This type of incident involves tricking individuals into revealing sensitive information, such as passwords or credit card details, through deceptive emails or websites.
What is phishing?
A quick way to isolate a potentially compromised container in AWS Elastic Container Service (ECS) or Elastic Kubernetes Service (EKS) is to do this to the specific task or pod, after capturing any volatile evidence (memory, running processes, logs) you still need from it.
What is stopping the task or deleting the pod (terminating it)?
The process of completely removing the root cause of an incident from all affected systems is known as this.
What is eradication?
A key activity after an incident is to document what happened, the actions taken, and the lessons learned in this type of report.
What is an incident report (or after-action report)?
In 2013, this major retailer announced a breach affecting over 40 million credit and debit card numbers, highlighting the risks to Point-of-Sale (POS) systems.
What is Target?
This type of malicious software encrypts a victim's files and demands a payment, often in cryptocurrency, for their release.
What is ransomware?
To prevent a compromised container from accessing other AWS resources, you might review and restrict these, granted through the ECS task role or the IAM role an EKS pod assumes via IAM Roles for Service Accounts (IRSA).
What are IAM permissions or policies?
After eradicating a threat, this process involves restoring affected systems, data, and services to their pre-incident state.
What is recovery?
In post-incident activity, identifying the underlying cause of the incident, so that similar incidents can be prevented in the future, is known as this process.
What is root cause analysis?
This credit reporting agency disclosed in 2017 that the personal information of nearly 150 million individuals was compromised due to a vulnerability in an Apache Struts component.
What is Equifax?
An attack where malicious code is inserted into a legitimate website or application in order to compromise its visitors or users is known as this.
What is a web injection attack (for example stored cross-site scripting, or a compromised third-party script loaded by the site)?
In a containerized environment on AWS, you might use these controls to restrict network traffic to and from specific containers or groups of containers: at the VPC level for ECS tasks (in awsvpc mode) and EKS nodes, and at the pod level in Kubernetes.
What are security groups (or subnet-level Network ACLs) and Kubernetes NetworkPolicy objects, enforced by the cluster's CNI plugin?
A crucial step in eradication often involves identifying and removing these malicious files, processes, or configurations left behind by an attacker.
What are artifacts (or malicious artifacts)?
Based on the lessons learned during an incident, organizations should implement these to improve their security posture and incident response processes.
What are corrective actions or preventative measures?
This internet company disclosed in 2016 that a 2014 breach had compromised over 500 million user accounts, and that a separate 2013 breach, initially reported at 1 billion accounts, affected all 3 billion of its accounts.
What is Yahoo?
This type of incident involves an attacker gaining unauthorized access to a system or network from within the organization, often exploiting insider knowledge or credentials.
What is an insider threat?
If a specific container vulnerability is being exploited, a temporary containment measure might involve rolling the affected service back to a previously known-good version of this artifact, ideally referenced by its immutable digest rather than a mutable tag such as "latest".
What is the container (Docker) image?
In a recovery process, restoring data from these known-good copies, which should be verified and kept offline or immutable so an attacker could not tamper with or encrypt them, is critical to minimizing data loss and returning to operational status.
What are backups?
This process involves reviewing and updating incident response plans and procedures based on the experiences and insights gained from a recent incident.
What is plan review or lessons learned incorporation?
This 2016 breach involved the theft and public leaking of emails and internal documents from a U.S. political party's servers, interfering with the U.S. presidential election and raising concerns about state-sponsored cyber activity; it was attributed to Russian intelligence services.
What is the Democratic National Committee (DNC) hack?
This sophisticated and often targeted type of attack involves a prolonged presence within a victim's network, with the goal of data exfiltration or espionage, often attributed to nation-state actors.
What is an Advanced Persistent Threat (APT)?
To contain a potential data breach from a compromised container, you might temporarily cut off the affected application's access to this layer, where the data it handles lives, such as S3 buckets or RDS instances.
What is the data storage layer (e.g., S3, RDS)?
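As an added example (not part of the original quiz), the two containment clues above, restricting the task role's IAM permissions and cutting the container off from the data storage layer, can be carried out with one small script. It flags over-broad Allow statements in the role's existing policy, builds an explicit Deny for the named S3 buckets and RDS IAM-authentication connects, and builds a second Deny keyed on the aws:TokenIssueTime condition so that temporary credentials already stolen from the container's credential endpoint stop working while sessions a freshly redeployed task obtains afterwards still do. The role name, bucket name, RDS resource id and sample policy are constructed placeholders; boto3 is only imported when --apply is passed, so the script runs offline by default.

```python
"""Containment helpers for a compromised ECS task role / EKS (IRSA) pod role.

Added example: not code from the original page. Runs offline; boto3 is only
imported if you pass --apply, and the role and resource names below are
constructed placeholders.
"""
import json
import sys
from datetime import datetime, timezone

# Constructed sample of an over-broad task role policy, as you might pull it
# with `aws iam get-role-policy` during triage.
SAMPLE_TASK_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Logs", "Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:*:*:*"},
        {"Sid": "TooBroad", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def find_overbroad_statements(policy_doc):
    """Return Allow statements that use a wildcard action ("*" or "service:*")
    or a wildcard resource; these are the first candidates for restriction."""
    flagged = []
    for stmt in policy_doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(a == "*" or a.endswith(":*") for a in actions) or "*" in resources:
            flagged.append(stmt)
    return flagged


def revoke_sessions_policy(issued_before):
    """Deny everything to credentials issued before `issued_before`.

    aws:TokenIssueTime is only present on temporary credentials, which is what
    a task or pod obtains from its credential endpoint, so credentials stolen
    before containment die while sessions obtained afterwards keep working.
    """
    stamp = issued_before.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "RevokeSessionsIssuedBeforeContainment",
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"DateLessThan": {"aws:TokenIssueTime": stamp}},
    }]}


def data_layer_deny_policy(bucket_names, rds_resource_ids):
    """Explicit Deny on the data stores the workload reaches: S3 buckets (bucket
    and object ARNs) and RDS IAM authentication (rds-db:connect). An explicit
    Deny wins over any Allow, so this works before the broad statements are
    cleaned up."""
    statements = []
    if bucket_names:
        arns = [arn for b in bucket_names
                for arn in (f"arn:aws:s3:::{b}", f"arn:aws:s3:::{b}/*")]
        statements.append({"Sid": "DenyDataBuckets", "Effect": "Deny",
                           "Action": "s3:*", "Resource": arns})
    if rds_resource_ids:
        statements.append({"Sid": "DenyRdsIamConnect", "Effect": "Deny",
                           "Action": "rds-db:connect",
                           "Resource": [f"arn:aws:rds-db:*:*:dbuser:{r}/*"
                                        for r in rds_resource_ids]})
    return {"Version": "2012-10-17", "Statement": statements}


def build_containment(policy_doc, now, bucket_names, rds_resource_ids):
    """Return the inline policies to attach plus the Sids a human should review."""
    return {
        "policies": {
            "ContainmentRevokeSessions": revoke_sessions_policy(now),
            "ContainmentDenyDataLayer": data_layer_deny_policy(bucket_names, rds_resource_ids),
        },
        "review": [s.get("Sid", "<no Sid>") for s in find_overbroad_statements(policy_doc)],
    }


def apply_inline_policies(role_name, policies):
    """Attach each document as an inline policy on the role (needs AWS credentials)."""
    import boto3  # imported lazily so everything above runs offline
    iam = boto3.client("iam")
    for name, doc in policies.items():
        iam.put_role_policy(RoleName=role_name, PolicyName=name,
                            PolicyDocument=json.dumps(doc))


if __name__ == "__main__":
    # Placeholder names; replace with the task role and data stores from your triage.
    plan = build_containment(SAMPLE_TASK_ROLE_POLICY, datetime.now(timezone.utc),
                             bucket_names=["orders-data"],
                             rds_resource_ids=["db-ABCDEFGHIJKLMNOP"])
    print(json.dumps(plan, indent=2))
    if "--apply" in sys.argv:
        apply_inline_policies("compromised-task-role", plan["policies"])
```

Run it without arguments to print the plan for review; with --apply it attaches both documents as inline policies on the role. Note that any policy attached to a role is evaluated on every request, so a plain Deny would also block a clean replacement task; the aws:TokenIssueTime condition is what lets you kill only the pre-containment sessions.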
This phase of recovery involves carefully bringing systems back online, often in a controlled and monitored manner, to ensure stability and prevent reinfection.
What is phased restoration (or staged recovery)?
Communicating the findings and improvements resulting from a significant incident to stakeholders, including employees and potentially customers, is a critical part of this post-incident activity.
What is stakeholder communication or transparency?
This global ransomware attack in 2017 spread rapidly across organizations worldwide by exploiting a vulnerability in Microsoft Windows' SMBv1 file-sharing protocol, encrypting files and demanding ransom payments.
What is WannaCry?