For this week’s “In the News”, research a recent article, providing the link to the article, that describes an incident that impacted an organization.
- How was the impact worse or reduced because of their Incident Response Program?
- What were the strengths of their Incident Response Program?
Kelly Sharadin says
A Japanese gaming publisher, Bandai Namco, responsible for producing games like Elden Ring and Dark Souls, has suffered a breach (most likely ransomware) by the advanced persistent threat group AlphV/BlackCat. Bandai Namco has released a public statement regarding the incident and its ongoing investigation. The statement is evidence that Bandai Namco has some incident response capabilities, as they have contained and temporarily remediated the leak. Having timely communications is a critical part of the incident response process. An organization must be able to notify its customers and stakeholders of emerging details once an incident has occurred to maintain its reputation. In its statement, Bandai Namco mentions they are working to ensure that this does not happen again. Reading the case details, I believe Bandai Namco should increase its detection capabilities regarding unauthorized access and routinely audit what third-party vendors have access to within the organization.
https://www.bleepingcomputer.com/news/security/bandai-namco-confirms-hack-after-alphv-ransomware-data-leak-threat/
Shubham Patil says
A cyber security incident has been noticed on the e-mail system of the Securities and Exchange Board of India (Sebi), which was undergoing a system upgrade, and accordingly an FIR (First Information Report) as per the relevant provisions of law has been filed.
The regulator stated that various mitigation measures were immediately taken in response to that cyber security incident, including informing CERT-IN as per the standard operating procedure and strengthening the required security configuration of the system, among others. CERT-IN (Indian Computer Emergency Response Team) is the national nodal agency for responding to computer security incidents as and when they occur. An official spokesperson said, “It was a small incident. CERT-IN is fully in the loop. No sensitive data was lost. Root cause has been diagnosed and fixed. Prevention for future has been fully implemented”. Sebi said that it constantly monitors its detection and prevention systems and has taken additional measures post-incident to tighten the security procedures for the implementation and migration activities.
This article portrays how the impact was reduced because of their robust Incident Response Program. All procedures in the runbook were followed to respond and mitigate the incident for the future.
Link: https://www.business-standard.com/article/markets/sebi-files-fir-in-cyber-security-incident-no-sensitive-data-lost-122071600923_1.html
Vraj Patel says
Hello Shubham,
I do agree that assessing and analyzing the risks with the new technology would be crucial, specifically with IoT devices. IoT devices make it more difficult for the company, since if they are not properly managed, there might be many IoT devices linked to the network that could potentially provide the attacker access to the company's network.
Mohammed Syed says
https://www.securityweek.com/why-ransomware-response-matters-more-protection
Incident response plans are one of the critical factors for every organization in this digital era. Incident response planning is designed per goals, scope, and guiding principles to mitigate downtime of essential services and reduce the impact of any avoidable attack. It prepares the organization to handle every upcoming critical situation with proper defense to prevent loss. As per the above news article, we understand ransomware is one of the biggest threats to businesses worldwide. It causes a lot of damage for a company beyond the financial cost of paying the ransom: downtime, lost opportunities, as well as ransomware removal processes and recovery expenses. Many organizations have lost money and customer trust, and suffered heavy damage to business regularity and goodwill in standing the business up in the market again.
The main question is what organizations do to minimize the impact of falling victim to a ransomware attack. The answer is only one, which is a proper incident response program to face this type of attack; the organization implements strategic readiness to face the attack and a prevention mechanism in the situation of an attack, so that it is possible to defend against the attack.
Some organizations can be capable of protecting themselves due to proper Incident Response programs such as strategic readiness, enabling ransomware cyber hygiene across endpoints, implementing access device security posture, discovering sensitive endpoint data, self-healing for endpoint security, and other essential vital elements that can protect the organization from dealing with ransomware threats.
Antonio Cozza says
This Portswigger article describes changes being made to a soccer fantasy league application with over 9 million users. While there have been many players complaining of compromised accounts, especially those within the top few % of players as targets, Fantasy Premier League made a statement in late 2021 denying any evidence of compromised accounts as a result of their internal system configuration vulnerabilities or questionable defensive choices. However, as the attacks were large in number and continuing, it prompted change to occur. FPL blamed users for sharing account credentials with third-party team management websites, one of which was hacked soon after the statement by FPL, allowing attackers to gain hashed passwords and usernames associated with them. While the issue was not the direct result of FPL in this case, they took the measure of implementing 2FA for accounts as an added measure in response to this continuing problem (which likely should have already been in use at this time in my opinion). Presumably, the company had sufficient internal preventative and detection controls as it was not directly an issue stemming internally, or at least is unconfirmed so far. Business-wise, this response decision was well received by the regular players overall and made them feel more safe with their accounts, incentivizing continued play of the game / usage of the app.
https://portswigger.net/daily-swig/fantasy-premier-league-football-app-introduces-2fa-to-tackle-account-takeover-hacks
Vraj Patel says
Hey Antonio,
IoT devices do increase the attack surface for an organization, as it would be harder to keep track of them and patch them regularly to secure them from any vulnerability.
Kyuande Johnson says
On June 22, 2022, the University of Windsor was affected by a breach of the university's website. There were many services utilized by the university that were taken down due to the breach. The university immediately hired cyber security experts to perform an investigation of the breach. They were able to identify the security flaw, remediate the vulnerabilities and return back to normal operations within a few days. It was mentioned that the university's payroll systems were affected. Luckily, a contingency plan was put in place to enable the university's staff to be paid on time. The incident response of the university was very effective. Even though systems were taken offline, they were able to eradicate the threat and recover from the breach in a reasonable time without disrupting essential operations.
https://www.cbc.ca/news/canada/windsor/uwindsor-restores-systems-1.6521329
Vraj Patel says
Marriott International had a data breach recently impacting around 300-400 customers. The attacker was able to gain access to one of the individuals' computers through a social engineering technique. The individual that was a victim of that social engineering attack had access to the guests' reservations and their credit card information, which appeared to be compromised during this incident. It appears that Marriott had an effective Incident Response program in place, which lowered the impact of the incident; however, it seems like their security training program needs to be strengthened, which could provide the individual awareness regarding social engineering attacks.
References:
https://www.securityweek.com/marriott-confirms-small-scale-data-breach
Mitchell Dulaney says
“Marriott International suffers latest in series of data breaches”
According to Cybersecurity Hub, a group of hackers successfully gained access to an employee workstation at a Marriott hotel through social engineering. While Marriott has had massive data breaches in recent years, their spokesperson stated that this breach only impacts 300-400 individuals. The data that was exfiltrated was primarily limited to information pertaining to the business operations of the hotel in which the employee was located. The threat actors were not able to access Marriott’s “core network”, which is indicative of some combination of successful security architecture and successful incident response. This means that the networks at the hotel site were properly segmented and protected such that an attacker accessing an employee computer could not easily move into or exfiltrate data from more sensitive networks. The article notes that the company had “identified and was investigating” the breach by the time the threat actors contacted them to attempt to extort the company over the data. While it’s never a good thing when your company experiences a breach, it is a small comfort that the incident response team was able to initiate the response process independently without the threat actor having to notify them.
https://www.cshub.com/attacks/news/iotw-marriott-international-suffers-latest-in-series-of-major-data-breaches