10 Types of Security Incidents and How to Handle Them
Security incidents are events that put the confidentiality, integrity or availability of an organization’s systems or data at risk. A security incident may or may not result in compromised data, depending on whether measures in place to protect the digital environment succeed or fail.
In IT, a security event is anything that has significance for system hardware or software, and an incident is an event that disrupts normal operations. Security events are usually distinguished from security incidents by the degree of severity and the associated potential risk to the organization.
If just one user is denied access to a requested service, for example, that may be a high-severity security event because it could indicate a compromised system. On the other hand, the access failure could be due to any number of relatively innocuous factors. Typically, that one event doesn’t have a severe impact on the organization and, therefore, doesn’t qualify as an incident.
If large numbers of users are denied access, however, it likely means there’s a more serious problem, such as a DoS attack. In that case, the event is classified as a security incident.
A security breach is a confirmed incident in which sensitive, confidential or otherwise protected data has been accessed or disclosed in an unauthorized fashion.
Unlike a security breach, a security incident doesn’t necessarily mean information has been compromised — only that the information was threatened. For example, an organization that successfully thwarts a cyberattack has experienced a security incident but not a breach.
How to detect security incidents
Nearly every day brings a new headline about one high-profile data breach or another. But many more incidents go unnoticed because organizations don’t know how to detect them.
Here are some signs enterprises can look for to uncover security incidents:
- Unusual behavior from privileged user accounts. Any anomalies in the behavior of a privileged user account can indicate someone is using it to gain a foothold in a company’s network.
- Unauthorized insiders trying to access servers and data. Many insiders test the waters to determine exactly what resources they can access. Warning signs include unauthorized users attempting to access servers and data, requesting access to data that isn’t related to their jobs, logging in at abnormal times from unusual locations or logging in from multiple locations in a short time frame.
- Anomalies in outbound network traffic. It’s not just traffic that comes into a network that organizations should worry about. Organizations should monitor for traffic leaving their systems as well. This could include insiders uploading large files to personal cloud applications; downloading large files to external storage devices, such as USB flash drives; or sending large numbers of email messages with attachments outside the company.
- Traffic sent to or from unknown locations. For a company that only operates in one country, any traffic sent to other countries could indicate malicious activity. Administrators should investigate any traffic to unknown networks to ensure it’s legitimate.
- Excessive consumption. A sudden increase in the consumption of server memory, CPU or disk space may mean an attacker is accessing those resources illegally.
- Changes in configuration. Changes that haven’t been approved, including reconfiguration of services, installation of startup programs or firewall changes, are a sign of possible malicious activity. The same is true of scheduled tasks that have been added.
- Hidden files. Files that are suspicious because of their names, sizes or locations can indicate that data or logs may have been leaked.
- Unexpected changes. These include user account lockouts, password changes or sudden changes in group memberships.
- Abnormal browsing behavior. This could be unexpected redirects, changes in the browser configuration or repeated pop-ups.
- Suspicious registry entries. This happens mostly when malware infects Windows systems. It’s one of the main ways malware ensures it remains in an infected system.
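Several of the signs above (logins at abnormal times, logins from multiple locations in a short time frame, and a burst of failed logins that precedes a success) can be checked mechanically. The following block is an added example, not code from the original article: it runs three such checks over a handful of constructed authentication log lines. The log format, the `country=` field and the thresholds (business hours, a two-hour travel window, five failures within a minute) are assumptions chosen for illustration, not values from the article.

```python
"""Flag sign-of-incident patterns in constructed authentication log lines.

Added example, not part of the original article. The log format, the
country field and the thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, user, result, source country.
SAMPLE_LOG = """\
2024-03-04T09:02:11 alice LOGIN_OK country=US
2024-03-04T09:15:40 bob LOGIN_OK country=US
2024-03-04T09:20:05 alice LOGIN_OK country=BR
2024-03-04T02:45:00 svc_backup LOGIN_OK country=US
2024-03-04T10:00:00 carol LOGIN_FAIL country=US
2024-03-04T10:00:02 carol LOGIN_FAIL country=US
2024-03-04T10:00:04 carol LOGIN_FAIL country=US
2024-03-04T10:00:06 carol LOGIN_FAIL country=US
2024-03-04T10:00:08 carol LOGIN_FAIL country=US
2024-03-04T10:00:10 carol LOGIN_OK country=US
"""

BUSINESS_HOURS = range(7, 20)        # assumed: 07:00 to 19:59 local time
TRAVEL_WINDOW = timedelta(hours=2)   # assumed: two countries within 2 h is suspicious
FAIL_BURST = 5                       # assumed: this many failures ...
FAIL_WINDOW = timedelta(seconds=60)  # ... within this window before a success


def parse(line):
    """Split one constructed log line into a dict of typed fields."""
    ts, user, result, country = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "ok": result == "LOGIN_OK", "country": country.split("=", 1)[1]}


def find_signals(log_text):
    """Return (user, signal_name, timestamp) tuples for each suspicious pattern."""
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    signals = []
    for user, evs in by_user.items():
        oks = [e for e in evs if e["ok"]]
        # Sign 1: consecutive successful logins from different countries
        # closer together than plausible travel time.
        for a, b in zip(oks, oks[1:]):
            if a["country"] != b["country"] and b["ts"] - a["ts"] <= TRAVEL_WINDOW:
                signals.append((user, "multi_location", b["ts"]))
        # Sign 2: successful login outside business hours.
        for e in oks:
            if e["ts"].hour not in BUSINESS_HOURS:
                signals.append((user, "abnormal_time", e["ts"]))
        # Sign 3: a run of failures immediately followed by a success,
        # the footprint of password guessing that eventually worked.
        for i, e in enumerate(evs):
            if e["ok"]:
                recent_fails = [f for f in evs[:i]
                                if not f["ok"] and e["ts"] - f["ts"] <= FAIL_WINDOW]
                if len(recent_fails) >= FAIL_BURST:
                    signals.append((user, "failure_burst", e["ts"]))
    return signals


if __name__ == "__main__":
    for user, kind, ts in find_signals(SAMPLE_LOG):
        print(f"{ts} {user}: {kind}")
```

On the sample data the checks flag `alice` (United States, then Brazil eighteen minutes later), `svc_backup` (a login at 02:45) and `carol` (five failures in ten seconds, then success). A real deployment would pull these thresholds from a baseline of normal behavior rather than hard-code them, and would treat each hit as a lead to investigate, not as a confirmed incident.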
Common attack vectors
An attack vector is a path or means by which a hacker can gain access to a computer or network server to deliver a payload or malicious outcome. Attack vectors enable malicious hackers to exploit system vulnerabilities, including the human end user.
Attack vectors include viruses, email attachments, webpages, pop-up windows, instant messages, chatrooms and deception. All these methods involve software or, in a few cases, hardware. The exception is deception, which is when a human end user is fooled into removing or weakening system defenses.
Although organizations should be able to handle any incident, they should focus on those that use common attack vectors. These include the following:
- External/removable media. The attack is executed from removable media — e.g., CD, flash drive or peripheral device.
- Attrition. This type of attack uses brute-force methods to compromise, degrade or destroy networks, systems or services.
- Web. The attack is executed from a website or web-based application.
- Email. The attack is executed via an email message or attachment. A hacker entices the recipient to either click on a link that takes them to an infected website or to open an infected attachment.
- Improper usage. This type of incident stems from the violation of an organization’s acceptable use policies by an authorized user.
- Drive-by downloads. A user views a website that triggers a malware download; this can happen without the user’s knowledge. Drive-by downloads, which take advantage of vulnerabilities in web browsers, inject malicious code using JavaScript and other browsing features.
- Ad-based malware (malvertising). The attack is executed via malware embedded in advertisements on websites. Merely viewing a malicious ad could inject malicious code into an insecure device. In addition, malicious ads can also be embedded directly into otherwise trusted apps and served via them.
- Mouse hovering. This takes advantage of vulnerabilities in well-known software, such as PowerPoint. When a user hovers over a link — rather than clicking on it — to see where it goes, shell scripts can be launched automatically. Mouse hovering takes advantage of system flaws that make it possible to launch programs based on innocent user actions.
- Scareware. This manipulates users into purchasing and downloading unnecessary, unwanted and potentially dangerous software. Scareware tricks users into thinking their computers have viruses and then recommends that they download and pay for fake antivirus software to correct the problem. If a user downloads the software and allows the program to execute, however, malware may infect the system.
Understanding attackers’ methodologies and goals
Although an organization can never be sure which path an attacker will take through its network, hackers typically employ a certain methodology — i.e., a sequence of stages to infiltrate a network and steal data. Each stage indicates a certain goal along the attacker’s path. This security industry-accepted methodology, dubbed the Cyber Kill Chain, was developed by Lockheed Martin Corp.
According to Lockheed Martin, these are the stages of an attack:
- Reconnaissance — i.e., identify the targets. Threat actors assess potential targets from outside the organization to identify the ones that best enable them to meet their objectives. The goal of attackers is to find information systems with few protections or with vulnerabilities they can exploit to access the target system.
- Weaponization — i.e., prepare the operation. During this stage, attackers create malware designed specifically to exploit the vulnerabilities discovered during the reconnaissance phase. Based on the intelligence gathered in that phase, attackers customize their tool sets to meet the specific requirements of the target network.
- Delivery — i.e., launch the operation. The attackers send the malware to the target by any intrusion method, such as a phishing email, a man-in-the-middle attack or a watering-hole attack.
- Exploitation — i.e., gain access to victim. The threat actors exploit a vulnerability to gain access to the target’s network.
- Installation — i.e., establish beachhead at the victim. Once malicious hackers have infiltrated the network, they install a persistent backdoor or implant to maintain access for an extended period of time.
- Command and control — i.e., remotely control the implants. The malware opens a command channel, enabling the attackers to remotely manipulate the target’s systems and devices through the network. The attackers can then take control of all affected systems away from their legitimate administrators.
- Actions on objectives — i.e., achieve the mission’s goals. What happens next, now that attackers have command and control of the target’s system, is entirely up to them. They may corrupt or steal data, destroy systems or demand ransom payments, among other things.
10 common types of security incidents and how to prevent them
Many types of cybersecurity attacks and incidents could result in intrusions on an organization’s network. These include the following.
1. Unauthorized attempt to access systems or data
To prevent a threat actor from gaining access to systems or data using an authorized user’s account, implement MFA. This requires a user to provide a password, plus at least one additional piece of identifying information.
Additionally, encrypt sensitive corporate data at rest and as it travels over a network, using suitable software or hardware technology. That way, attackers who intercept or obtain the data can’t read it without the keys.
2. Privilege escalation attack
An attacker who gains unauthorized access to an organization’s network may then try to obtain higher-level privileges using what’s known as a privilege escalation exploit. Successful privilege escalation attacks grant threat actors privileges that normal users don’t have.
Typically, privilege escalation occurs when the threat actor takes advantage of a bug, misconfiguration, programming error or any vulnerability in an application or system to gain elevated access to protected data.
This usually occurs after a malicious hacker has already compromised a network by gaining access to a low-level user account and looks to gain higher-level privileges — i.e., full access to an enterprise’s IT system — either to study the system further or perform an attack.
To decrease the risk of privilege escalation, organizations should look for and remediate security weak spots in their IT environments on a regular basis. They should also follow the principle of least privilege (i.e., limit users’ access rights to the bare-minimum permissions they need to do their jobs) and implement security monitoring.
Organizations should also evaluate the risks to their sensitive data and take the necessary steps to secure that data.
3. Insider threat
This is a malicious or accidental threat to an organization’s security or data typically attributed to employees; former employees; or third parties, including contractors, temporary workers or customers.
To detect and prevent insider threats, implement spyware scanning programs, antivirus programs, firewalls, and a rigorous data backup and archiving routine. In addition, train employees and contractors on security awareness before allowing them to access the corporate network. Implement employee monitoring software to reduce the risk of data breaches and the theft of intellectual property by identifying careless, disgruntled or malicious insiders.
4. Phishing attack
In a phishing attack, a threat actor masquerades as a reputable entity or person in an email or other communication channel. The attacker uses phishing emails to distribute malicious links or attachments that can perform a variety of functions, including extracting login credentials or account information from victims. A more targeted type of phishing attack known as spear phishing occurs when the attacker invests time researching the victim to pull off an even more successful attack.
Effective defense against phishing attacks starts with educating users to identify phishing messages. In addition, a gateway email filter can trap many mass-targeted phishing emails and reduce the number of phishing emails that reach users’ inboxes.
5. Malware attack
This is a broad term for different types of malware that are installed on an enterprise’s system. Malware includes Trojans, worms, ransomware, adware, spyware and various types of viruses. Some malware is inadvertently installed when an employee clicks on an ad, visits an infected website, or installs freeware or other software.
Signs of malware include unusual system activity, such as a sudden loss of disk space; unusually slow speeds; repeated crashes or freezes; an increase in unwanted internet activity; and pop-up advertisements. An antivirus tool can detect and remove malware, either through real-time protection or by running routine system scans.
6. DoS attack
A threat actor launches a denial-of-service (DoS) attack to shut down an individual machine or an entire network so that it’s unable to respond to service requests. DoS attacks do this by flooding the target with traffic or sending it some information that triggers a crash.
An organization can typically deal with a DoS attack that crashes a server by simply rebooting the system. In addition, reconfiguring firewalls, routers and servers can block any bogus traffic. Keep routers and firewalls updated with the latest security patches.
Also, application front-end hardware that’s integrated into the network can help analyze and screen data packets — i.e., classify data as priority, regular or dangerous — as they enter the system. The hardware can also help block threatening data.
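The screening described above, where incoming traffic is classified and flood traffic dropped, is commonly implemented as a per-source token bucket. The block below is an added example, not code from the original article or from any product: it rate-limits constructed request traffic from a well-behaved client and a flooding source. The rates, the request representation and the sample addresses are assumptions chosen for illustration.

```python
"""Per-source token-bucket rate limiting for screening request floods.

Added example, not from the original article. The rates, request format and
sample traffic below are constructed for illustration.
"""
from collections import defaultdict


class TokenBucket:
    """Each source earns `rate` tokens per second, capped at `burst`. A request
    that finds no token is classified as flood traffic and dropped."""

    def __init__(self, rate: float, burst: float):
        self.rate, self.burst = rate, burst
        self.tokens = defaultdict(lambda: burst)   # per-source balance, starts full
        self.last = {}                             # per-source time of last request

    def allow(self, source: str, now: float) -> bool:
        elapsed = now - self.last.get(source, now)
        self.last[source] = now
        # Refill in proportion to the time since the source was last seen.
        self.tokens[source] = min(self.burst, self.tokens[source] + elapsed * self.rate)
        if self.tokens[source] >= 1:
            self.tokens[source] -= 1
            return True
        return False


def screen(requests, rate: float = 5.0, burst: float = 10.0):
    """Classify (time, source) tuples in time order.
    Returns {source: (allowed, dropped)}."""
    bucket = TokenBucket(rate, burst)
    counts = defaultdict(lambda: [0, 0])
    for t, src in sorted(requests):
        counts[src][0 if bucket.allow(src, t) else 1] += 1
    return {s: tuple(c) for s, c in counts.items()}


# Constructed traffic: a normal client at 1 request/s and a flood source at
# 100 requests/s, both starting at t=0 (addresses are documentation ranges).
SAMPLE_TRAFFIC = (
    [(i * 1.0, "10.0.0.5") for i in range(10)]
    + [(i * 0.01, "203.0.113.9") for i in range(200)]
)

if __name__ == "__main__":
    for src, (ok, dropped) in screen(SAMPLE_TRAFFIC).items():
        print(f"{src}: allowed={ok} dropped={dropped}")
```

With a burst of 10 and a refill of 5 tokens per second, the normal client never loses a request, while the flooding source gets its initial burst plus roughly five requests per second and the rest (over 180 of 200) are dropped. Real deployments key the bucket on more than the source address, since floods from many addresses defeat a per-address limit, which is why the front-end screening the article mentions also looks at the content of the traffic.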
7. Man-in-the-middle attack
A man-in-the-middle (MitM) attack is one in which the attacker secretly intercepts and alters messages between two parties who believe they are communicating directly with each other. In this attack, the attacker manipulates both victims to gain access to data. Examples of MitM attacks include session hijacking, email hijacking and Wi-Fi eavesdropping.
Although it’s difficult to detect MitM attacks, there are ways to prevent them. One way is to implement an encryption protocol, such as TLS, that provides authentication, privacy and data integrity between two communicating computer applications. Another encryption protocol is SSH, a network protocol that gives users, particularly system administrators, a secure way to access a computer over an insecure network.
Enterprises should also educate employees about the dangers of using open public Wi-Fi, as those connections are easier for attackers to intercept. Organizations should also tell their workers to pay attention to warnings from browsers that sites or connections may not be legitimate. Companies should also use VPNs to help ensure secure connections.
8. Password attack
This type of attack is aimed specifically at obtaining a user’s password or an account’s password. To do this, malicious hackers use a variety of methods, including password-cracking programs, dictionary attacks, password sniffers and guessing passwords via brute force — i.e., trial and error.
A password cracker is an application program used to identify an unknown or forgotten password for a computer or network resource. This helps an attacker obtain unauthorized access to resources. A dictionary attack is a method of breaking into a password-protected computer or server by systematically entering every word in a dictionary as a password.
To prevent password attacks, organizations should adopt MFA for user validation. In addition, users should choose strong passwords that include at least seven characters, as well as a mix of upper and lowercase letters, numbers and symbols. Users should change their passwords regularly and use different passwords for different accounts. In addition, organizations should use encryption on any passwords stored in secure repositories.
9. Web application attack
This is any incident in which a web application is the vector of the attack, including exploits of code-level vulnerabilities in the application, as well as thwarting authentication mechanisms. One example of a web application attack is a cross-site scripting attack. This is a type of injection security attack in which an attacker injects data, such as a malicious script, into content from otherwise trusted websites.
Enterprises should review code early in the development phase to detect vulnerabilities; static and dynamic code scanners can automatically check for these. Also, implement bot detection functionality to prevent bots from accessing application data. Finally, a web application firewall (WAF) can monitor a network and block potential attacks.
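The cross-site scripting example in the text comes down to one defect: untrusted input is placed into HTML without output encoding. The block below is an added example, not code from the original article: it shows the vulnerable rendering beside the hardened one and a check that demonstrates the difference. The template fragment and the sample comment are constructed for illustration.

```python
"""Cross-site scripting: unescaped interpolation beside its output-encoded form.

Added example; not code from the original article. The template fragment and
the sample comment are constructed for illustration.
"""
import html

TEMPLATE_OPEN = '<div class="comment">'
TEMPLATE_CLOSE = "</div>"


def render_vulnerable(comment: str) -> str:
    """Vulnerable: untrusted input is concatenated straight into the HTML body,
    so any markup inside the comment is parsed as markup by the victim's browser."""
    return TEMPLATE_OPEN + comment + TEMPLATE_CLOSE


def render_hardened(comment: str) -> str:
    """Hardened: output-encode for the HTML text context. '<', '>', '&' and both
    quote characters become entities, so the browser displays them as text."""
    return TEMPLATE_OPEN + html.escape(comment, quote=True) + TEMPLATE_CLOSE


def injected_script(rendered: str) -> bool:
    """Check used by this example to show the difference: True if a literal
    <script tag survived into the page (html.escape turns it into &lt;script)."""
    return "<script" in rendered.lower()


# Constructed sample input: a comment carrying the classic XSS test payload.
SAMPLE_COMMENT = 'Nice post! <script>alert(document.cookie)</script>'

if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(SAMPLE_COMMENT))
    print("hardened:  ", render_hardened(SAMPLE_COMMENT))
```

Encoding is context-specific: `html.escape` is correct for text between tags and for quoted attribute values, but a value placed inside a URL, a `<script>` block or an event-handler attribute needs the encoder for that context, which is why template engines with auto-escaping and the static and dynamic scanners the article mentions are both worth using.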
10. Advanced persistent threat
An advanced persistent threat (APT) is a prolonged and targeted cyberattack typically executed by sophisticated cybercriminals or nation-states. In this attack, the intruder gains access to a network and remains undetected for an extended period of time. The APT’s goal is usually to monitor network activity and steal data rather than cause damage to the network or organization.
Monitoring incoming and outgoing traffic can help organizations prevent hackers from installing backdoors and extracting sensitive data. Enterprises should also install WAFs at the edge of their networks to filter traffic coming into their web application servers. This can help filter out application layer attacks, such as SQL injection attacks, often used during the APT infiltration phase. Additionally, a network firewall can monitor internal traffic.
Examples of security incidents
Here are several examples of well-known security incidents:
- Cybersecurity researchers first detected the Stuxnet worm, used to attack Iran’s nuclear program, in 2010. It is still considered one of the most sophisticated pieces of malware ever detected. The malware targeted SCADA systems and spread through infected USB devices. Both the U.S. and Israel have been linked to the development of Stuxnet, and while neither nation has officially acknowledged its role in developing it, there have been unofficial confirmations that they were responsible for it.
- In October 2016, another major security incident occurred when cybercriminals launched a DDoS attack on domain name system provider Dyn, which disrupted online services worldwide. The attack hit a number of websites, including Netflix, Twitter, PayPal, Pinterest and PlayStation Network.
- In July 2017, a massive breach was discovered involving 14 million Verizon Communications Inc. customer records, including phone numbers and account PINs, which were reportedly exposed to the internet, although Verizon claimed no data was stolen. A month earlier, a researcher from security firm UpGuard found the data on a cloud server maintained by data analytics firm Nice Systems. The data wasn’t password-protected, and as such, cybercriminals could have easily downloaded and exploited it, according to the security firm.
- In 2023, casino giant Caesars Entertainment fell victim to a social engineering campaign that led to the exposure of sensitive customer data, including Social Security numbers. Threat actors reportedly called the IT service desk and tricked personnel into resetting MFA factors for Okta super administrator accounts. MGM suffered a similar incident the same month, resulting in an estimated $100 million in losses.
Trends in the causes of incidents
According to the 2023 “Data Security Incident Response Report” by U.S. law firm BakerHostetler, the number of security incidents and their severity remain high. Even as organizations implement new security measures, attackers find ways to circumvent them.
In an analysis of more than 1,160 incidents, BakerHostetler found network intrusions were most common, accounting for nearly half of all security incidents. Thirty percent of incidents were business email compromise attacks, and 12% involved inadvertent disclosure of private information.
The most common known root cause was phishing, which kicked off one in four security incidents. Unpatched vulnerabilities were behind 11% of cases; social engineering and other human error each drove 5% of incidents.
Ransomware was involved in 28% of incidents analyzed. Across all industries, the average time to recover after a ransomware attack increased over the previous year, as did the average ransom payment.
On the bright side, detection and response capabilities improved. The median number of days to detect an attack was three — down from 13 the previous year. The median time from discovery to containment was zero days. The time from containment to forensic analysis also decreased, from 30 days to 24.
Create an incident response plan
The expanding threat landscape puts organizations at more risk of being attacked than ever before. As a result, enterprises must constantly monitor the threat landscape and be ready to respond to security incidents, data breaches and cyberthreats when they occur.
Putting well-defined incident response plans in place enables organizations to effectively identify these incidents, minimize the damage and reduce the costs of cyberattacks. Such plans also help companies prevent future attacks.