The Persistent Problem of Spear Phishing with Senior Security Practitioner Garrett Gross
Release Date: 07/18/2022
the CYBER5
In Episode 90 of TheCyber5, we are joined by , founder of the Counterintelligence Institute. Warmka is a retired senior intelligence officer with the U.S. Central Intelligence Agency (CIA) where he specialized in clandestine HUMINT (human intelligence) collection. With 20+ years of breaching security overseas for a living, Warmka now teaches individuals and businesses about the strategy and tactics of “human hacking”. Warmka highlights how insiders are targeted, the methods used by nationstates for committing crimes, and what organizations need to help focus their security training...
info_outline The Top Nisos Investigations Of the Last Seven Years with Nisos Research Principal Vincas Ciziunasthe CYBER5
In Episode 89 of TheCyber5, we are joined by Nisos Research Principal, It was 7 years ago, at a restaurant in Ashburn, Virginia, when Nisos’ co-founders Justin Zeefe and Landon Winkelvoss met Vincas. At the time, Vincas was working as a contractor for the US government but was considering a pivot into the private sector. It was Vincas’ impressive intellect, strategic thinking, and technical capabilities that made him the ideal intelligence operator on whom to depend for the launch of Nisos. Over the course of several years, Vincas’ experience, as a developer, open threat...
info_outline The Vital Role of Customer Success in Intel Programs with Senior Director of Nisos Brandon Kappusthe CYBER5
In Episode 88 of TheCyber5, we are joined by Nisos Senior Director for Customer Success, . Here are five topics we discuss in this episode: Intelligence Playbooks Start with Education to the Customer Playbooks should include three major steps. The first step is education on how intelligence is going to be consumed and not be nonstop noise. Discussions between customers and vendors should start around requirements that customers are trying to address with business stakeholders. Understanding Commercially and Publicly Available Data to Avoid Noise The next...
info_outline Identifying When Attribution of Threat Actors Matters and How to Track the Outcomes with Senior Information Security Leader Charles Garzonithe CYBER5
In Episode 87 of TheCyber5, we are joined by senior information security leader . Here are five topics we discuss in this episode: Defining When Attribution is Relevant and Necessary Many corporations are not overly concerned with attribution against cyber adversaries, they just want to get back to business operations. However, if someone robbed your house, you would want to know if it was a random drive-by, or if it was your neighbor because that will inform your defenses much more appropriately. Defending Against Nation States Versus Crime Groups The ability to attribute...
info_outline Properly Defining a Threat Management Department within Enterprise with Senior Manager of Nvidia Chris Cottrellthe CYBER5
In Episode 86 of TheCyber5, we are joined by Senior Manager of Threat Management for Nvidia . Here are six topics we discuss in this episode: What is a threat management department within enterprise security? Threat management departments are usually formed when security teams become mature and have table stakes functions within threat intelligence, red team, penetration testing, and threat hunting. These functions are usually formed after compliance, risk, governance, vulnerability management, and security operations center (SOC) are operational. Unfortunately, threat...
info_outline Operational Resiliency Framework Pertaining to Supply Chains by Foundation for Defense of Democracies George Sheathe CYBER5
In Episode 85 of TheCyber5, we are joined by Chief Technologist of Transformative Cyber Innovation Lab for the Foundation for Defense of Democracies (FDD) Here are four topics we discuss in this episode: What is the Operational Resiliency Framework (ORF)? The Operational Resiliency Framework (ORF) is a framework that is intended to be used by executives to ensure business continuity processes when their suppliers are knocked offline during natural disasters and cyber attacks. Defining Minimum Viable Services Step one, and the most important step, is defining a minimum level of...
info_outline Integrating Attack Simulation with Intelligence to Provide Actionable Outcomes with CrossCountry Consultingthe CYBER5
In Episode 84 of TheCyber5, we are joined by members of the CrossCountry Consulting team: , Offensive R&D Lead, , Associate Director, and , Director, Cyber and Privacy. Here are five topics we discuss in this episode: Adversary Emulation vs. Simulation and Use of Threat Intelligence Replaying attacks from adversaries is considered . The pros of emulation are you can react and defend against threat intelligence and the actual techniques during a penetration test. The cons are that many times these are yesterday’s threats. Simulation is the art of coming up with new attack...
info_outline Data Governance and Threat Intelligence Converge with Egnyte’s Chief Governance Officer Jeff Sizemorethe CYBER5
Topic: Title: Data Governance and Threat Intelligence Converge In Episode 83 of TheCyber5, we are joined by our guest, Egnyte’s Chief Governance Officer, Jeff Sizemore. We discuss the Cybersecurity Maturity Model Certification (CMMC) and the impact on Department of Defense (DOD) contractors to mature their cybersecurity hygiene in order to compete for US government contracts. CMMC was based on NIST Standards 800-71. Here are 4 topics we discuss in this episode: Why Does CMMC Matter? In the near future, contracts are going to be rated L1-3 and if contractors are not certified up to a...
info_outline Driving Diversity in Cyber Security and Intelligence with BGH Security CEO Tennisha Martinthe CYBER5
In episode 82 of The Cyber5, we are joined by guest moderator and senior intelligence analyst for Nisos, Valerie G., and CEO of BGH Security, Tennisha Martin. In this episode, we discuss the challenges and opportunities of promoting and enabling diversity and inclusion in cyber security. Key Takeaways: Showing Impact for Diversity and Inclusion (D&I) within Security Beyond filling cyber security skills gaps, some metrics that show success in D&I include: Jobs Feeling more confident in interviews Recommending minorities for employment opportunities...
info_outline Leveraging Open Source Intelligence in Insider Threat Programs with Vaillance Group CEO, Shawnee Delaneythe CYBER5
In episode 81 of The Cyber5, we are joined by the Head of Insider Threat at Uber and CEO of Vaillance Group, Shawnee Delaney. In this episode, we provide an overview of different functions within an insider threat program. We also discuss the support open source intelligence provides to such programs and how to change company culture to care about insider threats. We also discuss the ROI metrics that are important to different stakeholders when implementing an insider threat program. Three Takeaways: Departments and Functions within Insider Threat Insider threat programs...
info_outlineIn episode 79 of The Cyber5, we are joined by senior security practitioner, Garrett Gross.
We discuss the age old problem of spear phishing and why enterprises still struggle to fix this problem. We talk about the critical processes and technologies necessary to defend against spear phishing, including robust training programs and endpoint detections. We also cover how to use the telemetry collected from spear phishing and integrate this with outside threat intelligence to be useful.
Five Takeaways:
- Security Teams Need to Make a Sensor Network from the Employee Base
Attackers win consistently when they get employees to click malicious spear phishing links. They use social engineered communications, usually over email, that appear legitimate but have malicious intent to trick a user to open a document or click on a link to obtain sensitive information about a user.
Security training is boring and employees outside of security don’t pay attention to the annual reminders. Real education must be relatable to employees so that they can identify when a malicious link is deployed against them. The most critical training a security team can do is get a sensor network from their employees to spell out the ripple effects to employees for PII and intellectual property theft after a malicious link is executed.
- Experts Must Create Critical Processes and Use Technologies Defend Against Spear Phishing
A closed door approach to security is not efficient. Experts transparently interacting with the employee base defends against spear phishing. A phased approach will be necessary to assess the necessary logging in an automated way as this takes months to configure and properly alert. The building blocks of this approach are:
- An endpoint detection and response solution (EDR) is the most important tool to defend against spear phishing.
- An automated way to report incidents should be considered so users are not waffling on whether or not to report incidents. It should go without saying, but no one should get in trouble for reporting an incident.
- Spear Phishing Typically Impersonates Executives; Executives Should Conduct PII Removal and PII Poisoning
The sophistication and reconnaissance of advanced adversaries are challenging to detect, particularly when bad actors impersonate executives. Verifying information over the phone is often needed to circumvent advanced attempts to social engineer an employee base. Further, publicly available information about executives should be scrubbed and removed from the internet on a routine basis.
- Use of Spear Phishing Telemetry with Threat Intelligence for Small and Medium Size Business
Small companies with limited security personnel will be fortunate to get employees to get banners saying emails are coming from an external source. They will spend a small part of their day conducting internal threat hunting. They won’t be able to conduct external threat hunting to determine the sophistication of a spear phishing campaign. They need to partner with managed intelligence providers to do external threat hunting effectively.
- “Defensibility” Measures are Critical Success Metrics: Threat Intelligence and Red Teams
Quantifying reports and solutions that show how a security team is systematically reducing risks that affect their business is the only way budgets will get increased by the board. To prove that various attacks will matter to a business, threat intelligence with subsequent red teaming are the primary ways to illustrate the issues to an executive team.