There are many security incidents that could be indicators of compromise or attempted compromise at your organization.

We will only be able to discuss a few here.

If you want an exhaustive list, check out the MITRE ATT&CK  framework or the Atomic Red Team framework by Red Canary.

Both of these provide great detail on various security incidents and are great resources for shoring up your defenses.

This is an attempt by an attacker to get access to something on your network that they shouldn’t.

It could be devices or data.

The attacker may try to phish an employee to get credentials so they can get access to the employees email.

Or they may try to read files on a file share on the network.

If attackers gain access to your network and get a foothold in some way, they will try to escalate privileges at some point.

That is, if your network is set up correctly.

If you have implemented least privilege in your environment, they will start with low level access and need to escalate to administrators at some point to achieve their goals.

So, how might an attacker gain initial access?

They could have used phishing, or used a vulnerability or missing patch.

Essentially, there are an untold number of ways.

Insider threat incidents are caused by your own employees or vendors accidentally or intentionally.

These types of incidents could range from accidentally clicking on malicious links or deliberately exfiltrating customer data to sell to criminals.

There are several examples of insider threat incidents that you should beware of - pawns, careless employees, collaborators and lone wolfs.

Pawns are employees who are being manipulated by bad actors to cause harm to your environment.

Careless employees take harmful or careless actions without malicious intent.

Collaborators work with another entity such as a competitor or otherwise motivated attacker to steal sensitive information from your company.

Lone wolves are insiders who are working by themselves to achieve some malicious goal.

Phishing attack incidents occur when hackers try to impersonate someone or another company and get one of your employees to take some detrimental action.

These attacks usually happen via email or text message.

Malware incidents can come in many forms and methods.

They can include ransomware, viruses, trojans, worms, adware, coin miners, and more.

There are a myriad of ways malware can be installed on your systems.

Employees can accidentally click links or attackers could brute force and gain access to your servers.

A denial of service incident happens when someone performs an attack to overwhelm your systems with traffic.

They flood your server or system with so much traffic that it is overloaded and can’t operate.

This can cause the system to crash or simply be unusable.

A man-in-the-middle (MitM) attack intercepts network communications and proxies them through an attacker’s device.

They can eavesdrop on all traffic passing through.

This means that if you are entering passwords or other sensitive information, they could potentially get it.

MitM attacks can be quite difficult to detect, so prevention is important.

There are many ways that password attacks can happen, but any security incident involving password attacks merits an investigation.

Password attacks can include:

All of these are dangerous and could result in unauthorized access to systems or data

Web application attacks are security incidents where attackers target websites or other web applications as an entry point into your environment.

They may use SQL injections, known exploits, cross site scripting, or various other attack methods.

These types of security incidents can be challenging to detect.

The loss or theft of equipment with sensitive information is a serious risk.

If an attacker has access to a laptop or mobile device that is not encrypted, they can get access to all data on it.

It’s quite simple to get around passwords.

In fact, under HIPAA, the loss or theft of equipment is considered a breach and must be reported.

Any time someone loses a device, a security incident review should be conducted to determine if sensitive information was leaked

Removable media attacks usually involve USBs and CDs or DVDs.

Attackers can deploy scripts and malware to your network from programs on these devices.

Operating systems have done a lot to control this threat over the last few years, but it still exists.

Improper disclosure happens when an employee or vendor accidentally sends sensitive information to the wrong party or sensitive information is left unprotected.

We have seen this happen a lot since AWS buckets became popular.

Attackers are constantly scanning the internet looking for potential targets.

This usually involves port scanning - a scan in which a device is inspected to see which ports are open.

If ports are found to be open, the scanner will send special packets to look for responses.

From these responses, it can figure out what applications or services are running.

Port scans happen quite frequently and are typically not a cause for much concern.

When data is found to be actively leaving your network, you have a serious security incident.

This typically means that attackers have already compromised your network, escalated privileges, and begun taking what they want.

When you are finished using a device, you can’t just throw it away.

There is sensitive information on it that can be accessed and read.

This applies to mobile devices, hard drives, USB drives, DVDs, CDs, servers, printers, copiers, and any other device that stores information.

Similarly, paper records should be shredded or addressed in another acceptable manner.

These examples of security incidents should help you begin identifying them in your network and responding appropriately.

Remember, everyone has security incidents.

If you can contain them before they turn into breaches or leaks of confidential data, you will be much better off.

This means that you need to have a solid incident response plan in place.