    the CYBER5

    The CYBER5 is hosted by Landon Winkelvoss, Co-Founder at Nisos, and features cybersecurity and investigations industry leaders' thoughts and answers to five questions on one topic on actionable intelligence to enterprise revolving around third-party risk management, adversary research and attribution, digital executive protection, merger and acquisition diligence, brand protection, disinformation, and cyber threat intelligence.
    Nisos, Inc. | 91 Episodes

    Episodes (91)

    Holistic Uses of PDNS and BGP Data to Address Intelligence Needs in the Private Sector

    In episode 70 of The Cyber5, we are joined by Open Source Context Director of Operations, Donald McCarthy.

    We discuss external telemetry available to the private sector, focusing on passive Domain Name System (passive DNS) data and Border Gateway Protocol (BGP) data. These data sets are critical for threat intelligence teams, as they often provide crucial information on attacker infrastructure for the SOC, but they also help solve problems and provide context on a much broader scale.

    Three Key Takeaways:

    1) What is Passive DNS and how is it collected?

    To simplify, passive DNS is a way of storing DNS resolution data so that security teams can reference past DNS record values to uncover potential security incidents or discover malicious infrastructure. Passive DNS is the historical phone book of the internet. Practitioners can collect it by:

    1. Collecting on the resolver: Have access to the resolver and enable logging on it, often termed “T-ing the resolver.” The client side of DNS is the resolver. A resolver is responsible for initiating and sequencing the queries that ultimately lead to a full resolution (translation) of the resource sought, e.g., translation of a domain name into an IP address. Resolvers handle queries in several modes, such as recursive, non-recursive, and iterative.
    2. Listening on the wire: Conventional DNS runs over UDP port 53 unencrypted, and many security teams deploy a sensor such as Bro (now Zeek), Security Onion, Snort, or Suricata that can collect and then parse the data.

    2) What is Border Gateway Protocol (BGP)? 

    1. BGP is designed to exchange routing and reachability information between autonomous systems on the Internet and is often complementary to passive DNS.
    2. If PDNS is the historical phone book of the internet, Border Gateway Protocol (BGP) is the postal service of the Internet. BGP is the protocol that makes the Internet work by enabling data routing. For example, when a user in Thailand loads a website with origin servers in Brazil, BGP is the protocol that allows that communication to happen quickly and efficiently, usually across autonomous systems (ASes). ASes typically belong to Internet service providers (ISPs) or other large organizations, such as tech companies, universities, government agencies, and scientific institutions. Much of this information is commercially collected and available.
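    As an added illustration of how the two data sets complement each other (example code written for this summary, not code from the episode or from Open Source Context), the Python below keeps a tiny passive DNS store fed with observations of the kind a resolver log or a port-53 sensor would emit, answers the two questions analysts ask of it (what did this name resolve to over time, and what else ever pointed at this value), and then enriches each address with its origin ASN by longest-prefix match over a BGP route table, so that a name moving between networks becomes visible. All names, addresses, prefixes, and ASNs are constructed sample values from documentation ranges and private ASN space.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed observations (timestamp, rrname, rrtype, rdata): the shape a resolver
# log or a port-53 sensor such as Zeek or Suricata would hand to a pDNS collector.
SAMPLE_OBSERVATIONS = [
    ("2021-11-01T08:00:00Z", "login.example.com", "A", "198.51.100.10"),
    ("2021-11-15T08:00:00Z", "login.example.com", "A", "198.51.100.10"),
    ("2021-12-01T08:00:00Z", "www.example.com", "CNAME", "login.example.com"),
    ("2022-01-05T08:00:00Z", "login.example.com", "A", "203.0.113.77"),
    ("2022-01-06T08:00:00Z", "updates.example.net", "A", "203.0.113.77"),
]

# Constructed routes (prefix, origin ASN) using documentation ranges and private ASNs.
SAMPLE_ROUTES = [
    ("198.51.100.0/24", 64500),
    ("203.0.113.0/24", 64501),
    ("203.0.113.64/26", 64502),  # more specific than the /24 above
]

@dataclass
class Record:
    rrname: str
    rrtype: str
    rdata: str
    first_seen: str
    last_seen: str
    count: int

class PassiveDNS:
    """Historical (name, type, value) store: the phone book with its back issues."""

    def __init__(self) -> None:
        self._records: Dict[Tuple[str, str, str], Record] = {}
        self._by_rdata: Dict[str, Set[Tuple[str, str, str]]] = defaultdict(set)

    @staticmethod
    def _norm(name: str) -> str:
        return name.lower().rstrip(".")

    def observe(self, ts: str, rrname: str, rrtype: str, rdata: str) -> None:
        """Fold one observation in, keeping first/last seen and a hit count per tuple."""
        key = (self._norm(rrname), rrtype.upper(), rdata.strip())
        rec = self._records.get(key)
        if rec is None:
            self._records[key] = Record(*key, first_seen=ts, last_seen=ts, count=1)
        else:
            rec.first_seen = min(rec.first_seen, ts)
            rec.last_seen = max(rec.last_seen, ts)
            rec.count += 1
        self._by_rdata[key[2]].add(key)

    def history(self, rrname: str) -> List[Record]:
        """Everything a name has ever resolved to, oldest first."""
        name = self._norm(rrname)
        return sorted((r for (n, _, _), r in self._records.items() if n == name),
                      key=lambda r: r.first_seen)

    def reverse(self, rdata: str) -> List[Record]:
        """Every name that ever pointed at this value (IP or CNAME target), oldest first."""
        keys = self._by_rdata.get(rdata.strip(), set())
        return sorted((self._records[k] for k in keys), key=lambda r: r.first_seen)

class BGPTable:
    """Longest-prefix-match lookup over (prefix, origin ASN) routes."""

    def __init__(self, routes: List[Tuple[str, int]]) -> None:
        self._routes = [(ipaddress.ip_network(p, strict=False), asn) for p, asn in routes]

    def lookup(self, ip: str) -> Optional[int]:
        addr = ipaddress.ip_address(ip)
        best = None
        for net, asn in self._routes:
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, asn)
        return None if best is None else best[1]

def hosting_timeline(pdns: PassiveDNS, bgp: BGPTable, rrname: str) -> List[Tuple[str, str, Optional[int]]]:
    """(first_seen, address, origin ASN) for each A/AAAA value the name has had."""
    return [(r.first_seen, r.rdata, bgp.lookup(r.rdata))
            for r in pdns.history(rrname) if r.rrtype in ("A", "AAAA")]

def asn_changes(pdns: PassiveDNS, bgp: BGPTable, rrname: str) -> List[Tuple[Optional[int], Optional[int], str]]:
    """(old ASN, new ASN, when) each time the name's hosting moved to a different network."""
    changes, prev, seen_any = [], None, False
    for when, _, asn in hosting_timeline(pdns, bgp, rrname):
        if seen_any and asn != prev:
            changes.append((prev, asn, when))
        prev, seen_any = asn, True
    return changes

def build_sample() -> Tuple[PassiveDNS, BGPTable]:
    pdns = PassiveDNS()
    for obs in SAMPLE_OBSERVATIONS:
        pdns.observe(*obs)
    return pdns, BGPTable(SAMPLE_ROUTES)

if __name__ == "__main__":
    pdns, bgp = build_sample()
    for when, ip, asn in hosting_timeline(pdns, bgp, "login.example.com"):
        print(when, ip, "AS", asn)
    print("also on 203.0.113.77:", [r.rrname for r in pdns.reverse("203.0.113.77")])
    print("hosting moved:", asn_changes(pdns, bgp, "login.example.com"))
```

    The reverse index is what turns a single indicator into a pivot: given one address, it returns every name that ever resolved there, including CNAME targets, and the ASN enrichment shows whether a name's move between addresses also crossed into a different network, which is the kind of context a SOC analyst wants before acting on a hit.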

    3) Use Cases for PDNS and BGP in the SOC:

    1. Identifying attacker or botnet infrastructure.
    2. Identifying all internet-facing infrastructure in business use.
    3. Identifying tactics, techniques, and procedures of attackers.

    4) Use Cases for PDNS and BGP outside of the SOC:

    1. Verify the internet-facing applications and infrastructure of merger and acquisition targets, including signs of compromise, as part of M&A diligence.
    2. Verify internet-facing applications, infrastructure, and signs of compromise for suppliers.
    3. Review competitors' staging infrastructure to anticipate product launches.
    4. Investigate threatening emails to executives.
    5. Investigate disinformation websites and infrastructure.

    5) Enrichment is King and Does Not Need to Be Resource Intensive

    If security teams are not engaging with the business to solve problems that put revenue generation at risk, data sets like PDNS or BGP do not matter. For example, if an organization does not control DNS at its borders, it loses a great deal of the visibility needed to reduce risk and potentially gives away proprietary information.

    Future of XDR, SIEM, SOAR, and Threat Intelligence

    In episode 69 of The Cyber5, we are joined by Lima Charlie’s CEO, Maxime Lamothe-Brassard.

    We discuss the future of what's known in the security industry as XDR, which is essentially an enrichment of endpoint detection response products. 

    Three Key Takeaways:

    1) What is XDR? It depends who you ask.

    XDR is not another tool, but merely an extension of Endpoint Detection and Response (EDR) products. Gartner expects 50% of mid-market buyers to adopt XDR strategies by 2027. For context, around 2010 cybersecurity vendors started building stronger antivirus solutions for endpoint computers and servers, called Endpoint Detection and Response (EDR). Antivirus was only catching malware with a known signature and could not detect the malicious lateral movement that is common in today's attacks.

    Every EDR platform has its own unique set of capabilities. However, common capabilities include monitoring endpoints in both online and offline mode, responding to threats in real time, increasing visibility and transparency of user data, detecting stored events involving malware injection, and creating blacklists and whitelists in integration with other technologies.

    Now that EDR solutions are firmly within the market, they need to be integrated with other tools, including threat intelligence, to be effective at scale for the enterprise. These massive integrations needed at scale, especially with the cloud, are what is starting to be defined as XDR. 

    2) What are the key integrations to EDR products to form an XDR strategy?

    a. Identity and Access Management: Gives visibility into who is accessing which applications and websites in the enterprise.

    b. Threat Intelligence: Information and artifacts from attacker infrastructure, previous compromises, and behavior that can be identified outside of firewalls. 

    c. Cloud and SaaS Logging: Any application in the cloud produces a log for access and use.

    3) XDR does not have to be expensive or manpower-intensive for SMB.

    a. Cloud, SaaS, and Identity Access Management produce logs that can be integrated into easy solutions that do not need to be complex products, particularly for SMB. 

    b. Enablement should be the critical aspect of XDR rather than more expensive tooling. 

    c. Easy, automatable solutions to apply security controls are the critical way forward for medium and large enterprises.

    Enterprise Stakeholder Management and the Use of Threat Intelligence

    In episode 68 of The Cyber5, we are joined by Executive Director and Head of Global Threat Intelligence for Morgan Stanley, Valentina Soria. 

    We discuss leading a large-scale threat intelligence program in the financial institution space and how to make intelligence absorbable by multiple consumers. We also talk about how intelligence teams can build processes and technology at scale to increase investment costs to criminals. Finally, we touch on large enterprises being a value-add to small and medium-sized businesses.

    Two Key Takeaways:

    1) Intelligence is Valued Differently By Different Stakeholders 

    1. Tactical, operational, and strategic intelligence gains can fill many gaps in business, inside and outside the security operations function.
    2. Good intelligence analysis should make business stakeholders rethink their assumptions about risk and address realities regarding specific scenarios around the state of the organization’s risk posture.

    2) Begin with the SOC, then Spread Across All Business Sectors 

    1. Cyber threat intelligence is a journey, and it takes time to realize a return on investment. Find coverage gaps in existing controls that already have metrics attached, and build on those metrics.
    2. Use metrics to help, such as:
      1. For SOC/CIRT Teams: The number of incidents and issues remediated,  quantity of vulnerabilities patched, and most importantly, enumerate or outline the loss that could have occurred from those exploited vulnerabilities.
      2. For Outside the SOC: Inform the business of any type of risk through tactical, strategic, and operational intelligence. 

    Value of Securing Containers in the Technology Supply Chain with Security Practitioner Julie Tsai

    Topic: Value of Securing Containers in the Technology Supply Chain

    In episode 67 of The Cyber5, we are joined by senior security practitioner Julie Tsai. 

    We discuss security and intelligence in modern-day technology platforms, concentrating on the impact that container and cloud environments have on the technology supply chain and how to secure them. Compliance and intelligence play a critical role in managing supply chain risk in application development. Specifically, when developers perform code commits and updates, we discuss how critical intelligence and compliance are to ensuring code is truthful, accurate, and complete.

    Three Key Takeaways:

    1) Containers and Virtualization Images Offer Repeatability But Also Potential for Compromise at Scale

    Containers give software developers the potential to establish an assembly line of repeatable, secure patterns because they are operating system agnostic. However, the upstream effort to harden the container and set the right images or configurations needs to be correct from the beginning. At the same time, mistakes can lead to a compromise at the container or host OS level that affects the container.

    Containers share the host kernel, with modular application containers and services layered on top. Therefore, security practitioners must be mindful of anything that can break out of a container. Furthermore, when hardening the host OS, they must ensure that a kernel-level memory compromise cannot impact all the dependent layers.

    2)  Supply Chain Risk with Containers

    Supply chain risk in technology is challenging because developers generally borrow code from other developers, and they don’t check libraries and dependencies for security issues. In addition, contractual agreements aren’t capturing all the supply chain pipeline nuances. It’s hard enough to know what’s happening inside an enterprise network, let alone understand the provenance and the chain of custody. 

    Security issues can get injected into the end product when a strict process for container changes is not followed. “Defense in Depth” is a classic security principle that applies to securing containers, for example through application and configuration management. In addition, source control, a commit trail, and fingerprinting of the different kinds of artifacts all act as checks that the correct code was deployed.
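    To make the fingerprinting idea concrete, here is an added example (written for this summary, not code from the episode or from Julie Tsai) that records a digest manifest for the files an image build copies in, re-checks the files against that manifest before building, and flags base-image references in the Dockerfile that are pinned only by a mutable tag rather than a content digest. The artifact contents, paths, and image names are constructed sample values.

```python
import hashlib
import hmac
import re
from typing import Dict, List

# Constructed sample artifacts (path -> content) standing in for the files an
# image build copies into the container.
SAMPLE_ARTIFACTS: Dict[str, bytes] = {
    "Dockerfile": b"FROM python:3.12-slim\nCOPY app /app\n",
    "app/server.py": b"print('hello')\n",
    "app/requirements.txt": b"requests==2.31.0\n",
}

def fingerprint(data: bytes) -> str:
    """Content digest in the registry-style 'sha256:<hex>' form."""
    return "sha256:" + hashlib.sha256(data).hexdigest()

def build_manifest(artifacts: Dict[str, bytes]) -> Dict[str, str]:
    """Record path -> digest at the moment the reviewed commit is approved."""
    return {path: fingerprint(data) for path, data in sorted(artifacts.items())}

def verify_manifest(manifest: Dict[str, str], artifacts: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Diff the files actually present against the manifest; all-empty lists mean clean build input."""
    report: Dict[str, List[str]] = {"modified": [], "missing": [], "unexpected": []}
    for path, expected in manifest.items():
        if path not in artifacts:
            report["missing"].append(path)
        elif not hmac.compare_digest(fingerprint(artifacts[path]), expected):
            report["modified"].append(path)
    report["unexpected"] = sorted(p for p in artifacts if p not in manifest)
    return report

def is_clean(report: Dict[str, List[str]]) -> bool:
    return not any(report.values())

_DIGEST_REF = re.compile(r"@sha256:[0-9a-f]{64}$")

def is_pinned_by_digest(image_ref: str) -> bool:
    """True when an image reference carries a content digest, not only a tag that can be re-pushed."""
    return _DIGEST_REF.search(image_ref) is not None

def base_images(dockerfile: bytes) -> List[str]:
    """Image references from FROM lines (small constructed parser for the common syntax)."""
    refs = []
    for line in dockerfile.decode().splitlines():
        parts = line.strip().split()
        if len(parts) >= 2 and parts[0].upper() == "FROM":
            operands = [p for p in parts[1:] if not p.startswith("--")]  # skip --platform=...
            if operands:
                refs.append(operands[0])
    return refs

def unpinned_base_images(dockerfile: bytes) -> List[str]:
    """Base images that a tag re-push upstream could silently swap out."""
    return [ref for ref in base_images(dockerfile) if not is_pinned_by_digest(ref)]

if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_ARTIFACTS)
    print("clean:", is_clean(verify_manifest(manifest, SAMPLE_ARTIFACTS)))
    print("unpinned base images:", unpinned_base_images(SAMPLE_ARTIFACTS["Dockerfile"]))
```

    In practice the manifest would be produced in CI from the approved commit and stored outside the build host, so that the comparison at build time is against a record the build itself cannot rewrite; the digest-pin check is the same idea applied one level up the supply chain, to the image the build starts from.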

    3) Threat Intelligence Fundamentals with Container Security

    A threat intelligence program needs to start by aligning with the business on its most prevalent threats. A banking site will have different threats than e-commerce, gaming, or a cryptocurrency exchange. Therefore, a threat intelligence program needs to be modular enough to scale to many types of threats as the business grows.

    More tactically, developers can't tear down containers every time a malicious actor scans the environment, or little work would get done. However, if a threat intelligence team notices regular, repeated scan attempts followed by authentication attempts against the environment, those types of intelligence alerts are fruitful.

    Intelligence programs show clear value in highly attacked industries (manufacturing, health care, retail, finance). The challenge comes when teams put blinders on and assume the only ways to be attacked are those described in routine threat intelligence blogs.

    Building a Security Team to the Business And Using Intelligence to Inform the Proper Risk Strategy with H&R Block CISO Josh Brown

    In episode 66 of The Cyber5, we are joined by H&R Block Chief Information Security Officer (CISO) Josh Brown.  

    In this episode we discuss the importance of building an informed security team that can collect intelligence and set a proper risk strategy. We have a frank conversation about what the business of security means and how to develop a team that understands multiple business lines, so that the security team anchors its security strategy to how the company drives revenue. We talk through how to do this at scale within the intelligence discipline, which touches many lines of risk, not just cybersecurity.

    Three Key Takeaways:

    1) Security Informs the Business to Make Risk-Based Decisions

    Security professionals must have a deep understanding of how the business functions in order to develop a proper risk-based approach. Security is a risk management function that puts up guardrails so the business avoids bad decisions and does not lose money. Intelligence is critical for gaining a 360-degree view, including fraud and the user segment of the network. Threat intelligence must be relevant to the specific business, not the industry overall. If there is a threat to a bank, that likely has nothing to do with a tax filing service.

    2)  Actionable Intelligence That Reduces Business Risk

    The industry has not secured an intelligence solution. Intelligence is an enrichment function, not the first line of truth about what to prioritize. Fraud and other business-specific data that result in business loss are equally important to funnel into traditional cybersecurity tools. Further, threat feeds and information must be bi-directional so that even competitors and businesses in the same location can understand when incidents are taking place. The threats that most companies face are not those that are regularly marketed, such as Advanced Persistent Threats. The cybersecurity industry does a poor job of providing the likelihood of a given advanced attack. Business email compromise, account takeovers, and fraud are still the most prevalent attacks, even against businesses that can afford sophisticated security technology.

    3) Actionable Intelligence That Gives Visibility into Supply Chain Risk

    “The perimeter” is no longer relevant the way it used to be. With work from home, the perimeter is as much about identity and access management (IAM) as it is about IP space. On third-party supply chain risk, enterprises currently implement scorecard tooling as an audit function so that when a software vulnerability is released, an enterprise can quickly query which suppliers use that library or dependency. Further, the supply chain is as much about business interruption (DDoS) as it is about suppliers that hold critical data. Major enterprises also care about their vendors' vendors being compromised, depending on the criticality of the data (fourth-party supply chain risk). Since the United States does not even have a standard breach notification law, it is going to be very challenging to share intelligence bi-directionally, let alone get developers to uniformly submit secure code.

    Brand and Reputation Intelligence: Open Source Intelligence That Drives Revenue Generation But Protects the Brand with Vizsense's Jon Iadonisi

    In episode 65 of The Cyber5, we are joined by Jon Iadonisi, CEO and Co-Founder of VizSense. Many people think of open-source intelligence (OSINT) as identifying and mitigating threats for the security team. In this episode, we explore how OSINT is used to drive revenue. We talk about the role social media and OSINT play in marketing campaigns, particularly around brand awareness, brand reputation, go-to-market (GTM) strategy, and overall revenue generation. We also discuss what marketing and security teams can learn from OSINT intelligence tradecraft, particularly when there are threats to the brand's reputation.

    Four Key Takeaways:

    1) Even in Marketing, Context and Insights Provide Intelligence, Not Data

    Raw data is not intelligence; rather, intelligence is a refined product where context is provided around information and data. Similar to the national security and enterprise security world, where adversaries are trying to commit crimes and espionage, businesses want to attract people to their brand. Open-source and social media information are powerful data points when analyzed, providing critical intelligence on what consumers and businesses want to buy. Every human being is now a signal no different from radio intercepts during Pearl Harbor. 

    2)  The Role of OSINT in Driving Revenue for the Brand; Quantitative and Qualitative Metrics

    In the security world, attribution to a particular organization is necessary to continue to receive fundraising, whether it’s a hacking group or a terrorist organization. In the marketing world, brand intelligence is a crucial piece in the following three elements to influence a person:

    1. Persuasive content
    2. Delivered from a credible voice
    3. Network or audience with a high engagement rate

    Open-source intelligence can be mined in a way that provides insights stronger than traditional marketing focus groups. While celebrities attract attention, people are likely to follow people like themselves, aka micro-influencers.  

    Quantitatively, increases in revenue, shares, and engagements are the critical metrics. Qualitatively, marketing teams can mine social media data to determine what people think about a particular product, to understand how the products are performing, and then to design and build future products. The crowd will tell a brand what they want and don't yet have, and that data can be used to build future products.

    3) Where Marketing Meets Security: Threats to Brand Reputation

    Security teams should work with marketing teams daily to protect the brand. In today’s threats to brands, the human dimension of what people say online is of equal if not greater importance than the technical signals that show a company has suffered a breach, particularly regarding misinformation and disinformation. The human dimension is converging with the technical dimension, and a truly holistic hybrid model is needed for enterprise security and intelligence teams. An example of a reputation threat that happens in business every day:

    1. Smear campaigns using disinformation and misinformation from competitors introduce uncertainty into a brand’s ecosystem.

    4) Where Security Meets Marketing: Privacy Taken Seriously That Enhances the Brand

    On the flip side, marketing teams should look for ways to promote the security of their products as business differentiators. Marketing teams should also consult with the security teams to understand all the different data lakes that are available in social media, dark web, and open source to ensure they can collect on the proper type of sentiment where brands are being discussed.

    Building an Intelligence Program to Protect Executives with Okta Senior Intelligence Analyst John Marshall

    In episode 64 of The Cyber5, we are again joined by John Marshall, Senior Intelligence Analyst at Okta. 

    We discuss building a threat intelligence program to protect executives, particularly on nuances of being a “solution-side security company”. We discuss a risk-based approach for protecting executives and the data that's important to aggregate and analyze. We also talk about success metrics for intelligence analysis when building an executive protection program.

    Three Key Takeaways:

    1) Plans, Actions, and Milestones

    Regardless of industry, connecting with your executive team on a personal level to establish trust is the first step in any executive protection program. Communicating plans, actions, and milestones is critical. Within these three segments, intelligence requirements should be tiered into three groups: strategic, operational, and tactical.

    • Strategic: Security of the people, security of places, and security of the brand
    • Operational: Methodologies and means a security team is going to use to monitor for threats to the brand. Specifically, collecting intel on current events, private investigation, travel tracking for executives, and a company-wide messaging system to track employees
    • Tactical: Day-to-day implementation of integrating the strategic and operational methodologies

    2)  Distinguishing Between Targets of Opportunity and Targets of Attack

    Typical items to review when protecting executives:

    • Weather that’s going to impede movement
    • Social media activity that reveals plans for protests or riots near a location of interest
    • Natural disasters 
    • Geo-political events

    The primary mechanisms to protect against targets of opportunity:

    • Background checks
    • Social media monitoring, includes OSINT monitoring and analysis 

    When a target of opportunity appears to escalate into a target of attack, private sector security teams often lack an action arm to dispel that threat and have to rely on law enforcement for investigations.

    Intelligence analysis and determination of facts should be pursued on any threat so that security teams can effectively request law enforcement intervention, equipped with more information that will allow a faster response.

    3) Articulating Success Metrics 

    Pinpointing the right event is the most critical of success criteria. Executing the intelligence cycle of planning, collecting, exploiting, analyzing, and disseminating information that an executive can use to answer a “so what?” is still a nuanced concept for many private sector organizations. 

    Documenting “wins” and “losses” is equally critical. Security is a risk management function that exists to keep the workforce safe and doing their jobs.

    Whether it's getting an executive out of a traffic jam or informing a team of a hurricane happening during a conference that mitigates injury, these should be documented for value-based metrics. 

    January 25, 2022

    Defining Metrics for Attribution in Cyber Threat Intelligence and Investigations

    In episode 63 of The Cyber5, we are again joined by Sean O’Connor, Head of Global Cyber Threat Intelligence for Equinix. 

    We discuss attribution in the cyber threat intelligence and investigation space, and what the private sector can learn from public sector intelligence programs. We also discuss different levels of attribution, the outcomes, and the disruption campaigns that are needed to make an impact on cybercriminals around the world. We define the impact of attribution with different stakeholders throughout the business and how the intelligence discipline will likely evolve over the next five to 10 years.

    Five Key Takeaways:

    1) Lessons For Private Sector Intelligence Teams from Public Sector National Security Apparatus (Intelligence Life Cycle, MITRE ATT&CK, Cyber Kill Chain)

    Many cybersecurity best practices and frameworks originate from the US public sector:

    • Intelligence life cycle: Defining priorities and communicating intelligence to stakeholders
    • Lockheed Martin Cyber Kill Chain: Defining broad malicious actions in IT networks
    • MITRE ATT&CK Framework: Identifying more specific malicious movements in IT networks
    • Structured analytical techniques by CIA analysts, such as Richard Kerr. 

    2)  Attribution is Critical in Cybersecurity to Warrant an Action

    Attribution of cyber threat actors by industry is still important as a starting point for deriving appropriate controls for the SOC and the CERT within a large organization. How these threats pose a risk of monetary loss is an important element of context when presenting them to business executives. Here are two typical starting points:

    • Review phishing telemetry for common TTPs and create rule-based detections based on phishing infrastructure used by actors. 
    • External threat landscape assessment for TTPs, resulting in targeted threat hunts for the most notorious ransomware gangs. Creating custom detections is typically the outcome until the appropriate disruptions can be put in place.

    3) Disruption Campaigns Happen with Successful Information Sharing

    Successful disruption campaigns come from non-public information sharing between vendors, enterprises, and public sector institutions like CISA or the FBI. They typically do not originate from marketing blog posts. 

    4) Threat Intelligence is a Service-Based Role that Goes Beyond the SOC

    Success in cybersecurity (SOC and CERT) is keeping security incidents limited to “events” and ensuring they do not escalate into breaches. This occurs from multiple stakeholders having the proper visibility to ensure network telemetry is complete, accurate, and truthful. However, due to the services nature of intelligence work, it goes beyond just the SOC. 

    5) Threat Intelligence Should be a Floating Team to the Business

    Threat intelligence should be a floating team that can operate outside of the SOC and is an asset to the overall business, not just limited to combating cyber threats. Often executives want intelligence on mergers and acquisitions and market entry in a given geopolitical area, and threat analysis needs to be tailored to different customers. A Chief Intelligence Officer may be more widely accepted in the future as the needs of the business expand and diversify.

    Introduction to Cryptocurrency Investigations

    In episode 62 of The Cyber5, we are again joined by Charles Finfrock, CEO and Founder of Black Hand Solutions. Charles was previously the Senior Manager of Insider Threat and Investigations at Tesla and prior to that, he worked as an Operations Officer for the Central Intelligence Agency. 

    We discuss the generalities of cryptocurrency and go into the tactics, techniques, and procedures for conducting cryptocurrency investigations. We also discuss some case studies and what proper outcomes look like for making it more expensive for the adversaries to conduct their operations in this generally unregulated world.

    Three Key Takeaways:

    1) Generalities, Functionalities, and Value of Bitcoin and Cryptocurrency

    In its simplest form, cryptocurrency is digital coins or money (Bitcoin and Ethereum being the most popular). It is not run or governed by a central authority, but by a mathematical algorithm that verifies the transactions, controls the supply of the coin, and runs on the blockchain.

    Blockchain, as it pertains to cryptocurrency, is a ledger that verifies what has been sent and received from an account. It is pseudonymous, not anonymous, which is why criminals have been leveraging it so aggressively.

    When Bitcoin is transacted, the amounts sent and received are recorded on the Bitcoin ledger (blockchain) and associated with a cryptocurrency wallet address. Criminals think they can hide their identities because no formally validated identity through a central authority is needed.

    Since cryptocurrency is not controlled by a central government, no one can modify the supply of a particular cryptocurrency. It derives value in the same way the US dollar used to derive value from gold: scarcity. The argument for Bitcoin's value is similar to that for gold, a commodity that shares characteristics with the cryptocurrency. The supply is limited to 21 million bitcoins, and Bitcoin's value is a function of this scarcity.

    2) Conducting Cryptocurrency Investigations - Decreasing Return on Investment to Criminals

    When criminals first started using Cryptocurrency in 2012 it was because they thought they could hide their identity. At the time, tools were not available to law enforcement to unmask and attribute actions to persons. That has changed. 

    The two kinds of investigations that clients engage in are reactive and proactive. Reactive are when scams have already been perpetrated against their brand. Proactive are when security teams engage with actors to derive the scam before a significant amount of loss occurs.

    Legal and technical methods can be deployed to “burn down the infrastructure” and decrease the return on investment for online criminals. Often an outcome is to contact a centralized bank or cryptocurrency exchange (e.g., Coinbase) that is linked to the cryptocurrency as a means to “cash out” the criminal proceeds, report the fraud, and disrupt the activity, thus increasing the costs to the criminals.

    3) Provenance and Repudiation To Understand Truth, Accuracy, and Completeness

    As with any online crime investigation, investigative techniques identify stylometric attributes of the criminal infrastructure that reveal the provenance of the malicious actor's data. The result gives authorities the ability to repudiate the scheme in the future.

    Often what we look for are lapses in operational security by the threat actors, which include but are not limited to the following:

    • An actor registered a domain and failed to enable private registration before correcting their mistake.
    • An actor forgot to use their VPN or proxy to connect to their C2 infrastructure and revealed their source IP range.
    • An actor reused certificates on different infrastructure or failed to properly encrypt their C2 traffic.

    Going a step further, we pivot from technical analysis to open source intelligence (OSINT) to add valuable context to the nature of the threat an organization faces. By exposing network infrastructure and drawing associations using threat information and other technology-enabled OSINT connections, we can determine the motivation and sophistication of the threat. We assess characteristics such as: 

    • Content, stylometric attributes, and similarities between criminal persona accounts and true-name accounts.
    • Re-use of content in a spearphish that was similar to content existing elsewhere, such as blog or social media posts.
    • Re-use of usernames or email addresses to register a malicious domain or subscribe to a third-party file server or virtual private server.
    • Photographs that provide traceable location details such as landmarks or geographical attributes.
    • Screenshots, files, or photos used by the actor that leave vital forensic clues revealing real identity or location. 
    • Details ascertained through direct engagement with the threat actor.

    Combating Account Takeovers and Fraudulent Websites at Scale for SMB

    In episode 61 of The Cyber5, we are joined by Josh Shaul, CEO of Allure Security.

    We discuss cybersecurity and account takeovers. We focus on the lifecycle of an account takeover, how to permanently solve it, and how to show a clear return on investment to small business owners. We also talk about how to impede attackers by making their efforts more costly and difficult.

    Four Key Takeaways:

    1) Account Takeovers

    An account takeover is a form of identity theft and fraud in which a malicious third party successfully gains access to a user's account credentials. These attacks previously targeted large enterprises but are now targeting SMBs.

    2) Disrupting the Return on Investment Against an Attacker

    Automating defenses and rapidly removing fake websites raises attackers' costs and lowers their rate of success.

    3) Too Much Marketing Focus on APTs

    A lot of cybersecurity products and technology focus on advanced persistent threats (APTs) and ignore the threats that matter. Organizations can best protect themselves by mapping technology to the threats that are actually targeting them.

    4) Intelligence Must be Actionable

    Making intelligence actionable is necessary for proper security regardless of an organization's size. For many organizations, this is most easily achieved through managed service providers that supply the people, process, and technology that are otherwise not attainable for small enterprises.

    Combating Terrorist Messaging on the Open Internet

    In episode 60 of The Cyber5, we are joined by Tom Thorley, the Director of Technology at the Global Internet Forum to Counter Terrorism (GIF-CT).

    We discuss the mission of GIF-CT and how it has evolved over the last five years, with particular interest in violent terrorist messaging across different social media platforms. We also discuss the technical approaches to countering terrorism across platforms and how the organization accounts for human rights while conducting its mission.

    Four Key Takeaways:

    1) The Evolving Mission of GIF-CT

    GIF-CT combats terrorist messaging on digital platforms and is particularly focused on removing live streaming of violence. It was founded in 2017 by Microsoft, Facebook, YouTube, and Twitter, mostly to combat advanced ISIS messaging efforts across their platforms, particularly after several high-profile terrorist attacks were live streamed.

    GIF-CT has grown to include 17 different technology companies that participate in the mission of combating terrorist exploitation of their platforms. Since ISIS has been degraded over the last three years, GIF-CT has expanded their mission to include supporting the United Nations Security Council’s Consolidated Sanctions List. 

    2) Behavioral Models as Opposed to Group Affiliation

    Due to the fast adaptation and evolution of terrorism, GIF-CT has moved to track behavioral models of violence rather than attempt to focus on known terrorist groups. They built out an incident response framework to review emergency crisis situations using technology called “hash sharing.” Now, they are looking at expanding into:

    • Manifestations of terrorist attacks just carried out
    • Terrorist publications (Inspire Magazine by al-Qaeda) with specific branding
    • URLs, videos, and images where specific terrorist content exists across platforms

    3) Hash Sharing Across Social Media Platforms with Content

    User-created content is not tied to an identifiable individual the way an IP address is generally tied to a device. When GIF-CT hashes videos, it uses not only traditional MD5 hashes but also perceptual hashes, which are locality sensitive. These hashing techniques, and the different algorithms provided by the technology companies, allow images, videos, and URLs to be flagged and potentially removed from a platform in close to real time.

    New hash sharing technology is being explored for PDFs. The need arises in part because existing PDF detection targets malware, where the PDF's backend code has been manipulated, whereas terrorist manifestos are unmodified documents: the problem is the content itself. GIF-CT is exploring technology that can hash specific content strings within PDFs for alerting.

    4) Optimizing for Human Rights

    GIF-CT hashing algorithms minimize the impact on human rights during emergency situations and differentiate between legitimate journalism and normal discord between people on the platform. GIF-CT pursues extensive transparency initiatives that focus its algorithms on violent extremism.

    The Business of Security: Positively Influencing Profit and Loss

    In episode 59 of The Cyber5, we are joined by active security compliance practitioner, Dylan McKnight.

    We discuss the business of security. We unpack how security can be effective at driving profitability rather than being just a cost center for an organization. We discuss how compliance measures can drive meaningful metrics around profitability and avoiding breaches. And finally, we talk about where threat intelligence provides the proper risk-based approach for security teams in this process.

    Five Key Takeaways:

    1) Making “Security” Be Seen as More than Just a “Cost Center”

    Prioritize external-facing business leaders and help them become security stakeholders. Give Sales, Customer Success, and Marketing a reason to care about security. In the technology space it's important to understand how your organization makes money. You must embed security practices into contracts to ensure your organization is a good steward of each department's data. Third-party risk management processes are an example of how this shows up in everyday practice.

    In the pre-close world, work with the sales team to ensure security functions help close deals faster. As a communicator, you must also improve customer relationships through privacy programs and a good incident notification policy after the sale.

    You must still maintain key relationships with necessary internal stakeholders such as:

    • Internal auditors who will answer to regulators (SOC 2, ISO certification, etc.)
    • The engineering team and its product development cycle
    • Legal and HR

    2) Security Roadmap is Critical with Limited Resources

    It's critical for security practitioners to understand that the vortex of power within technology teams is centered around the sales and product engineering teams. Security practitioners lament that they don't get enough time in front of internal decision makers; that is why they need to embed themselves in the sales cycle. Critical security functions such as identity and access management (IAM) and file integrity monitoring have value, but they are time intensive and don't necessarily improve the bottom line unless they are part of customer contracts.

    However, privacy requirements are becoming critical to engineering and sales teams and a security program should be adapted to meet those needs first.

    3) Developing GTM-focused Security Playbooks that Scale with Business Growth

    Risk assessments of what could cause the most business loss are an important starting point, backed by standards and controls that align to this potential loss.

    "Move fast and break things" can produce monetary losses through security failures, so it's important to attend quarterly business reviews with the sales team and understand the pain points in the sales process. Security should exist to help sales move through the process faster while illuminating potential risk.

    4) Compliance is Important for Maintaining Customers

    It’s cheaper to keep existing customers than gain new customers. To keep existing customers, trust becomes a critical aspect. Transparency around security controls and incident notification with your customers can go a long way to keeping them satisfied during renewals. 

    Compliance standards that meet these transparency requirements are beneficial for building trust with customers including the right levels of monitoring of cloud infrastructure and managed detection and response. It’s important to understand how all the different teams use data in the environment and protect what really matters, which in technology companies is usually the “least privilege” permissions around the production environment. 

    5) The Role of Threat Intelligence in Risk Assessments

    Risk-based approaches are always a good starting point. Threat intelligence should focus on who is actually attacking your organization, how, and why. Simple defenses should be built around threats that are happening, not just what is possible. This means not only monitoring the dark and open web, but also closely analyzing your firewall logs and taking an "outside-in" view that enriches your internal telemetry with external signals for more risk-based context and prioritization.

    Tips on Recruiting and Retaining Cybersecurity Talent

    In episode 58 of The Cyber5, we are joined by Magen Gicinto, Director of People Strategy and Culture for Nisos.

    We discuss the "Great Resignation" that is happening in the work environment during the COVID pandemic and how to realign your "people strategy" to recruit and retain the best talent in spite of those challenges. We address the aspects of recruiting and retaining the best talent and how to calibrate total rewards in consideration of employees' ever-changing motivations. Finally, we cover the nature of startup culture in the technology sector and the convergence of generalists and specialists in high performance organizations.

    Four Key Takeaways:

    1) Recruiting and Retaining Talent During the COVID-19 Pandemic

    Employees who would otherwise have left their jobs decided to stay put during the pandemic. Now, even though we are still in the throes of the pandemic, people feel safe to move jobs again, which is leading to unprecedented turnover in the global workforce. In fact, according to statistics published by the U.S. Department of Labor, voluntary turnover dipped significantly in 2020, but in early 2021 it jumped higher than ever before, with 4 million people leaving jobs in April 2021 alone in the U.S.

    Employees who are looking for new opportunities and want to integrate work/life responsibilities are looking for employers who support those values. What remains constant is that employees continue to want opportunities for career advancement and building their skill sets.

    One core solution for employers is to reimagine the employee experience so you can keep your best people and recruit great talent. Understanding what your employees value and what motivates them is key to reducing churn and attracting new people. High performing People Strategy departments are adept at creating employee engagement, from onboarding through the employee lifecycle, that help to continue to satisfy employee motivations throughout their tenure with an organization.

    2) Experiential Support to Employees Is Critical 

    Organizations that invest heavily in creating the best employee experience will have better success at recruitment and retention. Organizations and teams are most successful when the organization’s strategies, structure, and culture are aligned. 

    During the infancy stage of startups, there is little consistency for people to hang on to. Leaders are focused on doing what they can to source and hire the best talent, while outsourcing other services. Once you move past the infancy stage and start growing, your attention needs to move to ensuring stability and creating a life cycle for employees.

    Employees who are embedded into the organization from day one through a strong onboarding regimen will have more staying power and satisfaction with the organization. While white-glove onboarding is not always achievable at a startup (because of lean staffing), companies that can find the resources to do so win it back with stronger employee integration from day one.

    3) Challenge Playbooks to Create the Best Employee Experience

    Here are some ways to create an environment where employees can succeed and grow within an organization. This is especially crucial within cybersecurity, where the stakes are higher and the goalposts move faster.

    • Set clear goals
    • Be consistent in performance management
    • Understand what obstacles keep employees from performing at their best so you can help remove the barriers to their success
    • Keep the lines of communication open 
    • Have honest, fact-based conversations so that when they have concerns about their job or their performance, you’re prepared to address things with perspective. 

    4) Prevent Silos and Bring People Together When New Departments are Created

    When recruiting, look for talent who create value and can deliver on company objectives. Employees want to have purpose in their work and know that they’re making a difference. As a startup organization, you have a great opportunity to create and influence organizational decisions and add value. Hire individuals who are up for the challenge and want to lean into the company’s goals with the team.

    To avoid departmental silos, it’s important to:

    • Attract and help select the best talent that meets the business’ needs
    • Close any skills gaps
    • Recruit people who value differences in perspectives
    • Look for ways to create new and better ways for the organization to be successful
    • Hire people who are likely to drive results and tackle new challenges using both success and failure as learning opportunities 

    Bringing different departments into the recruitment and retention process helps avoid silo-type organizations. It creates more alignment and helps employees understand what's going on in the business. Once a new hire comes on, all of the departments are similarly invested in the individual and can incorporate them, which allows them and you to begin to utilize their skillsets effectively.

    Evolution of Incident Response Playbooks in the Last Five Years

    In episode 57 of The Cyber5, we are joined by Colby Clark, Director for Cyber Threat Management. He’s also the author of the recently published book, The Cyber Security Incident Management Master’s Guide.

    We baseline incident response playbooks around the customer environment, threat landscape, regulatory environment, and security controls. Afterward, we discuss how incident response (IR) playbooks have evolved in the last five years and how they have scaled in the cloud. We discuss the telemetry that is critical for an IR team to say with confidence that its account of an incident is accurate, complete, and truthful, in order to avoid breaches. Lastly, we discuss the criticality of threat intelligence in the IR process and what boards really care about during an incident.

    Four Topics Covered in this Episode:

    1. The Shift in Incident Response Playbooks

    Playbooks used to be contact lists and an outline of the roles and responsibilities of who to call during a cybersecurity incident, typically based on recovery from natural disasters. Today, threat-based playbooks are more specific and actionable, tailored to enterprise environments that were built around compliance and insurance requirements.

    In Clark's book, and in his work with clients, 13 distinct domains are relevant for baselining these playbooks, including customer environment, threat landscape, regulatory environment, and security controls. Most importantly, incident management is a repeatable process over a period of time that adapts to regulators. Enterprise solution tooling is always behind the tooling of the attackers, and therefore gap analysis within IR playbooks is a constant job for any IR team.

    2. The Need for Consolidating Cybersecurity Solution Tools
    • Security practitioners sometimes struggle with knowing the business functionality of applications and systems within enterprise networks, which makes identifying what is normal or malicious challenging.
    • If security technology is not tuned with consideration for the people and process involved, the tooling is useless.
    • The pervasiveness of network encryption is making network traffic analysis tools increasingly irrelevant; to reduce visibility gaps, all important telemetry is moving to the endpoint (devices, servers). Because big companies cannot have endpoint detection and response (EDR) agents on every endpoint, some network traffic capture is still important to track.
    3. Incident Response Migration and Evolution to the Cloud
    • Tooling: In 2014, EDR tools started to be developed that took over from anti-virus software, and they have since detected 80% of breaches. EDR, and now XDR (Extended Detection and Response), solutions that operate in the cloud (AWS, GCP, Azure) are the only means to quickly detect and recover from cyber incidents, especially with a distributed workforce.
    • Protecting the Environment: Customer applications that run on cloud servers (production and non-production) bring tremendous frustration for incident response efforts. They do not have visibility on par with their physical counterparts, particularly with containers. They have reduced controls and limited investigative capabilities, allowing malicious backdoors into environments.
    • Important Strategies: First, maintain, update, and patch baseline images for containers. Second, turn on logging; nothing is logged in cloud environments by default. Companies have to pay extra to turn on logging and pay additional licensing fees for security tools (CloudTrail logging for AWS, for example). Third, turn on network decryption at the right points. Last, keep EDR tooling maintained.
    4. The Importance of Threat Intelligence in Cloud Security
    • Threat intelligence should be built into EDR logging by default and will likely be part of the XDR paradigm in the future.
    • A deep dive RFI (request for information) capability must also be included to ascertain whether the intelligence is directly relevant to the organization or just an industry trend.

    Use of Intelligence for Corporate Security Programs

    In episode 56 of The Cyber5, we are joined by Ray O’Hara, Executive Vice President for Allied Universal.

    We discuss the use of intelligence for corporate security programs, usually overseen by a Chief Security Officer (CSO). We talk about some of the challenges this role faces and how intelligence can be actionable to mitigate those risks. We also work through various case studies, talk about metrics for success, and what technology platforms are used to aggregate intelligence that might be useful in the future.

    Four Topics Covered in this Episode:

    1. Role Shift for Chief Security Officers (CSO)
    • For many large organizations, the chief security officer is the chief strategist for organizing the holistic security strategy and obtaining board approval for it.
    • CSOs are no longer in the day-to-day planning around "guns, guards, and gates." Instead, they are more strategically focused on business continuity, emergency planning, and crisis management.
    • Risk to business leaders drives the daily activities of CSOs. They need to understand that other business leaders may choose to work around a threat to execute against profit and loss.
    2. Intelligence Sources for Chief Security Officers
    • Having a dedicated intelligence analyst is an important asset to a chief security officer.
    • Emerging markets, information on key suppliers, and competitor data are routine tasking for an intelligence analyst who is subordinate to the CSO.
    • Since security is a necessary cost center within the administrative function of organizations, intelligence analysts need trusted partners to handle the collection and analysis side of intelligence, including social media. Additionally, intelligence analysts ensure that collection and analysis are tailored to business management requirements.
    3. Sentiment Analysis Combines CISO and CSO Functions
    • Negative sentiment analysis against a company's brand traditionally falls within the CSO's GSOC function. However, this responsibility is starting to move toward information security because of threats to the confidentiality, integrity, and availability of data, systems, and networks that originate on the Dark Web. As long as coordination is present, it doesn't matter whose lane covers social media sentiment analysis.
    4. Social Media Monitoring Critical For Reducing Executive Protection Resources
    • Executive protection is expensive when a physical security threat escalates. Effective social media monitoring and direct threat actor engagement help to derive the most accurate protective intelligence. They can be a more cost-effective way to monitor the danger without 24x7 surveillance.

    Evaluating the Conundrums of OT Security in the Energy and ONG Industries

    In episode 55 of The Cyber5, we are joined by Nate Singleton, a security practitioner who was most recently the Director of IT, Governance, and Incident Response at Helmerich and Payne.

    We discuss the conundrums of operational technology security within the gas and energy sectors, including risks downstream and upstream. We also compare the aggressive and constant need for interconnectivity on the information technology and operational technology sides of the house to show that events like the Colonial Pipeline ransomware attack are probably just the beginning of future attacks against critical infrastructure.

    We also discuss what more major oil and gas companies can do to help improve cybersecurity for the small companies that are critical in the oil and gas supply chain.

    Five Topics Covered in this Episode:

    1. Operational Technology is Built to Last, Bringing Nuance to Security
    • The underlying technology controlling oil, gas, and energy PLCs runs on old Linux and Windows servers from 20 years ago, and patching for upgrades is expensive and takes a lot of downtime.
    • Routine vulnerability scanning against an entire IP block, often seen within regular IT environments, can cause major damage in OT environments, even resulting in the loss of human life, if not conducted carefully and properly.
    2. Interconnectivity Comparisons Between Legacy Silicon Valley Tech and Operational Tech Development
    • Security takes a back seat in operational technology for the energy industry, just like it does for Silicon Valley product development.
    • The bigger challenge is often integrating regular IT and application development that needs constant upgrades with OT technology that can't take the upgrades on time. A "move fast and break things" mentality in OT could get someone killed.
    • Ransomware and other malware events have the capacity to take down OT production lines for weeks, costing millions of dollars.
    • The Colonial Pipeline ransomware event attacked only the IT environment, not the OT environment, yet it demonstrates the potential for future calamities to occur.
    3. Attacks Against Oil and Gas are Geopolitical in Nature and Will Likely Get Worse
    • Attacks against critical infrastructure are going to get worse. They are often conducted by nation states that have the time to build exploits against the IT environment and are also leveraging sophisticated OT technology.
    4. Strategies for Protecting Operational Technology in ONG
    • OT security is largely about protecting the IT administrator who can access oil rigs, energy systems, and OT devices.
    • Reporting must make it from the OT systems to the corporate IT systems so that the business can see profit and loss. Therefore, many critical infrastructure operators use the Purdue Model to segment the different layers of network infrastructure, from the machinery up to the different levels of the corporate environment, so that customers can be billed. More granular strategies include:
      1. Updated EDR products in the corporate environment
      2. Multi-factor authentication separating corporate and OT environments
      3. Separate domains for engineers to browse the internet, check email, and upgrade software on the OT networks
      4. Robust firewall policies on the network layer controlling port and protocol connectivity back and forth
    5. Threat Intelligence for OT Security
    • Integrating Indicators of Compromise (IOCs) into a SIEM has become an antiquated practice, but IOCs are still valuable for OT environments since those are modeled around constant connectivity and uptime.
    • Client-specific intelligence about what threat actors are doing is most critical, because remediations will take place over weeks and months. A cost-benefit analysis is always going to be applied when allocating resources to fix vulnerabilities. A "block all" approach to threat intelligence is not going to work.

    Personal Information Exposure Can Lead to Disaster

    In episode 54 of The Cyber5, we are joined by Aaron Barr, Piiq Media’s Chief Technology Officer.

    We discuss how data breaches are combined with other open source information to paint a more holistic target profile for bad actors. We also discuss the true information anchors and weaponization that can lead to an online attack against someone. Finally, we discuss what executives and individuals can do to protect themselves and how protective intelligence is playing a greater role in physical security.

    Four Topics Covered in this Episode:

    1. Common Information Anchors Used to Attack Someone Online
      1. Connection to an organization indicating that someone is likely a high net-worth individual.
      2. Communication platform for content delivery, including email address, social media platform, phone number, etc.
      3. Context for authenticity. The social engineering approach must have the right information about an individual for increased success.
    2. Best Practices for Staying Safe on the Internet
      1. Keep social media postings about personal information, locations, jobs, and education as simple as possible. Be careful not to post pictures with background details that give your location or family profile to potential attackers.
      2. Ensure profile pictures are minimal, as those are public regardless of whether everything else is private.
      3. Password managers should be used for personal accounts.
      4. People should have at least three personal email addresses. Email addresses should be siloed: a) social media accounts, b) bank accounts or personal information, c) throwaway addresses for rewards, e-commerce, and gifts.
    3. Education and Awareness Training Still Important

    Education to executives and the workforce about simple technology such as the ability to flag suspicious emails that get escalated to the security team still goes a long way in securing the workforce.

    Thinking about Cybersecurity Challenges in the Geopolitical and World Economic Context

    In episode 53 of The Cyber5, we are joined by Ciaran Martin, the former United Kingdom National Cybersecurity Center CEO and former Director General for Cybersecurity of GCHQ. He is currently a professor at the University of Oxford and a strategic advisor for Paladin Capital.

    We discuss the political, legal, and ethical challenges of today's ransomware threats and the corresponding nation state challenges of Russia, China, and Iran. We also discuss what the U.S. and global economies can do to reduce these threats and how the financial industry can assist in a greater capacity.

    Four Topics Covered in this Episode:

    1. Ransomware’s Social Impact Escalates to National Security Priority

    With semiconductor shortages caused by the pandemic and corresponding geopolitical rifts between the U.S., Russia, and China, ransomware is at the center of national security threats. While ransomware actors are just organized criminals, three characteristics have made this a broader national security threat:

    1. Russia and surrounding states allow criminality to flourish.
    2. Cybersecurity problems exist in western economies due to vulnerabilities caused by poor security practices within development lifecycles.
    3. Ransomware business models position criminals for success. Executives don't understand cybersecurity, and immediate business impact motivates them to pay the ransom.
    2. China Wants Authoritarian Control over Technology; Russia Wants a New Cold War

    The U.S. and Western model of technology has created flaws that lead to ransomware. The “move fast and break things” mantra of Silicon Valley prioritizes connectivity over security. The Chinese model is one of consistent integration, overwatch, authority, and frugality. Russia seeks regional control and the overall weakening of democracies through disinformation and offensive computer network exploitation operations.

    3. Commonalities and Differences of Combating Ransomware Actors and Other Non-State Actors

    Key Differences:

    Ransomware actors are not yet causing widespread harm to individuals. If this starts to occur, we could see increased offensive campaigns against ransomware actors similar to what we have seen against other non-state actors.

    Non-state actors of the last 15 years were usually under a failed state whereas ransomware actors enjoy state protection in many cases.

    Key Commonalities:

    The world economies will eventually join to stop the movement of money that is used by ransomware actors, repeating what happened to the non-state actors of the last 15 years. 

    4. The Financial Sector Must Step Up to Stop Ransomware

    Cybersecurity risk is well understood by the major financial sectors as it pertains to their own security. Cybersecurity, fraud, insider theft, and general resilience are well understood and defended by the major banks. The cryptocurrency and money laundering aspects of cybersecurity are still major opportunities for the financial institutions (FIs).

    Evolution of Nisos Over the Last Six Years from the Operators

    In episode 52 of The Cyber5, we are joined by Nisos Managing and Technical Principals Robert Volkert and Travis Peska who lead operations within the Pandion Intelligence team. 

    We talk about the evolution of Nisos over the past six years, including how we now position ourselves within the private sector threat intelligence market under our new Chief Executive Officer, David Etue. 

    Our managed intelligence mission combines open-source intelligence analysis, technical cyber security investigative tradecraft, and data engineering to solve enterprise threats around cyber security, trust and safety platforms, reputation, fraud, third party risk, and executive protection. We reminisce about our favorite investigations and talk about what’s next for Nisos. 

    Three Topics Covered in this Episode:

    1. How Nisos Has Evolved

    In the last six years, Nisos evolved its mission to focus on being the Managed Intelligence Company™. Using skill sets combining offensive operators, forensic and network analysts, open source intelligence experts, and data engineers, we collect and analyze data to solve problems within six primary intelligence domains:

    1. Cyber Threat Intelligence
    2. Protective Intelligence
    3. Reputation Intelligence
    4. Platform Intelligence
    5. Fraud Intelligence
    6. Third Party Intelligence
    1. Providing the Answers, Not Just Data in Monitoring and RFI Services

    Through our “outside of the firewall” investigations and tradecraft over the years, we realized that curating smaller datasets around specific customer problems is more helpful to customers, and that delivering actionable intelligence with appropriate context is what differentiates our offering.

    Aggregating data into a product that does not provide answers is often a waste of resources for organizations that need to make information actionable for security operations teams and executives. Routine monitoring, backed by an aggressive request-for-information (RFI) service, is generally the most effective way to answer customer intelligence requirements within 24 to 48 hours.

    3. Favorite Investigations Over the Last Six Years

    While the most notable investigations have involved unmasking threat actors when the appropriate context called for it, the best known investigations generally involve attributing attacker infrastructure and unraveling the malicious tool sets used against platform technology companies and business applications.

    Building and Implementing Security Programs within Fast Growing Technology Companies

    In episode 51 of The Cyber5, we are joined by Chris Castaldo. Chris is the Chief Information Security Officer for CrossBeam and has been CISO for a number of emerging technology companies. 

    In this episode, we talk about his newly released book, “Startup Secure,” and how growth companies can implement security at different funding stages. He also talks about why security professionals should want to be a start-up CISO at a growing technology company and how success can be defined for a first-time CISO. We also talk about how start-up companies can avoid ransomware events in a landscape that is not only constantly changing but also gives little advantage to defenders of small and medium-sized enterprises.

    Two Topics Covered in this Episode:

    1. 4 Security Lessons for Founders of Start-up Technology Companies

    When a B2B company is pre-seed or pre-Series A, customers may tolerate lax cybersecurity controls. After an A round, however, customers will require policies, procedures, and certifications (SOC 2 or ISO 27001) to ensure their data stays safe. A B2C technology company might not be asked for certifications by the public, but auditors and regulators may ask. Basic controls include:

    1. Single sign-on (for example, Okta) for authentication into applications, cloud, and workstations
    2. A password manager rollout (LastPass or 1Password)
    3. Encryption at rest and in transit
    4. Vulnerability scanning

    2. Combating Ransomware from the Inside-Out Approach and Integrating Threat Intelligence

    Blocking and tackling from the inside out to get ahead of ransomware is challenging. The simplest items to tackle first are the following:

    1. Auto-updates for patch management on operating systems
    2. Endpoint Detection and Response products
    3. Proper asset management to have full visibility on all network devices and services

    Once resilience and compliance controls are in place and the organization can recover from an incident in a timely manner, adversary insight via threat intelligence is the logical next step.