Business Imperatives

Incident Response Lessons Learned in 2021

Real-world incidents reveal information about evolving tactics, techniques, and procedures. Sharing and applying that knowledge can help other organizations avoid similar compromises. Monday, March 21, 2022 By: Counter Threat Unit Research Team

The Secureworks® Incident Response (IR) practice plays a critical role supporting organizations impacted by a security incident. By leveraging expertise gained from working hundreds of engagements each year, Secureworks incident responders help customers through the difficult process of identifying, containing, and remediating a breach, ideally before it causes too much harm.

These engagements give Secureworks Counter Threat Unit™ (CTU) researchers valuable insights into the nature of the threats our customers face. We then use that enhanced knowledge about threat actor behaviors to inform and protect other organizations.

IR engagements in 2021 revealed several notable trends:

  • There were multiple high-profile ransomware incidents, including the attack on Kaseya VSA software in July. The number of ransomware engagements increased in the second half of 2021, and this trend was also reflected in the number of victims publicly named and shamed on ransomware leak sites.
  • For the first time, exploitation of unpatched vulnerabilities replaced credential abuse as the most common initial access vector. Organizations that do not implement a vulnerability management process are at significantly increased risk of experiencing a security incident.
  • Multi-factor authentication (MFA) remains important, as many attacks exploited remote access solutions that required only a username and password. However, correct implementation of MFA is increasingly critical as threat actors look for ways to bypass it.
  • Cloud environments offer security benefits but also introduce challenges around network visibility, access management, and evidence preservation. Organizations should ensure that they understand their cloud security control framework to avoid leaving gaps that a threat actor can exploit.
  • Business email compromise (BEC) can cost a victim millions of dollars. Secureworks incident responders consistently advised organizations to secure email and to monitor for spoofed domains, which are often leveraged in these attacks.

For more details and statistics, read our Learning from Incident Response: 2021 Year in Review report.

Learning from Incident Response: 2021 Year in Review

Get real-world insight into emerging threats and trends. Read the 2021 Incident Response Year in Review

If you need urgent assistance with an incident, contact the Secureworks Incident Response team.

originally published on

Related posts

Announcing the winner of the Secureworks® Cybersecurity Literacy Challenge


SOC Operations: The XDR Attributes that Matter


A Smarter Way to Prioritize Unpatched Vulnerabilities, Part 1