Ransomware is a type of malicious software, or malware, that locks up a victim's data or computing device and threatens to keep it locked—or worse—unless the victim pays a ransom. The latest X-Force Threat Intelligence Index from IBM reports that 20% of network attacks used ransomware and that extortion-based attacks are a driving force in cybercrime—only surpassed by data theft and leaks.

Phishing attacks are digital or voice messages that try to manipulate recipients to share sensitive information, download malicious software, transfer money or assets to the wrong people or take some other damaging action.  

Attackers craft phishing messages to look or sound as if they come from a trusted or credible organization or individual—sometimes even an individual the recipient knows personally.

Phishing and stolen or compromised credentials are the two most prevalent attack vectors, according to the IBM Cost of a Data Breach report. Phishing is also the most common form of social engineering—a class of attack that hacks human nature, rather than digital security vulnerabilities, to gain unauthorized access to sensitive personal or enterprise data or assets.

In a distributed denial-of-service (DDoS) attack, hackers gain control of large numbers of computers and use them to overwhelm a target organization’s network or servers with bogus traffic, making those resources unavailable to legitimate users.

Supply chain attacks are cyberattacks that infiltrate a target organization by attacking its vendors. For example, this could include stealing sensitive data from a supplier’s systems or using a vendor’s services to distribute malware. 

There are two types of insider threats. Malicious insiders are employees, partners or other authorized users who intentionally compromise an organization’s information security. Negligent insiders are authorized users who unintentionally compromise security by failing to follow security best practices—by, say, using weak passwords or storing sensitive data in insecure places.

These involve an attacker who first gains limited privileges in a system and uses those to move laterally, receiving higher privileges and gaining access to more sensitive data along the way. 

Stolen credentials can help the attacker with either the initial entry or boosting their privileges. According to the X-Force Threat Intelligence Index, the abuse of valid accounts is the most common way that attackers breach systems today.

In an MITM attack, the threat actor intercepts a communication—often an email containing sensitive information such as usernames or passwords—and either steals or alters that communication. The attacker either uses the stolen information directly or injects malware to be forwarded to the intended recipient.

This first phase of incident response is also a continuous one. The CSIRT selects the best possible procedures, tools and techniques to respond, identify, contain and recover from an incident as quickly as possible and with minimal business disruption.

Through regular risk assessment, the CSIRT identifies the business environment to be protected, the potential network vulnerabilities and the various types of security incidents that pose a risk to the network. The team prioritizes each type of incident according to its potential impact on the organization.  

The CSIRT might “wargame” several different attack strategies and then create templates of the most effective responses to speed action during a real attack. Response time might be tracked to establish metrics for future exercises and possible attacks. Based on a complete risk assessment, the CSIRT might update existing incident response plans or draft new ones.

During this phase, security team members monitor the network for suspicious activity and potential threats. They analyze data, notifications and alerts gathered from device logs and various security tools (antivirus software, firewalls) to identify incidents in progress. The team works to filter false positives from real incidents, triaging the actual alerts in order of severity.

Today, most organizations use one or more security solutions—such as security information and event management (SIEM) and endpoint detection and response (EDR)—to monitor security events in real time and automate response efforts. (See the “Incident response technologies” section for more.)

The communication plan also comes into play during this phase. When the CSIRT has determined what kind of threat or breach they're dealing with, they'll notify the appropriate personnel and then move to the next stage of the incident response process.

The incident response team takes steps to stop the breach or other malicious activity from doing further damage to the network. The emergency incident response plans then go into action. There are two categories of containment activities:

• Short-term mitigation measures focus on preventing the current threat from spreading by isolating the affected systems, such as by taking infected devices offline.

• Long-term containment measures focus on protecting unaffected systems by placing stronger security controls around them, such as segmenting sensitive databases from the rest of the network.

At this stage, the CSIRT might also create backups of affected and unaffected systems to prevent additional data loss and capture forensic evidence of the incident for future study.  

After the threat has been contained, the team moves on to full remediation and complete removal of the threat from the system. This could include removal of malware or booting an unauthorized or rogue user from the network. The team also reviews both affected and unaffected systems to help ensure that no traces of the breach are left behind.   

When the incident response team is confident the threat has been entirely eradicated, they restore affected systems to normal operations. This remediation might involve deploying patches, rebuilding systems from backups and bringing systems and devices back online. A record of the attack and its resolution are retained for analysis and system improvements.

Throughout each phase of the incident response process, the CSIRT collects evidence of the breach and documents the steps it takes to contain and eradicate the threat. At this stage, the CSIRT reviews this information to better understand the incident and gather “lessons learned.” The CSIRT seeks to determine the root cause of the attack, identify how it successfully breached the network, and resolve vulnerabilities so that future incidents of this type don't reoccur. 

The CSIRT also reviews what went well and looks for opportunities to improve systems, tools and processes to strengthen incident response initiatives against future attacks. Depending on the circumstances of the breach, law enforcement might also be involved in the post-incident investigation. 

ASM solutions automate the continuous discovery, analysis, remediation and monitoring of vulnerabilities and potential attack vectors across all the assets in an organization's attack surface. ASM can uncover previously unmonitored network assets and map relationships between assets.

EDR is software designed to automatically protect an organization's users, endpoint devices and IT assets against cyberthreats that get past antivirus software and other traditional endpoint security tools. 

EDR collects data continuously from all endpoints on the network. It also analyzes the data in real time for evidence of known or suspected cyberthreats and can respond automatically to prevent or minimize damage from the threats it identifies.

SIEM aggregates and correlates security event data from disparate internal security tools (for example firewalls, vulnerability scanners and threat intelligence feeds) and from devices on the network.

SIEM can help incident response teams fight “alert fatigue” by distinguishing indicators of actual threats from the huge volume of notifications that security tools generate.

SOAR enables security teams to define playbooks, formalized workflows that coordinate different security operations and tools in response to security incidents. SOAR platforms can also automate portions of these workflows where possible.

UEBA uses behavioral analytics, machine learning algorithms and automation to identify abnormal and potentially dangerous user and device behavior.

UEBA is effective at identifying insider threats—malicious insiders or hackers that use compromised insider credentials—that can elude other security tools because they mimic authorized network traffic. UEBA functions are often included in SIEM, EDR and XDR solutions.

XDR is a cybersecurity technology that unifies security tools, control points, data and telemetry sources and analytics across the hybrid IT environment. XDR creates a single, central enterprise system for threat prevention, detection and response. XDR can help overextended security teams and SOCs do more with less by eliminating silos between security tools and automating responses across the entire cyberthreat kill chain.

AI-powered systems can accelerate threat detection and mitigation by monitoring enormous volumes of data to speed the search for suspicious traffic patterns or user behaviors.

AI-powered systems can support more proactive incident response processes by providing real-time insights to the cybersecurity team, automating incident triage, coordinating defenses against cyberthreats and even isolating systems under attack. 

AI-powered risk analysis can produce incident summaries to speed alert investigations and help find the root cause for a failure. These incident summaries can help forecast which threats are most likely to occur in the future so the incident response team can fine-tune a stronger plan to meet those threats.