< ciso
brief />
Tag Banner

All news with #incident response tag

247 articles · page 8 of 13

AWS Security Incident Response Expands to 10 Regions

🔒 AWS Security Incident Response is now available in ten additional opt-in AWS Regions across Africa, Asia Pacific, Europe, and the Middle East. The service streamlines the incident response lifecycle through automated security finding monitoring and triage, AI-powered investigation, and containment capabilities. Customers also receive 24/7 direct access to a dedicated AWS security team that responds within minutes, helping scale operations, accelerate recovery, and reduce operational overhead.
read more →

AWS Security Incident Response Adds Slack Integration

🔗 AWS Security Incident Response now integrates with Slack, enabling bidirectional case creation and automatic data replication so teams can create and update cases from either the Security Incident Response console or Slack. Each case is mapped to a dedicated Slack channel with comments and attachments syncing instantly, and responders are added automatically to accelerate engagement. The open-source solution on GitHub leverages EventBridge and a modular architecture and includes guidance for using AI assistants such as Amazon Q Developer or Kiro to extend integration targets beyond Slack.
read more →

Creating a Practical Ransomware Playbook for Response

🛡️ Organizations must build a ransomware playbook that pairs planning, technology, and people to reduce disruption and protect business continuity. Regular tabletop exercises create the muscle memory experts recommend, clarifying decision authority, communications, and containment steps across legal, IT, and executive stakeholders. Prevention should be layered — prioritized patching, behavior-based EDR, email/phishing defenses, MFA, least-privilege controls, and verified offline backups — while recovery playbooks, pre-engaged legal and forensics contacts, and tested restore procedures speed remediation and limit reputational harm.
read more →

Resilience and Security for Water Utilities in 2025

🔒 Modern water and wastewater systems face accelerating cyber threats as utilities adopt remote sensors, cloud telemetry, and integrated SCADA. Critical safeguards—multi-factor authentication, network segmentation, and unified IT/OT visibility—are often missing, increasing risk from nation-state actors and ransomware. Utilities should prioritize comprehensive asset inventories, containment architectures, anomaly detection (e.g., FortiNDR, FortiSIEM), and regularly tested recovery plans to meet rising federal expectations.
read more →

Imposter for Hire: Fake Employees Gaining Access Now

🔍 Microsoft Incident Response details a real-world intrusion where operatives posed as legitimate remote hires to gain trusted access. Attackers used low-cost PiKVM hardware to create persistent, out-of-band control of employer-issued workstations and bypassed normal EDR and onboarding controls. DART used telemetry from Microsoft Entra ID, Microsoft Defender, and bespoke forensic tools to trace activity to the North Korean group Jasper Sleet, contain the compromise, and restore affected systems. The report emphasizes strengthening vetting, enforcing least privilege, and monitoring for unauthorized IT devices.
read more →

Using Managed XDR to Address Cybersecurity Skills Gaps

🔒 Managed Extended Detection and Response (MXDR) enables organizations to augment understaffed security teams with experienced analysts who provide continuous monitoring and rapid response. Providers deliver 24/7 coverage, broad sensor visibility, and immediate containment actions such as endpoint isolation. MXDR can reduce the need to hire internal specialists, but organizations must evaluate vendors carefully for expertise, data protection, and configurability.
read more →

Hidden Forensic Evidence in Windows ETL: Diagtrack File

🔍 FortiGuard IR analysts discovered that an obscure ETL file, AutoLogger-Diagtrack-Listener.etl, can retain historical process execution data useful for post-incident forensics. Parsing ETW payloads exposed ProcessStarted events including ImageName, ProcessID, ParentProcessID and sometimes CommandLine entries that revealed deleted tools. Controlled testing showed creating the autologger and setting AllowTelemetry=3 often produced an empty file, indicating the DiagTrack service may populate the file only under undocumented conditions. Further research is needed to understand when and how this telemetry is written.
read more →

Microsoft Investigates Copilot Outage Affecting Europe

⚠️Microsoft is mitigating an incident that has blocked or degraded access to its AI-powered Copilot service for users in the United Kingdom and parts of Europe. The company says telemetry points to an unexpected traffic surge that prevented service autoscaling, and engineers are manually scaling capacity to restore availability. A related admin-facing issue is also affecting some Microsoft Defender for Endpoint features.
read more →

Microsoft and Beazley Partner to Strengthen Cyber Resilience

🤝 Microsoft announced a collaboration with Beazley that designates Microsoft Incident Response as an approved incident response provider for Beazley’s InfoSec and Media Tech policies. This alignment brings technical responders, insurers, brokers, and legal counsel together to accelerate detection, containment, and recovery. Microsoft Incident Response, supported by Microsoft Threat Intelligence and direct engineering access, offers streamlined invoicing aligned to insurance standards. Eligible incident response services used during a cyber event are considered reimbursable, helping customers secure faster claims and recovery.
read more →

NCSWIC Releases 'What Is a PACE Plan' Video for Agencies

🎥 This Emergency Communications Month, the National Council of Statewide Interoperability Coordinators (NCSWIC) Planning, Training, and Exercise Committee released a concise educational video, 'What is a PACE Plan', that explains the components of a PACE plan (Primary, Alternate, Contingency, Emergency) and why it matters for public safety communications. NCSWIC members describe how communications can change in atypical situations and demonstrate why agencies should know their PACE and routinely practice it. The video is a practical tool to help agencies maintain continuity of communications when primary systems degrade.
read more →

Unit 42 and AWS Launch No-Cost Incident Response Retainer

🔒 Palo Alto Networks Unit 42 and Amazon Web Services have expanded their partnership to offer a no-cost Unit 42 Incident Response Retainer in AWS Marketplace for qualified customers. The retainer provides 250 hours of initial incident response, a 2-hour response SLA and 24/7/365 access to Unit 42’s incident response team. The offering is designed to accelerate containment, enable holistic investigations across cloud and enterprise environments, and reduce procurement overhead while providing preferred pricing for proactive services.
read more →

AWS Debuts DevOps Agent Preview for Operational Excellence

🔧 AWS announced the preview of AWS DevOps Agent, a frontier agent designed to investigate incidents and proactively prevent outages across AWS, multicloud, and hybrid environments. The agent autonomously triages alerts, correlates telemetry, code, and deployment data, and guides teams to faster resolution to reduce MTTR. During preview it is available at no additional cost in US East (N. Virginia).
read more →

RBKC Cyberattack on IT Provider Disrupts Local Councils

🔒 The Royal Borough of Kensington and Chelsea (RBKC) has warned residents their data may have been compromised after unusual activity linked to a shared IT service provider was detected earlier this week. The council says it has evidence that some historical data was copied and removed and that the material could end up in the public domain. RBKC urged residents to be vigilant for phishing and social‑engineering attempts via email, text and phone while services are restored, and warned disruption could continue for at least two weeks as investigations and recovery proceed.
read more →

Gainsight Breach Impacts More Salesforce Customers

🔒Gainsight has confirmed the cyber‑attack tied to Salesforce affected more customers than initially reported, though the vendor says the number remains limited and affected customers were notified. As a precaution Gainsight temporarily disabled Salesforce read/write access for several products, including Customer Success (CS), Community (CC), Northpass (CE), Skilljar (SJ) and Staircase (ST). Other vendors such as Gong.io, Zendesk and HubSpot have also disabled their connectors. Gainsight engaged Mandiant for an independent forensic investigation and is advising customers to rotate credentials and S3 keys, reset NXT passwords where appropriate, re-authorize integrations, and follow proactive hardening guidance while the investigation continues.
read more →

Serious Cyber Incidents Hit Multiple London Councils

⚠️ Multiple London local authorities, including the Royal Borough of Kensington and Chelsea (RBKC) and Westminster City Council, are responding to a serious cybersecurity incident identified on Monday. Both councils have informed the ICO and are working with the NCSC while invoking business continuity and emergency plans to protect critical services. A number of systems, including phone lines and shared IT services, are affected across boroughs. RBKC reports successful mitigations are in place and recovery work is continuing.
read more →

Major US Banks Assess Impact of SitusAMC Data Breach

🔒 Major US banks including JPMorgan Chase, Citi and Morgan Stanley are assessing potential customer data exposure after third-party mortgage servicer SitusAMC disclosed a breach discovered on Nov. 12 and confirmed on Nov. 22. SitusAMC says corporate records and 'certain data' related to clients' customers may have been accessed; the company reports services remain operational and the incident is contained. The FBI is investigating, has found no operational impact to banking services so far, and the company has implemented credential resets, disabled remote access tools, updated firewall rules and engaged third-party advisors while forensic analysis continues.
read more →

IACR Election Nullified After Trustee Loses Decryption Key

🔐 The International Association of Cryptologic Research (IACR) nullified its 2025 online election after trustee Moti Yung irretrievably lost his private decryption key. The election used the Helios voting system with a strict 3-of-3 trustee decryption scheme, so the missing key meant the system could not compute the final decryption shares or verify the outcome. The loss was an honest human error; the IACR will rerun the vote under a 2-of-3 threshold to permit recovery, and the incident was reported by outlets including Ars Technica and The New York Times.
read more →

AWS Security Incident Response: AI Investigative Agent

🔎 The new AI-powered investigative agent in AWS Security Incident Response automates evidence collection, correlation, and timeline building to speed incident investigations from hours to minutes. It interactively asks clarifying questions, queries CloudTrail, IAM, EC2, and cost data, and summarizes critical findings and timelines. The capability is available now across commercial AWS Regions and is included with the service’s metered pricing.
read more →

AWS Security Incident Response Adds Agentic AI Investigator

🔍 AWS Security Incident Response now offers an agentic AI investigative capability that automatically gathers, correlates, and summarizes evidence across AWS data sources. The investigative agent assesses new cases, asks submitters clarifying questions for missing indicators or timeframes, and collects logs from AWS CloudTrail, AWS Identity and Access Management (IAM), Amazon EC2, and AWS Cost Explorer. Findings are presented as clear, actionable summaries, and the feature is enabled automatically at no extra cost in supported Regions.
read more →

Root Cause Analysis Lags, Undermining Incident Resilience

🔍 Post-incident learning often falls behind containment, with Foundry’s Security Priorities study reporting 57% of security leaders struggled to identify root causes last year. Experts warn that prioritizing firefighting over forensic investigation leaves organizations exposed to repeat breaches and that disciplined evidence preservation is essential. Centralized telemetry such as SIEM, and forensic-capable services like MDR and XDR, plus structured postmortems, are key to building long-term resilience.
read more →