Dealing with a cyber incident can be daunting. Whether the threat is phishing, malicious network scanning, or ransomware, it's easy to feel overwhelmed.
Even if your organization hasn't been affected by an incident yet, it's essential to understand attacker tactics and stay informed of potential incidents that could impact your environment.
Understanding cybersecurity incident response, knowing how to detect an incident, and recognizing common attack types can significantly improve your organization's ability to contain and eradicate a cyberattack.
This blog focuses on the actions security teams take during an active threat — specifically, how to protect against, detect, and respond to the most common types of incidents.
A Closer Look at the Most Frequent Incident Response Scenarios
Let’s examine five of the most frequent incident types. For each, we’ll highlight practical actions organizations can take to minimize impact before, during, and immediately after an attack.
1. Phishing
Phishing is the most common incident response scenario and often the initial compromise in the following scenarios. Now, more than ever, is the time to focus on training employees to be vigilant of malicious emails by implementing regular training and testing with companywide phishing campaigns.
Protect
- Security awareness training and testing: It's crucial that everyone at the company can recognize phishing emails and other social engineering methods. Consider conducting a social engineering assessment to enhance their awareness and understand your baseline.
- Domain-Based Message Authentication, Reporting, and Conformance (DMARC), DomainKeys Identified Mail (DKIM), and Sender Policy Framework (SPF): Implementing DMARC, DKIM, and SPF (all free!) will help prevent phishing emails from becoming an incident response situation.
  - DMARC is an email authentication, policy, and reporting protocol.
  - DKIM is an email authentication method that identifies forged email sender addresses.
  - SPF is another email authentication method that detects the forging of sender addresses during email delivery.
- Email sandboxing: Sandboxing methods, such as Mimecast, add an extra layer of protection against malicious emails. Emails containing links or attachments can be tested before they reach a mail server.
- Multifactor authentication (MFA): MFA is an authentication method in which a user is granted access to an application or system only after successfully presenting two or more pieces of evidence to an authentication mechanism. MFA will ensure that an attacker cannot gain unauthorized access to any accounts in the network, even if the user provides those credentials through a phishing attack. Warn employees of MFA fatigue and remind them only to authenticate when actively trying to access an application or system.
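A practical way to verify the DMARC, DKIM, and SPF bullets above is to audit your own published records for the weak settings that let spoofed mail through (an SPF record ending in `+all`, a DMARC policy of `p=none`, no DKIM selector). The script below is an added example and is not code from the original post or from SBS CyberSecurity. It inspects record text only, so the sample zones (`weak.example`, `strong.example`, `missing.example`) are constructed inline and no DNS lookup is performed; in production you would fetch the TXT records with a DNS library, which is not shown here.

```python
"""Audit SPF and DMARC record text for settings that weaken anti-spoofing.

Added example; the sample records below are constructed, not real domains.
"""
import re

# Constructed sample zones: DNS name -> TXT record text.
SAMPLE_RECORDS = {
    "weak.example": {
        "weak.example": "v=spf1 include:_spf.example.net +all",
        "_dmarc.weak.example": "v=DMARC1; p=none;",
    },
    "strong.example": {
        "strong.example": "v=spf1 ip4:192.0.2.10 include:_spf.example.net -all",
        "_dmarc.strong.example": "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; pct=100",
        "mail._domainkey.strong.example": "v=DKIM1; k=rsa; p=MIIBIjANBg...",
    },
    "missing.example": {},  # publishes nothing at all
}

# Mechanisms that cost a DNS lookup; RFC 7208 limits a record to 10 of them.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|exists:|redirect=)", re.I)


def check_spf(record):
    """Return a list of findings for an SPF record (empty list means OK)."""
    if record is None:
        return ["no SPF record: any host can send mail claiming this domain"]
    if not record.lower().startswith("v=spf1"):
        return ["record does not start with v=spf1"]
    findings = []
    terms = record.split()
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("'+all' authorises every sender; use -all (or ~all while testing)")
    elif last == "?all":
        findings.append("'?all' is neutral; receivers will not reject spoofed mail")
    elif last == "~all":
        findings.append("'~all' only soft-fails spoofed mail; prefer -all once senders are known")
    elif last != "-all":
        findings.append("record has no terminating 'all' mechanism")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms exceed the 10-lookup limit (permerror)")
    return findings


def check_dmarc(record):
    """Return a list of findings for a DMARC record (empty list means OK)."""
    if record is None:
        return ["no DMARC record: receivers get no policy when SPF/DKIM fail"]
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        return ["record does not declare v=DMARC1"]
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing 'p=' tag; record is invalid")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine; move to p=reject once aggregate reports look clean")
    if "rua" not in tags:
        findings.append("no 'rua=' address: aggregate reports will never be received")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    return findings


def assess_domain(domain, records=SAMPLE_RECORDS):
    """Combine SPF, DMARC and DKIM-selector checks for one domain."""
    zone = records.get(domain, {})
    dkim_present = any(name.endswith("._domainkey." + domain) for name in zone)
    return {
        "spf": check_spf(zone.get(domain)),
        "dmarc": check_dmarc(zone.get(f"_dmarc.{domain}")),
        "dkim": dkim_present,
    }


if __name__ == "__main__":
    for name in SAMPLE_RECORDS:
        print(name, assess_domain(name))
```

Run it as-is to see the three sample zones scored; to audit a real domain, replace `SAMPLE_RECORDS` with the TXT records you fetch for the apex name, `_dmarc.<domain>`, and your DKIM selector names.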
Detect
- Unexpected emails from known or unknown individuals: If the person or conversation seems out of the blue, be vigilant and confirm that the email is legitimate.
- Emails that contain links and/or attachments: Links and attachments can be a backdoor to your network. Remember, the hacker cannot get in unless you give them an opening. Also, look for spelling errors or unusual domains in emails you receive.
- Emails prompting extreme feelings: Phishing emails often push the user in the direction the malicious actor wants. If any email is trying to persuade or rush you into doing an action, resist the urge.
Respond
- Quarantine: The malicious email should be quarantined from all system accounts. Make sure no one can access the message from your network until an administrator reviews it.
- Security information and event management (SIEM): Check for any custom threat intelligence rules to add to your SIEM.
- Indicators of compromise (IoCs): Watch network alerts for IoCs, the artifacts and traffic patterns that deviate from your network's normal baseline and therefore indicate a compromise.
2. Malware
Malware is a broad category of harmful software often used to gain unauthorized access to a system or network. This can allow attackers to steal valuable data, intelligence, or other sensitive information.
Protect
- Application whitelisting: Whitelisting specific applications ensures a device will only allow pre-approved applications to be installed, preventing malicious applications from being downloaded and installed.
- AV scans and endpoint protection: Use a solution with second-generation detection capabilities (behavioral analysis versus detection by definition) that includes scripting control.
- MFA: As in the phishing scenario, MFA will ensure that an attacker cannot gain unauthorized access to any accounts in the network.
Detect
- Slow computer and blue screen of death (BSoD): If your device is running slower or you receive an unexpected BSoD, these are common symptoms of malware on your device. Be sure to report such issues to your information technology (IT) and information security (IS) staff.
- Dwindling storage space: If your device suddenly (and unexpectedly) runs out of storage, malware may be hiding in your system.
- Pop-ups or unwanted applications: Keep track of the applications installed on your device and pay attention if you get any confusing pop-ups. If you find any applications that you did not install on your system yourself, it could be camouflaged malware.
- Managed detection and response (MDR): MDR combines technology and human expertise to perform threat hunting, monitoring, and response. MDR can rapidly identify and limit the impact of threats without the need for additional staffing.
- Extended detection and response (XDR): XDR provides extended visibility, analysis, and response across endpoints, workloads, users, and networks by consolidating multiple security tools and data sources into a single platform.
Respond
- Key risk indicators (KRIs): KRIs act as a logging metric used to establish the upper and lower bounds of normal on networks or client-server infrastructures.
- Contain and eradicate: Disconnect the computer from the network, but don’t power the device off, so that volatile evidence in memory is preserved for investigation. Work through the system and eradicate any malicious files or applications.
3. Ransomware
Technically, ransomware is included under the malware umbrella we discussed above. However, ransomware deserves to be highlighted separately due to its destructive nature. Modern ransomware has taken a turn for the worse.
Attackers are now dropping ransomware after being in a network for a while and gaining information and data. It also helps attackers cover their tracks and distract users while data is being exfiltrated.
To better understand how to prevent and respond to these attacks, refer to SBS CyberSecurity’s ransomware guide.
Protect
- AV scans and endpoint protection: Use a solution with second-generation detection capabilities, including scripting control. Also, maintain security patches on all workstations, servers, and network devices.
- MFA: MFA ensures that a user would be notified if a malicious actor tried to log into an account.
- Suspicion: Use extreme caution with any email that includes attachments or links, as ransomware is often disguised to look harmless.
- Service accounts: Limit service accounts to one service per account. Passwords should also be at least 15 characters long, highly complex, and have strong entropy, meaning they are sufficiently unpredictable and difficult to guess.
- Microsoft Active Directory (AD): Disable NTLM and NTLMv2 authentication in AD in favor of Kerberos v5 or higher.
- Business-approved connections: Only implement business-approved connections between VLANs.
- Uninstall: Decrease the attack surface on all workstations and servers by uninstalling applications and services that are not needed for business reasons.
- Data-level backup: Implement data-level backup for file shares and SQL databases so the latest data sets can be recovered if the server is compromised. The data needs to be restored from a date after the compromise.
- Administrator accounts: Rename the administrator account from its default name (Administrator). Do this in AD’s Group Policy. Also, use good admin account hygiene by not browsing the internet or using email while logged into an administrator account. This account is needed for specific and explicit business operations. In addition, no standard user should have local administrative access.
Detect
- Unusual pop-ups on the device and encrypted files: As the most obvious sign of an infection, ransomware will likely notify the user on the device and encrypt all files your device can see and access on your network.
- Firewall logs: Logs will show all data activity received and sent from outside the network. Ensure yours are correctly configured and retained before an attack occurs. This will help investigate where external traffic is coming from and going, and when the attack occurred.
- KRIs: Define KRIs, such as high disk usage on servers or workstations and user account logins during nonbusiness hours, to help detect a potential ransomware incident.
- Endpoint detection and response (EDR)/MDR to detect scripting: EDR is a tool that can be deployed to protect endpoints. MDR is a service that provides security monitoring and management across an IT environment. Maintain aggressive EDR/MDR policies on all activity and servers, and do not whitelist or bypass the tool. Instead, work through each issue with the tool to keep its efficacy. Also, enable Windows Defender to run in parallel with the EDR solution and have the Defender snap-in for MDR solutions.
- Application whitelisting and geolocation blocking: These are especially important for all foreign applications and IP addresses in the firewall.
Respond
- Detect: Detect a network intrusion before ransomware begins to encrypt files, as modern ransomware is typically deployed by attackers who are already in the network.
- Monitor: Monitor KRIs and IoCs vigilantly. It is essential to know what normal looks like on your network. Anything outside your normal levels should raise red flags.
- Contain: Containment is a top priority in any incident response scenario. Creating an environment where nothing that isn’t approved gets out of the network or runs on a workstation or server is key to eradication.
- MDR
- XDR
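The KRI bullet in the Detect list above (high disk usage, unusual activity on servers) and the Monitor bullet here both rest on the same idea: record what normal looks like, then alert when a metric moves well outside it. The script below is an added example, not code from the original post or from SBS CyberSecurity. It builds a baseline (mean and standard deviation) from a constructed week of normal readings for two KRIs on a hypothetical file server, hourly file modifications and disk usage percentage, and flags a new observation when it exceeds either a statistical threshold or an absolute hard limit. The KRI names, the history values, and the 3-sigma and 90 percent limits are all assumptions chosen for the example.

```python
"""Baseline-and-threshold evaluation of key risk indicators (KRIs).

Added example. History values are constructed to represent normal operation
on a hypothetical file server; tune the KRI definitions to your own data.
"""
import statistics

# Constructed baseline history: one reading per hour over normal business use.
NORMAL_FILE_MODS = [120, 95, 130, 110, 105, 140, 98, 125, 115, 132, 101, 118]
NORMAL_DISK_PCT = [61.0, 61.2, 61.1, 61.4, 61.3, 61.5, 61.6, 61.5, 61.8, 61.7]

# KRI definitions (assumed for the example). "sigma" sets the statistical
# threshold above the mean; "hard_limit" is an absolute ceiling that applies
# regardless of what the baseline says.
KRIS = {
    "file_mods_per_hour": {"history": NORMAL_FILE_MODS, "sigma": 3.0},
    "disk_used_pct": {"history": NORMAL_DISK_PCT, "sigma": 3.0, "hard_limit": 90.0},
}


def baseline(samples):
    """Return (mean, sample standard deviation) for a list of readings."""
    return statistics.fmean(samples), statistics.stdev(samples)


def threshold_for(cfg):
    """Upper bound of 'normal' for one KRI: mean + sigma*stdev, capped by any hard limit."""
    mean, sd = baseline(cfg["history"])
    limit = mean + cfg["sigma"] * sd
    hard = cfg.get("hard_limit")
    return limit if hard is None else min(limit, hard)


def evaluate(observation, kris=KRIS):
    """Return [(kri_name, observed_value, threshold), ...] for every breached KRI."""
    breaches = []
    for name, cfg in kris.items():
        value = observation.get(name)
        if value is None:
            continue  # KRI not reported in this observation
        limit = threshold_for(cfg)
        if value > limit:
            breaches.append((name, value, round(limit, 2)))
    return breaches


if __name__ == "__main__":
    # A quiet hour, then an hour that looks like mass file encryption.
    quiet = {"file_mods_per_hour": 130, "disk_used_pct": 61.9}
    noisy = {"file_mods_per_hour": 4200, "disk_used_pct": 97.5}
    print("quiet hour:", evaluate(quiet))
    print("noisy hour:", evaluate(noisy))
```

Note that with this baseline a jump to 65 percent disk usage is flagged even though it is far below the 90 percent hard limit: the statistical bound catches a change that is abnormal for this server, which is the point of knowing what normal looks like before an incident.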
4. Internet-Facing Vulnerabilities
Every device connected to the internet can be scanned for vulnerabilities from outside sources. Hackers do not specifically look for one victim of their scans — they set up scripts and scan every port and device they can. Any device may become an attacker’s next victim.
Protect
- AV scans and endpoint protection
- Whitelist: Only whitelist the scripts your web apps use. Block everything else.
- Demilitarized zone (DMZ): Implement a DMZ for anything you host locally. A DMZ is a separate, firewalled zone that protects the rest of your network from being accessed by internet traffic from the application or system you host.
- Burp Suite: Scan your websites with Burp Suite, which is software that can find SQL injection, cross-site scripting, and other potential security pitfalls in your websites.
- Geolocation blocking: If your organization doesn’t do business with companies in other countries, those countries should be blocked from accessing your web systems. Use your firewall or web application firewall (WAF), which helps protect web applications, to block locations you don’t do business with.
Detect
- Regularly audit your webservers, routers, and firewalls with penetration tests and vulnerability assessments: Vulnerability assessments will identify any known external vulnerabilities, and network penetration tests will determine if those vulnerabilities are exploitable, allowing an attacker to access your network from the outside.
- Use a WAF: A WAF helps monitor and block HTTP traffic to and from web applications, allowing you to filter the content of specific web applications and protect your device from malicious content.
- IoCs
- MDR
- XDR
Respond
- Contain: The organization is compromised if adversaries gain access to your network due to known vulnerabilities. Be sure to disconnect compromised devices or network segments from the rest of your corporate network, which will ensure the attacker cannot perform lateral movement.
- Eradicate: Eradicate compromised devices or network segments. Be sure devices and segments are clear of any present malware.
- IoCs
5. Business Email Account Takeover
Business email account takeover occurs when a malicious user gains access to a legitimate user’s email account. For example, once an attacker gains access to the credentials from a phishing email sent out to employees, the attacker will have access to that user’s email.
Protect
- External email access: Only enable external email access for the specific countries in which your employees work.
- Geolocation blocking: If your organization doesn’t do business with companies in other countries, those countries should be blocked from accessing your email systems. Use Microsoft Conditional Access to block locations you don’t do business with.
- MFA
Detect
- User and entity behavior analytics (UEBA) in the SIEM: Look for user logins at strange times or suspicious user activity. Set alerts for employees accessing their email accounts at strange times.
- Email logging: Look out for unusual country code logins to cloud-based email accounts. By default, Office 365 and Google Workspace do not log these. Be sure your organization’s email platform is licensed properly.
- Abnormal email rules: Be aware of missing or deleted emails. Other users might receive emails from the compromised account without the corresponding email in the sender’s sent folder. Also look out for inbox rules that the intended user or the administrator didn’t create. These may automatically forward emails to unknown addresses or move them to the notes, junk, or RSS subscription folders. The user’s mailbox may also be blocked from sending mail, and the Sent Items or Deleted Items folders in Microsoft Outlook may contain messages typical of a hijacked account.
- Global Address List (GAL): The user’s display name might be changed in the GAL.
- Unusual profile changes: Monitor changes to names, telephone numbers, and postal codes, as well as unusual credential updates, such as multiple password changes.
- Interactive login attempts: Look for strange interactive attempts in logs and IP address connection attempts that are out of the norm for the user.
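The Detect bullets above (logins at strange times, logins from unexpected countries, inbox rules that forward mail externally or hide it in the junk, notes, or RSS folders) can be turned into simple triage logic over your mail platform's audit log. The script below is an added example, not code from the original post or from SBS CyberSecurity. The events are constructed inline in a simplified shape loosely modelled on Microsoft 365 audit records (`UserLoggedIn`, `New-InboxRule`, `Set-InboxRule` with their parameters); the corporate domain `example.com`, the allowed country list, business hours of 07:00 to 19:00, and the user names are all assumptions for the example.

```python
"""Triage constructed mail-audit events for business email account takeover signs.

Added example. Event shape, domains, users and hours are assumptions.
"""
from datetime import datetime, time

CORP_DOMAIN = "example.com"          # assumed corporate mail domain
ALLOWED_COUNTRIES = {"US"}           # where this organisation's staff log in from
BUSINESS_HOURS = (time(7, 0), time(19, 0))
# Folders attackers use to hide mail from the mailbox owner (named in the post).
SUSPECT_FOLDERS = {"RSS Subscriptions", "Junk Email", "Notes", "Deleted Items"}

# Constructed sample events. 2024-03-04 is a Monday.
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T09:12:00", "user": "alice@example.com", "op": "UserLoggedIn",
     "ip": "198.51.100.7", "country": "US"},
    {"ts": "2024-03-04T02:47:00", "user": "alice@example.com", "op": "UserLoggedIn",
     "ip": "203.0.113.55", "country": "NG"},
    {"ts": "2024-03-04T02:51:00", "user": "alice@example.com", "op": "New-InboxRule",
     "params": {"Name": ".", "ForwardTo": "collector@mailbox.example.net",
                "DeleteMessage": "True"}},
    {"ts": "2024-03-04T10:30:00", "user": "bob@example.com", "op": "New-InboxRule",
     "params": {"Name": "Newsletters", "MoveToFolder": "Newsletters",
                "From": "news@vendor.example"}},
    {"ts": "2024-03-04T03:05:00", "user": "alice@example.com", "op": "Set-InboxRule",
     "params": {"Name": ".", "MoveToFolder": "RSS Subscriptions",
                "SubjectContainsWords": "invoice;password"}},
]

FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress")


def check_login(ev):
    """Tags for a login event: off-hours/weekend, or from a country not on the allow list."""
    tags = []
    t = datetime.fromisoformat(ev["ts"])
    if t.weekday() >= 5 or not (BUSINESS_HOURS[0] <= t.time() <= BUSINESS_HOURS[1]):
        tags.append("off_hours_login")
    if ev.get("country") not in ALLOWED_COUNTRIES:
        tags.append("login_from_unexpected_country")
    return tags


def check_inbox_rule(ev):
    """Tags for a rule creation/change: external forwarding, hiding, deleting, obscure name."""
    p = ev.get("params", {})
    tags = []
    for key in FORWARD_KEYS:
        addr = p.get(key)
        if addr and addr.rsplit("@", 1)[-1].lower() != CORP_DOMAIN:
            tags.append("forward_to_external")
            break
    if p.get("MoveToFolder") in SUSPECT_FOLDERS:
        tags.append("move_to_hidden_folder")
    if p.get("DeleteMessage") == "True":
        tags.append("delete_message")
    if len(p.get("Name", "")) <= 2:       # rules named "." or "," are easy to overlook
        tags.append("obscure_rule_name")
    return tags


def triage(events):
    """Return one finding dict per (event, tag) pair, in event order."""
    findings = []
    for ev in events:
        if ev["op"] == "UserLoggedIn":
            tags = check_login(ev)
        elif ev["op"] in ("New-InboxRule", "Set-InboxRule"):
            tags = check_inbox_rule(ev)
        else:
            tags = []
        for tag in tags:
            findings.append({"user": ev["user"], "ts": ev["ts"], "op": ev["op"], "tag": tag})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['ts']}  {f['user']:<20} {f['op']:<14} {f['tag']}")
```

Each tag on its own is only a hint; the value is in the combination. Here one account shows a night-time login from an unexpected country followed minutes later by a rule that forwards mail off-domain and deletes the original, which is exactly the sequence the Respond steps below are meant to cut short.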
Respond
- Contain: Shut down the email account so that no users can access it.
- Change passwords and block access: Change all account passwords and block email access from countries where employees wouldn’t log in.
- Examine: Look at the contents of your compromised email account. If personally identifiable information (PII) was exposed, you may need to file a breach report.
Building a Resilient Cybersecurity Incident Response Strategy
Staying ahead of cyber threats requires proactive monitoring and strong security measures. Organizations that struggle with network monitoring should invest in tools like SIEM, which enhance threat detection, compliance, and incident management.
Features like UEBA and security orchestration, automation, and response (SOAR) help identify anomalies and enable a swift, effective response to incidents.
MFA remains one of the most reliable defenses, blocking unauthorized access even if credentials are compromised. Since phishing is the leading cause of security breaches, continuous employee training and testing are essential.
Robust security controls to prevent, detect, and respond help organizations stay ahead of threats and maintain a stronger, more resilient cybersecurity posture.