Identifying Cyber Incidents and Their Potential Impact
With the war being waged in Ukraine and other global unrest, your company could be a possible target of hackers looking to infiltrate your IT systems and uncover vital intelligence about your work with the DoD, your technology, your contracts, and more. What can you do to be alerted to any incursions into your infrastructure–and how can you stay ahead of the threats and guard against incidents?
Know what constitutes an cyber incident
These occurrences are centered around network or system breaches. With the post-COVID work environment resulting in a lot of remote workers, there can be many ways to infiltrate your systems.
At the most basic level, incidents are some type of intrusion for the purpose of political espionage or to acquire trade secrets. Typically for the defense industry base that translates to an attack against cloud infrastructure via an insertion of malicious software. An incident could also be a physical breach, such as a car break-in resulting in company laptop theft.
How do you know that a cyber incident has happened?
Receiving notification that an incident has occurred is the first step to mitigating its impact. Make sure you have deep visibility into your IT infrastructure, which could include laptops, cloud infrastructure, and more. Reviewing logs from the multiple security products that monitor these disparate systems provides insight into vulnerabilities and abnormalities in your environment. The team at CyberSheath is skilled at this review and analysis.
For example, Azure Active Directory through Microsoft allows us to geolocate where an employee is attempting to log in. Analytic alerts may notify us of an employee who is based in San Diego trying to access your systems from Calgary, which could signal an issue of compromised credentials. We can also see when someone successfully is able to log in through the first factor, which is the password, but then fails multifactor authentication, which also indicates a potential issue. These are indications of a breach in progress, and then, depending on the security proxy in place, we can investigate and escalate to your company as necessary.
Reporting cyber incidents
DFARS requires that you report a cybersecurity incident within 72 hours. Any malicious software has to be provided to the DoD cybercrime center. Using our tools, we can isolate a host and download the potentially malicious file. Learn how to report these incidents to the DoD–and if you are a subcontractor, be sure to also inform your prime.
Threat levels and category definitions
- Critical – These rare occurrences represent a real or imminent threat that would severely impact overall business availability, including widespread ransomware or breaches that result in down email. Unauthorized access changes, unauthorized release or disclosure of information, network intrusion, or widespread malicious incidents are often at the root of these issues. If you have good security hygiene and the products required, incidents don’t become critical. It’s typically companies with no patch management or endpoint detection response system that have these urgently important incidents.
- High – These incidents hold moderate impact. It could be that an entity is scanning your network and you need to jump on it right away. They indicate an internal threat, perhaps where someone changes a password or there’s privilege abuse, and a malicious code is launched.
- Medium – Not posing an immediate threat, these occurrences are time-sensitive and suspicious–and could have a long term business risk. This could be an employee’s email account getting compromised. In this example, a threat actor could then use this internal account to gain more access to internal systems and information.
- Low – These happenings are typically related to non-standard client content configurations and potential improper use. Perhaps someone visits a website that may be suspect, or uses a VPN. These things can obviously get escalated up the chain for verification, but there may be justifiable business uses that still trigger an alert.
A note about false positives
In monitoring incidents, it is always better to investigate issues that ultimately turn out to not be threats, than to have potentially harmful activities go unnoticed. Some client environments may have an initial false positive rate of up to 70% before tuning. Typically these false positive events are us flagging someone logging in from a different location. A quick call can then uncover that the employee in question is indeed on the road–and the issue is resolved.
How CyberSheath can help
We offer a variety of services to ensure that your systems are robust and monitored 24/7/365.
- Patch management – Making sure your systems are up to date with the latest patches from all if your technology solutions providers is vital to your cybersecurity. We ensure your systems are all current, which stops incidents from happening.
- Back-up services – Keeping accurate back-ups of all of your company’s electronics information is essential.
- Security Operations Center (SOC) – Information security shouldn’t take evenings off. Our all-day, everyday security monitoring team, takes on the task of making sure your systems are secure and protected, quickly alerting you of possible incidents.
Learn more about our monitoring services and how we can help you secure your infrastructure.