Redefining Security: The AI-backed technological evolution of cybersecurity incident response

Twenty years ago, the cloud was unfamiliar, and IoT sensors, social media, remote work, and even Gmail had not yet emerged. Now in 2024, cybersecurity has become a national and international priority, with cyberattacks impacting consumers online and in person. In these uncertain times, the prevalent use of technologies like AI, cloud, and IoT in the hands of businesses, cybersecurity vendors, and cybercriminals themselves, are reshaping the threat and defence landscape.

People store a wealth of personal data online, ranging from financial information to medical records. Cyberattacks pose risks such as identity theft, financial harm, and emotional distress, while companies affected by data breaches and leaks can suffer both monetary and reputational damages. Ransomware attacks remain the top threat to organizations in the UAE, and while Group-IB data shows that in 2023, manufacturing and real estate were the two most common industries in the UAE to feature on the leak sites of ransomware groups, organizations from all verticals need to act to step up their cybersecurity posture.

Over the past decade, cybercrime has become a lucrative industry, marked by new malicious techniques and programs, leading to trillions of dollars in losses globally. Mena companies invested $2.8 billion in cybersecurity last year, with global end-user spending projected to reach $215 billion in 2024, a 14.3% increase from 2023, as reported by Gartner. This underscores organizations’ heightened cybersecurity efforts, including the wider procurement of cybersecurity solutions, increased staffing within IT and security teams, as well as investments in employee education. Nevertheless, the evolving sophistication of cyber threats poses ongoing challenges for organizations across the Mena region.

Prioritizing incident response planning

Despite the significant investments made by companies across the MENA region to strengthen their cybersecurity posture, the fact remains that a cybersecurity incident can occur at any time. All it takes is for cybercriminals to exploit one vulnerable driver or an online vulnerability to gain access, and that’s not without saying the human factor that remains a key element of almost all successful cyberattacks.

In roughly half of the ransomware incidents that Group-IB’s Incident Response team addressed in the Middle East and Africa in 2023, the groups responsible for the attack purchased access to a network from initial access brokers (IABs). These IABs often sell compromised credentials obtained with the use of information stealing malware, which is often hosted on phishing sites and downloaded mistakenly by unwitting individual users.

The 5Ps principle (proper planning prevents poor performance) can significantly enhance a company’s ability to respond to cybersecurity incidents. By implementing stringent cybersecurity policies, investing in cybersecurity solutions, fostering a culture of cybersecurity with engaging employee training, and assessing the risks associated with third-party vendors, companies can get ahead of the curve and reduce the potential of a cybersecurity incident occurring.

Speed is vital during a cybersecurity incident. As a result, organizations should also ensure that they proactively create a robust incident response plan that will ensure all relevant stakeholders know the steps they need to take in order to detect, respond and recover from any attack or breach. Roles and responsibilities should be assigned ahead of time, and reporting channels and escalation procedures should be established.

But what happens when a cybersecurity incident takes place?

Partner with cybersecurity experts

Cybersecurity companies are uniquely positioned to understand the global threat landscape due to their access to the most recent threat intelligence, global reach, and specialized expertise. As a result, when a cybersecurity incident occurs, vendors can connect the dots and respond quickly in order to firstly stop the attacker in their tracks and restore critical functions in time, create a remediation plan based on the indicators of compromise collected during the attack, and also assist in the drafting of specific reports for regulatory or legal proceedings. Additionally, vendors should prioritize efficient, and empathetic client communication throughout any incident to build trust and reassure customers.

GCC companies should prioritize working with cybersecurity vendors that specialize in responding to high-profile, sophisticated cybersecurity incidents and those that have unique expertise of the regional, as well as global, threat landscape.

Cybersecurity vendors can also provide proactive guidance and strategic consulting before an incident even takes place. Experts can identify vulnerabilities, prioritize security controls, and also draft response plans ahead of time through risk assessments and other consulting services.

otably, many cybersecurity vendors are also offering incident response retainer services, which gives companies the opportunity to benefit from a pre-negotiated statement of work that sets out the proactive and reactive services offered during a cybersecurity incident in order to minimize the time spent in negotiations and maximize the speed of response.

From months to seconds: The AI revolution

In the past, digital forensic investigations were not automated, requiring onsite and manual efforts. Vulnerability scanning was conducted on large screens, and remote work technology was scarce. Physical presence was necessary to plug into networks, review data, and input it into spreadsheets for performance comparisons. Data collection teams took weeks, followed by additional time for lab diagnostics.

Today, accessing digital environments remotely takes minutes, enabling rapid triage activities. Within the first day of engagement, major insights into incidents may be gained, and resolution can occur within the course of several days or weeks, a significant improvement from the months-long analysis of breaches in the past. The current focus is on speed, as both cyber defenders and attackers operate at accelerated rates when compared to even several years ago.

In the ongoing battle between cyber defenders and threat actors, automation plays a pivotal role, with speed often determining the winner in this arms race. This underscores the crucial significance of threat detection and response solutions, such as XDR (extended detection and response) tools.

During cybersecurity incidents, Group-IB experts deploy XDR tools across an organization’s servers and endpoints. XDR solutions collect data from various network sources, including endpoints, network traffic, and emails. Using advanced techniques like machine learning, it scans for cyber threats. If a threat is detected, XDR analyzes its nature and origin, then initiates countermeasures to contain and neutralize it. Post-incident, XDR learns and adapts its defense mechanisms for future threats, ensuring continuous improvement over time.

Artificial intelligence is also bringing a step-change in the effectiveness of XDR solutions. For example, AI-infused malware detonation platforms can now enhance the detection of “malware-free” attacks, giving organizations greater protection against advanced threats and zero-day attacks.

Despite these advancements, artificial intelligence, especially in the hands of cybercriminals, will create new challenges for cybersecurity vendors and their teams of experienced incident responders. The primary focus for organizations and cybersecurity vendors alike must be on outpacing threat actors in the ongoing automation race. Despite the uncertainties, the cybersecurity industry remains committed to maintaining vigilance in the face of evolving innovations.

Ashraf Koheil, Regional Sales Director META for Group-IB

• Business