惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Apple Machine Learning Research
Apple Machine Learning Research
AWS News Blog
AWS News Blog
Google DeepMind News
Google DeepMind News
U
Unit 42
博客园 - 叶小钗
博客园 - 聂微东
GbyAI
GbyAI
Stack Overflow Blog
Stack Overflow Blog
有赞技术团队
有赞技术团队
aimingoo的专栏
aimingoo的专栏
D
DataBreaches.Net
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Jina AI
Jina AI
美团技术团队
The Cloudflare Blog
M
MIT News - Artificial intelligence
Microsoft Azure Blog
Microsoft Azure Blog
I
InfoQ
S
Schneier on Security
C
Check Point Blog
Project Zero
Project Zero
The Hacker News
The Hacker News
Scott Helme
Scott Helme
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Cisco Talos Blog
Cisco Talos Blog
P
Privacy International News Feed
SecWiki News
SecWiki News
Latest news
Latest news
MongoDB | Blog
MongoDB | Blog
S
Secure Thoughts
Google Online Security Blog
Google Online Security Blog
F
Fortinet All Blogs
博客园 - 三生石上(FineUI控件)
H
Help Net Security
TaoSecurity Blog
TaoSecurity Blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Last Week in AI
Last Week in AI
P
Privacy & Cybersecurity Law Blog
Forbes - Security
Forbes - Security
G
GRAHAM CLULEY
N
Netflix TechBlog - Medium
L
Lohrmann on Cybersecurity
A
About on SuperTechFans
T
The Exploit Database - CXSecurity.com
C
Cisco Blogs
PCI Perspectives
PCI Perspectives
大猫的无限游戏
大猫的无限游戏
T
Troy Hunt's Blog
H
Hacker News: Front Page
Vercel News
Vercel News

The Hacker News

SystemBC C2 Server Reveals 1,570+ Victims in The Gentlemen Ransomware Operation 22 BRIDGE:BREAK Flaws Expose Thousands of Lantronix and Silex Serial-to-IP Converters Ransomware Negotiator Pleads Guilty to Aiding BlackCat Attacks in 2023 5 Places where Mature SOCs Keep MTTR Fast and Others Waste Time NGate Campaign Targets Brazil, Trojanizes HandyPay to Steal NFC Data and PINs No Exploit Needed: How Attackers Walk Through the Front Door via Identity-Based Attacks Google Patches Antigravity IDE Flaw Enabling Prompt Injection Code Execution CISA Adds 8 Exploited Flaws to KEV, Sets April-May 2026 Federal Deadlines SGLang CVE-2026-5760 (CVSS 9.8) Enables RCE via Malicious GGUF Model Files ⚡ Weekly Recap: Vercel Hack, Push Fraud, QEMU Abused, New Android RATs Emerge & More Why Most AI Deployments Stall After the Demo Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain Researchers Detect ZionSiphon Malware Targeting Israeli Water, Desalination OT Systems $13.74M Hack Shuts Down Sanctioned Grinex Exchange After Intelligence Claims Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched Google Blocks 8.3B Policy-Violating Ads in 2025, Launches Android 17 Privacy Overhaul NIST Limits CVE Enrichment After 263% Surge in Vulnerability Submissions Operation PowerOFF Seizes 53 DDoS Domains, Exposes 3 Million Criminal Accounts Apache ActiveMQ CVE-2026-34197 Added to CISA KEV Amid Active Exploitation Newly Discovered PowMix Botnet Hits Czech Workers Using Randomized C2 Traffic ThreatsDay Bulletin: Defender 0-Day, SonicWall Brute-Force, 17-Year-Old Excel RCE and 15 More Stories [Webinar] Eliminate Ghost Identities Before They Expose Your Enterprise Data The Hacker News The Hacker News Obsidian Plugin Abuse Delivers PHANTOMPULSE RAT in Targeted Finance, Crypto Attacks UAC-0247 Targets Ukrainian Clinics and Government in Data-Theft Malware Campaign n8n Webhooks Abused Since October 2025 to Deliver Malware via Phishing Emails Actively Exploited nginx-ui Flaw (CVE-2026-33032) Enables Full Nginx Server Takeover April Patch Tuesday Fixes Critical Flaws Across SAP, Adobe, Microsoft, Fortinet, and More Deterministic + Agentic AI: The Architecture Exposure Validation Requires Microsoft Issues Patches for SharePoint Zero-Day and 168 Other New Vulnerabilities OpenAI Launches GPT-5.4-Cyber with Expanded Access for Security Teams New PHP Composer Flaws Enable Arbitrary Command Execution — Patches Released Google Adds Rust-Based DNS Parser into Pixel 10 Modem to Enhance Security AI-Driven Pushpaganda Scam Exploits Google Discover to Spread Scareware and Ad Fraud Mirax Android RAT Turns Devices into SOCKS5 Proxies, Reaching 220,000 via Meta Ads Analysis of 216M Security Findings Shows a 4x Increase In Critical Risk (2026 Report) 108 Malicious Chrome Extensions Steal Google and Telegram Data, Affecting 20,000 Users ShowDoc RCE Flaw CVE-2025-0520 Actively Exploited on Unpatched Servers CISA Adds 6 Known Exploited Flaws in Fortinet, Microsoft, and Adobe Software JanelaRAT Malware Targets Latin American Banks with 14,739 Attacks in Brazil in 2025 FBI and Indonesian Police Dismantle W3LL Phishing Network Behind $20M Fraud Attempts ⚡ Weekly Recap: Fiber Optic Spying, Windows Rootkit, AI Vulnerability Hunting and More Your MTTD Looks Great. Your Post-Alert Gap Doesn't North Korea's APT37 Uses Facebook Social Engineering to Deliver RokRAT Malware OpenAI Revokes macOS App Certificate After Malicious Axios Supply Chain Incident CPUID Breach Distributes STX RAT via Trojanized CPU-Z and HWMonitor Downloads Adobe Patches Actively Exploited Acrobat Reader Flaw CVE-2026-34621 Citizen Lab: Law Enforcement Used Webloc to Track 500 Million Devices via Ad Data GlassWorm Campaign Uses Zig Dropper to Infect Multiple Developer IDEs Browser Extensions Are the New AI Consumption Channel That No One Is Talking About Google Rolls Out DBSC in Chrome 146 to Block Session Theft on Windows Marimo RCE Flaw CVE-2026-39987 Exploited Within 10 Hours of Disclosure Backdoored Smart Slider 3 Pro Update Distributed via Compromised Nextend Servers EngageLab SDK Flaw Exposed 50M Android Users, Including 30M Crypto Wallet Installs UAT-10362 Targets Taiwanese NGOs with LucidRook Malware in Spear-Phishing Campaigns ThreatsDay Bulletin: Hybrid P2P Botnet, 13-Year-Old Apache RCE and 18 More Stories The Hidden Security Risks of Shadow AI in Enterprises Adobe Reader Zero-Day Exploited via Malicious PDFs Since December 2025 Bitter-Linked Hack-for-Hire Campaign Targets Journalists Across MENA Region New Chaos Variant Targets Misconfigured Cloud Deployments, Adds SOCKS Proxy Masjesu Botnet Emerges as DDoS-for-Hire Service Targeting Global IoT Devices APT28 Deploys PRISMEX Malware in Campaign Targeting Ukraine and NATO Allies Shrinking the IAM Attack Surface through Identity Visibility and Intelligence Platforms (IVIP) Anthropic's Claude Mythos Finds Thousands of Zero-Day Flaws Across Major Systems N. Korean Hackers Spread 1,700 Malicious Packages Across npm, PyPI, Go, Rust Iran-Linked Hackers Disrupt U.S. Critical Infrastructure by Targeting Internet-Exposed PLCs Russian State-Linked APT28 Exploits SOHO Routers in Global DNS Hijacking Campaign [Webinar] How to Close Identity Gaps in 2026 Before AI Exploits Enterprise Risk Docker CVE-2026-34040 Lets Attackers Bypass Authorization and Gain Host Access Over 1,000 Exposed ComfyUI Instances Targeted in Cryptomining Botnet Campaign The Hidden Cost of Recurring Credential Incidents New GPUBreach Attack Enables Full CPU Privilege Escalation via GDDR6 Bit-Flips China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed Iran-Linked Password-Spraying Campaign Targets 300+ Israeli Microsoft 365 Organizations DPRK-Linked Hackers Use GitHub as C2 in Multi-Stage Attacks Targeting South Korea Multi-OS Cyberattacks: How SOCs Close a Critical Risk in 3 Steps ⚡ Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More How LiteLLM Turned Developer Machines Into Credential Vaults for Attackers Qilin and Warlock Ransomware Use Vulnerable Drivers to Disable 300+ EDR Tools BKA Identifies REvil Leaders Behind 130 German Ransomware Attacks $285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Operation 36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers UNC1069 Social Engineering of Axios Maintainer Led to npm Supply Chain Attack Why Third-Party Risk Is the Biggest Gap in Your Clients' Security Posture New SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images Drift Loses $285 Million in Durable Nonce Social Engineering Attack Linked to DPRK Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials Cisco Patches 9.8 CVSS IMC and SSM Flaws Allowing Remote System Compromise ThreatsDay Bulletin: Pre-Auth Chains, Android Rootkits, CloudTrail Evasion & 10 More Stories Researchers Uncover Mining Operation Using ISO Lures to Spread RATs and Crypto Miners The State of Trusted Open Source Report WhatsApp Alerts 200 Users After Fake iOS App Installed Spyware; Italian Firm Faces Action Apple Expands iOS 18.7.7 Update to More Devices to Block DarkSword Exploit CERT-UA Impersonation Campaign Spread AGEWHEEZE Malware to 1 Million Emails
Day Zero Readiness: The Operational Gaps That Break Incident Response
info@thehack · 2026-05-07 · via The Hacker News

Having an incident response retainer, or even a pre-approved external incident response firm, is not the same as being ready for an incident. A retainer means someone will answer the phone. Operational readiness determines whether that team can do meaningful work the moment they do. 

That distinction matters far more than many organizations realize. In the first hours of a security incident, attackers are not waiting for your identity team to provision emergency accounts, for legal to decide whether an outside firm can access sensitive systems, or for someone to figure out who owns the EDR console. Every delay gives the attacker more uninterrupted time in your environment. Every hour lost to logistics increases the likelihood of deeper compromise, broader impact, and more expensive recovery. 

The same is true internally. An organization may have an incident response plan, a capable security team, and a list of escalation contacts, yet still be unprepared to respond under pressure. Readiness is not measured by what exists on paper. It is measured by how quickly responders, internal or external, can gain visibility, understand what the attacker has already touched, and make informed decisions. 

On Day Zero, responders are not asking for unlimited control. They are asking for visibility first and authority second. Without visibility, containment decisions are made blindly, timelines cannot be reconstructed, and the true scope of the compromise remains unknown while the response team debates access and approvals. 

This guide outlines what responders need on Day Zero, where organizations most often fall short, and how to ensure your internal team and external IR partner can begin effective work immediately when an incident is declared. 

What determines response speed 

Whether the first responders are internal security staff, an external retainer firm, or both working in parallel, they need access to the same core systems. Internal teams may already have some of that access. External responders usually do not unless it has been prepared in advance. 

Not all access is equally urgent. Identity comes first, because identity reveals the blast radius. It shows how the attacker got in, which credentials are compromised, how privilege may have changed, and where the attacker is likely to move next. Cloud, endpoint, and logging access are all critical, but without identity visibility, responders are building a timeline on guesswork. 

Identity and authentication access 

Modern attacks run on identity. Stolen credentials, abused tokens, misconfigured privileges, and compromised sessions are now central to how attackers gain persistence and move laterally. If responders cannot see identity activity, they cannot explain the initial compromise, trace privilege escalation, or identify which accounts are already unsafe to trust. 

For external IR firms, identity access is often the first major bottleneck. Organizations delay access while teams debate permissions, search for the right administrator, or attempt to create accounts during the incident itself. During that delay, responders are effectively blind to the attacker’s movement. 

On Day Zero, responders need read and investigative access to the identity provider, directory services, SSO platforms, and federation layers. They need visibility into authentication logs, MFA events, token issuance, session activity, privileged accounts, service accounts, and recent permission changes. They also need a defined path for urgent actions such as credential resets, token invalidation, or temporary restrictions on privileged users. 

Cloud and SaaS access 

In cloud environments, attacker activity often looks normal unless responders can see it in context. It may appear as API calls, configuration changes, new role assignments, service account abuse, or use of legitimate automation. Without immediate access, critical evidence may disappear before it is reviewed. 

On Day Zero, responders need read access to relevant cloud accounts, subscriptions, and SaaS platforms. They need visibility into audit logs, control plane activity, IAM and RBAC configurations, compute workloads, storage access patterns, serverless functions, service accounts, and secrets management. Delays in cloud access are especially damaging because some telemetry is ephemeral. If it is not captured quickly, it may be gone permanently. 

Endpoint and EDR access 

Endpoint telemetry often provides the clearest picture of attacker behavior, especially in the early stages of an investigation. Process execution, command-line activity, credential dumping, persistence mechanisms, and lateral movement frequently show up first in the EDR. 

Without direct access, responders are forced to rely on screenshots, summaries, or findings relayed through internal teams who are already under pressure. That is not a serious investigation. It is a game of telephone during a crisis. 

On Day Zero, responders need investigator-level access to EDR tools, visibility into process and network activity, the ability to query historical telemetry across hosts, and the authority to isolate systems or initiate containment when needed. If those permissions are not ready in advance, valuable time is lost, and the risk of misunderstanding grows. 

Logging and monitoring access 

Logs are how responders reconstruct the full story of an attack, not just what happened after detection, but what happened before it. Too often, organizations discover that their retention periods are designed for compliance or cost efficiency rather than investigation. 

Fourteen days of retention is common. Ninety days should be the minimum baseline. If an attacker has been active for six weeks before detection, a 14-day window means the initial access event, early reconnaissance, and much of the lateral movement may already be gone. 

Responders need access to centralized SIEM or log aggregation tools, firewall and IDS/IPS logs, VPN and remote access logs, email security logs, cloud and SaaS audit trails across all relevant tenants. If those logs are incomplete, siloed, or overwritten, responders are forced to make high-stakes decisions with partial evidence. 

Access must be real, not theoretical 

Access is only useful if it can be activated immediately. If access depends on a chain of approvals, manual setup, or first-time configuration, it will fail when the pressure is highest. 

Operational readiness means required accounts already exist across identity, cloud, EDR, and logging systems. MFA enrollment must already be completed. Permissions must already be approved and mapped to responder roles. The team responsible for enabling access must know exactly how to do it and must have practiced the procedure before. 

On Day Zero, access should function like a switch: predefined, controlled, and fast to activate. Anything else is a delay, and in incident response, delay always benefits the attacker. 

Communication under breach conditions 

Access problems receive the most attention in readiness discussions, but communication failures are just as damaging. Even with perfect technical visibility, an incident response breaks down quickly if teams cannot coordinate, make decisions, and share sensitive information securely. 

Assume normal channels may be compromised 

During an active breach, organizations should assume that email, chat platforms, and internal collaboration tools may no longer be private. If the attacker has access to those systems, then discussions about containment, investigative findings, and next steps may also be visible. 

That applies to internal conversations and communication with an external IR firm. Sharing credentials, containment plans, or investigative conclusions over a compromised channel can give the attacker visibility into your response in real time. 

Establish out-of-band communication 

Every organization needs an out-of-band communication method that is separate from corporate identity, production email, and the internal network. This could be a dedicated secure messaging platform, a preconfigured encrypted group, or a structured phone-based process. The specific tool matters less than the requirements. 

The channel must be independent of the compromised environment. It must include internal responders and external retainer contacts. It must support secure sharing of sensitive information. Most importantly, it must be tested. A communication channel that has never been used is not a response plan. It is an experiment being conducted in the middle of a crisis. 

Designate an incident manager 

Every response needs a single point of coordination. This is not necessarily the most senior person in the room. It is the person with the clearest operational ownership and the authority to keep the response aligned. 

The incident manager coordinates activity across security, IT, legal, leadership, and external responders. They control information flow, maintain a consistent picture of scope and status, and serve as the primary interface to the IR firm. Without that role, organizations drift into fragmented communication, conflicting instructions, and slow decision-making. 

Define stakeholder notification paths 

Who gets notified, when, and by whom should never become a live debate during an incident. Notification tiers need to be defined in advance. Internal escalation thresholds, executive updates, legal and regulatory decision-making, customer communications, and external messaging all need clear ownership. 

Organizations should also define exactly what information is shared with the IR firm on initial contact, who acts as the consistent liaison, and how updates are handled. Poor communication is not just inconvenient. It measurably slows containment and increases damage. 

Building a pre-approved IR access policy 

A pre-approved incident response access policy exists to eliminate decision-making overhead at the worst possible moment. When an incident is declared, the question of who can access what should already be answered. 

What the policy should define 

The most common failure in IR access policies is vagueness. A statement such as “responders will be granted appropriate access upon incident declaration” is not an operational policy. It is a placeholder that guarantees confusion later. 

An effective policy should clearly define who can declare an incident and trigger emergency procedures. This should not require a full executive chain. A CISO, security leader, or designated on-call authority should be empowered to make that call. 

It should define who can approve temporary access for external responders without reopening procurement, legal review, or vendor onboarding. Those controls matter, but they are not built for incident timelines unless pre-cleared. 

It should specify the scope of access by responder role, such as IR investigator or IR lead, rather than negotiating permissions during a live event. It should also define time-boxed access, with a clear review and revocation cadence, and designate who is responsible for removing access once the incident stabilizes. 

Finally, it should require post-incident cleanup, access validation, and governance review. Governance should catch up after stabilization, not slow down the first hours of investigation. 

Pre-created accounts and tested workflows 

Policy is only as good as the workflows behind it. If the accounts do not exist, the permissions have not been validated, or the identity team has never enabled them under realistic conditions, then the organization does not have a capability. It has documentation. 

Dormant IR accounts should be created in advance across the identity provider, EDR, SIEM, and cloud tenants. They should be disabled by default, with a documented and tested enable procedure. MFA enrollment should already be complete. Hardware tokens or secure authentication workflows should be assigned before an incident occurs. 

Role assignments should also be pre-approved. Enabling emergency access should be a single action, not the beginning of a conversation. 

Background checks and legal friction 

Background checks are a common friction point, especially in regulated sectors. The issue is not whether checks are appropriate. It is when they are enforced. 

If background checks are first raised during an active incident, the organization has already failed the readiness test. Reputable IR firms handle vetting, certifications, and internal controls during onboarding. Those conversations belong in the retainer setup phase, not in the first hours of a breach. 

The same is true of legal approval. If legal needs to decide in real time whether external responders can access production systems or regulated data, the response will slow immediately. Those decisions should be resolved before the incident. 

A practical Day Zero readiness checklist 

Organizations can test readiness by asking simple, operational questions. 

Can a dormant IR account be enabled and used to pull authentication logs within 30 minutes? 

Is a scoped read-only cloud role already defined, and are audit logs enabled across all relevant tenants? 

Does the EDR platform have an investigator role that an external responder can use immediately, with access to at least 30 days of historical telemetry? 

Can an external responder query the SIEM directly, and does retention cover at least 90 days across identity, endpoint, network, and cloud sources? 

Who can authorize host isolation, VPN shutdown, credential rotation, or account suspension, and has that authority been exercised in an exercise? 

If any of these questions produce hesitation, uncertainty, or the phrase “we’ll figure it out during an incident,” then that area is not ready. 

For organizations with an IR retainer, additional questions matter. Are dormant accounts already created for retainer responders? Is MFA preconfigured? Are legal approvals complete? Does the IR firm have current contact information for the incident manager, CISO, and identity lead? Is there an established out-of-band channel that includes the IR firm? Has the full activation workflow been tested in a tabletop exercise from initial call through working access? 

If several of these answers are no, the retainer is a contract, not an operational capability. 

What organizations commonly overlook 

Even mature organizations with strong security tooling and formal plans routinely discover important gaps only after a real incident begins. 

Backups are a common example. Many organizations know backup jobs are completing, but have not verified that backups are isolated from the environment that an attacker has already compromised. If the same credentials, networks, or service accounts can reach backup infrastructure, attackers may be able to destroy recovery options before deploying ransomware. A backup that has never been restored, and never been tested for isolation, is still an assumption. 

Containment authority is another frequent gap. Teams may know whether a system should be isolated or credentials should be rotated, but no one has explicit authority to disrupt operations. As the decision moves through leadership, legal, finance, or business operations, the attacker remains active. Prepared organizations decide in advance which systems can be shut down immediately, who can authorize those actions, and how emergency decisions will be escalated when necessary. 

Short or fragmented logging retention is also common. Logs may exist but only for seven to fourteen days, or they may be scattered across tools and teams with no centralized access. In those cases, the organization can often see what is happening now but not how it started. 

Untested response plans are equally dangerous. Many plans look complete in a binder and fail in practice because people do not know their roles, approvals take too long, and critical steps have never been exercised. Testing does not need to be elaborate. It needs to be realistic, cross-functional, and honest about what breaks. 

Finally, many organizations lack a current asset inventory or network map. Systems are deployed outside formal processes, cloud resources are spun up without central registration, and ownership is unclear. Responders cannot investigate what they do not know exists. Untracked assets are not just documentation gaps. They are blind spots that attackers actively exploit. 

A readiness exercise you can run now 

Most of the recommendations in this guide can be tested this week with the people and systems already in place. 

Start with access. Create dormant IR accounts and measure how long it takes to enable them. Attempt to pull 90 days of authentication logs. Ask your EDR administrator to create or validate an external investigator role. Confirm cloud audit logging is enabled across all relevant tenants and that a scoped read-only role can be activated immediately. 

Then test the response itself. Run a tabletop exercise in which the IR firm has just been called in. Measure how long it takes before they can access identity logs, endpoint telemetry, and cloud audit trails. Test whether the incident manager can be reached and whether the out-of-band channel can be established quickly. Run a containment decision through the approval chain and time it. 

Whatever fails in that exercise will fail the same way during a real incident. The difference is that during a real breach, the attacker is operating inside that gap while the organization is still figuring it out. 

Conclusion 

Readiness is not a policy document, a signed retainer, or a successful audit. It is the result of practical decisions made before an incident begins: access provisioned, authority clarified, communication paths tested, and operational gaps closed before an attacker can exploit them. 

The organizations that contain incidents quickly are rarely the ones with the most impressive slide decks. They are the ones who did the unglamorous work in advance. They created the accounts, tested the workflows, validated the logs, practiced the decisions, and ensured that when the call came in, the response could begin immediately. 

That is the real meaning of Day Zero readiness: not just having help available but being prepared to use it the moment it matters most. 

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.