< ciso brief />

All news with #incident response tag

219 articles · page 9 of 11

AWS outage: DynamoDB DNS failure caused disruption

⚠️ Amazon says a latent race condition in DynamoDB's DNS management automation triggered a widespread AWS outage centred on the us-east-1 (Northern Virginia) region. At 11:48 PM PDT the race caused the accidental deletion of all IP addresses for the regional DynamoDB public endpoint, so DNS resolution failed immediately for customer traffic and for the internal AWS services that depend on DynamoDB. The fault cascaded across dependent services, prevented the automation from restoring a consistent state on its own, and required manual operator intervention to recover. AWS has disabled the affected DNS automation globally, added protective checks, improved throttling, built new test suites, and apologized for the impact.
read more →
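The two safeguards a practitioner would want from the summary above are a monotonic plan-version check (a delayed worker must never overwrite a newer plan with an older one) and a refusal to ever publish an empty record set for a public endpoint. The following is an added, deliberately simplified model written for this page; it is not AWS's code or its actual enactor design, and the class and exception names (DnsEnactor, Plan, StalePlanError, EndpointEmptyError), the two-worker sequence and the RFC 5737 sample addresses are all constructed for the illustration. It runs the same race twice, once without and once with the checks, so the difference in the final record set is visible.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


class StalePlanError(Exception):
    """A worker tried to enact a plan older than the one already live."""


class EndpointEmptyError(Exception):
    """The change would leave the public endpoint with no addresses."""


@dataclass(frozen=True)
class Plan:
    version: int
    addresses: frozenset


@dataclass
class DnsEnactor:
    """Live record set for one public endpoint (hypothetical model, not AWS's
    design).  guarded=False shows the unsafe behaviour; guarded=True adds the
    two protective checks."""
    guarded: bool
    records: frozenset = frozenset()
    applied_version: int = -1
    audit: List[Tuple[str, int, list]] = field(default_factory=list)

    def apply_plan(self, plan: Plan) -> None:
        if self.guarded:
            # Monotonic version check: a delayed worker must not overwrite a
            # newer plan with an older one.
            if plan.version <= self.applied_version:
                raise StalePlanError(
                    f"plan v{plan.version} is not newer than v{self.applied_version}")
            # Never publish an empty answer for a public endpoint.
            if not plan.addresses:
                raise EndpointEmptyError(f"plan v{plan.version} has no addresses")
        self.records = plan.addresses
        self.applied_version = plan.version
        self.audit.append(("apply", plan.version, sorted(self.records)))

    def retire_plan(self, plan: Plan) -> None:
        """Cleanup: remove the addresses of a plan believed to be stale.
        Unguarded, this is what empties the endpoint after a stale write."""
        remaining = self.records - plan.addresses
        if self.guarded and not remaining:
            raise EndpointEmptyError(
                f"retiring v{plan.version} would leave the endpoint empty")
        self.records = remaining
        self.audit.append(("retire", plan.version, sorted(self.records)))


def simulate_race(guarded: bool) -> frozenset:
    """Two workers race on one endpoint: worker A picks up plan v1, stalls,
    and applies it after worker B has already enacted v2; a cleanup job then
    retires v1.  Returns the record set the endpoint is left with."""
    v1 = Plan(1, frozenset({"192.0.2.10", "192.0.2.11"}))  # constructed sample IPs
    v2 = Plan(2, frozenset({"192.0.2.20", "192.0.2.21"}))
    enactor = DnsEnactor(guarded=guarded)
    enactor.apply_plan(v1)            # v1 is live
    enactor.apply_plan(v2)            # worker B enacts the newer plan
    try:
        enactor.apply_plan(v1)        # worker A wakes up and replays stale v1
    except StalePlanError:
        pass                          # guarded: rejected; unguarded: v1 overwrites v2
    try:
        enactor.retire_plan(v1)       # cleanup removes the "stale" v1 addresses
    except EndpointEmptyError:
        pass                          # guarded: refused rather than empty the endpoint
    return enactor.records


if __name__ == "__main__":
    print("unguarded:", sorted(simulate_race(False)))   # []
    print("guarded:  ", sorted(simulate_race(True)))    # ['192.0.2.20', '192.0.2.21']
```

The unguarded run ends with an empty record set, which is exactly the condition that turns a control-plane bug into a resolution failure for every client; the guarded run keeps v2 live and leaves an audit trail of the rejected operations for the operator to act on.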

Threat Source: SharePoint Exploits and Patch Urgency

⚠ Cisco Talos reports a sharp increase in attacks against public-facing applications, which rose to over 60% of its IR cases this quarter, driven largely by the ToolShell exploit chain against unpatched on-premises Microsoft SharePoint servers. Ransomware-related incidents fell to about 20% but show evolving tactics, including abuse of legitimate tools and compromised internal accounts for persistence and internal phishing. Organizations are urged to prioritize rapid patching, robust network segmentation, centralized logging, MFA, and user education to reduce exposure.
read more →

CISOs: Earning Business Respect Through Incident Response

🛡️ How a CISO handles a major incident can make or break their career. A Cytactic survey of 480 senior US cybersecurity leaders, including 165 CISOs, found that 65% said leading an incident response elevated their internal reputation while only 5% said it hurt it. Experts say a well-managed response can translate into better budgets and authority, but prevention work is often invisible and a single failure can still cost a CISO their job.
read more →

Amazon CloudWatch adds interactive incident reporting

📝 Amazon CloudWatch now offers interactive incident report generation, enabling customers to produce comprehensive post-incident analysis in minutes. The capability, available within CloudWatch investigations, automatically gathers and correlates telemetry data, user inputs, and investigation actions to produce streamlined reports. Reports include executive summaries, timelines, impact assessments, and actionable recommendations to help teams identify patterns and implement preventive measures. The feature is available in multiple AWS regions.
read more →

Ransomware Victim Responses and Human Impact Analysis

🔒 Ransomware attacks inflict both operational and deep personal harm, often devastating small businesses lacking cash reserves and cybersecurity expertise. Research underscores lasting trauma, exhaustion, and financial ruin that can outlast technical recovery. Organizations should pair an incident response plan with compassionate leadership and employee support. Cisco Talos also warns of evolving supply‑chain campaigns targeting developers and job seekers, reinforcing the need for layered defenses.
read more →

Quantum Readiness: Why Incident Response Won't Work

🔐 The arrival of cryptographically relevant quantum computers will create what the author calls a "silent boom": adversaries can capture encrypted traffic today and decrypt it later (harvest now, decrypt later), so the resulting breaches are neither observed nor observable. This undermines incident response as traditionally practised and shifts responsibility to engineering teams rather than a vendor checkbox. Organizations must pursue quantum readiness by engaging developers to inventory cryptographic algorithms and the data they protect, assess internet-facing assets for post-quantum cryptography (PQC) support, and build the capability to test new ciphers within their release cycles.
read more →

Leading Incident Response Through Empathy and Care

🛡️ Laura Faria, an incident commander with Cisco Talos Incident Response, discusses leading through chaos, empathy, and teamwork during high-pressure security incidents. She traces a career across multiple cybersecurity vendors and sales roles before joining Talos and stepping into incident command. Laura emphasizes purpose-driven response work, particularly when outages affect critical infrastructure and patient safety. The interview highlights resilience, collaboration, and practical leadership lessons.
read more →

Most Companies Remain Poorly Prepared for Cyberattacks

🔒 Markus Weber, founder and managing director of dokuworks, describes the immediate steps his team takes when called in after a cyberattack: isolate and secure affected systems so IT forensics can operate, preserve extortion correspondence to help identify perpetrators, assess operational impact, and initiate emergency operations. He warns that ransomware is the predominant threat and generally advises against paying ransoms, though there are rare exceptions. Many organizations are improving technically but still neglect documented emergency organization and trusted external partnerships, leaving them vulnerable.
read more →

UK NCSC Reports 130% Rise in National Cyber Incidents

🔐 The UK’s National Cyber Security Centre (NCSC) reported 204 nationally significant incidents between September 2024 and August 2025, a 130% increase on the prior year’s 89 incidents. In total the agency received 1,727 incident tips and elevated 429 to cyber incidents requiring support, including 18 Category 2 “highly significant” events. NCSC leaders warned attackers are improving and urged businesses to harden defences and prioritise preparedness to sustain operations during attacks.
read more →

CISOs Must Rethink Tabletop Exercises and Readiness

⚠️ The Cytactic 2025 State of Cyber Incident Response Management report found that 57% of significant incidents involved attack types the security team had not rehearsed. The finding suggests many tabletop exercises focus on dramatic, familiar scenarios like ransomware rather than the subtle, realistic tactics adversaries commonly use. Reported failures include misplaced burner phones and stale contact lists, illustrating gaps in basic readiness. Experts recommend regularly refreshing tailored simulations, roleplaying smaller breaches, and practicing communications and logistics to build practical muscle memory.
read more →

Russia-Aligned Hacktivist Fooled by Water Honeypot

💧 Forescout disclosed that a Russia-aligned hacktivist group, TwoNet, was tricked into attacking a honeypot designed to look like a water treatment utility. The actor accessed the HMI with default credentials and created an account named BARLATI to carry out defacement, PLC manipulation, log suppression and process disruption. Forescout said this incident reflects a broader shift from DDoS and defacement toward OT/ICS targeting and provided mitigation guidance.
read more →

Cloudflare Launches REACT: Unified Incident Response

🔒 Cloudflare has introduced REACT, a new incident response and advisory service from Cloudforce One designed to bridge the gap between edge defenses and in‑network remediation. REACT combines proactive advisory work (threat hunting, tabletop exercises, and readiness assessments) with emergency incident response and retainer options for guaranteed availability. As a network‑native, vendor‑agnostic service, REACT can deploy mitigations at the Cloudflare edge and coordinate investigations across on‑premise, cloud, and hybrid environments.
read more →

How to Respond After Clicking a Suspicious Link Safely

⚠ If you clicked a suspicious link, stay calm and act promptly. For work devices, contact IT immediately and follow their instructions. For personal devices, close the browser and check for unexpected downloads; if you entered credentials, change those passwords (and any reused elsewhere) and enable MFA; if financial data was entered, contact your bank; if a file was downloaded, disconnect the device from the network, run a full scan, and consider restoring from a clean backup. Monitor accounts and report the phishing attempt.
read more →

Responding to Cloud Incidents: Investigation and Recovery

🔍 Unit 42 outlines a structured approach to investigating and responding to cloud incidents, noting that 29% of 2024 incident investigations involved cloud or SaaS environments. The guidance emphasizes a shift from endpoint-centric forensics to focus on identities, misconfigurations and service interactions. It recommends enabling and centralizing logs, retaining them for at least 90 days, and preparing for rapid evidence collection and VM/container imaging. The article stresses identity forensics, behavioral baselining and surgical containment to avoid alerting adversaries.
read more →

Inside Microsoft Threat Intelligence: Calm in Chaos

🔎 Microsoft’s Incident Response (IR) team emphasizes calm, clarity, and rapid action when customers encounter major breaches. Adrian Hill explains how IR establishes trust within the first 30 seconds and coordinates with other vendors and stakeholders to stabilize compromised environments. Field discoveries are fed back into Microsoft Threat Intelligence, enabling new detections and product protections. Follow-up recovery, containment, and strategic guidance turn response into lasting partnership.
read more →

AWS Incident Detection and Response Now in GovCloud

🛡️ AWS Incident Detection and Response is now available in the AWS GovCloud (US-West) and GovCloud (US-East) Regions for eligible AWS Enterprise Support customers. The service provides proactive incident engagement and collaborative access to AWS expertise to detect issues earlier and reduce impact. Customers work with AWS to develop customized runbooks and response plans for each onboarded workload. The capability is intended to lower failure risk and accelerate recovery for critical workloads operating in GovCloud.
read more →

Service Desk as Attack Vector: Defend with Workflows

🔐 The service desk is now a primary enterprise perimeter for attackers, with social-engineering groups like Scattered Spider converting routine requests into broad access — as seen in high-impact incidents such as MGM Resorts and Clorox. Training matters but is not enough; verification must be a security-owned, auditable workflow rather than an agent’s discretionary call. Implement mandatory controls so agents never view credentials, apply role-based verification depths, and use points-based contingency checks when MFA fails. Integrate the flow with ITSM so tickets launch verification automatically, returning results and telemetry for alerting and audit.
read more →
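The control the entry above argues for is a verification decision that the policy makes and the agent merely feeds, with a per-role depth and a points threshold for the path where MFA cannot be completed. The block below is an added example written for this page, not the article's own workflow or any vendor's product: the role names, evidence types, point weights, thresholds and the ALWAYS_ESCALATE rule are illustrative assumptions, and the function names (verify_reset, audit_event) are made up. It returns a Decision the ITSM integration can attach to the ticket and emit as telemetry, and the record it emits carries evidence types only, never a credential.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Verification depth required per role (assumed values): higher-risk roles
# need more independent evidence before a reset is released.
REQUIRED_POINTS: Dict[str, int] = {
    "standard": 3,
    "finance": 5,
    "privileged_admin": 7,
}

# Evidence the workflow can collect when MFA is unavailable, with its weight.
# Facts an attacker can harvest from LinkedIn or an earlier breach (employee
# ID, manager's name) are deliberately cheap; items that require the desk to
# initiate contact through a channel on file are worth more.
POINTS: Dict[str, int] = {
    "mfa_push_approved": 99,          # strong factor: satisfies any role outright
    "callback_to_number_on_file": 3,  # desk dials the HR record, never the caller's number
    "manager_video_confirmation": 3,  # manager confirms on a live video call
    "id_document_live_check": 2,
    "employee_id_match": 1,
    "manager_name_match": 1,
}

# Roles whose MFA-failure path is never decided at the desk at all.
ALWAYS_ESCALATE = {"privileged_admin"}


@dataclass
class Decision:
    outcome: str                     # "approved", "escalate" or "denied"
    score: int
    required: int
    reason: str
    evidence: List[str] = field(default_factory=list)


def verify_reset(role: str, evidence: List[str], mfa_reported_broken: bool) -> Decision:
    """Decide a password-reset request.  The agent supplies the ticket's role,
    the evidence items actually collected and whether the caller claims MFA is
    unavailable; the policy, not the agent, produces the outcome."""
    required = REQUIRED_POINTS.get(role)
    if required is None:
        return Decision("denied", 0, 0, f"unknown role {role!r}", evidence)
    unknown = sorted(set(evidence) - set(POINTS))
    if unknown:
        return Decision("denied", 0, required, f"unrecognised evidence {unknown}", evidence)
    if "mfa_push_approved" in evidence:
        return Decision("approved", POINTS["mfa_push_approved"], required,
                        "MFA push approved on the enrolled device", evidence)
    if not mfa_reported_broken:
        # No MFA result and no claim that MFA is broken: do not fall back.
        return Decision("denied", 0, required,
                        "MFA available but not completed; retry MFA", evidence)
    score = sum(POINTS[e] for e in set(evidence))   # duplicates count once
    if role in ALWAYS_ESCALATE:
        return Decision("escalate", score, required,
                        "MFA failure on a privileged account goes to the security team", evidence)
    if score >= required:
        return Decision("approved", score, required, "contingency evidence met threshold", evidence)
    return Decision("denied", score, required,
                    f"contingency evidence {score} below required {required}", evidence)


def audit_event(ticket_id: str, role: str, decision: Decision) -> Dict[str, object]:
    """Telemetry record returned to the ITSM ticket and forwarded to the SIEM.
    It carries the decision and the evidence types, never the credential."""
    return {
        "ticket": ticket_id,
        "role": role,
        "outcome": decision.outcome,
        "score": decision.score,
        "required": decision.required,
        "evidence": sorted(set(decision.evidence)),
        "reason": decision.reason,
    }


if __name__ == "__main__":
    d = verify_reset("finance", ["employee_id_match", "manager_name_match"], True)
    print(audit_event("INC-1001", "finance", d))   # outcome denied, score 2 of 5
```

Two design points matter more than the numbers: the caller's own phone number is never a callback target (only the number on file earns points), and a privileged account whose MFA "is not working" is escalated regardless of how convincing the rest of the evidence is, because that is precisely the story a social engineer tells.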

WestJet Confirms Breach Exposed Customers' Passports

🔒 WestJet has confirmed that a cybersecurity incident disclosed on June 13 exposed sensitive customer information, including passports and other government IDs, according to a notification shared with U.S. authorities. The airline said an investigation completed on September 15 found impacted records varied by individual and could include full name, date of birth, mailing address, travel documents, loyalty program details, and certain card account information. WestJet emphasized that no credit or debit card numbers, expiry dates, CVV codes, or user passwords were compromised and is offering free two-year identity theft protection to affected customers. The company said the FBI is involved in the probe and that it is still working to determine the full scope of the incident.
read more →

Stop Alert Chaos: Contextual SOCs Improve Incident Response

🔍 The Hacker News piece argues that traditional, rule‑driven SOCs produce overwhelming alert noise that prevents timely, accurate incident response. It advocates flipping the model to treat incoming signals as parts of a larger story—normalizing, correlating, and enriching logs across identity, endpoints, cloud workloads, and SIEMs so analysts receive coherent investigations rather than isolated alerts. The contributed article presents Conifers and its CognitiveSOC™ platform as an example of agentic AI that automates multi‑tier investigations, reduces false positives, and shortens MTTR while keeping human judgment central.
read more →
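Both the Unit 42 entry above (identity forensics and behavioural baselining across cloud telemetry) and this one (normalising, correlating and enriching signals from identity, endpoint and cloud sources into one investigation) describe the same pipeline, so one added example serves both. It is written for this page and is not Unit 42's or Conifers' code: the three log formats are constructed samples using RFC 5737 test addresses, the identity mapping (IAM user name from the last ARN segment, IdP user from the local part of the e-mail) and the SENSITIVE_ACTIONS list are assumptions of the example, and the scoring is illustrative. Events before DEFAULT_CUTOFF form the baseline; later events are grouped per identity, flagged when they come from a never-seen source IP or perform a sensitive action, and only identities that accumulate a score are surfaced, which is how the same inputs become one case instead of several disconnected alerts.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# --- constructed sample telemetry; not real logs (RFC 5737 test addresses) ---
CLOUDTRAIL = [
    {"eventTime": "2025-10-01T09:12:00Z", "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2025-10-02T10:05:00Z", "eventName": "GetObject", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2025-10-03T11:00:00Z", "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventTime": "2025-10-14T03:41:00Z", "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2025-10-14T03:43:00Z", "eventName": "AttachUserPolicy", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2025-10-14T08:00:00Z", "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
]
IDP_SIGNINS = [
    {"time": "2025-10-01T09:10:00Z", "user": "alice@example.com", "ip": "203.0.113.5", "result": "success"},
    {"time": "2025-10-14T03:39:00Z", "user": "alice@example.com", "ip": "198.51.100.77", "result": "success"},
]
EDR = [
    {"ts": "2025-10-14T03:45:00Z", "user": "alice", "host": "wks-17", "cmdline": "aws iam list-users"},
]

SENSITIVE_ACTIONS = {"CreateAccessKey", "AttachUserPolicy", "PutUserPolicy", "UpdateLoginProfile"}
DEFAULT_CUTOFF = datetime(2025, 10, 10, tzinfo=timezone.utc)   # baseline window ends here


@dataclass
class Event:
    ts: datetime
    source: str
    identity: str      # canonical user name shared by all three sources
    action: str
    src_ip: Optional[str]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalise() -> List[Event]:
    """Map each source onto the common schema.  Identity mapping is an
    assumption of this example: IAM user name = last ARN segment, IdP user =
    local part of the e-mail, EDR user as logged.  EDR events carry no IP."""
    events: List[Event] = []
    for r in CLOUDTRAIL:
        events.append(Event(_ts(r["eventTime"]), "cloudtrail",
                            r["userIdentity"]["arn"].rsplit("/", 1)[-1],
                            r["eventName"], r["sourceIPAddress"]))
    for r in IDP_SIGNINS:
        events.append(Event(_ts(r["time"]), "idp", r["user"].split("@")[0],
                            f"signin:{r['result']}", r["ip"]))
    for r in EDR:
        events.append(Event(_ts(r["ts"]), "edr", r["user"], r["cmdline"], None))
    return sorted(events, key=lambda e: e.ts)


def build_investigations(cutoff: datetime, min_score: int = 1) -> Dict[str, dict]:
    """Baseline each identity's source IPs from events before `cutoff`, then
    group later events per identity, enrich them with flags and return only
    identities whose combined score reaches `min_score`."""
    events = normalise()
    baseline_ips: Dict[str, set] = defaultdict(set)
    for e in events:
        if e.ts < cutoff and e.src_ip:
            baseline_ips[e.identity].add(e.src_ip)

    cases: Dict[str, dict] = {}
    for e in events:
        if e.ts < cutoff:
            continue
        case = cases.setdefault(e.identity, {"events": [], "new_ips": set(), "sources": set(), "score": 0})
        flags = []
        # An identity with no baseline at all has every IP flagged; that is intended.
        if e.src_ip and e.src_ip not in baseline_ips[e.identity]:
            flags.append("new_ip")
            case["new_ips"].add(e.src_ip)
            case["score"] += 1
        if e.action in SENSITIVE_ACTIONS:
            flags.append("sensitive_action")
            case["score"] += 2
        case["events"].append((e.ts.isoformat(), e.source, e.action, e.src_ip, flags))
        case["sources"].add(e.source)
    return {k: v for k, v in cases.items() if v["score"] >= min_score}


if __name__ == "__main__":
    for identity, case in build_investigations(DEFAULT_CUTOFF).items():
        print(identity, "score", case["score"], "new IPs", sorted(case["new_ips"]))
        for row in case["events"]:
            print("  ", row)
```

On the sample data the output is a single case for alice that reads as a story (IdP sign-in from a new address, then CreateAccessKey and AttachUserPolicy from that address, then CLI activity on her workstation) while bob's routine ListBuckets from his usual address never becomes an alert. In production the baseline would come from the retained log history the Unit 42 guidance asks for, and the case object is what an analyst, or the containment step, acts on.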

How to Restructure a Security Program to Modernize Defense

🔒 The article advises that organizations should proactively restructure security programs instead of waiting for breaches or regulator intervention. It cites the 2024 FTC order against Marriott, following incidents exposing personal data of 344 million guests, as a cautionary example. Practical guidance includes an independent top-to-bottom review, listening tours, delivering quick visible wins, simplifying tool stacks, adopting AI-enabled capabilities, and investing in staff and training. It also outlines frequent mistakes such as insufficient executive buy-in, hiring biases, and underestimating evolving threats.
read more →