
All news with #incident response tag


Machine-Speed Security: Patching Faster Than Attacks

⚡ Attackers are weaponizing many newly disclosed CVEs within hours, forcing defenders to close the gap by moving beyond manual triage to automated remediation. Drawing on 2025 industry reports and CISA and Mandiant observations, the article notes roughly 50–61% of new vulnerabilities see exploit code within 48 hours. It urges adoption of policy-driven automation, controlled rollback, and streamlined change processes to shorten exposure windows while preserving operational stability.

AWS Security Incident Response: Communication Preferences

🔔 AWS announced customizable communication preferences for Security Incident Response, letting teams select notification types such as case changes, membership updates, and organizational announcements. The update replaces a one-size-fits-all model so individuals receive only relevant updates and reduces notification noise. Settings include smart defaults and can be adjusted as roles evolve. The feature is available to all Security Incident Response customers at no additional cost via the console.

Rhadamanthys infostealer disrupted after server access loss

🔒 The Rhadamanthys infostealer operation has reportedly been disrupted, with multiple customers saying they no longer have SSH access to their web panels. Affected users report servers now require certificate-based logins instead of root passwords, prompting some to wipe and power down infrastructure. Researchers g0njxa and Gi7w0rm observed the outage and noted Tor onion sites for the operation are also offline. The developer and several customers suspect German law enforcement, and some analysts link the event to the broader Operation Endgame disruptions.

CPU Spike Reveals RansomHub Intrusion Before Ransomware

🔍 Varonis responded after a server CPU spike exposed an active intrusion later attributed to RansomHub affiliates. The attacker gained initial access via a SocGholish JavaScript masquerading as a browser update, then deployed a persistent Python-based SOCKS proxy and automated reconnaissance to hunt credentials and enumerate Active Directory. Within hours the actor obtained Domain Admin privileges and initiated broad discovery and exfiltration; Varonis developed an unpacker, identified IOCs, and coordinated containment and remediation that prevented ransomware with zero downtime.

Ludwigshafen City Administration Faces Extended IT Outage

🚨 Ludwigshafen's city administration shut down its IT systems on 6 November after monitoring tools flagged serious anomalies, leaving online services and phone and email communications unavailable. A specialist internet-forensics firm was engaged overnight and reported a cyberattack could not be ruled out; officials say indicators have since intensified. There is currently no evidence of citizen data exfiltration, and backups and emergency plans operated as intended while investigations continue.

Purple Teaming and Continuous Practice for SOC Readiness

🪂 Purple teaming must become ongoing practice, not a one-off exercise. Many organisations run purple team engagements as transactional penetration tests that emphasise bypass and board-ready reports rather than sustained capability building. Real SOC uplift requires repetition, rehearsal, and collaborative iteration between testers and defenders, with an emphasis on simplicity, context-aware detection, and teaching analysts to understand attacker behaviour. Embedding project-style coordination and running small, focused simulations helps turn the SOC from a static service into a living capability.

Integrating Business Continuity and Cybersecurity Strategies

🔐 Executives must treat cybersecurity and business continuity as a unified discipline rather than separate functions. Drawing on six years managing high-availability systems at Amazon, the author warns that attackers increasingly target recovery and backup infrastructure, turning outages into leverage. The article advocates network segmentation, air-gapped and offline backups, and integrated incident-response and recovery testing to protect operations and reputation.

Ransomware Breach: How Nevada's Systems Were Encrypted

🔒 The State of Nevada published a detailed after-action report describing how attackers used a trojanized system administration utility to establish persistent access and deploy ransomware across state infrastructure. The initial compromise occurred on May 14 and was detected on August 24, impacting more than 60 agencies and prompting a 28-day recovery that restored 90% of required data without paying a ransom. Nevada engaged external responders including Microsoft DART and Mandiant, and has since implemented account cleanups, password resets, certificate removals, and tightened access controls.

Remember, Remember: AI Agents, Threat Intel, and Phishing

🔔 This edition of the Threat Source newsletter opens with Bonfire Night and the 1605 Gunpowder Plot as a narrative hook, tracing how Guy Fawkes' image became a symbol of protest and hacktivism. It spotlights Cisco Talos research, including a new Incident Response report and a notable internal phishing case where compromised O365 accounts abused inbox rules to hide malicious activity. The newsletter also features a Tool Talk demonstrating a proof-of-concept that equips autonomous AI agents with real-time threat intelligence via LangChain, OpenAI, and the Cisco Umbrella API to improve domain trust decisions.

University of Pennsylvania Confirms Data Stolen in Breach

🔒 The University of Pennsylvania confirmed that attackers used compromised credentials, obtained through sophisticated social engineering and identity impersonation, to access systems supporting development and alumni operations. The breach, discovered October 31, allowed exfiltration of approximately 1.71 GB of documents from SharePoint and Box and an alleged copy of a Salesforce donor marketing database of about 1.2 million records. Penn has engaged the FBI and CrowdStrike, revoked access, increased monitoring, and warned its community to be cautious of phishing and suspicious outreach while the investigation continues.

Generative AI for SOCs: Accelerating Detection and Response

🔒 Microsoft describes how generative AI, exemplified by Microsoft Security Copilot, addresses common SOC challenges such as alert fatigue, tool fragmentation, and analyst burnout. The post highlights AI-driven triage, rapid incident summarization, and automated playbooks that accelerate containment and remediation. It emphasizes proactive threat hunting, query generation to uncover lateral movement, and simplified, audience-ready reporting. Organizations report measurable improvements, including a 30% reduction in mean time to resolution.

Ground Zero: Five Critical Steps After a Cyberattack

🛡️ Rapid, methodical incident response is essential when you suspect unauthorized access. Activating a rehearsed IR plan and notifying a cross-functional incident team (including HR, PR, legal and executives) helps you quickly establish scope, preserve evidence and maintain chain of custody. Contain affected systems without destroying forensic data, protect offline backups, notify regulators, insurers and law enforcement, then proceed to eradication, recovery and hardening.

Email and Remote Access Drive 90% of Cyber Claims in 2024

📧 At-Bay's 2025 InsurSec analysis finds email and remote access were central to 90% of cyber insurance claims in 2024. Email accounted for 43% of incidents and fraud schemes commonly begin with credential theft, domain spoofing, and impersonation. Google Workspace was cited as the most secure mail provider, though claims rose; MDR services were highlighted as the most reliable defense against full encryption.

Microsoft DNS Outage Disrupts Azure and Microsoft 365

⚠️ Microsoft is experiencing a global DNS outage that began about an hour ago, causing widespread access problems to Azure and Microsoft 365 services. Customers worldwide report they cannot log into corporate networks or reach portals including Azure, Intune, and the Exchange admin center, and some report the Azure Front Door CDN is also unavailable. Microsoft attributes the interruptions to DNS failures, warns of intermittent request failures and latency, and is reviewing telemetry while working on mitigation; it recommends programmatic access (PowerShell/CLI) when portals are unreachable.

Dentsu Confirms Data Breach at U.S. Subsidiary Merkle

🔒 Dentsu disclosed a cybersecurity incident at its U.S. subsidiary Merkle, saying attackers accessed and stole files containing client, supplier, and employee information. The company detected abnormal activity, proactively took certain systems offline, and initiated incident response procedures while engaging third‑party responders. A circulated memo indicated exposed payroll and bank details, salary and National Insurance numbers, and personal contact details; impacted individuals are being notified and authorities in affected countries have been informed. Dentsu said Japan-based systems were not impacted and that the full scope and financial impact remain under investigation; no ransomware group has claimed responsibility so far.

Privileged Account Monitoring and Protection Guide Overview

🔐 This article outlines Mandiant's practical framework for securing privileged access across modern enterprise and cloud environments. It emphasizes a three-pillar approach—Prevention, Detection, and Response—and details controls such as PAM, PAWs, JIT/JEA, MFA, secrets rotation, and tiered access. The post highlights detection engineering, high-fidelity session capture, and SOAR automation to reduce dwell time and blast radius, and concludes with incident response guidance including enterprise password rotations and protected recovery paths.

Volvo Third-Party Breach Highlights Forensic Readiness Gaps

🔒 In August 2025 Volvo Group North America disclosed a breach that originated in its third‑party HR provider, Miljödata, and a slow timeline of detection and notification has raised questions about forensic readiness. Reported exposed records included Social Security numbers and sensitive employee identifiers, and Volvo offered 18 months of identity‑protection services. The author provides five practical recommendations to preserve evidentiary integrity: embed forensics from day zero, align IR and forensic priorities, automate collection and triage, contractually manage vendor response, and coordinate legal messaging to reduce litigation and regulatory risk.

Move Beyond the SOC: Adopt a Risk Operations Center

📡 The Resilience Risk Operations Center (ROC) reframes cyber defense by fusing technical, business and financial intelligence into a single operating environment. Rather than relying solely on a traditional SOC that reacts to alerts, the ROC prioritizes threats using actuarial and claims data to show potential financial impact and guide urgent decisions. Inspired by the US Air Force AOC, it co-locates multidisciplinary experts to anticipate attacks and accelerate response. Early use, including response to an April 2024 VPN zero-day, showed faster mitigation and reduced losses.

AWS Resource Explorer Adds 47 New Resource Types

🔍 AWS has expanded Resource Explorer to support 47 additional resource types across services including Amazon Bedrock, AWS Shield, AWS Glue, VPC Lattice, WAFv2, SageMaker, and S3. With this update, customers can search for and discover these resources centrally, improving inventory accuracy and operational visibility. The change aims to streamline compliance, incident response, and cross-service troubleshooting by making more resource types queryable from a single interface.

Internal Conflicts Often Worse Than Cyberattacks for CISOs

🛡️ Roughly 70% of senior security leaders say internal conflicts during a cyber crisis cause more disruption than the attack itself, according to the Cytactic 2025 State of Cyber Incident Response Management (CIRM) Report. The survey of 480 US cybersecurity executives highlights blurred authority, poor communication, and unrehearsed roles that delay response. Experts recommend demonstrating security's business value, reducing operational friction with passwordless controls, and aligning incentives with lines of business.