We’ll begin by exploring some recent history, and how IR has evolved over time.

The general notion regarding the origin of hacking is that it started in the 1960s, around the time of the invention of modern computers and operating systems. To disprove this notion, let’s next briefly explore the history of data breaches, to develop an idea of the context behind the modern attack environment.

The history of data breaches

Data interception associated with hacking activities goes as far back as 1836, when two persons were caught intercepting data transmissions in a criminal manner.

During the last decade of the 1700s, France implemented a national data network, which was one of a kind at the time, to transfer data between Paris and Bordeaux. It was built on top of a mechanical telegraph system, which was a network of physical towers. Each tower was equipped with a unique system of movable arms. The tower operators would use different combinations of these arms to form numbers and characters that could be read from a similar distant tower using a telescope. This combination of numbers and characters was relayed from tower to tower until it reached the other city. As a result, the government achieved a much more efficient, speedier mechanism of transferring data.

Interestingly, all this happened in the open. Even though the combinations were encrypted and would’ve required an experienced telegraph operator to decode the message at the far end to bring up the original message, the risks were just around the corner. This operation was observed by two bankers, Francois and Joseph Blanc. They used to trade government bonds at the exchange in Bordeaux, and it was they who figured out a method to poison the data transfer and obtain an indicator of current market status, by bribing the telegraph operators. Usually, it took several days before the information related to bond performance reached Bordeaux by mail. Now, they had an advantage to get that same information well before the exchange in Bordeaux received it.

In a normal transmission, the operator included a backspace symbol to indicate to the other operator that they needed to avoid the previous character and consider it a mistake. The bankers paid one of the operators to include a deliberate mistake with a predefined character, to indicate the previous day’s exchange performance, so that they could assume the market movement and plan to buy or sell bonds. This additional character did not affect the original message sent by the government, because it was indicated to be ignored by the receiving telegraph operator. But this extra character would be observed by another former telegraph operator who was paid by the bankers to decode it by observing through a telescope.

Using this unique information related to market movement, the Blanc brothers had an advantage over the market for two years, until they were caught in 1836. The modern equivalent of this attack would perhaps be data poisoning, a man-in-the middle attack, misuse of a network, or social engineering. However, the striking similarity is that these attacks often go unnoticed for days or years before they get caught. Unfortunately, the Blanc brothers could not be convicted as there were no laws under which they could be prosecuted at that time. Maybe the Blanc brothers’ hack was not so innovative compared to today’s cyber-attacks, but it does indicate that data has always been at risk. And, with the digitization of data in all shapes and forms, operations, and transport mechanisms (networks), the attack surface is huge now. It is now the responsibility of the organization and individuals to keep the data, network, and computer infrastructure safe.

Let’s fast-forward another 150 years, to 1988. This is when the world witnessed the first-ever computer virus—the Morris worm. Even though the creator of the worm, Robert Tappan Morris, denied the allegation that it was intended to cause harm to computers, it did, indeed, affect millions of them. With the intention of measuring the vastness of the cyber world, Morris wrote an experimental program that was self-replicating and hopped from one computer to another on its own.

It was injected into the internet by Morris, but, to his surprise, this so-called worm spread at a much faster rate than he would have imagined. Within the next 24 hours, at least 10% of internet-connected machines were affected. This was then targeted to the Advanced Research Projects Agency Network (ARPANET), and some reports suggested that the number of connected computers at the time was around 60,000. The worm exploited a flaw in the Unix email program Sendmail, and a bug in the finger daemon (fingerd). Morris’ worm infected many sites, including universities, military organizations, and other research facilities. It took a team of programmers from various US universities working non-stop for hours to reach a solution. It took a few more days still to get back to a normal state. A few years later, in 1990, Morris was convicted by the court for violating the Computer Fraud and Abuse Act; unlike at the time of the Blanc brothers, when there was no law to prosecute, Morris was criminally liable.

Moving forward another two decades to 2010, when the world saw what it never imagined could happen in Stuxnet: an extremely coordinated effort to create a specifically crafted piece of software, which was purpose-built to target the Iranian nuclear facility. It targeted Industrial Control Systems (ICSes). This was designed only to target a specific brand and make of Siemens ICS, which manages the speed of centrifuges in a nuclear facility. It is presumed that it was designed to deliver onsite because the Iranian facility that it was targeting was air-gapped.

This was one-of-a-kind industrial cyber sabotage. The malware was purpose-built so that it would never leave the facility of the nuclear plant. However, somehow (there is still speculation as to how), it still made its way out to the internet. It took researchers many months after its discovery to figure out the working principle of the malware. It’s speculated that it took at least a few years to develop it to a fully functional working model. Since Stuxnet, we have witnessed many similar attack patterns in the form of Duqu and Flame, and it’s believed by some experts in this field that malware similar to these are still active.

Currently, we are seeing new variants of attack with new modus operandi. Their intent is to earn money by using ransomware or to steal data in order to sell or destroy it. Ransomware attackers use computer viruses to infect a computer, encrypting and locking information in the computer. They then ask for a ransom from the owners to regain access to their computers. Alternatively, attackers might use victims’ infrastructure to run crypto miner malware to mine cryptocurrencies.

Today, security has taken center stage, not only because the attack surface has increased for each entity, or the number of successful high-profile and mass attacks is more normalized, but because of the fact that each one of us knows that the need to secure data is paramount, irrespective of whether you are a target or not.

To read the rest please go to Article 2, here

Article 2 will cover

• Modern cybersecurity evolution

• Challenges facing incident response

• Protecting the company brand

• Preventing future breaches

• Preparing for attacks

• Developing cyber resilience

Read this article on Packt Web site,

Click here to read Incident Response related articles

Incident Response in the Age of Cloud

Anyone can be hacked. It is just a matter of time. Even the right technology, e.g. the best firewall or anti-virus application, can fall short of protecting your system against cyber-attacks since cybercriminals are always in search of new methods and ways to infiltrate into systems. Responding to an incident quickly will help an organization to minimize its losses, decrease vulnerabilities, rebuild services and processes. Therefore, at this very moment, it is significant to know the best practices to respond to a successful cyber-attack.

Organizations should have skilled employees and sophisticated tools to identify the threats or to respond to and eliminate them. Without knowing the best practices of an incident response process, the organization will be an easy target for cybercriminals and be vulnerable to a cyber-attack.

This book will be a guideline for organizations on how to address and manage the aftermath of a cyber-attack, and how to control the cybersecurity breach in a way that decreases damage, recovery time and costs.

Cybercriminals are always in search of new methods to infiltrate systems. Quickly responding to an incident will help organizations minimize losses, decrease vulnerabilities, and rebuild services and processes.

In the wake of the COVID-19 pandemic, with most organizations gravitating towards remote working and cloud computing, this book uses frameworks such as MITRE ATT&CK® and the SANS IR model to assess security risks.

The book begins by introducing you to the cybersecurity landscape and explaining why IR matters. You will understand the evolution of IR, current challenges, key metrics, and the composition of an IR team, along with an array of methods and tools used in an effective IR process. You will then learn how to apply these strategies, with discussions on incident alerting, handling, investigation, recovery, and reporting.

Further, you will cover governing IR on multiple platforms and sharing cyber threat intelligence and the procedures involved in IR in the cloud. Finally, the book concludes with an “Ask the Experts” chapter wherein industry experts have provided their perspective on diverse topics in the IR sphere.

By the end of this book, you should become proficient at building and applying IR strategies pre-emptively and confidently.

Cybercriminals are always in search of new methods to infiltrate systems. Quickly responding to an incident will help organizations minimize losses, decrease vulnerabilities, and rebuild services and processes.

In the wake of the COVID-19 pandemic, with most organizations gravitating towards remote working and cloud computing, this book uses frameworks such as MITRE ATT&CK® and the SANS IR model to assess security risks.

The book begins by introducing you to the cybersecurity landscape and explaining why IR matters. You will understand the evolution of IR, current challenges, key metrics, and the composition of an IR team, along with an array of methods and tools used in an effective IR process. You will then learn how to apply these strategies, with discussions on incident alerting, handling, investigation, recovery, and reporting.

Further, you will cover governing IR on multiple platforms and sharing cyber threat intelligence and the procedures involved in IR in the cloud. Finally, the book concludes with an “Ask the Experts” chapter wherein industry experts have provided their perspective on diverse topics in the IR sphere.

By the end of this book, you should become proficient at building and applying IR strategies pre-emptively and confidently.

The experts who have contributed in the book, See the full list here

To buy the book

Amazon – click here

Packt – click here