This type of alert fires when a user signs in from two geographically distant locations within minutes, a jump too fast to make physically, with no VPN or proxy egress to explain it.
What is impossible travel?
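The check behind this alert, as an added example that is not part of the original quiz: for each user, sort sign-ins by time, compute the great-circle distance between consecutive locations, and alert when the implied speed exceeds what an aircraft could manage. The sign-in events, coordinates and VPN flags below are constructed sample data; in a real pipeline they come from IP-geolocation and VPN/proxy intelligence lookups.

```python
import math
from datetime import datetime

# Constructed sample sign-in events (not real telemetry). Coordinates and the
# vpn flag are assumed to come from IP-geolocation / threat-intel enrichment.
SIGNINS = [
    {"user": "alice", "ts": "2024-03-01T08:00:00", "ip": "203.0.113.10",
     "lat": 40.7128, "lon": -74.0060, "vpn": False},   # New York
    {"user": "alice", "ts": "2024-03-01T08:25:00", "ip": "198.51.100.7",
     "lat": 51.5074, "lon": -0.1278, "vpn": False},    # London, 25 minutes later
    {"user": "bob", "ts": "2024-03-01T09:00:00", "ip": "203.0.113.22",
     "lat": 37.7749, "lon": -122.4194, "vpn": False},  # San Francisco
    {"user": "bob", "ts": "2024-03-01T16:30:00", "ip": "203.0.113.23",
     "lat": 34.0522, "lon": -118.2437, "vpn": False},  # Los Angeles, 7.5 hours later
    {"user": "carol", "ts": "2024-03-01T10:00:00", "ip": "192.0.2.5",
     "lat": 48.8566, "lon": 2.3522, "vpn": False},     # Paris
    {"user": "carol", "ts": "2024-03-01T10:10:00", "ip": "192.0.2.99",
     "lat": 35.6762, "lon": 139.6503, "vpn": True},    # Tokyo, known corporate VPN egress
]

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 1000.0  # a little above airliner cruise speed; tune per org


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(events, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Compare each user's consecutive sign-ins; alert when the implied speed is impossible."""
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            # A known VPN/proxy egress explains the apparent jump; suppress it here
            # (a stricter pipeline would lower the severity rather than drop it).
            if prev["vpn"] or cur["vpn"]:
                continue
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            delta = datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])
            hours = delta.total_seconds() / 3600.0
            # Two locations in the same second is just as impossible as a fast one.
            speed = km / hours if hours > 0 else (math.inf if km > 0 else 0.0)
            if speed > max_speed_kmh:
                alerts.append({"user": user, "from_ip": prev["ip"], "to_ip": cur["ip"],
                               "km": round(km, 1), "minutes": round(hours * 60, 1),
                               "speed_kmh": round(speed, 1)})
    return alerts


if __name__ == "__main__":
    for a in impossible_travel(SIGNINS):
        print(f"IMPOSSIBLE TRAVEL {a['user']}: {a['from_ip']} -> {a['to_ip']} "
              f"{a['km']} km in {a['minutes']} min ({a['speed_kmh']} km/h)")
```

Only alice trips the rule: New York to London is roughly 5,570 km and 25 minutes implies well over 10,000 km/h. Bob's San Francisco to Los Angeles hop is ordinary driving speed, and carol's jump is suppressed because the second sign-in came through a known VPN egress, which is the single most common false-positive source for this alert.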
This is the FIRST action taken after confirming malware on an endpoint to prevent further spread.
What is isolate the host from the network?
This severity rating is assigned to vulnerabilities with a CVSS score between 9.0 and 10.0
What is Critical?
This risk occurs when a cloud storage bucket is configured for public access without restriction.
What is data exposure?
This category of data includes patient health records and is protected under U.S. healthcare regulations (HIPAA).
What is Protected Health Information (PHI)?
This attack technique is indicated when Microsoft Word (winword.exe) spawns cmd.exe or powershell.exe, typically right after a user opens a malicious document.
What is malicious document / macro-based execution?
This action should be taken after a user clicks a phishing link, even if no payload is confirmed.
What is reset user credentials and review activity logs?
This type of vulnerability requires immediate remediation when found on an internet-facing system due to exploitability.
What is a remote code execution (RCE) vulnerability?
This security issue arises when a cloud identity or role has more permissions than necessary.
What is over-permissioned IAM / excessive privileges?
This annual requirement under New York's DFS cybersecurity regulation (23 NYCRR Part 500) must be signed by senior leadership and submitted to confirm compliance.
What is annual certification of compliance?
This attack is identified when many different accounts each show a small number of failed logins from a single source IP, typically followed by a successful login from that same IP.
What is a password spraying attack?
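The distinction that matters in this clue is the shape of the failures: a spray touches many accounts with one or two attempts each (staying under the lockout threshold), whereas a brute force hammers one account. The classifier below is an added example, not from the original quiz; the log lines and their `FAILED`/`SUCCESS user=... src=...` format are constructed for the example, and the thresholds are assumptions to tune against real lockout policy.

```python
import re
from collections import defaultdict

# Constructed authentication log (not real logs). Assumed line format:
#   "<ISO timestamp> <FAILED|SUCCESS> user=<name> src=<ip>"
AUTH_LOG = """\
2024-03-01T09:00:01Z FAILED user=alice src=198.51.100.20
2024-03-01T09:00:03Z FAILED user=bob src=198.51.100.20
2024-03-01T09:00:05Z FAILED user=carol src=198.51.100.20
2024-03-01T09:00:07Z FAILED user=dave src=198.51.100.20
2024-03-01T09:00:09Z FAILED user=erin src=198.51.100.20
2024-03-01T09:00:11Z FAILED user=frank src=198.51.100.20
2024-03-01T09:00:13Z SUCCESS user=frank src=198.51.100.20
2024-03-01T09:05:00Z FAILED user=alice src=203.0.113.5
2024-03-01T09:05:01Z FAILED user=alice src=203.0.113.5
2024-03-01T09:05:02Z FAILED user=alice src=203.0.113.5
2024-03-01T09:05:03Z FAILED user=alice src=203.0.113.5
2024-03-01T09:05:04Z FAILED user=alice src=203.0.113.5
2024-03-01T09:05:05Z FAILED user=alice src=203.0.113.5
2024-03-01T09:10:00Z FAILED user=gina src=192.0.2.1
2024-03-01T09:10:20Z SUCCESS user=gina src=192.0.2.1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAILED|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$")

SPRAY_MIN_ACCOUNTS = 5      # distinct accounts failed from one source
SPRAY_MAX_PER_ACCOUNT = 3   # sprays keep per-account attempts below lockout
BRUTE_MIN_FAILURES = 5      # many failures against a single account


def parse(log_text):
    """Parse log lines into dicts; malformed lines are skipped (a real parser would count them)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def classify_sources(events):
    """Return {src_ip: {verdict, accounts_failed, max_failures_per_account, compromised}}."""
    failures = defaultdict(lambda: defaultdict(int))  # src -> user -> failed count
    successes = defaultdict(list)                      # src -> [(ts, user)]
    for e in events:
        if e["result"] == "FAILED":
            failures[e["src"]][e["user"]] += 1
        else:
            successes[e["src"]].append((e["ts"], e["user"]))

    report = {}
    for src, per_user in failures.items():
        distinct = len(per_user)
        max_per_user = max(per_user.values())
        if distinct >= SPRAY_MIN_ACCOUNTS and max_per_user <= SPRAY_MAX_PER_ACCOUNT:
            verdict = "password_spray"
        elif max_per_user >= BRUTE_MIN_FAILURES:
            verdict = "brute_force"
        else:
            verdict = "benign"
        # A success from a hostile source for an account it also failed on is the
        # account to reset first. Presence is used here; a production rule would
        # also require the success to come after the failures in time.
        compromised = []
        if verdict != "benign":
            compromised = sorted({u for _, u in successes.get(src, []) if u in per_user})
        report[src] = {"verdict": verdict, "accounts_failed": distinct,
                       "max_failures_per_account": max_per_user, "compromised": compromised}
    return report


if __name__ == "__main__":
    for src, info in classify_sources(parse(AUTH_LOG)).items():
        print(src, info)
```

On the constructed log, 198.51.100.20 is classified as a spray with frank as the account to reset, 203.0.113.5 as a brute force against alice, and gina's single typo from 192.0.2.1 stays benign.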
This phase of incident response focuses on stopping lateral movement during an active ransomware event.
What is containment?
This factor lowers the overall risk of a vulnerability when exploitation requires elevated privileges or local access (the CVSS Attack Vector and Privileges Required metrics).
What are exploit prerequisites / required privileges?
This configuration risk exists when containers run as root in production, making any breakout from the container far more damaging to the host.
What is container escape / privilege escalation risk?
This program evaluates vendors who process sensitive data to ensure they meet security standards.
What is third-party risk management?
This technique encodes data into a large number of DNS queries for unique, often high-entropy subdomains of an attacker-controlled domain to covertly exfiltrate it.
What is DNS tunneling (DNS exfiltration)?
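The tell in the clue is the combination of volume and randomness: one zone receives many never-repeated subdomains whose labels look like encoded data rather than words. The detector below is an added example, not part of the original quiz. The query log is constructed; the exfil labels are SHA-256 hex prefixes standing in for encoded chunks, `c2.example` is a placeholder zone, and the two-label "base domain" split and the thresholds are simplifying assumptions (a production version would use the public suffix list and baseline per-zone counts).

```python
import hashlib
import math
from collections import defaultdict

# Constructed DNS query log (not real traffic): "client qname" per entry.
DNS_LOG = [
    "10.0.0.5 www.example.com",
    "10.0.0.5 mail.example.com",
    "10.0.0.7 cdn.example.com",
    "10.0.0.5 www.example.com",
]
# Twelve queries for distinct hex labels under c2.example, imitating chunked exfil.
for i in range(12):
    label = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:32]
    DNS_LOG.append(f"10.0.0.9 {label}.c2.example")

MIN_UNIQUE_SUBDOMAINS = 10  # many never-repeated names under one zone
MIN_MEAN_ENTROPY = 3.0      # bits per character; words sit well below, encoded data above
MIN_MEAN_LABEL_LEN = 16     # encoded chunks are long; hostnames rarely are


def shannon_entropy(s):
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Return (leftmost label, base domain). Assumes a two-label base domain."""
    labels = qname.rstrip(".").split(".")
    if len(labels) < 3:
        return None, ".".join(labels)
    return labels[0], ".".join(labels[-2:])


def find_tunneling(log_lines):
    """Flag zones whose subdomain labels are numerous, long and high-entropy."""
    per_zone = defaultdict(lambda: {"labels": set(), "clients": set()})
    for line in log_lines:
        client, qname = line.split()
        label, zone = split_qname(qname)
        if label is None:  # bare base domain, nothing to score
            continue
        per_zone[zone]["labels"].add(label)
        per_zone[zone]["clients"].add(client)

    flagged = {}
    for zone, info in per_zone.items():
        labels = list(info["labels"])
        stats = {
            "unique_subdomains": len(labels),
            "mean_entropy": round(sum(shannon_entropy(l) for l in labels) / len(labels), 2),
            "mean_label_len": round(sum(len(l) for l in labels) / len(labels), 1),
            "clients": sorted(info["clients"]),
        }
        if (stats["unique_subdomains"] >= MIN_UNIQUE_SUBDOMAINS
                and stats["mean_entropy"] >= MIN_MEAN_ENTROPY
                and stats["mean_label_len"] >= MIN_MEAN_LABEL_LEN):
            flagged[zone] = stats
    return flagged


if __name__ == "__main__":
    for zone, stats in find_tunneling(DNS_LOG).items():
        print(f"POSSIBLE DNS TUNNELING {zone}: {stats}")
```

`example.com` has only three short, low-entropy labels and is never flagged; `c2.example` collects twelve 32-character hex labels with entropy around 3.6 bits per character from a single client, 10.0.0.9, which is the host to pull for investigation. Entropy alone is a weak signal (CDN and telemetry hostnames can look random), which is why the rule also requires volume and length.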
This process determines whether an incident qualifies as a reportable data breach under regulatory requirements.
What is breach assessment / post-incident analysis?
This type of vulnerability affects multiple systems due to a shared component or library across environments.
What is a systemic (or inherited) vulnerability?
This risk scenario combines a critical vulnerability with internet exposure, significantly increasing exploit likelihood.
What is a high-risk (toxic combination) exposure?
This timeframe is required under the HIPAA Breach Notification Rule for notifying affected individuals after a breach of unsecured protected health information.
What is without unreasonable delay, and no later than 60 calendar days after discovery?
This credential access technique is detected when a process other than a known security or system component opens lsass.exe with memory-read access on a Windows system.
What is credential dumping (OS Credential Dumping: LSASS Memory)?
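Both this clue and the earlier one about Word spawning cmd.exe are endpoint telemetry rules, so one added example covers both; it is not from the original quiz. The events below are constructed in the shape of Sysmon records (EventID 1 process creation with `Image`/`ParentImage`, EventID 10 process access with `SourceImage`/`TargetImage`/`GrantedAccess`); the paths, command lines and the allowlist of legitimate LSASS readers are assumptions for the example.

```python
# Constructed Sysmon-style events (not real telemetry). Field names follow Sysmon;
# the values are made up for the example.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe"},
    {"EventID": 10, "SourceImage": r"C:\Windows\Temp\svc.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Assumed known-good LSASS readers (AV/EDR and core system processes). A name-based
# allowlist is a tuning aid, not a security boundary: anyone can name a binary
# MsMpEng.exe, so pair it with a signer or hash check in production.
LSASS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe"}
PROCESS_VM_READ = 0x0010  # the access right needed to read another process's memory


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(events):
    """Run both rules over the events and return the alerts they raise."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 1:
            parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
            # Office applications have no business launching a command interpreter.
            if parent in OFFICE_APPS and child in SHELLS:
                alerts.append({"rule": "office_spawn_shell", "parent": parent,
                               "child": child, "cmdline": ev.get("CommandLine", "")})
        elif ev["EventID"] == 10:
            src, tgt = basename(ev["SourceImage"]), basename(ev["TargetImage"])
            access = int(ev["GrantedAccess"], 16)
            # Reading LSASS memory is what dumpers do; query-only access is routine.
            if tgt == "lsass.exe" and access & PROCESS_VM_READ and src not in LSASS_ALLOWLIST:
                alerts.append({"rule": "lsass_access", "source": ev["SourceImage"],
                               "granted_access": hex(access)})
    return alerts


if __name__ == "__main__":
    for a in evaluate(EVENTS):
        print(a)
```

Two events fire: WINWORD.EXE launching cmd.exe, and the unknown `svc.exe` in a Temp directory opening LSASS with a mask that includes `PROCESS_VM_READ`. Explorer launching a shell is normal user behaviour, the Defender engine is allowlisted, and Task Manager's `0x1400` is query-only, so none of those alert.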
This role has the authority to approve taking critical systems offline during a major cyber incident.
Who is the incident commander / executive leadership?
This approach is used when no patch is available, focusing on mitigating risk through controls like segmentation and monitoring.
What are compensating controls?
This attack path abuses access to the cloud instance metadata service (commonly through SSRF or a compromised workload) to obtain the instance's temporary credentials and expand access.
What is cloud credential theft via metadata service?
This individual or group must formally approve accepting the risk of an unremediated critical vulnerability.
Who is the risk owner / senior leadership?