CISO Brief

All news with #incident response tag

219 articles · page 6 of 11

Microsoft Incident Response: New Proactive Services

🔒 Microsoft Incident Response expands its proactive offerings to help organizations build cyber resilience and reduce disruption. New services include incident response plan development, major event support, an immersive cyber range, advisory engagements, and compromise assessments for M&A activity. These capabilities build on existing services such as compromise assessments, identity assessment and hardening, and tabletop exercises. The focus is on preparation, gap detection, defense hardening, and tailored threat insights to accelerate recovery and strengthen security posture.

Classic Outlook bug prevents opening encrypted emails

🔒 Microsoft is investigating a bug in the classic Outlook client introduced by Current Channel Version 2511 (Build 19426.20218) that prevents recipients from opening messages encrypted with Encrypt Only permissions. Impacted users may see a reading pane error asking them to verify credentials or encounter a message_v2.rpmsg attachment instead of readable content. The Outlook Team is working on a fix but has not provided an ETA. Microsoft recommends two temporary workarounds: have senders save encrypted messages before sending, or roll back to build 16.0.19426.20186.

Microsoft Defender Experts Suite: Expert-Led Security

🔒 The new Microsoft Defender Experts Suite combines managed extended detection and response (MXDR), proactive and reactive incident response, and a designated Microsoft security advisor to help organizations counter advanced, AI-accelerated threats. Microsoft analysts deliver 24/7 triage, continuous threat hunting, and on-demand expertise across endpoints, identities, email, cloud apps, and cloud workloads. Enhanced Designated Engineering supports secure deployment and operational modernization, while Incident Response offers planning, simulations, and rapid remediation. Eligible customers can access a limited-time promotional discount through 2026.

Focus Investigations: Move Beyond Detection and Response

🔍 Organizations often overemphasize detection and response at the expense of thorough investigation. While IDS, firewalls, and response teams are essential to stop immediate damage, investigation provides the root-cause insights—examining exploited vulnerabilities, attacker entry paths, and post-compromise activity—that prevent recurrence. Investing in deep packet inspection and forensic analysis turns incidents into learning opportunities and strengthens long-term resilience.

Resecurity Lures Alleged ShinyHunters into Decoy Data Trap

🔒 Resecurity says it intentionally diverted attackers into a honeypot after individuals claiming ties to the Scattered Lapsus$ Hunters (SLH) alliance posted screenshots alleging a breach. The company reports it detected reconnaissance of exposed services and steered the activity to an emulated environment populated with synthetic consumer and payment records. According to Resecurity, the adversaries interacted with the decoy, generating telemetry that revealed tooling and methods, while independent researchers have found no evidence that production systems or client data were compromised.

How AI Is Reshaping Cybersecurity Operations and Teams

🤖 Generative AI is rapidly transforming CyberOps by automating routine tasks, accelerating investigations and raising overall team productivity. Tools—some developed in-house and some by vendors—assist with forensics, incident response, log analysis, orchestration, vulnerability management and reporting. While AI scales capabilities and elevates junior staff, leaders stress the need for AI governance, prompt engineering skills and human oversight to manage risk.

Cybercrime Inc.: How Organized Hackers Outpace IT Defenses

⚠️ Cybercrime has matured into a structured, global underground economy that often outstrips corporate defenders. Groups now operate with division of labor, formal processes and professional marketing, and Ransomware-as-a-Service offerings enable nontechnical actors to lease malware, support and revenue-sharing schemes. The result is scalable, fast-moving criminal supply chains that exploit human error, weaponize stolen data and exploit slow, bureaucratic response models. Organizations must move beyond pure prevention to measurable resilience, rehearsed recovery and decisive incident leadership.

Effective Post-Incident Security Reviews: Key Practices

🔍 Post-incident reviews are a structured means to understand security incidents and improve future defenses. Conducted promptly, they preserve fresh details and enable accurate timelines that reveal where delays or failures occurred. Reviews must include root-cause analysis, evaluation of detection and response performance, and assessment of business impact. Involving legal, governance, finance, HR, and board stakeholders helps connect technical findings to policy and risk decisions; avoiding blame and assigning concrete, time-bound follow-up actions are essential.

Interpol Operation Sentinel Disrupts Cybercrime in Africa

🔍 Interpol’s month-long Operation Sentinel targeted cybercriminal infrastructure across 19 African countries, producing 574 arrests, the decryption of six ransomware strains, and the takedown of roughly 6,000 malicious links. The sweep also uncovered a business email compromise (BEC) scheme that nearly cost a petroleum company $7.9 million and helped recover about $3 million. National law enforcement teams in Ghana, Benin and Cameroon executed targeted takedowns, recovered terabytes of data, and seized devices and servers with assistance from private cybersecurity organizations.

Six Essential Components for an Effective Incident Response

🔒 An effective Incident Response plan must combine impact analysis, communications, clear roles, threat awareness, testing, and modular simplicity. The article outlines six essential components—including Business Impact Analysis, a comprehensive communications strategy, defined response roles, visibility across the threat landscape, regular testing, and modular playbooks—that help organizations maintain resilience during major outages or cyberattacks. Experts emphasize practical playbooks, pre-approved message templates, and disciplined After-Action Reviews to reduce downtime and ensure continuous improvement.

Code Orange: Cloudflare’s Fail Small Resilience Plan

⚠️ Cloudflare has opened a company-wide "Code Orange: Fail Small" initiative after two network incidents in November and December 2025 that disrupted customer traffic. The program prioritizes three workstreams: require controlled rollouts for configuration changes, review and harden failure modes across services, and overhaul break-glass procedures to remove circular dependencies. Changes will be delivered iteratively, using existing Health Mediated Deployments (HMD) and updates to Quicksilver to stage and validate configuration updates before global propagation.

Microsoft Confirms Teams Messaging Delays Across Regions

⚠️ Microsoft is investigating a widespread incident affecting Microsoft Teams, with thousands of users reporting messaging delays, failed sends, and issues with other service functions. The outage began around 2:30 PM ET and is impacting users across the United States and Europe. Microsoft says it is observing recovery in telemetry, is continuing analysis to identify impacted scenarios and determine root cause, and will share updates; this is a developing story.

AWS Security Incident Response Expands to 10 Regions

🔒 AWS Security Incident Response is now available in ten additional opt-in AWS Regions across Africa, Asia Pacific, Europe, and the Middle East. The service streamlines the incident response lifecycle through automated security finding monitoring and triage, AI-powered investigation, and containment capabilities. Customers also receive 24/7 direct access to a dedicated AWS security team that responds within minutes, helping scale operations, accelerate recovery, and reduce operational overhead.

AWS Security Incident Response Adds Slack Integration

🔗 AWS Security Incident Response now integrates with Slack, enabling bidirectional case creation and automatic data replication so teams can create and update cases from either the Security Incident Response console or Slack. Each case is mapped to a dedicated Slack channel with comments and attachments syncing instantly, and responders are added automatically to accelerate engagement. The open-source solution on GitHub leverages EventBridge and a modular architecture and includes guidance for using AI assistants such as Amazon Q Developer or Kiro to extend integration targets beyond Slack.

Creating a Practical Ransomware Playbook for Response

🛡️ Organizations must build a ransomware playbook that pairs planning, technology, and people to reduce disruption and protect business continuity. Regular tabletop exercises create the muscle memory experts recommend, clarifying decision authority, communications, and containment steps across legal, IT, and executive stakeholders. Prevention should be layered — prioritized patching, behavior-based EDR, email/phishing defenses, MFA, least-privilege controls, and verified offline backups — while recovery playbooks, pre-engaged legal and forensics contacts, and tested restore procedures speed remediation and limit reputational harm.

Resilience and Security for Water Utilities in 2025

🔒 Modern water and wastewater systems face accelerating cyber threats as utilities adopt remote sensors, cloud telemetry, and integrated SCADA. Critical safeguards—multi-factor authentication, network segmentation, and unified IT/OT visibility—are often missing, increasing risk from nation-state actors and ransomware. Utilities should prioritize comprehensive asset inventories, containment architectures, anomaly detection (e.g., FortiNDR, FortiSIEM), and regularly tested recovery plans to meet rising federal expectations.

Imposter for Hire: Fake Employees Gaining Access Now

🔍 Microsoft Incident Response details a real-world intrusion where operatives posed as legitimate remote hires to gain trusted access. Attackers used low-cost PiKVM hardware to create persistent, out-of-band control of employer-issued workstations and bypassed normal EDR and onboarding controls. DART used telemetry from Microsoft Entra ID, Microsoft Defender, and bespoke forensic tools to trace activity to the North Korean group Jasper Sleet, contain the compromise, and restore affected systems. The report emphasizes strengthening vetting, enforcing least privilege, and monitoring for unauthorized IT devices.

Using Managed XDR to Address Cybersecurity Skills Gaps

🔒 Managed Extended Detection and Response (MXDR) enables organizations to augment understaffed security teams with experienced analysts who provide continuous monitoring and rapid response. Providers deliver 24/7 coverage, broad sensor visibility, and immediate containment actions such as endpoint isolation. MXDR can reduce the need to hire internal specialists, but organizations must evaluate vendors carefully for expertise, data protection, and configurability.

Hidden Forensic Evidence in Windows ETL: Diagtrack File

🔍 FortiGuard IR analysts discovered that an obscure ETL file, AutoLogger-Diagtrack-Listener.etl, can retain historical process execution data useful for post-incident forensics. Parsing ETW payloads exposed ProcessStarted events including ImageName, ProcessID, ParentProcessID and sometimes CommandLine entries that revealed deleted tools. Controlled testing showed creating the autologger and setting AllowTelemetry=3 often produced an empty file, indicating the DiagTrack service may populate the file only under undocumented conditions. Further research is needed to understand when and how this telemetry is written.

Microsoft Investigates Copilot Outage Affecting Europe

⚠️ Microsoft is mitigating an incident that has blocked or degraded access to its AI-powered Copilot service for users in the United Kingdom and parts of Europe. The company says telemetry points to an unexpected traffic surge that prevented service autoscaling, and engineers are manually scaling capacity to restore availability. A related admin-facing issue is also affecting some Microsoft Defender for Endpoint features.