As a cybersecurity professional, or someone inclined towards the cybersecurity field, you will have come across the term INCIDENT RESPONSE. However, do you know what the role of INCIDENT RESPONSE actually is?
Don’t worry, we will answer that in a bit.
INCIDENT RESPONSE belongs to the BLUE TEAM side of CYBERSECURITY. Incident responders are responsible for handling cybersecurity incidents when they arise, and are therefore known as FIRST INCIDENT RESPONDERS. The role of the INCIDENT RESPONDER or INCIDENT RESPONSE TEAM focuses on gathering COMPUTER EVIDENCE (the discipline known as COMPUTER FORENSICS) from the systems involved in the cyber incident, as part of the exhibits to be investigated.
The process of collecting this information is called EVIDENCE COLLECTION, and the information collected is known as “EVIDENCE.”
Now comes the question, what is COMPUTER SECURITY INCIDENT:
“A Computer Security Incident is an act that is mischievous, sinister, destructive, damaging, and disastrous on a computing device (computers, or any computing hardware), done by a person; resulting in the computing device or hardware resources being temporarily or permanently damaged.” - FixitGearWare Security
In less complex terms, it is:
- The Intention to cause harm.
- Performed by a Person (mostly malicious).
- Resulting in The Destruction of Computing Resources.
The complexities of the FIRST INCIDENT RESPONSE profession are a reason why the COMPUTER SECURITY INCIDENT should be understood in depth.
UNDERSTANDING COMPUTER SECURITY INCIDENT:
SCENARIO 1 THE INTENTION TO CAUSE HARM (FROM A GREY HAT HACKER’S PERSPECTIVE):
Grey Hats are known to be good sometimes and bad most of the time. This is fueled by their motivation when conducting penetration testing or hacking activity (sometimes ethical, sometimes not). If a Grey Hat, in the process of testing a web application, discovers a database that exposes customer credentials, and instead of reporting it decides to dump the database and sell the data on the dark web (leaning on his dark side this time), we could consider this an INTENTION TO CAUSE HARM.
At this point he hasn’t dumped the database table yet; he is still contemplating it. Hence, there is no harm. Nonetheless, there is certainly an intent to do so (dumping the database table and selling it).
SCENARIO 2 PERFORMED BY A PERSON (MOSTLY MALICIOUS):
Here the Grey Hat has made his final decision. Consequently, any incident that occurs after he has successfully dumped the database would be considered a Computer Security Incident. However, if he was yet to dump the database, and there was a system blackout due to a power outage resulting from electrical faults or lightning, then that would certainly not be called an incident, unless the database had been dumped before the power outage, or the Grey Hat in some way influenced the outage.
SCENARIO 3 RESULTING IN THE DESTRUCTION OF COMPUTING RESOURCES:
To classify an occurrence as a Computer Security Incident, there must be a destruction of computing resources. As technology evolves, computing resources are no longer just computers, so it is pertinent to use the broader term computing resources. These resources could be Database Backups, Webserver/Website Backups, Video recordings and CCTV cameras, Authentication Applications, Recovery Keys, Access Cards, Credit Cards, and so on.
The destruction of these various computing components, or resources, results in them not being usable when needed, or renders them completely unavailable (Destruction of Computing Resources).
Summarizing these three scenarios: the Grey Hat hacker must have the intent (The Intent Must Be There); the damage caused to the computing device must be done by a person, in this case the Grey Hat hacker; and computing resources (Data, Hardware and so on) must have been damaged or compromised.
This analysis describes the COMPUTER SECURITY INCIDENT and the criteria for an occurrence to be considered an Incident.
It is imperative to note that an occurrence that seems suspicious is to be treated as a potential incident until all investigation has concluded and proven that the occurrence is not an incident at all.
Now that you understand what INCIDENT RESPONSE and a COMPUTER SECURITY INCIDENT are, let’s look at the categories of COMPUTER SECURITY INCIDENTS, with notable CYBERSECURITY INCIDENTS as examples.
- Sensitive Information Exfiltration and Data theft. This could be PII (Personally Identifiable Information), email addresses, and other essential information.
“Dell reportedly gets hit with a cyber-attack resulting in the compromise of over 49 million customers’ data associated with the giant tech company.” https://www.bleepingcomputer.com/news/security/dell-warns-of-data-breach-49-million-customers-allegedly-affected/
- Financial loss, wire fraud, and illegitimate access to users’ bank accounts.
“BBTOK Malware impersonates over 40 international bank accounts in Latin America and Mexico.” https://www.fixitgearware.com/cybsec-news/global-news/bbtok-trojan-impersonates-40-banks-to-seize-victim-accounts/2023/09/25/
- Ransomware and Extortion.
“Hospitals across Romania get hit with a ransomware attack. Threat actors are making demands for crypto as a form of payment.” https://www.fixitgearware.com/cybsec-news/global-news/bbtok-trojan-impersonates-40-banks-to-seize-victim-accounts/2023/09/25/
- Accessing computing resources without the authorization to do so. This concept is best understood from a DDoS attack perspective.
https://www.fixitgearware.com/cybsec-news/cyber-security/cyber-security-attacks-series-part-1-dos-ddos/2024/02/28/
- Having access to, and possessing, illegal or unauthorized materials.
“A Cyber Incident has been reported to compromise over 62 Australian Government Institutions.” https://www.fixitgearware.com/cybsec-news/global-news/major-cyber-attack-compromises-australian-government-institutions/2024/01/15/
- The presence of spyware, malware, and remote access software.
“A fake Telegram application is reported to have been used to compromise millions of users.” https://www.fixitgearware.com/cybsec-news/cyber-security/cyber-security-attacks-series-part-1-dos-ddos/2024/02/28/
These incidents would certainly result in a range of outcomes such as financial loss, the cost of mitigation and remedial actions, and permanent reputational damage. On that account, the actions taken BEFORE, DURING, and AFTER an Incident are crucial: they may not only impact the organization negatively but may also lead to its permanent dissolution if the computing resources are irreparable.
Put your thoughts about this in the comment section below.