< ciso
brief />
Tag Banner

All news with #incident response tag

247 articles · page 6 of 13

CISA Hosts Town Halls to Seek Input on CIRCIA Rulemaking

📣 CISA will host a series of virtual town hall meetings beginning March 9 to collect stakeholder input on the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) rulemaking. The sessions will solicit feedback on the Notice of Proposed Rulemaking and implementation details; schedule information is published in the Federal Register and updates will be posted to CISA’s CIRCIA webpage. CIRCIA would require covered entities to report certain cyber incidents within 72 hours and ransom payments within 24 hours. CISA emphasized the need to balance improved national cybersecurity outcomes with minimizing unnecessary burden on critical infrastructure sectors.
read more →

Odido Data Breach Exposes Personal Data of 6.2M Customers

🔐 Odido confirmed a cyberattack that compromised its customer contact system and potentially exposed personal information for about 6.2 million customers. The company said attackers were able to download customer records but that passwords, call logs, location data, invoice details, and scans of identification documents were not accessed. Odido detected the incident on the weekend of February 7, blocked unauthorized access, reported the incident to the Dutch Data Protection Authority, and is notifying affected customers while working with external cybersecurity experts to strengthen controls and increase monitoring.
read more →

Microsoft 365 admin center outage affects North America

⚠️ Microsoft is investigating an outage that prevents some administrators with business or enterprise subscriptions from accessing the Microsoft 365 admin center in North America and Canada. The company is tracking the issue on its service health page and is collecting telemetry, with an early focus on CPU utilization and user HTTP Archive (HAR) files to identify a root cause. Impacted users report slow or unavailable admin portal access, degraded functionality, and potential inability to open the M365 app or raise support tickets.
read more →

How CISOs Reduce Burnout and Cut MTTR Without Hiring

🛡️ Top CISOs are cutting MTTR and reducing SOC burnout by making sandbox execution the first investigative step. By automating triage and pairing automation with live, interactive analysis, teams resolve routine alerts faster and escalate less. Solutions like ANY.RUN deliver runtime evidence, extract IOCs, and produce concise reports so analysts act decisively without adding headcount. The result: predictable workloads, fewer decision points, and measurable gains in throughput and SLA performance.
read more →

Betterment Data Breach Exposes 1.4 Million Accounts

🔒 Betterment disclosed a January incident in which threat actors accessed systems and stole contact and personal data from an estimated 1,435,174 accounts, including names, email addresses and location details. The attackers also sent fraudulent promotional emails promoting a cryptocurrency reward scam; Betterment says clicking the message did not compromise accounts. A forensic review with CrowdStrike found no evidence of customer account, password, or login credential theft, and the company reports the unauthorized access has been removed.
read more →

Building Board Trust Through Evidence-Based Cybersecurity

🔎 Cybersecurity is now a boardroom concern, but meaningful dialogue often breaks down when technical reports and compliance attestations fail to translate into business outcomes. CISOs should shift from activity lists to presenting continuous, tamper-resistant evidence that validates controls, backups, and insurance will work when needed. Automating evidence collection and sanitizing operational telemetry removes subjectivity from dashboards and enables clear decisions about mitigation or formal risk acceptance. That clarity fosters trust, improves governance, and reframes cybersecurity as a driver of business resilience.
read more →

The First 90 Seconds: Early Choices That Shape Investigations

🕒 The opening moments after detection — often referred to as the first 90 seconds — determine whether an incident becomes manageable or spirals out of control. Responders must quickly decide what to preserve, what to examine first, and whether a single affected host reflects broader compromise. Prioritize evidence of execution and retain backward telemetry rather than immediately restoring services. Consistent discipline, environment knowledge, and repeatable procedures are what let teams scale investigations with confidence.
read more →

Responding to Ransomware: Forensics, Triage, and Policy

🛡️ Stay calm and avoid rash moves when ransomware hits: shutting down systems can cause 'forensic suicide' by destroying volatile evidence such as RAM. Joanna Lang-Recht recommends isolating affected hosts from networks rather than powering them off, preserving forensic images, and engaging specialized incident response teams. Prioritize containment, secure offline backups, and clear crisis roles. Treat negotiation as an economic decision and rely on trained negotiators rather than emotional engagement.
read more →

How risk culture makes cyber teams predictive and resilient

🔍 Forecasting in cybersecurity is framed as disciplined habits and clear choices rather than guesswork. The author argues teams trapped in constant incident mode must build a risk culture where weak signals and near misses are captured, named, and acted on without fear. Practical steps include lightweight near-miss logs, explicit decision rights, concise behavioral standards, and a steady operating rhythm of weekly reviews, monthly scenario practices and quarterly tests to shift from reflexive response to proactive foresight.
read more →

Securing Mid-Market Across the Complete Threat Lifecycle

🔒 Mid-market organizations face a constant tradeoff between necessary security and limited budgets and staff. This article argues for security across the full threat lifecycle—combining prevention, protection, detection, and response—to reduce risk without adding complexity. It highlights how consolidated platforms like Bitdefender GravityZone and outsourced MDR services extend visibility and operational capacity. The goal is stronger coverage with less overhead.
read more →

Threat Source: Resilience, trends, and hard truths

📰 Hazel Burton opens this Threat Source newsletter by acknowledging how difficult it can be to stay engaged with the news and suggests small, human respites—like the U.K. show Taskmaster—to remind readers creativity and levity persist under pressure. On the technical side, Cisco Talos Incident Response’s Q4 2025 report shows exploitation of public-facing applications remains the leading initial access vector (down from 62% to ~40%), while phishing and credential harvesting rose and ransomware incidents fell to 13% with Qilin still common. The newsletter urges rapid patching, correct MFA configuration and monitoring, and comprehensive logging to detect suspicious activity.
read more →

FBI Launches Winter SHIELD to Strengthen Cyber Defenses

🔐 The FBI has launched Operation Winter SHIELD, a ten-week campaign outlining ten concrete actions organisations should adopt to improve cyber resilience across IT and OT environments. Developed with domestic and international partners and informed by recent investigations, the initiative connects observed adversary behaviour to practical defenses such as phish-resistant authentication, immutable offline backups, vulnerability management and reduced administrator privileges. Aligned with the US National Cyber Strategy and the FBI Cyber Strategy, the effort aims to harden critical infrastructure and reduce the attack surface.
read more →

January 22, 2026 IPv6 BGP Route Leak from Miami Data Center

⚠️On January 22, 2026, an automated routing policy change caused Cloudflare to unintentionally advertise IPv6 routes from a Miami router for 25 minutes. The misconfiguration accepted internal IBGP routes and redistributed them to peers and transit providers, funneling non-Cloudflare traffic into Miami and causing congestion, elevated packet loss, and higher latency on backbone links. Firewall filters on the router discarded around 12 Gbps of ingress traffic for those non-downstream prefixes. Cloudflare paused automation, reverted the change, restored normal operation, and apologized to affected users, customers, and external networks.
read more →

How Google SREs Use Gemini CLI to Resolve Outages Quickly

🛠️ Google SREs describe using Gemini 3 and Gemini CLI to accelerate incident response across the full lifecycle: paging, mitigation, root cause analysis, and postmortems. The CLI integrates with SRE tools (alerting, logs, timeseries, and source control) and selects deterministic, typed actions while enforcing policy to keep humans in the loop. In practice it lowers Mean Time to Mitigation by automating playbook selection, executing safe mutations with approval, and producing fixes and postmortems that are auditable and repeatable.
read more →

NCSC Warns of Pro-Russian DDoS Targeting UK Services

⚠️ The UK's National Cyber Security Centre (NCSC) warns that pro‑Russian hacktivist groups are conducting distributed denial-of-service (DDoS) attacks against British organisations, particularly local government and critical infrastructure operators. These attacks are typically low in technical sophistication but can still deny access, disrupt services and impose substantial recovery costs. The NCSC advises organisations and OT owners to review and harden defences, work with ISPs and CDNs, design scalable services, retain administrative access during incidents, and regularly test mitigations.
read more →

PDFSider Windows Backdoor Targeted Fortune 100 Firm

🔐 Researchers discovered a stealthy Windows backdoor named PDFSider during incident response at a Fortune 100 finance firm; the tool has been linked to Qilin ransomware operations and is now observed with multiple ransomware groups. Attackers used spearphishing with a ZIP containing a legitimately signed PDF24 Creator executable and a malicious cryptbase.dll to achieve DLL side-loading and bypass EDRs. The in-memory backdoor uses AES-256-GCM for encrypted C2, exfiltrates system data over DNS, launches commands via anonymous pipes to CMD, and employs anti-analysis checks to maintain long-term covert access.
read more →

Windows 11 January Update Causes Outlook Freezes for POP

⚠ Microsoft is investigating reports that the January Windows 11 security update KB5074109 causes the classic Outlook desktop client to freeze and hang for users with POP email accounts. Affected users say Outlook does not exit properly and will not restart after being closed, disrupting normal mail access. Microsoft’s Outlook and Windows teams are examining the issue but have not provided a timeline for a fix. As a temporary workaround, users can uninstall KB5074109 via Settings > Windows Update > Update history > Uninstall updates, though removing security updates can expose systems to additional risk.
read more →

Victorian Education Department Notifies Parents of Data Breach

🔒The Victorian Department of Education has notified parents that an unauthorized third party accessed a database containing student names, school names, year levels and school-issued email addresses, along with encrypted passwords for accounts that use those emails. The department said more sensitive fields such as birth dates, home addresses and phone numbers were not exposed. All student passwords have been reset and access to school accounts is blocked until new credentials are issued; VCE students will be prioritised. Authorities say they removed the attack vector and have not found evidence the data was publicly released or shared, and further updates will be provided.
read more →

Incident Response Perspectives with Terryn Valikodath

🔍 Terryn Valikodath, Senior Incident Response Consultant at Cisco Talos, describes a role that blends technical investigation with clear communication and proactive planning. He explains how his team balances developing incident response plans, running tabletop exercises and threat hunts with hands-on reactive investigations and remediation. Terryn highlights the reward of teaching through multi-day cyber range trainings and the satisfaction of helping organizations recover and build trust.
read more →

Cyberattack Suspected After False Active-Shooter Siren

🚨 On Saturday, 10 January, the city of Halle (Saale) experienced a widespread false alarm when all sirens sounded around 10:00 p.m., accompanied by an English announcement: “Active shooter. Lockdown now.” City officials, including Mayor Alexander Vogt and security head Tobias Teschner, said the alert was likely triggered by external access to the siren system and not by local, state, or federal authorities. Authorities have secured the system, filed a police report, and are investigating; the municipal website was briefly unavailable due to high visitor traffic rather than a targeted DDoS, and resilience measures have been implemented.
read more →