the CYBER5
The CYBER5 is hosted by Landon Winkelvoss, Co-Founder at Nisos, and features cybersecurity and investigations industry leaders' thoughts and answers to five questions on one topic on actionable intelligence to enterprise revolving around third-party risk management, adversary research and attribution, digital executive protection, merger and acquisition diligence, brand protection, disinformation, and cyber threat intelligence.
Insider Threats and Social Engineering Tactics by Counterintelligence Institute’s Peter Warmka
03/08/2023
In Episode 90 of TheCyber5, we are joined by Peter Warmka, founder of the Counterintelligence Institute. Warmka is a retired senior intelligence officer with the U.S. Central Intelligence Agency (CIA), where he specialized in clandestine HUMINT (human intelligence) collection. With 20+ years of breaching security overseas for a living, Warmka now teaches individuals and businesses about the strategy and tactics of “human hacking”. Warmka highlights how insiders are targeted, the methods nation states use to commit crimes, and where organizations need to focus their security training to prevent a breach. Below are the three major takeaways:

Prevalent open source techniques for targeting a person or company as an insider threat
A website that defines the key personnel and mission statement of an organization provides critical context for targeting employees with social engineering techniques. Bad actors use job descriptions, which reveal the enterprise and security technologies in use, to target potential technology vulnerabilities and subsequently penetrate the organization. Lastly, social media and open source content typically offer information about employees and companies that can be used for nefarious purposes.

Employees are recruited for nation state espionage or crime
Adversaries pose as executive recruiters, through direct engagement and through hiring platforms, to elicit sensitive company information. Employees allow themselves to be socially engineered by a spearphish. Threat actors will go so far as to create deep fakes to sell the impression that they are a senior company executive.

Security awareness training should focus on verification
There are several ways to defend yourself and your enterprise, but consistent education and training are tried and true methods of defense. However, annual security training videos will not change employee behavior; they are too infrequent to modify it. Employees need to be taught to be apprehensive about unsolicited outreach through email, phone call, social media, or SMS. Business procedures need to focus on quick and timely verification of suspicious activity. A policy of “trust but verify” is likely going to be too late.
The Top Nisos Investigations Of the Last Seven Years with Nisos Research Principal Vincas Ciziunas
02/08/2023
In Episode 89 of TheCyber5, we are joined by Nisos Research Principal Vincas Ciziunas.

It was 7 years ago, at a restaurant in Ashburn, Virginia, that Nisos’ co-founders Justin Zeefe and Landon Winkelvoss met Vincas. At the time, Vincas was working as a contractor for the US government but was considering a pivot into the private sector. It was Vincas’ impressive intellect, strategic thinking, and technical capabilities that made him the ideal intelligence operator on whom to depend for the launch of Nisos. Over the course of several years, Vincas’ experience as a developer, open threat intelligence analyst, hacker, and threat detection and threat hunting expert would prove crucial to solving some of the most complex challenges Nisos’ clients would bring us. Once just the trio, but now known as the Nisos Dogpile, our diverse and unique team members huddle together to solve the most intractable cyber, physical, and fraud threats faced by enterprises.

In this episode, Landon and Vincas recount some of their most memorable investigations, anonymized. These stories helped put Nisos on the map and range from Nisos’ core capabilities of open source and threat intelligence, direct threat actor engagement, and technical signature analysis against cyber threat actors, to validating physical security threats, trust and safety issues, and insider threats. Make sure to follow Vincas on LinkedIn for more insights and commentary on the world of Managed Intelligence™.
The Vital Role of Customer Success in Intel Programs with Senior Director of Nisos Brandon Kappus
01/24/2023
In Episode 88 of TheCyber5, we are joined by Nisos Senior Director for Customer Success, Brandon Kappus. Here are five topics we discuss in this episode:

Intelligence Playbooks Start with Education to the Customer
Playbooks should include three major steps. The first step is educating the customer on how intelligence is going to be consumed so that it is not nonstop noise. Discussions between customers and vendors should start with the requirements that customers are trying to address with business stakeholders.

Understanding Commercially and Publicly Available Data to Avoid Noise
The next step in any playbook is determining what data is needed to cover unique intelligence requirements. Social media, passive DNS, foreign media, business entity, person, and netflow datasets are all available, but they are meaningless without understanding what a security team is trying to accomplish.

Flexibility is Critical to Meet Compliance Regulations
A threat intelligence program by itself is not generally a compliance requirement in the way anti-virus or a DLP program is. However, many aspects of a threat intelligence program are inherent in compliance spending, such as the ability to monitor third parties, manage vulnerabilities, track credential and data leaks, and mitigate insider threats. Flexibility to adapt to compliance needs is critical for maintaining the program and is as important as addressing routine vulnerability disclosures for the SOC or giving business units a competitive advantage.

Intelligence Backgrounds are Useful for Building Great Threat Intelligence Programs
Two general backgrounds are common among those building intelligence programs: US government intelligence community experience and data engineering. While data engineering is important for automation and for bringing indicators into network defense tooling like a SIEM, intelligence community backgrounds are critical for building relationships and crafting winning value propositions across a stakeholder community. Asking the question, “what does success look like for you,” goes a long way between customers and vendors, particularly when a program is starting.

Return On Investment Criteria
When an intelligence program is starting, requirements are collected, and the data that is needed is purchased, return on investment often comes in the form of storytelling, for example sharing how you are stopping credentials from being used or stopping an insider threat from leaking data. Over time these stories become common themes that can be built out at scale and will ultimately be used to capture “prevention dollars” and the potential dollar loss prevented from leaving the company. This storytelling to capture dollar loss should be the pinnacle of any threat intelligence program’s maturation.
Identifying When Attribution of Threat Actors Matters and How to Track the Outcomes with Senior Information Security Leader Charles Garzoni
01/03/2023
In Episode 87 of TheCyber5, we are joined by senior information security leader Charles Garzoni. Here are five topics we discuss in this episode:

Defining When Attribution is Relevant and Necessary
Many corporations are not overly concerned with attribution of cyber adversaries; they just want to get back to business operations. However, if someone robbed your house, you would want to know whether it was a random drive-by or your neighbor, because that informs your defenses much more appropriately.

Defending Against Nation States Versus Crime Groups
The ability to distinguish crime groups from nation states has large implications for a defense posture. First, organizations need to conduct a victimology assessment of themselves to determine which actors would want to steal from them. Second, an organization should list out the priority threat actors targeting its sector and intellectual property. Third, it should look for customized detections and prioritized alerts as the resulting output.

The Human Element of Attribution
Engaging directly with threat actors (a different kind of human intelligence, HUMINT) is critical to understanding the human element of attribution, such as their motivation, TTPs, and intent. For ransomware actors, for example, understanding their past actions informs future recovery and negotiation efforts. Organizations cannot do this without attribution. For nation states, geopolitical context is critical to understanding security incidents, not to mention the “how” and “why” of their movement in your network.

Public Disclosures of Nation State Adversaries Are Effective
Public disclosures and indictments are effective disruption efforts, depending on the nation state. For example, demarche and indictment efforts against China put them on their heels and have a debilitating effect because of how they want to be seen in the world. Russian state operators, however, look at disclosures as a badge of honor. Disclosures by private sector companies can have just as much impact if the goal is disruption.

False Flag Operations
While it is easy to say you are someone else, it is challenging to look like someone else. Adversaries think masking their infrastructure to look like another adversary makes attribution challenging. Fortunately for analysts, it is very hard to mimic another adversary’s TTPs exactly, which makes attribution easier for defenders. Adversaries would need to study how the TTP implementation works, and they typically don’t. For example, when North Korea attacked Sony in 2015, their actions mimicked the same attack against a South Korean bank a year earlier in 2014, which made attribution straightforward. While they tried to improve and encrypt their command and control in 2015, the session logs between the two attacks looked almost identical.
Properly Defining a Threat Management Department within Enterprise with Senior Manager of Nvidia Chris Cottrell
11/28/2022
In Episode 86 of TheCyber5, we are joined by Senior Manager of Threat Management for Nvidia, Chris Cottrell. Here are six topics we discuss in this episode:

What is a threat management department within enterprise security?
Threat management departments are usually formed when security teams become mature and have table stakes functions in threat intelligence, red team, penetration testing, and threat hunting. These functions are usually formed after compliance, risk, governance, vulnerability management, and the security operations center (SOC) are operational. Unfortunately, threat management is not a well-defined term in enterprise. For example, “threat hunting” in one organization could mean a SOC escalating alerts in another.

Incident Response’s Role in Threat Management
Incident response is usually a capability separate from threat management (red team, threat hunting, threat intelligence) and from the governance, risk, and compliance (GRC) roles. Incident response is a reactive capability with the ability to find an actor inside the environment, whereas the SOC is the first reactive capability to stop the attacker at the perimeter. Threat management is still considered a proactive capability to keep attackers out at the perimeter.

Defining the Roles within Threat Management
Threat Hunt: Expert-level investigators who know how to review network telemetry with a variety of tools and alerts and find an anomaly to investigate whether an adversary is inside the environment. They usually take their clues from incident response, red team, or threat intelligence.
Threat Intelligence: Expert-level analysts and engineers who review the types of threats that could attack an organization and develop alerts and playbooks for threat hunters. They also have many other roles depending on the business.
Red Team: Penetration testers who emulate or simulate adversaries within the environment to determine what alerts should be created and prioritized.

Threat Intelligence Must Start with Business Requirements
Threat intelligence is meaningless and not contextualized until analysts understand how the business makes money and the corresponding risks that could disrupt it. Building a threat intelligence program from scratch can take up to a year, and the first six months will be spent building relationships with the business before any feeds can start to be incorporated.

Stories are the Best Metrics for Threat Intelligence Programs
Mean time to respond and mean time to alert are table stakes metrics for the SOC, but they are out of the control of the threat management team (red team, threat intel, etc). The better metrics for threat intelligence teams are success stories in which information was actioned by a business unit and risk was averted.

Reactive Capabilities When An Incident Occurs
The threat management department becomes critical during a security incident. Red teamers have the mindset to look for a mistake in a vulnerability or in network defense. Threat hunters have the mindset to look for mistakes by adversaries. The same mindsets are critical to investigating security events and incidents alongside the incident response team. Threat intelligence can conduct external threat hunting outside the firewalls when an incident occurs.
Operational Resiliency Framework Pertaining to Supply Chains by Foundation for Defense of Democracies George Shea
11/02/2022
In Episode 85 of TheCyber5, we are joined by George Shea, Chief Technologist of the Transformative Cyber Innovation Lab at the Foundation for Defense of Democracies (FDD). Here are four topics we discuss in this episode:

What is the Operational Resiliency Framework (ORF)?
The Operational Resiliency Framework (ORF) is intended to be used by executives to ensure business continuity processes when their suppliers are knocked offline by natural disasters and cyber attacks.

Defining Minimum Viable Services
Step one, and the most important step, is defining a minimum level of service for all products and services. When disasters or cyber attacks occur, the minimum viable service will reveal the critical suppliers that need extra attention from a redundancy and monitoring perspective.

Resilience is Not Going to Stop a Cyber Attack
The ORF is not a compliance requirement, nor will the framework stop a cyber attack. However, it is designed to help organizations respond when an attack has taken place and is ongoing. For example, if an attacker is already within the system, it is important to keep valuable services running and ensure the suppliers that enable those critical services don’t go down. This framework goes beyond your perimeter to your suppliers and customers.

Cyber Configurations Are Critical
While this is not a cyber security framework, technical controls and configurations at the suppliers are an important part of keeping minimum viable services up and running.
Integrating Attack Simulation with Intelligence to Provide Actionable Outcomes with CrossCountry Consulting
10/26/2022
In Episode 84 of TheCyber5, we are joined by members of the CrossCountry Consulting team: their Offensive R&D Lead, an Associate Director, and their Director, Cyber and Privacy. Here are five topics we discuss in this episode:

Adversary Emulation vs. Simulation and Use of Threat Intelligence
Replaying attacks from adversaries is considered emulation. The pros of emulation are that you can react to and defend against threat intelligence and the actual techniques during a penetration test. The cons are that many times these are yesterday’s threats. Simulation is the art of coming up with new attack vectors with nuanced penetration testers. The pros are that these attacks give blue teams new ways to think ahead and adapt their defenses before threat actors do. The cons are that these attacks aren’t yet in the wild and the probability of such attacks is not known.

Values of Threat Intelligence with Red Teams
Indicators of compromise (IOCs) are immediately relevant and actionable, even though their value is overcome by events (OBE) within hours. Threat intelligence IOCs are not relevant to the heuristics of sophisticated adversaries, and that is what sophisticated adversary simulation combined with threat intelligence attempts to overcome. For example, if an enterprise can defend against malicious HTML Applications (HTAs), that protects it against any adversary using that vector. Another example would be a simulated ransomware event, based on threat intel, that drops in several places and simulates everything that six different ransomware families would do (up until encryption).

Tools Are Not Enough
Enterprises struggle to defend when a security product does not catch an actor in the environment, and struggle to react in a way that forensically preserves the attacker’s initial access vector. Training incident response and conducting external threat hunting are critical elements to defend and react when an attacker creates a new way to penetrate an environment.

Satisfying a Chief Financial Officer’s Appetite for Security
In today’s information technology environments, CFOs need to be conversant in cyber security, not experts. Some considerations:
CFOs need to hold security tooling accountable, because there is an overconsumption of tooling that simply does not make an impact.
Corporate development, merger and acquisition strategy, and payments to vendors are critical business aspects a CFO should be concerned to protect.
A CFO should be empowered to initiate a penetration test unbeknownst to the security team. Adversary simulations are often highly political as a result, but this kind of dialogue is beneficial for understanding incident response preparation and the threat intelligence of how to defend against certain threat actors.
If a company is in growth mode and over $1B in annual revenue, and if IT cannot integrate acquisitions quickly enough, more should be spent on security. If a company is in profitability mode, streamlining security is probably more important. If a company is under $1B in annual revenue, spending on security is always challenging, and managed services and consulting come more into play.

Benchmarks Can Be Challenging
Many companies want benchmarks on how they stack up to industry peers. Every company is different and no two environments are the same, so stacking up against industry measures like third party risk “scores” is challenging and not advisable.
Data Governance and Threat Intelligence Converge with Egnyte’s Chief Governance Officer Jeff Sizemore
09/28/2022
In Episode 83 of TheCyber5, we are joined by our guest, Egnyte’s Chief Governance Officer, Jeff Sizemore. We discuss the Cybersecurity Maturity Model Certification (CMMC) and its impact on Department of Defense (DOD) contractors, who must mature their cybersecurity hygiene in order to compete for US government contracts. CMMC was based on NIST Standards 800-71. Here are 4 topics we discuss in this episode:

Why Does CMMC Matter?
In the near future, contracts are going to be rated L1-3, and if contractors are not certified up to a certain level, they cannot bid on the contract. This is more focused on the smaller defense contractors who, up to now, have generally disregarded compliance measures yet are major targets for nation state cyber attacks.

Failure to Comply with CMMC Could Mean Perjury
Compliance for DOD contractors is not new, and companies were previously allowed to self-attest. When DOD regulatory bodies did the research, 75% of companies were found to be not in compliance. For enforcement, the Department of Justice is now involved, and if contractors lie, it is considered perjury.

Compliance Cybersecurity Controls Contractors Can Implement
Before choosing an email provider, cloud environment, or file share, be sure they are FedRAMP compliant. Automate the search capability within secure enclaves so CUI is detected in an environment. Automate the ability to be audited so contractors aren’t wasting time in spreadsheets.

Incident Response and Threat Intelligence Controls Needed
Threat intelligence is in an evolutionary stage for larger contractors, who monitor their subcontractors to determine if they have vulnerabilities and/or have been breached. Third party risk score cards are generally not actionable for defense contractors because the vulnerabilities are not put in the context of a business risk. The key is to bring together a threat intelligence picture that can alert on actionable data leaks.
Driving Diversity in Cyber Security and Intelligence with BGH Security CEO Tennisha Martin
09/22/2022
In episode 82 of The Cyber5, we are joined by guest moderator and senior intelligence analyst for Nisos, Valerie G., and CEO of BGH Security, Tennisha Martin. In this episode, we discuss the challenges and opportunities of promoting and enabling diversity and inclusion in cyber security. Key Takeaways:

1) Showing Impact for Diversity and Inclusion (D&I) within Security
Beyond filling cyber security skills gaps, some metrics that show success in D&I include:
Jobs
Feeling more confident in interviews
Recommending minorities for employment opportunities
Educating about opportunities outside of the technical positions, such as project management, customer success, product management, marketing, and sales
Certifications
Transitions to cyber security from other career fields

2) Giving back to the Cybersecurity Community
Volunteering to help educate the next generation of ethical hackers or cybersecurity specialists.
Donating funds to nonprofit organizations that assist people interested in pursuing a career in cybersecurity.
Volunteering time instructing courses or sessions on issues to assist individuals in gaining exposure to the cybersecurity sector.

3) Being part of a supportive virtual community
Having a community of people that you can talk to, even though they're not necessarily near you, about issues you are encountering in the industry.
Having people that you can relate to and reach out to because they are navigating the same path as you are.
Having a psychologically safe space for people to problem solve and brainstorm and feel like they're not being judged.
Helping people that are new in cybersecurity feel comfortable and stay in the industry.
Leveraging Open Source Intelligence in Insider Threat Programs with Vaillance Group CEO, Shawnee Delaney
09/14/2022
In episode 81 of The Cyber5, we are joined by the Head of Insider Threat at Uber and CEO of Vaillance Group, Shawnee Delaney. In this episode, we provide an overview of the different functions within an insider threat program. We also discuss the support open source intelligence provides to such programs and how to change company culture to care about insider threats. We also discuss the ROI metrics that matter to different stakeholders when implementing an insider threat program. Three Takeaways:

1) Departments and Functions within Insider Threat
Insider threat programs are relatively new in enterprise security and often differ from company to company. Open source intelligence can be a standalone role or be cross functional among all departments. Common departments and functions can be:
Open source intelligence.
Forensics monitoring.
Training and awareness (steering committees for stakeholders, benchmarking).
Technical and behavioral monitoring (UEBA or DLP).
Supplier due diligence.
Global investigations.
Global intelligence analysis.

2) Common Problems Faced by Insider Threat Teams
Common challenges faced by insider threat teams:
Privacy, to ensure employee confidentiality is not violated.
Tooling, to have visibility that distinguishes malicious events from normal behavior.
Finding practitioners that can do the technical monitoring and open source intelligence.
Shifting culture to be more security conscious.
Focusing on physical security issues, like active shooter situations, just as much as data exfiltration and other cyber concerns.

3) Role of Open Source Intelligence in Insider Threat Programs
An insider threat program is a key stakeholder for a threat intelligence program, not the individual buyer. Three key areas where open source intelligence (OSINT) supports insider threat programs:
Employee lifecycle management: ensuring employees, former employees, and prospects are not an insider threat based on what they post on the internet.
Validating red flag indicators with OSINT.
Investigations into vendors.
The DISARM Framework Helps Bring Focus to the Disinformation Problem with Executive Director of the DISARM Foundation Jon Brewer
07/26/2022
In episode 80 of The Cyber5, we are joined by Executive Director of the DISARM Foundation, Jon Brewer. We discuss the mission of the DISARM Framework, a common framework for combating disinformation. Much like the MITRE ATT&CK framework is used for combating cyber attacks, the DISARM framework is used to identify what Jon calls “cognitive security”: all the tactics, techniques, and procedures used in crafting disinformation attacks and influencing someone's mind. This includes the narratives, accounts, outlets, and technical signatures used to influence a large population. We chat about what success looks like for the foundation and the specific audiences it serves to help the population understand how disinformation actors work. Three Takeaways:

1. What is the DISARM Framework?
DISARM is the open-source, master framework for fighting disinformation through the coordination of effective action. It was created by . It is used to help communicators, from whichever discipline or sector, to gain a clear, shared understanding of disinformation incidents and to immediately identify the countermeasure options available to them. It is similar to the MITRE ATT&CK framework, which provides a list of the TTPs malicious actors use to conduct cyber attacks.

2. Similarities Between DISARM and MITRE ATT&CK Frameworks: Cognitive Security vs Cyber Security
Cognitive security and the DISARM framework are analogous to cyber security and the MITRE ATT&CK framework. Cognitive security covers the TTPs actors use to influence minds, while cyber security covers actors’ ability to steal data from networks.

MITRE ATT&CK’s list covers the different TTPs of the cyber kill chain:
Reconnaissance
Resource Development
Initial Access
Execution
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Discovery
Lateral Movement
Collection
Command and Control
Exfiltration

DISARM’s list covers the different TTPs of the disinformation chain:
Plan Strategy
Plan Objectives
Target Audience Analysis
Develop Narratives
Develop Content
Establish Social Assets
Establish Legitimacy
Microtarget
Select Channels and Affordances
Conduct Pump Priming
Deliver Content
Maximize Exposure
Drive Online Harms
Drive Offline Activity
Persist in Information Environment
Assess Effectiveness

3. Disinformation: A Whole of Society Problem
While MITRE ATT&CK is mostly a business-to-business framework for enterprises to defend against cyber attacks, the DISARM framework is both a B2B framework for companies in fields like technology and journalism and, more broadly, a framework for consumers. This will take much more support from non-profits and public sector organizations like police and education systems.
The Persistent Problem of Spear Phishing with Senior Security Practitioner Garrett Gross
07/18/2022
In episode 79 of The Cyber5, we are joined by senior security practitioner Garrett Gross. We discuss the age-old problem of spear phishing and why enterprises still struggle to fix it. We talk about the critical processes and technologies necessary to defend against spear phishing, including robust training programs and endpoint detections. We also cover how to use the telemetry collected from spear phishing and integrate it with outside threat intelligence so that it is useful. Five Takeaways:

Security Teams Need to Make a Sensor Network from the Employee Base
Attackers win consistently when they get employees to click malicious spear phishing links. They use socially engineered communications, usually over email, that appear legitimate but have malicious intent, tricking a user into opening a document or clicking a link so that sensitive information about the user can be obtained. Security training is boring, and employees outside of security don’t pay attention to the annual reminders. Real education must be relatable to employees so that they can identify when a malicious link is deployed against them. The most critical training a security team can do is build a sensor network from its employees by spelling out to them the ripple effects of PII and intellectual property theft after a malicious link is executed.

Experts Must Create Critical Processes and Use Technologies to Defend Against Spear Phishing
A closed-door approach to security is not efficient. Experts transparently interacting with the employee base defends against spear phishing. A phased approach will be necessary to assess the necessary logging in an automated way, as this takes months to configure and alert properly. The building blocks of this approach are:
An endpoint detection and response (EDR) solution is the most important tool to defend against spear phishing.
An automated way to report incidents should be considered so users are not waffling on whether or not to report.
It should go without saying, but no one should get in trouble for reporting an incident.

Spear Phishing Typically Impersonates Executives; Executives Should Conduct PII Removal and PII Poisoning
The sophistication and reconnaissance of advanced adversaries are challenging to detect, particularly when bad actors impersonate executives. Verifying information over the phone is often needed to circumvent advanced attempts to socially engineer an employee base. Further, publicly available information about executives should be scrubbed and removed from the internet on a routine basis.

Use of Spear Phishing Telemetry with Threat Intelligence for Small and Medium Size Business
Small companies with limited security personnel will be fortunate just to get banners in front of employees saying that emails are coming from an external source. They will spend a small part of their day conducting internal threat hunting. They won’t be able to conduct external threat hunting to determine the sophistication of a spear phishing campaign. They need to partner with managed intelligence providers to do external threat hunting effectively.

“Defensibility” Measures are Critical Success Metrics: Threat Intelligence and Red Teams
Quantifying reports and solutions that show how a security team is systematically reducing the risks that affect its business is the only way budgets will get increased by the board. To prove that various attacks will matter to a business, threat intelligence with subsequent red teaming is the primary way to illustrate the issues to an executive team.
/episode/index/show/the-cyber5/id/23777120
Digital Transformation and Threat Intelligence Use in the US Public Sector with Former Booz Allen Hamilton Manager Gaurang Shah
07/12/2022
In episode 78 of The Cyber5, we are joined by our guest, , former senior lead technology manager at Booz Allen Hamilton. We talk about the challenges of digital transformation and cybersecurity in the US federal government. We discuss solutions for bringing innovative technology and bespoke services into the federal space and how to shorten long procurement cycles. We also cover what the federal government can learn from the private sector, including how to shrink the ongoing cyber skills shortage.

Four Takeaways:

1) Federal CISOs and CIOs Think Cloud Migrations Will Not Bake in Security

Outside of the US national security, intelligence, and DOD sectors, many civilian agency CIOs and CISOs in the US federal sector have the following shortcomings with regard to cloud migration:
- First, they think security will be baked in as part of cloud migrations to AWS, Azure, or GCP, when that is not the reality.
- Second, cloud implementation covers infrastructure-as-a-service but is well behind in software-as-a-service and application security.
- Third, they are either not aware of their expanding attack surface, owing to a lack of enterprise security culture, or they are unable to gain funding for their security initiatives.
- Last, they have trouble retaining talent from the private sector.

2) Build Versus Buy Debate in the US Civilian Agencies

Procurement in many of the civilian agencies within the US federal government is based on the lowest acceptable cost and not necessarily on the value delivered for efficiency. They also cannot hire and retain talent at costs comparable to the private sector, so building technology is extremely challenging. Many civilian organizations aren’t doing threat intelligence and incident response at the scale and speed necessary.

3) Approaches for Overcoming the Cyber Skills Shortage Gap

Understanding that the federal government will lose out on hiring top talent due to lowest-acceptable-cost restrictions in the procurement cycle, we recommend training IT, enterprise architecture, database administration, and system administration personnel who want to grow into security, particularly in automation.

4) Future of Outsourcing to Managed Services Experts and Codifying Appropriate Threat Models

Some civilian agencies will likely need to outsource portions of SOC operations to managed services companies over the coming years. Some agencies are outsourcing Level 1 alerting, for example, while keeping Level 2-4 escalations in house. However, for the US federal government as a whole to be successful, there needs to be an agreed-upon risk posture framework that many civilian agencies adhere to, so that automation in detection and response can be achieved at the scale needed in the federal space. Further, application and software security are well behind, and much of the focus is on infrastructure security. Unfortunately, there is still reticence about outsourcing in the federal space because of supply chain concerns. However, the federal government may have no choice but to implement aspects of a next-generation SOC by outsourcing to a higher degree to experts.
/episode/index/show/the-cyber5/id/23719709
Moving a Security Team Beyond IOCs and Positioning for Stronger Outcomes with Senior Manager of Deloitte Eric Lekus
07/05/2022
In episode 77 of The Cyber5, we are joined by our guest, , Senior Manager for Threat Intelligence at Deloitte. Eric delivers for Deloitte’s internal security team and is not a client-facing consultant. We talk about how to evolve cyber threat intelligence in a SOC environment beyond basic indicators of compromise (IOC) integration. We discuss the different stakeholders a CTI team has beyond a SOC, but also focus on what a CTI team needs to push to and pull from a SOC to be relevant for a broader audience. We also outline success metrics for a CTI team.

Four Takeaways:

1) Indicators of Compromise are a Baseline Activity, Not Holistic Threat Intelligence

Indicators of compromise consist of known malicious IPs and domains. Stakeholders expect security teams to be doing this as a baseline. However, IPs and domains can change in a matter of seconds, so it’s not fruitful to rely only on IOCs integrated into a SIEM that alerts alongside other network traffic and logging.

2) A Security Operations Team Already Has a Rich Source of Baseline Activity; Enrich It with Threat Intelligence

Security teams should be integrating many sources of logging, such as IPs from emails, and using threat intelligence to alert on malicious activity. This should then establish two-way communication, where a threat intelligence team is pulling information from the SOC to enrich it and provide feedback. A SOC team is generally writing tickets for alerts, and a threat intelligence team can’t just ask for bulk data; therefore, automation to integrate into threat intelligence platforms is critical. A SOC analyst will ask, “what’s in it for me?”, and a threat intelligence professional should address this.

3) Threat Intelligence Should be a Separate Entity from the SOC; It Has Numerous Customers

The following services are generally associated with cyber threat intelligence teams. Since the SOC is a major stakeholder, the CTI team usually has the following functions:
- Adversary infrastructure analysis
- Attribution analysis
- Dark web tracking
- Internal threat hunting
- Threat research for identification and correlation of malicious actors and external datasets
- Intelligence report production
- Intelligence sharing (external to the organization)
- Tracking threat actors’ intentions and capabilities
- Malware analysis and reverse engineering
- Vulnerability research and indicator of compromise analysis (enrichment, pivoting, and correlating to historical reporting)

4) Success for Security Teams Means Reducing Risk Through Outcomes

Regardless of who the stakeholders are in an organization, improving security should be focused on reducing risk and influencing outcomes for disrupting actors. This should be accomplished in alignment with the executive team and the culture of the organization. Showing how you are reducing risk over time is what makes threat intelligence teams successful in the eyes of business executives.
/episode/index/show/the-cyber5/id/23635211
Topic: Elevating Private Sector Intelligence through Professionalization with Harvard University's Maria Robson
06/28/2022
In episode 76 of The Cyber5, guest moderator and Nisos Director for Product Marketing, , is joined by our guest, , the Program Coordinator for the Intelligence Project of the Belfer Center at Harvard University's Kennedy School. We discuss the evolution of intelligence roles in enterprise and the ultimate career path for intelligence professionals. We cover ethics in private sector intelligence teams and the role of academia in fostering not only the ethics but also the professionalization of private sector intelligence positions. Dr. Robson also discusses how proactive intelligence gathering capabilities tend to provide the most value to enterprise. Finally, she gives an overview of the Association of International Risk Intelligence Professionals' work and mission.

Three Takeaways:

1) Ethical Focus is Critical

Ethical lines of consideration and having a standard of what is appropriate for collection and analysis are important but currently very murky. Collection and analysis methods that are appropriate for the U.S. Intelligence Community would be entirely inappropriate and illegal when used against private sector persons and organizations. Standards would ensure, for example, that new analysts know what is in and out of bounds for the type of inquiry that can be answered. The Association of International Risk Intelligence Professionals (AIRIP) is leading the way in identifying these standards.

2) Apprentice and Guild Process is Critical if Standards are Slow to be Developed

A craft and guild process is important for getting jobs in private sector intelligence because there is no linear pathway to employment. Since networking and a manager’s previous experience in the intelligence community, non-profit, or private sector are the driving forces behind mentorship, craft and guild benchmarking and professionalization become important models.

3) Security Organization and Reporting Structure Has Changed

Cyber threat intelligence, geopolitical risk, and corporate security have historically been the security functions. Before digging into how cyber threat intelligence benefits a physical security program, we identify a list of some of the services, products, and analyses that a CTI program might address. The following services have significant overlap with physical security programs:
- Adversary infrastructure analysis
- Attribution analysis
- Dark web tracking
- Internal threat hunting
- Threat research for identification and correlation of malicious actors and external datasets
- Intelligence report production
- Intelligence sharing (external to the organization)
- Tracking threat actors’ intentions and capabilities

Other CTI services generally do not overlap with physical security and remain the responsibility of cybersecurity teams. These services include malware analysis and reverse engineering, vulnerability research, and indicator analysis (enrichment, pivoting, and correlating to historical reporting). Security teams are now leveraging open-source intelligence and cyber threat intelligence to provide critical information to physical security practitioners. The physical and corporate security programs of these teams generally consist of the following disciplines, with use cases that are at the center of the convergence of cyber and physical security disciplines:
- Physical Asset Protection
- Travel Security
- Regulatory/Environmental Risk Specific to Business
- Geo-Political Risk
- Global Investigations
/episode/index/show/the-cyber5/id/23568782
Open Source Intelligence's Role in the National Security and the Broader Public Sector with Grist Mill Exchange's Kristin Wood
06/14/2022
In episode 75 of The Cyber5, we are joined by Grist Mill Exchange CEO, . We discuss open source intelligence (OSINT) use in the U.S. public sector, not only in national security but also in the emergency response sectors. We talk about how open source intelligence has evolved in the last ten years and how adversaries use open source intelligence against us. We also discuss how the U.S. needs to catch up, not only in how to operationalize OSINT in meaningful ways, but in how the U.S. government can procure bleeding-edge technologies in a more time-sensitive manner to meet mission requirements.

Three Takeaways:

1) Open Source Intelligence Has Evolved From Just Foreign Media; It’s The New All-Source Intelligence

The national security sector traditionally used open source intelligence to translate foreign media, particularly during crisis situations. Now, open source intelligence is being leveraged in many ways like all-source intelligence: the integration of human, signals, and imagery intelligence. The interconnectivity of devices has led to a commercial “gold rush” to aggregate data and sell it to public and private sector clients.

2) China is Remarkable at Open Source Intelligence, Using Autocracy as an Advantage

China and Russia are collecting open source intelligence against the U.S. at an unprecedented level, including what’s commercially available and through computer network exploitation and data exfiltration. They are aiming to reframe the U.S. using disinformation as a powerful tool. They have been very successful in leveraging online disinhibition effects against the U.S. populace.

3) The United States Public Sector Needs an Overhaul in Procurement Authority

The U.S. private sector has a lot to teach the U.S. public sector about learning consumer behaviors and pairing that with commercially derived data, such as device fingerprinting, to extract valuable insights for national security purposes. To accomplish this, analysts need to be able to circumvent cumbersome government procurement buying cycles.
/episode/index/show/the-cyber5/id/23424023
Evolving the Physical Security and the GSOC with Open Source Intelligence Collection and Analysis with Director of GSOC Operations for the NFL Robert Gummer
06/08/2022
In episode 74 of The Cyber5, we are joined by , the Director of the Global Security Operations Center (GSOC) for the National Football League (NFL). First, we talk about how to expand the mission of a GSOC using open source intelligence. We talk about the role of vendors in the GSOC ecosystem and how open source intelligence can be aggregated in the case management systems across all facets of a GSOC fusion center. We also talk about how to educate business stakeholders to make them valuable intelligence consumers. We further discuss how a GSOC can model collection and analysis around successful outcomes for the business, both as a risk management function and as a business enabler.

Five Takeaways:

1) Functions of the Modern Day GSOC: A Blend of Physical and Cyber Security

A GSOC is a fusion center: the blend of physical security, cyber security, emergency preparedness, business continuity, and global investigations around any and all threats to an enterprise. Most physical security threats have a cyber or digital nexus. Active shooters, someone flying a drone over a location, and ransomware threats that shut down business continuity are all equally threats to the business that need to be dealt with in a collaborative environment.

2) Key for Open Source Intelligence to Solve Business Problems: Eliminating Coverage Gaps is an 18-Month Process

There are two main categories of datasets to map: traditional open-source intelligence and non-traditional open-source intelligence. Traditional open-source intelligence datasets encompass the qualitative and quantitative collection and analysis of public, non-classified sources that deliver context, such as archives, business records, dating sites, and the dark web. Non-traditional open-source intelligence datasets include the human, signals, and imagery intelligence equivalents in OSINT, based on anything from threat actor engagement on social media, to external telemetry (netflow, passive DNS, cookies), to social media photos used to pinpoint locations. Dialing in the threat intelligence landscape and reviewing vendors to determine who has the better social media and data coverage is a lengthy process, sometimes taking 18 months to get right.

3) Aggregation of Intelligence is Still a Maturing Process for Many Physical Security Teams

While mature physical security teams have an incident system that sends notifications for action, there still is not a single source of truth that aggregates everything together. Finding vendors that want to integrate with other vendor platforms is still a challenge. Vendors should not look to displace other vendors; rather, they should try to integrate with systems like a Virtual Contact Center (VCC) platform.

4) Vendor Relationships are Partnerships and Real Intelligence Providers; GSOC Focuses on Educating Stakeholders to Drive Feedback and Integration with Business Requirements

There is no turnkey solution for triaging alerts in a GSOC, and business stakeholders do not understand the GSOC and open source intelligence space. It takes months of triaging alerts and molding filters to get the right information that surfaces real threats. Vendor relationships should be leveraged as partnerships to help triage the right alerts, give actionable intelligence, and integrate with existing enterprise systems. Then, GSOC staff can spend more of their time educating business stakeholders to become more valuable intelligence consumers whose feedback gives enterprises a competitive advantage with regard to risk.

5) Top 10 Use Cases for OSINT; Review of Tangible Examples

In addition to reputation use cases such as diligence on social media personalities that could negatively impact brands, below are 10 additional examples of OSINT use cases for the GSOC:
- Executive Protection
- Physical Asset Protection
- Travel Security
- Regulatory/Environmental Risk Specific to Business
- Geo-Political Risk
- Global Investigations
- Fraud Detection
- Threat Surface Assessment
- M&A Security Due Diligence
- Ethical Hacking
/episode/index/show/the-cyber5/id/23366738
Threat Intelligence Usage in API Security and DevSecOps with Snap Finance Chief Security Officer Upendra Mardikar
05/24/2022
In episode 73 of The Cyber5, we are joined by Snap Finance Chief Security Officer Upendra Mardikar. We discuss how threat intelligence is used in application programming interface (API) security and development security operations (DevSecOps). Any organization building an application has data or user-generated content as the primary product. Once connected to customers, consumers, clients, or partners, a new set of security considerations is generated. The API serves as the software intermediary that allows two applications to talk to one another. It's bad enough if an attacker exfiltrates sensitive data, but imagine if they are able to gain visibility into who is querying for the data held in the application. Imagine if Russia can see who is querying certain individuals in a credit bureau data set. That's a whole other set of problems organizations face. As we've talked about in previous podcasts, DevSecOps is the practice of securing the software development lifecycle (SDLC). We talk about why API security should be added to the wider MITRE ATT&CK framework and further discuss the impact of organizational immaturity as it relates to tackling API and DevOps security.

Five Key Takeaways:

1) APIs are at the Forefront of Digital Transformation and Must be Protected

APIs go north/south between the company and customers, and east/west establishing interconnectivity between different applications within the enterprise. A giant need exists to go “outside the firewall” to observe threats that are attacking APIs, because they are fundamental to many enterprise functions, regardless of industry.

2) API Security is Very Immature in Enterprise

Many security practitioners focus on north/south protections of APIs and implement firewalls and DDoS protections to keep intruders out of the environment. However, this is a myopic strategy because it does not protect against lateral movement and privilege escalation once an attacker compromises perimeter security. When perimeter security is compromised, protecting east/west APIs becomes critical. We are seeing trends around Zero Trust. Zero Trust is based on the premise that location isn’t relevant and that users and devices can’t be trusted until they are authenticated and authorized. To gain security from a Zero Trust security model, we must therefore apply these principles to our APIs. This aligns well, since modern API-driven software and apps aren’t contained in a fixed network (they’re in the cloud) and threats exist throughout the application and infrastructure stack. An API-driven application can have thousands of microservices, making it difficult for security and engineering teams to track all development and its security impact. Adopting Zero Trust principles ensures that each microservice communicates with least privilege, preventing the use of open ports and enabling authentication and authorization across each API. The end goal is to make sure that one insecure API doesn’t become the weakest link, compromising the entire application and its data.

3) Integrating API Security into the MITRE ATT&CK Framework

API security is different from traditional application security (OWASP), which is integrated into the MITRE ATT&CK Framework along with attacks on servers, endpoints, TLS, etc. API security focuses more on the potential attacks on exposed, internet-facing microservices, in addition to the business logic. API security primarily focuses on:
- Users: The most common API vulnerabilities tend to be centered around authorization issues that enable access to resources within an API-driven application.
- Transactions: Ensuring that transport layer security (TLS) encryption is enforced for all transactions between the client and application adds an extra layer of safety. Since modern applications are built on microservices, software developers should enforce encryption between all microservices.
- Data: It is increasingly important to ensure sensitive data is protected both at rest and in motion, and that the data can be traced end-to-end.
- Monitoring: This means collecting telemetry or metadata that gives you a panoramic view of an application, how it behaves, and how its business logic is structured.

4) Improvements for Threat Intelligence Against APIs of Applications

Threat intelligence providers need to go beyond the features of user stories and also be able to alert and automate when malicious actors are targeting the microservices behind APIs, as the business logic of these APIs is central to business operations.

5) Threat Intelligence Should Try to Integrate with Threat Hunting to Conduct Proper Malicious Pattern Matching, Reducing False Positives

Pattern matching to detect malicious behavior amid legitimate user traffic has evolved over time:
- Netflow: track network traffic from the routers to the endpoints
- Applications: track application traffic to detect authentication anomalies
- Data: track data flows in motion and at rest in the data lakes
- Devices: map devices to determine a proper asset inventory
- Users: track user behavior, such as off-business-hours queries to sensitive databases

The industry still needs solutions that detect and correlate these behaviors at scale, because thus far this has been extremely fragmented.
/episode/index/show/the-cyber5/id/23215928
Integrating Threat Intelligence into an Application Security and Fraud Program with DoorDash’s Patrick Mathieu
05/18/2022
In episode 72 of The Cyber5, we are joined by DoorDash Application Security Manager, Patrick Mathieu. We talk about threat intelligence's role within application security programs, particularly programs focusing on fraud. We discuss the importance of prioritizing between what could happen, as often seen in penetration testing, and what is happening, as often seen with threat intelligence. We also talk about the different types of internal and external telemetry that can be used to drive a program, and discuss the outcomes that are critical for an application security program to be successful.

Three Key Takeaways:

1) Application Security Overlaps and Threat Intelligence Shortcomings

Fraud programs exist to save money, and application security programs exist to discover and mitigate cyber vulnerabilities. However, most of the problems on both sides are derived from the same weaknesses in the application architecture introduced during the software development lifecycle (SDLC). Any application development team needs to know the following:
- Attacks: Understand the threat, who is attacking, and what they are attacking. The target could be the server, the client, the user, etc.
- Custom Angles: A fraudster is always going to attack the business logic of an application: the custom rules or algorithms that handle the exchange of information between a database and the user interface.
- Obscurity: The threat will not likely be in the news, unlike a ransomware group. As a technology company grows, an application will gain interest from fraudsters who will try to abuse it. Threat intelligence falls short in collecting against these actors because the activity is so specific to business logic and not tied to an organized crime group with greater notoriety or known tactics, techniques, and procedures (TTPs).

2) Common Vulnerabilities in Application Security Pertinent to Fraud

While injection attacks are still common, the most common application vulnerabilities are fraudulent authentication attempts and session hijacking. Microservices (token sessions, for example) are common in applications. However, it’s very challenging to know who is doing what in the application; for example, whether it’s a consumer, an application developer, or a fraudster. Many companies do not have an active asset inventory, particularly for their applications. There is little visibility for analyzing the logs on the Web Application Firewall (WAF). Every application is different, and understanding what is normal versus fraudulent takes time and modeling to focus on who is attacking business logic for fraudulent gain.

3) Application and Security Engineers Must Communicate

Security champion programs are critical to getting application and security engineers to communicate in a way that articulates what is normal in an application. If this collaboration does not work, attackers will be able to collaborate and execute faster. Adoption rates among application engineers are a better metric to monitor than the remediation of vulnerabilities.
/episode/index/show/the-cyber5/id/23152829
Building Your Own Intelligence Program within the SOC and Beyond
04/25/2022
In episode 71 of The Cyber5, guest Nisos moderator and teammate Matt Brown is joined by security practitioner Matt Nelson. They talk about a recent intelligence blog Matt Nelson wrote about how to operationalize intelligence for the SOC and the outcomes that an incident response team looks for from intelligence. They also talk about how to make intelligence more broadly used for investigations and discuss the intelligence market more holistically.

Three Key Takeaways:

1) Threat Intelligence Augments Threat Hunting in the Security Operations Center (SOC)

Intelligence requirements are critical throughout the business and not just limited to the SOC. Threat intelligence can be a significant help to the threat hunting and detection team. The outcomes that threat hunting teams generally look for are:
- Cyber Kill Chain: Analyzing the payload, including the commands it’s running, the attack hosting infrastructure, which ports the infrastructure uses to communicate, etc.
- Target Verification: Identifying who is being targeted, how, and with what intent; this context is often missing when looking solely at forensics data.
- Collection Intent of Attacker: Trying to determine what kinds of data the attackers are aiming for. This is hard to determine from forensics data alone.
- Target of Opportunity Versus Targeted Attack: Determining whether attacks are targeting the many or the select few is critical for defense strategies. If targeting efforts are directed solely at IT personnel with admin access, that’s more significant than a “spray and pray” campaign.
- Outcomes: Outlining detections, protection strategies, and awareness campaigns.

2) Evolving Threat Intelligence Beyond the SOC

Threat intelligence is not just cyber news or an indicators of compromise (IoC) feed. Threat intelligence is useful for insider threat, fraud, platform abuse, corporate intelligence, and supply chain risk.

3) Single Data Aggregators for Enterprises (SIEMs, TIPs, MISP) Aren’t the Panacea

The SIEM is not the greatest place for threat intelligence data because there are too many internal logs that aren’t relevant. TIPs are mostly focused externally and are good for IOCs and correlating threat intelligence, but that is not especially useful: it simply repeats what is already known. MISP () is open source but can be effective with the right resources. Data modeling and getting the right taxonomy for the data is the most critical part.
/episode/index/show/the-cyber5/id/22898939
Holistic Uses of PDNS and BGP Data to Address Intelligence Needs in the Private Sector
04/06/2022
In episode 70 of The Cyber5, we are joined by Open Source Context Director of Operations, Donald McCarthy. We discuss external telemetry available to the private sector, focusing on passive Domain Name System data, or passive DNS, and Border Gateway Protocol, or BGP. These data sets are critical for threat intelligence teams, as they often provide crucial information on attacker infrastructure for the SOC. But they also help solve problems and provide context on a much broader scale.

Three Key Takeaways:

1) What is Passive DNS and how is it collected?

To simplify, passive DNS is a way of storing DNS resolution data so that security teams can reference past DNS record values to uncover potential security incidents or discover malicious infrastructure. Passive DNS is the historical phone book of the internet. Practitioners can collect it by:
- Collecting on the resolver: Have access to and enable logging on the resolver, often termed “T-ing the resolver.” The client side of DNS is called a DNS resolver. A resolver is responsible for initiating and sequencing the queries that ultimately lead to a full resolution (translation) of the resource sought, e.g., translation of a domain name into an IP address. DNS resolvers handle queries using various methods, such as recursive, non-recursive, and iterative.
- Listening on the wire: DNS is port 53 UDP, unencrypted, and many security teams put in a sensor like Bro, Onion, Snort, or Suricata that can collect and then parse the data.

2) What is Border Gateway Protocol (BGP)?

BGP is designed to exchange routing and reachability information between autonomous systems on the Internet and is often complementary to passive DNS. If PDNS is the historical phone book of the internet, BGP is the postal service of the Internet. BGP is the protocol that makes the Internet work by enabling data routing. For example, when a user in Thailand loads a website with origin servers in Brazil, BGP is the protocol that allows that communication to happen quickly and efficiently, usually through autonomous systems (ASes). ASes typically belong to Internet service providers (ISPs) or other large organizations, such as tech companies, universities, government agencies, and scientific institutions. Much of this information can be commercially collected and is commercially available.

3) Use Cases for PDNS and BGP in the SOC:
- Identifying attacker or botnet infrastructure.
- Identifying all internet-facing infrastructure in business use.
- Identifying tactics, techniques, and procedures of attackers.

4) Use Cases for PDNS and BGP outside of the SOC:
- Verify internet-facing applications and infrastructure, and check for compromise, as part of merger and acquisition (M&A) diligence.
- Verify internet-facing applications, infrastructure, and compromise for suppliers.
- Review staging infrastructure of competitors to spot product launches.
- Investigate threatening emails to executives.
- Investigate disinformation websites and infrastructure.

5) Enrichment is King and Does Not Need to Be Resource Intensive

If security teams are not engaging with the business to solve problems that put revenue generation at risk, data sets like PDNS or BGP do not matter. For example, if an organization does not control DNS at its borders, it will lose a lot of the visibility needed to reduce risk and may potentially give away proprietary information.
/episode/index/show/the-cyber5/id/22701962
Future of XDR, SIEM, SOAR, and Threat Intelligence
03/29/2022
In episode 69 of The Cyber5, we are joined by Lima Charlie's CEO, . We discuss the future of what's known in the security industry as XDR, which is essentially an enrichment of endpoint detection and response products.

Three Key Takeaways:

1) What is XDR? It depends on who you ask.
XDR is not another tool, but merely an extension of Endpoint Detection and Response (EDR) products. Gartner expects 50% of mid-market buyers to adopt XDR strategies by 2027. For context, in around 2010, cybersecurity vendors started driving stronger antivirus solutions for endpoint computers and servers, called Endpoint Detection and Response (EDR). Antivirus was only catching malware with a known signature and was not able to detect the malicious lateral movement that is common in today's attacks. Every EDR platform has its own unique set of capabilities. However, some common capabilities include monitoring endpoints in both online and offline mode, responding to threats in real time, increasing visibility and transparency of user data, detecting stored events with malicious code injections, and creating blacklists and whitelists in integration with other technologies. Now that EDR solutions are firmly within the market, they need to be integrated with other tools, including threat intelligence, to be effective at scale for the enterprise. These massive integrations needed at scale, especially with the cloud, are what is starting to be defined as XDR.

2) What are the key integrations to EDR products to form an XDR strategy?
a. Identity Access Management: Gives visibility into who is accessing which applications and websites in the enterprise.
b. Threat Intelligence: Information and artifacts from attacker infrastructure, previous compromises, and behavior that can be identified outside of firewalls.
c. Cloud and SaaS Logging: Any application in the cloud produces a log for access and use.

3) XDR does not have to be expensive or manpower-intensive for SMB.
a. Cloud, SaaS, and Identity Access Management produce logs that can be integrated into simple solutions that do not need to be complex products, particularly for SMB.
b. Enablement should be the critical aspect of XDR rather than more expensive tooling.
c. Easy, automatable solutions to apply security controls are the critical way forward for medium and large enterprises.
/episode/index/show/the-cyber5/id/22607318
Enterprise Stakeholder Management and the Use of Threat Intelligence
03/21/2022
In episode 68 of The Cyber5, we are joined by Executive Director and Head of Global Threat Intelligence for Morgan Stanley, Valentina Soria. We discuss leading a large-scale threat intelligence program in the financial institution space and how to make intelligence absorbable by multiple consumers. We also talk about how intelligence teams can build processes and technology at scale to increase the cost of attack for criminals. Finally, we touch on large enterprises being a value-add to small and medium-sized businesses.

Two Key Takeaways:

1) Intelligence is Valued Differently By Different Stakeholders
Tactical, operational, and strategic intelligence gains can fill many gaps in the business, inside and outside the security operations function. Good intelligence analysis should make business stakeholders rethink their assumptions about risk and address realities regarding specific scenarios around the state of the organization's risk posture.

2) Begin with the SOC, then Spread Across All Business Sectors
Cyber threat intelligence is a journey, and it takes time to realize a return on investment. Find coverage gaps that complement existing controls which already have metrics measured against them, and leverage those metrics. Use metrics to help, such as:
- For SOC/CIRT Teams: The number of incidents and issues remediated, the quantity of vulnerabilities patched, and most importantly, an enumeration or outline of the loss that could have occurred from those exploited vulnerabilities.
- For Outside the SOC: Inform the business of any type of risk through tactical, strategic, and operational intelligence.
/episode/index/show/the-cyber5/id/22522841
Value of Securing Containers in the Technology Supply Chain with Security Practitioner Julie Tsai
03/01/2022
Topic: Value of Securing Containers in the Technology Supply Chain

In episode 67 of The Cyber5, we are joined by senior security practitioner Julie Tsai. We discuss security and intelligence in modern-day technology platforms, concentrating on how to secure the impact that container and cloud environments have on the technology supply chain. Compliance and intelligence play a critical role in the application and development of supply chain risk. Specifically, when developers perform code commits and updates, we discuss the criticality of intelligence and compliance to ensure code is truthful, accurate, and complete.

Three Key Takeaways:

1) Containers and Virtualization Images Offer Repeatability But Also Potential for Compromise at Scale
Containers give software developers the potential to establish an assembly line of repeatable, secure patterns because they are operating system agnostic. However, the upstream effort to harden the container and set the right images or configurations needs to be correct from the beginning. At the same time, mistakes can lead to a compromise at the container or host OS level that impacts the container. Container deployments share a kernel, with modular application containers and services on top. Therefore, security practitioners must be mindful of anything that can break out of that container. Furthermore, even with host OS-level hardening, they must ensure a kernel-level memory compromise does not impact all the dependent layers.

2) Supply Chain Risk with Containers
Supply chain risk in technology is challenging because developers generally borrow code from other developers, and they don't check libraries and dependencies for security issues. In addition, contractual agreements aren't capturing all the supply chain pipeline nuances. It's hard enough to know what's happening inside an enterprise network, let alone understand the provenance and the chain of custody. Security issues can get injected into the end product when a strict process concerning container changes is not followed. "Defense in Depth" is a classic security principle that matters in securing containers, covering areas such as application and configuration management. In addition, other aspects like source control, the commit trail, and fingerprinting different kinds of artifacts all act as checks to ensure code is updated correctly.

3) Threat Intelligence Fundamentals with Container Security
A threat intelligence program needs to start by aligning with the business on the most prevalent threats. A banking site will have different threats than e-commerce, gaming, or a cryptocurrency exchange. Therefore, a threat intelligence program needs to be modular enough to scale to many types of threats as the business grows. More tactically related to containers, developers can't tear down containers every time a malicious actor scans a container environment, as little work would get done. However, if a threat intelligence team notices a regularity or repeatability in the scan attempts followed by authentication attempts against the environment, those types of intelligence alerts are fruitful. Intelligence programs show clear value in highly attacked industries (manufacturing, health care, retail, finance). The challenge is if you put blinders on and think there isn't a way to be attacked other than what regular threat intelligence blogs describe.
/episode/index/show/the-cyber5/id/22297304
Building a Security Team to the Business And Using Intelligence to Inform the Proper Risk Strategy with H&R Block CISO Josh Brown
02/24/2022
In episode 66 of The Cyber5, we are joined by H&R Block Chief Information Security Officer (CISO) Josh Brown. In this episode we discuss the importance of building an informed security team that can collect intelligence and set a proper risk strategy. We have a frank conversation about what the business of security means and how to develop a team that understands multiple business lines, so that a security team is anchoring its security strategy to how the company is driving revenue. We talk through how to do this at scale within the intelligence discipline, which touches many lines of risk, not just cybersecurity.

Three Key Takeaways:

1) Security Informs the Business to Make Risk-Based Decisions
Security professionals must have a deep understanding of how the business functions in order to develop a proper risk-based approach. Security is a risk management function that puts up guardrails so the business avoids bad decisions and losing money. Intelligence is critical for gaining a 360-degree view, including fraud and the user segment of the network. Threat intelligence must be relevant to the specific business, not the industry overall. If there is a threat to a bank, that likely has nothing to do with a tax filing service.

2) Actionable Intelligence That Reduces Business Risk
The industry has not secured an intelligence solution. Intelligence is an enrichment function, not the first line of truth about what to prioritize. Fraud and other business-specific data that result in business loss are equally important to funnel into traditional cybersecurity tools. Further, threat feeds and information must be bi-directional so that even competitors and businesses in the same location can understand when incidents are taking place. The threats that most companies face are not those that are regularly marketed, such as Advanced Persistent Threats. The cybersecurity industry does a poor job of providing the likelihood of a certain advanced attack. Business email compromise, account takeovers, and fraud are still the most prevalent styles of attack, even for those businesses that can afford sophisticated security technology.

3) Actionable Intelligence That Gives Visibility into Supply Chain Risk
"The perimeter" is no longer relevant like it used to be. With work from home, the perimeter is just as much about identity access management (IAM) as it is about IP space. On third-party supply chain risk, enterprises currently implement scorecard tooling as an audit function, so that when a software vulnerability is released, an enterprise can quickly query which suppliers use that library or dependency. Further, the supply chain is equally about business interruption (DDoS) as it is about suppliers that hold critical data. Major enterprises also care about the vendor's vendors if compromised, depending on the criticality of the data (fourth-party supply chain risk). Since the United States does not even have a standard breach notification law, it's going to be very challenging to share intelligence bi-directionally, let alone get developers to uniformly submit secure code.
/episode/index/show/the-cyber5/id/22241360
Brand and Reputation Intelligence: Open Source Intelligence That Drives Revenue Generation But Protects the Brand with Vizsense's Jon Iadonisi
02/02/2022
In episode 65 of The Cyber5, we are joined by Jon Iadonisi, CEO and Co-Founder of VizSense. Many people think of open-source intelligence (OSINT) as identifying and mitigating threats for the security team. In this episode, we explore how OSINT is used to drive revenue. We talk about the role social media and OSINT play in marketing campaigns, particularly around brand awareness, brand reputation, go-to-market (GTM) strategy, and overall revenue generation. We also discuss what marketing and security teams can learn from OSINT intelligence tradecraft, particularly when there are threats to the brand's reputation.

Four Key Takeaways:

1) Even in Marketing, Context and Insights Provide Intelligence, Not Data
Raw data is not intelligence; rather, intelligence is a refined product where context is provided around information and data. Similar to the national security and enterprise security world, where adversaries are trying to commit crimes and espionage, businesses want to attract people to their brand. Open-source and social media information are powerful data points when analyzed, providing critical intelligence on what consumers and businesses want to buy. Every human being is now a signal, no different from radio intercepts during Pearl Harbor.

2) The Role of OSINT in Driving Revenue for the Brand; Quantitative and Qualitative Metrics
In the security world, attribution to a particular organization is necessary for it to continue to receive funding, whether it's a hacking group or a terrorist organization. In the marketing world, brand intelligence is a crucial piece in the following three elements to influence a person:
- Persuasive content
- Delivered from a credible voice
- Network or audience with a high engagement rate
Open-source intelligence can be mined in a way that provides insights stronger than traditional marketing focus groups. While celebrities attract attention, people are more likely to follow people like themselves, aka micro-influencers. Quantitatively, increasing numbers in revenue, sharing, and engagement are critical metrics. Qualitatively, marketing teams can mine social media data to determine what people are thinking about a particular product, but also to understand how the products are performing, and then design and build future products. The crowd will tell a brand what they want and don't have yet, and you can use that data to build future products.

3) Where Marketing Meets Security: Threats to Brand Reputation
Security teams should work with marketing teams daily to protect the brand. In today's threats to brands, the human dimension of what people say online is of equal credibility, if not more importance, than the technical signals that show a company has suffered a breach, particularly regarding misinformation and disinformation. The human dimension is converging with the technical dimension, and a true holistic hybrid model is needed for enterprise security and intelligence teams. An example of reputation threats that happen in business every day: smear campaigns using disinformation and misinformation from competitors introduce uncertainty into a brand's ecosystem.

4) Where Security Meets Marketing: Privacy Taken Seriously Enhances the Brand
On the flip side, marketing teams should look for ways to promote the security of their products as business differentiators. Marketing teams should also consult with the security teams to understand all the different data lakes that are available in social media, the dark web, and open source to ensure they can collect the proper type of sentiment where brands are being discussed.
/episode/index/show/the-cyber5/id/21998972
Building an Intelligence Program to Protect Executives with Okta Senior Intelligence Analyst John Marshall
01/25/2022
In episode 64 of The Cyber5, we are again joined by John Marshall, Senior Intelligence Analyst at Okta. We discuss building a threat intelligence program to protect executives, particularly the nuances of being a "solution-side security company". We discuss a risk-based approach for protecting executives and the data that's important to aggregate and analyze. We also talk about success metrics for intelligence analysis when building an executive protection program.

Three Key Takeaways:

1) Plans, Actions, and Milestones
Regardless of industry, connecting with your executive team on a personal level to establish trust is the first step in any executive protection program. Communicating plans, actions, and milestones is critical. Within these three segments, intelligence requirements should be tiered into 3 groups - strategic, operational, and tactical.
- Strategic: Security of the people, security of places, and security of the brand.
- Operational: Methodologies and means a security team is going to use to monitor for threats to the brand. Specifically, collecting intel on current events, private investigation, travel tracking for executives, and a company-wide messaging system to track employees.
- Tactical: Day-to-day implementation of integrating the strategic and operational methodologies.

2) Distinguishing Between Targets of Opportunity and Targets of Attack
Typical items to review when protecting executives:
- Weather that's going to impede movement
- Social media activity that reveals plans for protests or riots near a location of interest
- Natural disasters
- Geo-political events
The primary mechanisms to protect against targets of opportunity:
- Background checks
- Social media monitoring, which includes OSINT monitoring and analysis
When the mechanisms that flesh out targets of opportunity show a threat escalating, to the point where the executive becomes a target of attack, private sector security teams often lack an action arm to dispel that threat and have to rely on law enforcement for investigations. Intelligence analysis and determination of facts should be pursued on any threat so that security teams can effectively request law enforcement intervention, equipped with more information that will allow a faster response.

3) Articulating Success Metrics
Pinpointing the right event is the most critical success criterion. Executing the intelligence cycle of planning, collecting, exploiting, analyzing, and disseminating information that an executive can use to answer a "so what?" is still a nuanced concept for many private sector organizations. Documenting "wins" and "losses" is equally critical. Security is a risk management function that exists to keep the workforce safe and doing their jobs. Whether it's getting an executive out of a traffic jam or informing a team of a hurricane happening during a conference, which mitigates injury, these should be documented for value-based metrics.
/episode/index/show/the-cyber5/id/21897236
Defining Metrics for Attribution in Cyber Threat Intelligence and Investigations
01/19/2022
In episode 63 of The Cyber5, we are again joined by Sean O’Connor, Head of Global Cyber Threat Intelligence for Equinix.
/episode/index/show/the-cyber5/id/21823049
Introduction to Cryptocurrency Investigations
01/03/2022
In episode 62 of The Cyber5, we are again joined by Charles Finfrock, CEO and Founder of Black Hand Solutions. Charles was previously the Senior Manager of Insider Threat and Investigations at Tesla and prior to that, he worked as an Operations Officer for the Central Intelligence Agency.
/episode/index/show/the-cyber5/id/21661748
Combating Account Takeovers and Fraudulent Websites at Scale for SMB
12/15/2021
In episode 61 of The Cyber5, we are joined by Josh Shaul, CEO of Allure Security.
/episode/index/show/the-cyber5/id/21488177