topic Re: Event or Incident in Tech Talk

Event or Incident

tmekelburg1 — Thu, 03 Sep 2020 18:59:14 GMT

I was listening to the Security Metrics podcast: 6 Phases of an Incident Response Plan during my usual lunch walk. Dave was describing the 2nd phase Identification and knowing if it's an incident or an event. He described both and gave examples of each. I pulled the definition of those from two different sources as a comparison.

"An event is any occurrence that can be observed, verified, and documented, whereas an incident is one or more related events that negatively affect the company and/or impact its security posture."

Event - Any occurrence that takes place during a certain period of time
Incident - An event that has a negative outcome affecting the confidentiality, integrity, or availability of an organization’s data

In regards to cyber security, has anyone ever experienced an event that didn't turn into an incident? Not counting false-positive alarms from a SIEM.

Re: Event or Incident

rslade — Thu, 03 Sep 2020 19:31:43 GMT

> tmekelburg1 (Newcomer III) posted a new topic in Tech Talk on 09-03-2020 02:58

> In regards to cyber security,
> has anyone ever experienced an event that didn't turn into an incident?

Every browser crash or device reboot is an event. Most of them don't turn into
incidents.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
You can't depend on your eyes when your imagination is out of
focus. - Mark Twain
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

Re: Event or Incident

tmekelburg1 — Thu, 03 Sep 2020 19:38:02 GMT

Every browser crash or device reboot is an event. Most of them don't turn into
incidents.

Of course but I'm talking cyber security related, not technical glitches.

Re: Event or Incident

sergeling — Thu, 03 Sep 2020 21:16:23 GMT

For example, an externally facing web server with authentication/login workflow.
From the authentication log you see a failed login attempt, that's an event.
But since the login failed and did not cause breach, it's not incident.

Re: Event or Incident

tmekelburg1 — Thu, 03 Sep 2020 22:19:15 GMT

Good example, it could be a potential adversarial event that could escalate into an incident. Or it could be someone who forgot their password.

How about port scanning on Internet facing devices? I'd get the alert and monitor the situation but we really wouldn't escalate to an incident by itself.

Re: Event or Incident

Caute_cautim — Sun, 06 Sep 2020 06:33:56 GMT

@tmekelburg1Its an observation, the source, if it can be defined accurately should be logged. Or a Use case created to identify agreed actions or notifications due to a reconnaissance, which may later turn out into something more vigorous.

Regards

Caute_cautim

Re: Event or Incident

tmekelburg1 — Sun, 06 Sep 2020 12:13:43 GMT

@Caute_cautim wrote:
or notifications due to a reconnaissance, which may later turn out into something more vigorous.

Absolutely, and it could be used as a distraction technique as well. Any more examples of a cyber security event that stays an event and wouldn't escalate into an incident?

Does anyone feel it's important that people outside of the IT world understand the difference and even go so far as correcting their language when used incorrectly? It personally doesn't bother me but to some it does.

Re: Event or Incident

chogan — Mon, 07 Sep 2020 18:26:42 GMT

Event - Something that happens that gets logged. Think of Windows Event Viewer. A user logs on. A service starts. A server is restarted. A packet is allowed through a firewall.

Incident - An event that violates policy. A user attempts to logon outside of allowed hours or from outside of an allowed location. An IPS signature is triggered.

Breach - Information is lost of disclosed. CIA is compromised.

Re: Event or Incident

tmekelburg1 — Mon, 07 Sep 2020 21:13:07 GMT

Thanks for replying chogan!

What about a phishing email? Would the email delivered to the user's inbox be the event and it wouldn't escalate to an incident until the payload was activated? Or would you consider it an incident at the onset?

Re: Event or Incident

denbesten — Tue, 08 Sep 2020 13:01:10 GMT

@tmekelburg1 wrote:
What about a phishing email? Would the email delivered to the user's inbox be the event and it wouldn't escalate to an incident until the payload was activated? Or would you consider it an incident at the onset?

Ask yourself if you have a policy that prohibits receipt of a phishing email. If you do, then it would be an Incident. Otherwise, it would be an event.

If you actively filter bad emails with an "advanced threat protection" system, then bad things getting past it would be an incident. However, if you depend upon your users to do the correct thing then it would only become an incident if the user reacts incorrectly.

Re: Event or Incident

tmekelburg1 — Tue, 08 Sep 2020 14:15:28 GMT

@denbesten wrote:
Ask yourself if you have a policy that prohibits receipt of a phishing email.

As soon as I get one drafted, I'll send it to the threat actors for their signature and acknowledgment! I'm kidding, I know what you mean lol.

If you actively filter bad emails with an "advanced threat protection" system, then bad things getting past it would be an incident. However, if you depend upon your users to do the correct thing then it would only become an incident if the user reacts incorrectly.

In our case, we filter email and depend on our users to apply their security awareness training skills. Some phishing emails still get through. This could be one of those grey areas where the view point of an incident or event would change between organizations.

Re: Event or Incident

chogan — Wed, 09 Sep 2020 23:48:41 GMT

When I look as the message log on my email gateway, I see a list of emails. Some were allowed, some were blocked. I consider all of those to be events.

We instruct users to report any malicious emails they receive. These I create incidents for, so that we can investigate how they made it through our filters and see if there is any action we can take to prevent them in the future.

Re: Event or Incident

MartinN — Fri, 15 Sep 2023 20:42:07 GMT

Before I studied for my CISSP, I did not realize that availability is one of the principles of InfoSec. An application crashing or a reboot are events that affect availability so they are InfoSec/cybersecurity events. C and I get most of the focus (the OSG mentions something to that effect, and it generally is true) but don't forget the A.

Incidents may or may not be serious and thus may or may not need to be reported to senior mgmt, regulatory authorities, law enforcement, etc. For example, you have a public web server that was port scanned by an IP address from X country. Is it an incident? Yes. Does it need to be reported, probably not since your public web server is by design exposed to the internet. If the attacker actually breached the network by exploiting a vulnerability on the web server, that should be considered a major and reportable incident.

About incidents, NIST has a few definitions with some minute differences which don't line up exactly with the CISSP OSG definition. A few here:

https://csrc.nist.gov/glossary/term/computer_security_incident

https://csrc.nist.gov/glossary/term/cybersecurity_incident

https://csrc.nist.gov/glossary/term/incident

Re: Event or Incident

GemDales — Wed, 27 Sep 2023 06:44:51 GMT

Event comes first before the incident.

some events are not incident, for example an authorized user that forgot his password.

tried to log so many times but failed and got blocked.