than immediately restoring services. Consistent discipline, environment knowledge, and repeatable procedures are what let teams scale investigations with confidence.

Responding to Ransomware: Forensics, Triage, and Policy

🛡️ Stay calm and avoid rash moves when ransomware hits: shutting down systems can cause 'forensic suicide' by destroying volatile evidence such as RAM. Joanna Lang-Recht recommends isolating affected hosts from networks rather than powering them off, preserving forensic images, and engaging specialized incident response teams. Prioritize containment, secure offline backups, and clear crisis roles. Treat negotiation as an economic decision and rely on trained negotiators rather than emotional engagement.