What is a cybersecurity incident?

A cybersecurity incident is a specific type of security incident that involves a breach or compromise of digital assets, computer systems, networks or data. It encompasses incidents that relate to the intentional exploitation of digital vulnerabilities such as malware, hacking attacks, data breaches or DoS attacks. Cybersecurity incidents can vary widely in terms of scope, impact and severity. They require immediate attention and response to mitigate potential harm.

How are cybersecurity incidents related to security events and security incidents?

In conclusion, a cybersecurity incident is a subset of security incidents, involving confirmed breaches or compromises of digital security that lead to unauthorized access or potential damage. It signifies a significant breach of security policies. In contrast, security events are early indicators of potential threats, highlighting unusual activities in IT environments. While security events are potential precursors to incidents, a cybersecurity event is a broader term covering both minor security events and major security incidents. Security incidents are any activity that poses a real time threat to the integrity of an organization's network. Organizations must diligently monitor and respond to cybersecurity events to enhance their cybersecurity posture and safeguard against security incidents.

For instance, a real-life example of a cybersecurity incident involved ChatGPT in March 2023. OpenAI admitted to the breach by releasing a statement acknowledging that credit card information, email IDs, membership numbers, names, and addresses of some users were visible to other users. This information was available for a nine-hour window and users who were active during this time risked having their details visible to other users. This breach is attributed to a bug in the open source AI that was being used by ChatGPT.

The growing importance of cybersecurity

The risks associated with cybercrimes are escalating as the digital age continues to progress. CyberCrime Magazine predicted that cybercrime will cost the world over USD 10 trillion annually by 2025.It is difficult to calculate the return on investment while budgeting for an organization's cybersecurity spending, however it remains most important. Highlighting the emphasis on cybersecurity, Bank of America's CEO, Brian Moynihan, once said that they had an unlimited spending budget on cybersecurity.

Understanding the intricacies of cybersecurity incidents, distinguishing them from security events and other incidents is crucial.

Difference between a security event and security incident

It is important to know the difference between a security event and a security incident. A security event is an occurrence in the network that might lead to a security breach. If a security event is confirmed to have resulted in a breach, the event is termed a security incident. A security incident results in risk or damage to the resources and assets of an enterprise. Based on the breach detected, sufficient action has to be taken to limit the damage and prevent the incident from getting worse.

Security events

Security events are the first step towards identifying a threat or a complete attack. An enterprise might run into thousands of security events per day. However, not all security events indicate a cyberattack. For example, a user receiving a spam email triggers a security event. Such events need to be monitored using a SIEM solution to detect if a security event leads to a security incident.

Some of the most common sources of security events that should be analyzed in a network are explained below.

Firewalls

A firewall controls traffic to and from the network. Firewall logs provide the first evidence of an intrusion by attackers. So, security events detected from firewall logs must be carefully monitored. Below are some of the common security events and incidents that you should monitor from firewall logs.

• Spike in incoming or outgoing traffic: A spike in incoming or outgoing traffic is a critical security event. On further inspection into the firewall logs, if multiple packets are received from source IP addresses unknown to your organization, this is a security incident, as it indicates a possible DDoS attack.
• Configuration changes to firewall policies: Changes to firewall configurations are security events, not incidents. However, if a user whose privileges have been recently escalated tries to change the firewall configurations, the event is termed a security incident.
• Modification to firewall settings: Changes made to firewall rules can be normal events unless they allow traffic from or to a malicious C2C server or any other malicious source for data exfiltration. In such cases, the change becomes a security incident. Therefore, it is necessary to carefully monitor these changes.

Critical servers

Critical servers, such as file servers, web servers, and domain controllers, are highly susceptible to attacks, as compromising these systems means gaining control of the network or data to a large extent. Monitoring all the user activities and changes to configurations in these servers is critical. Some of the common security events that you should monitor on critical servers are:

• User logins.
• User permission changes to access the servers.
• Changes to system settings.
• Changes to security configurations.

When the above events, upon investigating, turn out to be from a suspicious source or indicate unusual user behavior, then they are security incidents.

These are some common events that you should monitor. Depending on the functionality of the servers, you can add other events for monitoring. For instance, in a web server, it becomes essential for you to monitor the logs for injection attempts.

Databases

Databases are one of the most common targets for attackers, as they store employee details, confidential business data, and more. Some of the common security events in databases are:

• Changes to database tables: Changes to the tables in a database by privileged account users are security events. If such a user goes on to manipulate multiple tables, it is a security incident.
• Changes to user privileges: When a user's privileges are elevated to access database resources, it is a security event. This becomes a security incident if the user with recently elevated privileges tries to change the privileges of other users by adding or removing members in the database administrators security group.
• Accessing or extracting sensitive data: Employee biometric information, customer records, and transaction details are examples of sensitive enterprise information. If a user tries to extract such information from the database, it is a security incident.

Endpoints

Endpoints such as laptops and desktops generate a huge amount of security events in a single day. Some of the common security events that you need to monitor from endpoints are:

• Failed login attempts: If a user logs in to their device after repeated failed attempts, it is a security event. If such an event is followed by the user trying to escalate their privileges, it is a security incident.
• Unauthorized software installations: Downloading and installing unauthorized software on a device is a security event. If such an application harms the functioning of other applications and causes the device to malfunction, it is termed a security incident.

Security incidents

A security incident is a security event that damages network resources or data as part of an attack or security threat. An incident doesn’t always cause direct damage, but it still puts the enterprise's security at risk. For example, a user clicking on a link in a spam email is a security incident. This incident doesn't directly cause any damage, but it could install malware that causes a ransomware attack.

Some of the security incidents that you should be monitoring in your network include:

• Traffic from known malicious IP addresses: Several IP addresses are identified as malicious because of suspected notorious activities carried out through them. The information about malicious IP addresses is called threat information or a threat feed. To track down traffic from malicious sources, you should configure your security solution, such as a SIEM tool, to correlate data between these dynamically updated threat feeds and your network traffic information. If such an IP address is attempting to access the network, your SIEM solution can detect the attempt and take counteraction immediately.
• Suspicious malware installations on endpoints: Millions of malicious emails with genuine-looking attachments are sent to people every day. If such an attachment is opened by an unsuspecting user, this might lead to malware being installed on the device. The attacker may extract sensitive information stored on the user's device through the malware or gain entry into the enterprise's network resources, either of which make this a security incident.
• Unknown login attempts: Companies use VPN services to help remote users connect to the organization's network. If a hacker manages to crack the credentials of a remote user, they can enter the network and launch a full-scale cyberattack. If a user reports that their credentials have been compromised and that they had not logged in to the network recently, this is a serious security incident requiring rapid response from the IT administrator.
• Privilege escalations: Once an attacker has gained access to the enterprise's network, they can cause only limited damage by masquerading as the user they impersonate. So, their next step is often privilege escalation. Privilege escalation allows the attacker to gain more access and, therefore, better control over the network.
• Unauthorized changes to configurations of critical devices: An unauthorized attempt to make changes to critical services such as firewalls indicates a possible attack on the network, so it’s logged as a security incident.
• Malware infection through removable media: Plugging removable media, such as USB drives and hard drives, into a workstation can be harmful if the external device contains malware. If an antivirus system detects an external device containing malware, a security incident is logged.
• Data manipulation in databases: If the data present in an enterprise’s databases is deleted or modified by an unauthorized user, it is termed a security breach, and the IT administrator must take immediate action to prevent further damage to the enterprise's network.

Organizations must be diligent in monitoring and responding to cybersecurity events to bolster their cybersecurity posture to build their cyber defences against potential threats. Implementing a Security Information and Event Management (SIEM) solution can be instrumental in detecting, managing, and mitigating such incidents, offering a proactive approach to safeguarding your network.